Windows 7 Forums


Windows 7: Understanding Windows 7 AppLocker

18 Aug 2009   #1

Understanding Windows 7 AppLocker

Our guest blogger is Daniel Nerenberg. He is an MCT, MCSA, MCSE, MCTS, MVP, STEP Member and an independent consultant based in Montreal. He is also the President of the Montreal IT pro user group. Daniel has written and consulted on the topics of Windows deployment, application virtualization, and Windows infrastructure.

Windows 7 RTM has been available for just a few weeks now, but already IT Pros everywhere are diving into great new features. One of the more exciting features introduced in Windows 7 is AppLocker. Many of you know about Software Restriction Policies; they allow you to block the execution of a program by file name or hash calculation. You probably also know how it was a race to block applications in our network with these methods. Users could change the name of the file, or applications updated so frequently that you would constantly need to generate new hash files.

AppLocker works under the premise that it's easier to allow the applications you want, and block the rest. If you're running a Windows 7 machine you can see AppLocker by typing gpedit.msc into your search bar and pressing Enter.

You can define policies based on executables, Windows installers, and scripts. Creating a new policy is simple. Right-click on any of the 3 categories and click Create New Rule.

You can create a policy to allow or deny an executable. You can also select which groups the rule will apply to.

You can choose to create a rule based on a publisher (the program needs to be signed), a program path, or a file hash (usually a good choice if the program isn't signed).

For this example I chose publisher. The Rule Wizard uses the information stored in the application signing certificate to learn about the application. You can adjust what level of information you'll allow for an application.

In the above example the policy will only allow Internet Explorer and above to run on the computer.

You can use the same steps to create exceptions for specific applications. One of the more convenient features is the ability to automatically generate rules. If you right-click on any of the 3 categories and click Automatically Generate Rules you can quickly generate a list of rules based on applications that are already installed on the computer (saving you a lot of work to get going with AppLocker!).

In this example, we scan your applications in the Program Files directory and create rules for those programs to run. Perfect for creating a baseline set of rules for applications on a gold image or group policy quickly.

So to summarize, AppLocker allows you from a high level (Publisher) to a granular level (Version) to choose what applications you would like to allow users to run (white listing) rather than creating long lists of what applications they cannot use (black listing).
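The wizard steps described in the post above (choose publisher, path or hash; automatically generate rules from Program Files) can also be run from the AppLocker PowerShell module. The following is an added example, not part of the original post; the scan directory, output file name and the `Baseline` rule-name prefix are assumptions chosen for illustration.

```powershell
# Added example using the AppLocker module cmdlets.
# $scanDir, $outFile and the 'Baseline' prefix are assumptions for illustration.
Import-Module AppLocker

$scanDir = $env:ProgramFiles
$outFile = Join-Path $env:TEMP 'applocker-baseline.xml'

# 1. Collect publisher, path and hash details for every executable under $scanDir.
$files = @(Get-AppLockerFileInformation -Directory $scanDir -Recurse -FileType Exe)

# Unsigned files carry no publisher data, so a publisher rule cannot cover them.
$unsigned = @($files | Where-Object { -not $_.Publisher })
"{0} executables scanned, {1} unsigned" -f $files.Count, $unsigned.Count

# 2. Generate allow rules: publisher where a signature exists, file hash otherwise.
#    -Optimize merges similar files into fewer rules; -Xml returns the policy as text.
[xml]$policy = $files |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
        -RuleNamePrefix 'Baseline' -Optimize -Xml

# 3. Mark each rule collection audit-only so a first deployment logs instead of blocks.
foreach ($collection in @($policy.AppLockerPolicy.RuleCollection)) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$policy.Save($outFile)

# 4. Ask what the policy would decide for a file outside the scanned directory.
#    Anything no rule matches comes back as DeniedByDefault, which is why a
#    Program Files baseline also needs rules (e.g. the default rules) for Windows itself.
$probe = Join-Path $env:SystemRoot 'System32\notepad.exe'
Test-AppLockerPolicy -XmlPolicy $outFile -Path $probe -User Everyone |
    Format-List FilePath, PolicyDecision, MatchingRule

# 5. Rules are only evaluated while the Application Identity service is running.
Get-Service -Name AppIDSvc | Select-Object Name, Status

# To apply the reviewed policy to the local machine, merging with existing rules:
# Set-AppLockerPolicy -XmlPolicy $outFile -Merge
```

Review the exported XML and the audit events before switching `EnforcementMode` to `Enabled`.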


18 Aug 2009   #2


Thanks for the info.
18 Aug 2009   #3
Night Hawk

W7 Ultimate x64/W10 Pro x64 dual boot main build-remote pc W10 Pro x64 Insider Preview/W7 Pro x64

This is one reason why I won't settle for less than the Ultimate edition once 7 is out. That along with the BitLocker and system imaging option are worth the additional cost.



Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd

All times are GMT -5.