Microsoft-Windows-AppLocker

49 events across 6 channels

Event ID	Title	Channel
8000	AppID policy conversion failed.	EXE and DLL
8001	The AppLocker policy was applied successfully to this computer.	EXE and DLL
8002	%11 was allowed to run.	EXE and DLL
8003	%11 was allowed to run but would have been prevented from running if the …	EXE and DLL
8004	%11 was prevented from running.	EXE and DLL
8005	%11 was allowed to run.	MSI and Script
8006	%11 was allowed to run but would have been prevented from running if the …	MSI and Script
8007	%11 was prevented from running.	MSI and Script
8008	%2: AppLocker component not available on this SKU.	EXE and DLL
8009	%2: AppLocker component not available on this SKU.	MSI and Script
8010		Operational
8011		Operational
8012		Operational
8013		Operational
8014		Operational
8015		Operational
8016		Operational
8017		Operational
8018		Operational
8019		Operational
8020	%11 was allowed to run.	Packaged app-Execution
8021	%11 was allowed to run but would have been prevented from running if the …	Packaged app-Execution
8022	%11 was prevented from running.	Packaged app-Execution
8023	%11 was allowed to be installed.	Packaged app-Deployment
8024	%11 was allowed to run but would have been prevented from running if the …	Packaged app-Deployment
8025	%11 was prevented from running.	Packaged app-Deployment
8026	No packaged apps can be executed while Exe rules are being enforced and no …	Packaged app-Deployment
8027	No packaged apps can be executed while Exe rules are being enforced and no …	Packaged app-Execution
8028	%2 was allowed to run but would have been prevented if the Config CI policy were …	MSI and Script
8029	%2 was prevented from running due to Config CI policy.	MSI and Script
8030	ManagedInstaller check SUCCEEDED during Appid verification of %2.	EXE and DLL
8031	SmartlockerFilter detected file %2 being written by process %4.	EXE and DLL
8032	ManagedInstaller check FAILED during Appid verification of %2.	EXE and DLL
8033	ManagedInstaller check FAILED during Appid verification of %2.	EXE and DLL
8034	ManagedInstaller Script check FAILED during Appid verification of %2.	MSI and Script
8035	ManagedInstaller Script check SUCCEEDED during Appid verification of %2.	MSI and Script
8036	%2 was prevented from running due to Config CI policy.	MSI and Script
8037	%2 passed Config CI policy and was allowed to run.	MSI and Script
8038	Publisher info: Subject: %4 Issuer: %6 Signature index %2 (%1 total).	MSI and Script
8039	Package family name %2 version %3 was allowed to install or update but would …	MSI and Script
8040	Package family name %2 version %3 was prevented from installing or updating due …	MSI and Script
8041	A %6 was allowed to %1 by system execution policy.	MSI and Script
8042	A %6 was not allowed to be executed by system execution policy.	MSI and Script
8043	Process %6 attempted to register UninstallString %2, Status: %9.	EXE and DLL
8044	Checking cmdline %2 against registered UninstallStrings %4, MatchFound: %5, …	EXE and DLL
8045		Operational
8045	Smart App Control Block Details	MSI and Script
9000	The application setting with ID '.	Verbose
9001	The application setting with ID '.	Verbose

Event ID 8000 — AppID policy conversion failed.

Provider: Microsoft-Windows-AppLocker
Channel: EXE and DLL

Message

AppID policy conversion failed. Status %1.

Fields

Name	Description
`Status`	—

Event ID 8001 — The AppLocker policy was applied successfully to this computer.

Provider: Microsoft-Windows-AppLocker
Channel: EXE and DLL
Level: 4
Samples: 1

Message

The AppLocker policy was applied successfully to this computer.

Example Event

system:
  provider: Microsoft-Windows-AppLocker
  guid: CBDA4DBF-8D5D-4F69-9578-BE14AA540D22
  event_source_name: ''
  event_id: 8001
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-05T23:50:01.740733+00:00'
  event_record_id: 39
  correlation: {}
  execution:
    process_id: 4372
    thread_id: 9624
  channel: Microsoft-Windows-AppLocker/EXE and DLL
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data: {}
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 8002 — %11 was allowed to run.

Provider: Microsoft-Windows-AppLocker
Channel: EXE and DLL

Message

%11 was allowed to run.

Fields

Name	Description
`PolicyNameLength`	—
`PolicyNameBuffer`	—
`RuleId`	—
`RuleNameLength`	—
`RuleNameBuffer`	—
`RuleSddlLength`	—
`RuleSddlBuffer`	—
`TargetUser`	—
`TargetProcessId`	—
`FilePathLength`	—
`FilePathBuffer`	—
`FileHashLength`	—
`FileHash`	—
`FqbnLength`	—
`Fqbn`	—
`TargetLogonId`	—
`FullFilePathLength`	—
`FullFilePathBuffer`	—

References

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations

Event ID 8003 — %11 was allowed to run but would have been prevented from running if the AppLocker policy were enforced.

Provider: Microsoft-Windows-AppLocker
Channel: EXE and DLL

Message

%11 was allowed to run but would have been prevented from running if the AppLocker policy were enforced.

Fields

Name	Description
`PolicyNameLength`	—
`PolicyNameBuffer`	—
`RuleId`	—
`RuleNameLength`	—
`RuleNameBuffer`	—
`RuleSddlLength`	—
`RuleSddlBuffer`	—
`TargetUser`	—
`TargetProcessId`	—
`FilePathLength`	—
`FilePathBuffer`	—
`FileHashLength`	—
`FileHash`	—
`FqbnLength`	—
`Fqbn`	—
`TargetLogonId`	—
`FullFilePathLength`	—
`FullFilePathBuffer`	—

References

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/applocker/using-event-viewer-with-applocker

Event ID 8004 — %11 was prevented from running.

Provider: Microsoft-Windows-AppLocker
Channel: EXE and DLL

Message

%11 was prevented from running.

Fields

Name	Description
`PolicyNameLength`	—
`PolicyNameBuffer`	—
`RuleId`	—
`RuleNameLength`	—
`RuleNameBuffer`	—
`RuleSddlLength`	—
`RuleSddlBuffer`	—
`TargetUser`	—
`TargetProcessId`	—
`FilePathLength`	—
`FilePathBuffer`	—
`FileHashLength`	—
`FileHash`	—
`FqbnLength`	—
`Fqbn`	—
`TargetLogonId`	—
`FullFilePathLength`	—
`FullFilePathBuffer`	—

Sigma Rules

AppLocker Prevented Application or Script from Running
Detects when AppLocker prevents the execution of an Application, DLL, Script, MSI, or Packaged-App from running.

References

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/applocker/using-event-viewer-with-applocker

Event ID 8005 — %11 was allowed to run.

Provider: Microsoft-Windows-AppLocker
Channel: MSI and Script

Message

%11 was allowed to run.

Fields

Name	Description
`PolicyNameLength`	—
`PolicyNameBuffer`	—
`RuleId`	—
`RuleNameLength`	—
`RuleNameBuffer`	—
`RuleSddlLength`	—
`RuleSddlBuffer`	—
`TargetUser`	—
`TargetProcessId`	—
`FilePathLength`	—
`FilePathBuffer`	—
`FileHashLength`	—
`FileHash`	—
`FqbnLength`	—
`Fqbn`	—
`TargetLogonId`	—
`FullFilePathLength`	—
`FullFilePathBuffer`	—

References

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/applocker/using-event-viewer-with-applocker

Event ID 8006 — %11 was allowed to run but would have been prevented from running if the AppLocker policy were enforced.

Provider: Microsoft-Windows-AppLocker
Channel: MSI and Script

Message

%11 was allowed to run but would have been prevented from running if the AppLocker policy were enforced.

Fields

Name	Description
`PolicyNameLength`	—
`PolicyNameBuffer`	—
`RuleId`	—
`RuleNameLength`	—
`RuleNameBuffer`	—
`RuleSddlLength`	—
`RuleSddlBuffer`	—
`TargetUser`	—
`TargetProcessId`	—
`FilePathLength`	—
`FilePathBuffer`	—
`FileHashLength`	—
`FileHash`	—
`FqbnLength`	—
`Fqbn`	—
`TargetLogonId`	—
`FullFilePathLength`	—
`FullFilePathBuffer`	—

References

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/applocker/using-event-viewer-with-applocker

Event ID 8007 — %11 was prevented from running.

Provider: Microsoft-Windows-AppLocker
Channel: MSI and Script

Message

%11 was prevented from running.

Fields

Name	Description
`PolicyNameLength`	—
`PolicyNameBuffer`	—
`RuleId`	—
`RuleNameLength`	—
`RuleNameBuffer`	—
`RuleSddlLength`	—
`RuleSddlBuffer`	—
`TargetUser`	—
`TargetProcessId`	—
`FilePathLength`	—
`FilePathBuffer`	—
`FileHashLength`	—
`FileHash`	—
`FqbnLength`	—
`Fqbn`	—
`TargetLogonId`	—
`FullFilePathLength`	—
`FullFilePathBuffer`	—

Sigma Rules

AppLocker Prevented Application or Script from Running
Detects when AppLocker prevents the execution of an Application, DLL, Script, MSI, or Packaged-App from running.

References

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/applocker/using-event-viewer-with-applocker

Event ID 8008 — %2: AppLocker component not available on this SKU.

Provider: Microsoft-Windows-AppLocker
Channel: EXE and DLL

Message

%2: AppLocker component not available on this SKU.

Fields

Name	Description
`FilePathLength`	—
`FilePathBuffer`	—

Event ID 8009 — %2: AppLocker component not available on this SKU.

Provider: Microsoft-Windows-AppLocker
Channel: MSI and Script

Message

%2: AppLocker component not available on this SKU.

Fields

Name	Description
`FilePathLength`	—
`FilePathBuffer`	—

Event ID 8010 —

Provider: Microsoft-Windows-AppLocker
Channel: Operational

Event ID 8011 —

Provider: Microsoft-Windows-AppLocker
Channel: Operational

Event ID 8012 —

Provider: Microsoft-Windows-AppLocker
Channel: Operational

Event ID 8013 —

Provider: Microsoft-Windows-AppLocker
Channel: Operational

Event ID 8014 —

Provider: Microsoft-Windows-AppLocker
Channel: Operational

Event ID 8015 —

Provider: Microsoft-Windows-AppLocker
Channel: Operational

Event ID 8016 —

Provider: Microsoft-Windows-AppLocker
Channel: Operational

Event ID 8017 —

Provider: Microsoft-Windows-AppLocker
Channel: Operational

Event ID 8018 —

Provider: Microsoft-Windows-AppLocker
Channel: Operational

Event ID 8019 —

Provider: Microsoft-Windows-AppLocker
Channel: Operational

Event ID 8020 — %11 was allowed to run.

Provider: Microsoft-Windows-AppLocker
Channel: Packaged app-Execution

Message

%11 was allowed to run.

Fields

Name	Description
`PolicyNameLength`	—
`PolicyNameBuffer`	—
`RuleId`	—
`RuleNameLength`	—
`RuleNameBuffer`	—
`RuleSddlLength`	—
`RuleSddlBuffer`	—
`TargetUser`	—
`TargetProcessId`	—
`PackageLength`	—
`PackageBuffer`	—
`FqbnLength`	—
`Fqbn`	—

Event ID 8021 — %11 was allowed to run but would have been prevented from running if the AppLocker policy were enforced.

Provider: Microsoft-Windows-AppLocker
Channel: Packaged app-Execution

Message

%11 was allowed to run but would have been prevented from running if the AppLocker policy were enforced.

Fields

Name	Description
`PolicyNameLength`	—
`PolicyNameBuffer`	—
`RuleId`	—
`RuleNameLength`	—
`RuleNameBuffer`	—
`RuleSddlLength`	—
`RuleSddlBuffer`	—
`TargetUser`	—
`TargetProcessId`	—
`PackageLength`	—
`PackageBuffer`	—
`FqbnLength`	—
`Fqbn`	—

Event ID 8022 — %11 was prevented from running.

Provider: Microsoft-Windows-AppLocker
Channel: Packaged app-Execution

Message

%11 was prevented from running.

Fields

Name	Description
`PolicyNameLength`	—
`PolicyNameBuffer`	—
`RuleId`	—
`RuleNameLength`	—
`RuleNameBuffer`	—
`RuleSddlLength`	—
`RuleSddlBuffer`	—
`TargetUser`	—
`TargetProcessId`	—
`PackageLength`	—
`PackageBuffer`	—
`FqbnLength`	—
`Fqbn`	—

Sigma Rules

AppLocker Prevented Application or Script from Running
Detects when AppLocker prevents the execution of an Application, DLL, Script, MSI, or Packaged-App from running.

Event ID 8023 — %11 was allowed to be installed.

Provider: Microsoft-Windows-AppLocker
Channel: Packaged app-Deployment

Message

%11 was allowed to be installed.

Fields

Name	Description
`PolicyNameLength`	—
`PolicyNameBuffer`	—
`RuleId`	—
`RuleNameLength`	—
`RuleNameBuffer`	—
`RuleSddlLength`	—
`RuleSddlBuffer`	—
`TargetUser`	—
`TargetProcessId`	—
`PackageLength`	—
`PackageBuffer`	—
`FqbnLength`	—
`Fqbn`	—

Event ID 8024 — %11 was allowed to run but would have been prevented from running if the AppLocker policy were enforced.

Provider: Microsoft-Windows-AppLocker
Channel: Packaged app-Deployment

Message

%11 was allowed to run but would have been prevented from running if the AppLocker policy were enforced.

Fields

Name	Description
`PolicyNameLength`	—
`PolicyNameBuffer`	—
`RuleId`	—
`RuleNameLength`	—
`RuleNameBuffer`	—
`RuleSddlLength`	—
`RuleSddlBuffer`	—
`TargetUser`	—
`TargetProcessId`	—
`PackageLength`	—
`PackageBuffer`	—
`FqbnLength`	—
`Fqbn`	—

Event ID 8025 — %11 was prevented from running.

Provider: Microsoft-Windows-AppLocker
Channel: Packaged app-Deployment

Message

%11 was prevented from running.

Fields

Name	Description
`PolicyNameLength`	—
`PolicyNameBuffer`	—
`RuleId`	—
`RuleNameLength`	—
`RuleNameBuffer`	—
`RuleSddlLength`	—
`RuleSddlBuffer`	—
`TargetUser`	—
`TargetProcessId`	—
`PackageLength`	—
`PackageBuffer`	—
`FqbnLength`	—
`Fqbn`	—

Sigma Rules

AppLocker Prevented Application or Script from Running
Detects when AppLocker prevents the execution of an Application, DLL, Script, MSI, or Packaged-App from running.

Event ID 8026 — No packaged apps can be executed while Exe rules are being enforced and no Packaged app rules have been configured.

Provider: Microsoft-Windows-AppLocker
Channel: Packaged app-Deployment

Message

No packaged apps can be executed while Exe rules are being enforced and no Packaged app rules have been configured.

Event ID 8027 — No packaged apps can be executed while Exe rules are being enforced and no Packaged app rules have been configured.

Provider: Microsoft-Windows-AppLocker
Channel: Packaged app-Execution

Message

No packaged apps can be executed while Exe rules are being enforced and no Packaged app rules have been configured.

Event ID 8028 — %2 was allowed to run but would have been prevented if the Config CI policy were enforced.

Provider: Microsoft-Windows-AppLocker
Channel: MSI and Script
Level: 3
Samples: 1

Message

%2 was allowed to run but would have been prevented if the Config CI policy were enforced.

Fields

Name	Description
`FilePathLength`	—
`FilePath`	—
`Sha1Hash`	—
`Sha256Hash`	—
`Result`	—
`USN`	—
`Sha1CatalogHash`	—
`Sha256CatalogHash`	—
`UserWriteable`	—

Example Event

system:
  provider: Microsoft-Windows-AppLocker
  guid: CBDA4DBF-8D5D-4F69-9578-BE14AA540D22
  event_source_name: ''
  event_id: 8028
  version: 0
  level: 3
  task: 0
  opcode: 0
  keywords: 4611686018427387904
  time_created: '2023-11-06T00:54:55.214802+00:00'
  event_record_id: 241
  correlation:
    ActivityID: E4DB489E-1037-0001-6B7D-E5E43710DA01
  execution:
    process_id: 12792
    thread_id: 6736
  channel: Microsoft-Windows-AppLocker/MSI and Script
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  FilePathLength: 70
  FilePath: C:\Windows\Installer\{6F11CAC3-D33D-4360-B139-73F3276A2B9A}\loc.en.mst
  Sha1Hash: C9FD8657FD8262EF19369B5FB6CAA7CB7632FC87
  Sha256Hash: 3881BD701A2B9DE71742065AADC110FBFFD17F127785FDA4E17570A77FC3FA84
  Result: -790036478
  USN: 309169000
  Sha1CatalogHash: C9FD8657FD8262EF19369B5FB6CAA7CB7632FC87
  Sha256CatalogHash: 9A71D576BC994B8C6DCFA683B38313596DCE7774784D46EFC5FE5D97724043BC
  UserWriteable: false
message: ''

References

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations
Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 8029 — %2 was prevented from running due to Config CI policy.

Provider: Microsoft-Windows-AppLocker
Channel: MSI and Script

Message

%2 was prevented from running due to Config CI policy.

Fields

Name	Description
`FilePathLength`	—
`FilePath`	—
`Sha1Hash`	—
`Sha256Hash`	—
`Result`	—
`USN`	—
`Sha1CatalogHash`	—
`Sha256CatalogHash`	—
`UserWriteable`	—
`DetachedSignatureFilePathLength`	—
`DetachedSignatureFilePath`	—
`OriginalFileNameLength`	—
`OriginalFilename`	—
`InternalNameLength`	—
`InternalName`	—
`FileDescriptionLength`	—
`FileDescription`	—
`ProductNameLength`	—
`ProductName`	—
`FileVersionLength`	—
`FileVersion`	—
`PolicyNameLength`	—
`PolicyName`	—
`PolicyIDLength`	—
`PolicyID`	—
`PolicyGUID`	—

References

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations

Event ID 8030 — ManagedInstaller check SUCCEEDED during Appid verification of %2.

Provider: Microsoft-Windows-AppLocker
Channel: EXE and DLL

Message

ManagedInstaller check SUCCEEDED during Appid verification of
%2.
Status: %5

Fields

Name	Description
`Status`	—
`ImageNameLength`	—
`ImageName`	—
`ParentProcessLength`	—
`ParentProcess`	—
`StatusCode`	—
`AppLockerReason`	—
`Bucket`	—
`USN`	—
`NtfsFileIdSize`	—
`NtfsFileId`	—
`OriginDataPresent`	—
`SessionId`	—
`SubSessionId`	—
`Origin`	—
`Type`	—
`Generation`	—
`SmartScreen`	—
`RevocationID`	—
`DataLength`	—
`Data`	—

Event ID 8031 — SmartlockerFilter detected file %2 being written by process %4.

Provider: Microsoft-Windows-AppLocker
Channel: EXE and DLL

Message

SmartlockerFilter detected file %2 being written by process %4.

Fields

Name	Description
`FileNameLength`	—
`FileName`	—
`CurrentProcessLength`	—
`CurrentProcess`	—
`ParentProcessLength`	—
`ParentProcess`	—
`USN`	—
`NtfsFileIdSize`	—
`NtfsFileId`	—
`OriginDataPresent`	—
`SessionId`	—
`Origin`	—
`Type`	—
`Generation`	—
`SmartScreen`	—
`DataLength`	—
`Data`	—

Event ID 8032 — ManagedInstaller check FAILED during Appid verification of %2.

Provider: Microsoft-Windows-AppLocker
Channel: EXE and DLL

Message

ManagedInstaller check FAILED during Appid verification of
%2.
Status: %5

Fields

Name	Description
`Status`	—
`ImageNameLength`	—
`ImageName`	—
`ParentProcessLength`	—
`ParentProcess`	—
`StatusCode`	—
`AppLockerReason`	—
`Bucket`	—
`USN`	—
`NtfsFileIdSize`	—
`NtfsFileId`	—
`OriginDataPresent`	—
`SessionId`	—
`SubSessionId`	—
`Origin`	—
`Type`	—
`Generation`	—
`SmartScreen`	—
`RevocationID`	—
`DataLength`	—
`Data`	—

Event ID 8033 — ManagedInstaller check FAILED during Appid verification of %2.

Provider: Microsoft-Windows-AppLocker
Channel: EXE and DLL

Message

ManagedInstaller check FAILED during Appid verification of
%2.
Status: %5
Allowed to run due to Audit Applocker Policy

Fields

Name	Description
`Status`	—
`ImageNameLength`	—
`ImageName`	—
`ParentProcessLength`	—
`ParentProcess`	—
`StatusCode`	—
`AppLockerReason`	—
`Bucket`	—
`USN`	—
`NtfsFileIdSize`	—
`NtfsFileId`	—
`OriginDataPresent`	—
`SessionId`	—
`SubSessionId`	—
`Origin`	—
`Type`	—
`Generation`	—
`SmartScreen`	—
`RevocationID`	—
`DataLength`	—
`Data`	—

Event ID 8034 — ManagedInstaller Script check FAILED during Appid verification of %2.

Provider: Microsoft-Windows-AppLocker
Channel: MSI and Script

Message

ManagedInstaller Script check FAILED during Appid verification of
%2.
Status: %3

Fields

Name	Description
`Status`	—
`ImageNameLength`	—
`ImageName`	—
`StatusCode`	—
`Bucket`	—
`OriginDataPresent`	—
`SessionId`	—
`SubSessionId`	—
`Origin`	—
`Type`	—
`Generation`	—
`SmartScreen`	—
`RevocationID`	—
`DataLength`	—
`Data`	—

Event ID 8035 — ManagedInstaller Script check SUCCEEDED during Appid verification of %2.

Provider: Microsoft-Windows-AppLocker
Channel: MSI and Script

Message

ManagedInstaller Script check SUCCEEDED during Appid verification of
%2.
Status: %3

Fields

Name	Description
`Status`	—
`ImageNameLength`	—
`ImageName`	—
`StatusCode`	—
`Bucket`	—
`OriginDataPresent`	—
`SessionId`	—
`SubSessionId`	—
`Origin`	—
`Type`	—
`Generation`	—
`SmartScreen`	—
`RevocationID`	—
`DataLength`	—
`Data`	—

Event ID 8036 — %2 was prevented from running due to Config CI policy.

Provider: Microsoft-Windows-AppLocker
Channel: MSI and Script

Message

%2 was prevented from running due to Config CI policy.

Fields

Name	Description
`IsApproved`	—
`CLSID`	—

References

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations

Event ID 8037 — %2 passed Config CI policy and was allowed to run.

Provider: Microsoft-Windows-AppLocker
Channel: MSI and Script
Level: 4
Samples: 1

Message

%2 passed Config CI policy and was allowed to run.

Fields

Name	Description
`FilePathLength`	—
`FilePath`	—
`Sha1Hash`	—
`Sha256Hash`	—
`Result`	—
`USN`	—
`Sha1CatalogHash`	—
`Sha256CatalogHash`	—
`UserWriteable`	—

Example Event

system:
  provider: Microsoft-Windows-AppLocker
  guid: CBDA4DBF-8D5D-4F69-9578-BE14AA540D22
  event_source_name: ''
  event_id: 8037
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 4611686018427387904
  time_created: '2023-11-05T23:23:27.417018+00:00'
  event_record_id: 212
  correlation:
    ActivityID: E4DB489E-1037-0000-B137-E1E43710DA01
  execution:
    process_id: 4436
    thread_id: 4748
  channel: Microsoft-Windows-AppLocker/MSI and Script
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-21-1992711665-1655669231-58201500-1000
event_data:
  FilePathLength: 52
  FilePath: C:\Users\User\AppData\Local\Temp\5727A9~1\target.msi
  Sha1Hash: BZ5vuVS8kFhj0G/vkELAqCSVqZQ=
  Sha256Hash: V6OaWrftehYv3pf3Ok8wTra6kixgNW/+/Gv+5qiK/k4=
  Result: ''
  USN: "p�t\x10"
  Sha1CatalogHash: BZ5vuVS8kFhj0G/vkELAqCSVqZQ=
  Sha256CatalogHash: vuwjuOrQZfho6c2gISZZmGl+eXBkI0qHyIi+luLHAGA=
  UserWriteable: true
message: ''

References

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations
Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 8038 — Publisher info: Subject: %4 Issuer: %6 Signature index %2 (%1 total).

Provider: Microsoft-Windows-AppLocker
Channel: MSI and Script
Level: 4
Samples: 1

Message

Publisher info:
Subject: %4
Issuer: %6
Signature index %2 (%1 total)

Fields

Name	Description
`TotalSignatureCount`	—
`Signature`	—
`PublisherNameLength`	—
`PublisherName`	—
`IssuerNameLength`	—
`IssuerName`	—
`PublisherTBSHashSize`	—
`PublisherTBSHash`	—
`IssuerTBSHashSize`	—
`IssuerTBSHash`	—

Example Event

system:
  provider: Microsoft-Windows-AppLocker
  guid: '{cbda4dbf-8d5d-4f69-9578-be14aa540d22}'
  event_source_name: ''
  event_id: 8038
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 4611686018427387904
  time_created: '2023-11-06T00:54:55.214842+00:00'
  event_record_id: 242
  correlation:
    ActivityID: E4DB489E-1037-0001-6B7D-E5E43710DA01
  execution:
    process_id: 12792
    thread_id: 6736
  channel: Microsoft-Windows-AppLocker/MSI and Script
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data: {}
message: ''

References

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations
Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 8039 — Package family name %2 version %3 was allowed to install or update but would have been prevented if the Config CI policy.

Provider: Microsoft-Windows-AppLocker
Channel: MSI and Script

Message

Package family name %2 version %3 was allowed to install or update but would have been prevented if the Config CI policy (Name:%5 ID:%7 Version:%8 GUID:%9) were enforced. Status %10

Fields

Name	Description
`ID`	—
`Version`	—
`GUID`	—
`PackageFamilyNameLength`	—
`PackageFamilyName`	—
`PackageVersion`	—
`PolicyNameLength`	—
`PolicyName`	—
`PolicyIDLength`	—
`PolicyID`	—
`PolicyVersion`	—
`PolicyGuid`	—
`Status`	—

References

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations

Event ID 8040 — Package family name %2 version %3 was prevented from installing or updating due to Config CI policy (Name:%5 ID:%7 Version:%8 GUID:%9).

Provider: Microsoft-Windows-AppLocker
Channel: MSI and Script

Message

Package family name %2 version %3 was prevented from installing or updating due to Config CI policy (Name:%5 ID:%7 Version:%8 GUID:%9). Status %10

Fields

Name	Description
`ID`	—
`Version`	—
`GUID`	—
`PackageFamilyNameLength`	—
`PackageFamilyName`	—
`PackageVersion`	—
`PolicyNameLength`	—
`PolicyName`	—
`PolicyIDLength`	—
`PolicyID`	—
`PolicyVersion`	—
`PolicyGuid`	—
`Status`	—

References

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations

Event ID 8041 — A %6 was allowed to %1 by system execution policy.

Provider: Microsoft-Windows-AppLocker
Channel: MSI and Script

Message

A %6 was allowed to %1 by system execution policy. The application provided this information: '%3'

Fields

Name	Description
`ExecutionDecision`	—
`AuditInfoLength`	—
`AuditInfo`	—
`ExecutionOptionFlags`	—
`Host`	—
`Subject`	—

Event ID 8042 — A %6 was not allowed to be executed by system execution policy.

Provider: Microsoft-Windows-AppLocker
Channel: MSI and Script

Message

A %6 was not allowed to be executed by system execution policy. The application provided this information: '%3'

Fields

Name	Description
`ExecutionDecision`	—
`AuditInfoLength`	—
`AuditInfo`	—
`ExecutionOptionFlags`	—
`Host`	—
`Subject`	—

Event ID 8043 — Process %6 attempted to register UninstallString %2, Status: %9.

Provider: Microsoft-Windows-AppLocker
Channel: EXE and DLL
Level: 4
Samples: 1

Message

Process %6 attempted to register UninstallString %2, Status: %9.

Fields

Name	Description
`RegisterUninstallStringEventData.UninstallStringLength`	—
`RegisterUninstallStringEventData.UninstallString`	—
`RegisterUninstallStringEventData.UninstallerPathLength`	—
`RegisterUninstallStringEventData.UninstallerPath`	—
`RegisterUninstallStringEventData.ProcessNameLength`	—
`RegisterUninstallStringEventData.ProcessName`	—
`RegisterUninstallStringEventData.SessionId`	—
`RegisterUninstallStringEventData.SubSessionId`	—
`RegisterUninstallStringEventData.Status`	2, Status.

Example Event

system:
  provider: Microsoft-Windows-AppLocker
  guid: CBDA4DBF-8D5D-4F69-9578-BE14AA540D22
  event_source_name: ''
  event_id: 8043
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-06T01:02:05.721093+00:00'
  event_record_id: 43
  correlation: {}
  execution:
    process_id: 12912
    thread_id: 13892
  channel: Microsoft-Windows-AppLocker/EXE and DLL
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-21-1992711665-1655669231-58201500-1000
user_data:
  RegisterUninstallStringEventData:
    UninstallStringLength: 43
    UninstallString: '"C:\Program Files\TeamViewer\uninstall.exe"'
    UninstallerPathLength: 53
    UninstallerPath: \DosDevices\C:\Program Files\TeamViewer\uninstall.exe
    ProcessNameLength: 78
    ProcessName: \Device\HarddiskVolume4\Users\User\AppData\Local\Temp\CDD35C~1\TeamViewer_.exe
    SessionId: F205B252-1454-4144-BD5A-E00D8E398514
    SubSessionId: 0A236C0E-D7AD-508F-13CB-E8248F7D7476
    Status: 0
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 8044 — Checking cmdline %2 against registered UninstallStrings %4, MatchFound: %5, Status:%6.

Provider: Microsoft-Windows-AppLocker
Channel: EXE and DLL

Message

Checking cmdline %2 against registered UninstallStrings %4, MatchFound: %5, Status:%6.

Fields

Name	Description
`Status`	—
`UninstallStringLength`	—
`UninstallString`	—
`CmdlineLength`	—
`Cmdline`	—
`MatchFound`	—

Event ID 8045 —

Provider: Microsoft-Windows-AppLocker
Channel: Operational

Fields

Name	Description
`FilePathLength`	—
`FilePathBuffer`	—
`FileSha256Hash`	—
`DefenderScanResultDetails`	—
`DefenderClientStatusCode`	—
`DefenderCloudHTTPCode`	—
`DefenderEngineReportGUID`	—
`DefenderFlags`	—
`DefenderCalled`	—
`DefenderCallAttempted`	—
`DefenderCloudCallRequested`	—
`DefenderMadeCloudCall`	—
`ExternalAuthorizationFlags`	—

Event ID 8045 — Smart App Control Block Details

Provider: Microsoft-Windows-AppLocker
Channel: MSI and Script

Message

Smart App Control Block Details

Fields

Name	Description
`FilePathLength`	—
`FilePathBuffer`	—
`FileSha256Hash`	—
`DefenderScanResultDetails`	—
`DefenderClientStatusCode`	—
`DefenderCloudHTTPCode`	—
`DefenderEngineReportGUID`	—
`DefenderFlags`	—
`DefenderCalled`	—
`DefenderCallAttempted`	—
`DefenderCloudCallRequested`	—
`DefenderMadeCloudCall`	—
`ExternalAuthorizationFlags`	—

Event ID 9000 — The application setting with ID '.

Provider: Microsoft-Windows-AppLocker
Channel: Verbose

Message

The application setting with ID '%1' and name '%2' was queried. For more information, see the details tab.

Fields

Name	Description
`AppID`	—
`SettingName`	—
`SettingType`	—
`ValueCount`	—
`Value`	—

Event ID 9001 — The application setting with ID '.

Provider: Microsoft-Windows-AppLocker
Channel: Verbose

Message

The application setting with ID '%1' and name '%2' was queried, and would have a different a value if all policies were enforcing. For more information, see the details tab.

Fields

Name	Description
`AppID`	—
`SettingName`	—
`SettingType`	—
`ValueCount`	—
`Value`	—
`AuditValueCount`	—
`AuditValue`	—