Description

AppID policy conversion failed. Status Status.

Message #

AppID policy conversion failed. Status %1.

Fields #

Description

The AppLocker policy was applied successfully to this computer.

Message #

The AppLocker policy was applied successfully to this computer.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-AppLocker",
    "guid": "CBDA4DBF-8D5D-4F69-9578-BE14AA540D22",
    "event_source_name": "",
    "event_id": 8001,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-05T23:50:01.740733+00:00",
    "event_record_id": 39,
    "correlation": {},
    "execution": {
      "process_id": 4372,
      "thread_id": 9624
    },
    "channel": "Microsoft-Windows-AppLocker/EXE and DLL",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {},
  "message": ""
}

References #

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Description

FilePathBuffer was allowed to run.

Message #

%11 was allowed to run.

Fields #

References #

• Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations

Description

RuleAndFileData.FilePath was allowed to run but would have been prevented from running if the AppLocker policy were enforced.

Message #

%11 was allowed to run but would have been prevented from running if the AppLocker policy were enforced.

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-AppLocker",
    "guid": "CBDA4DBF-8D5D-4F69-9578-BE14AA540D22",
    "event_source_name": "",
    "event_id": 8003,
    "version": 0,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-02-17T22:20:35.068824+00:00",
    "event_record_id": 1172833,
    "correlation": {},
    "execution": {
      "process_id": 4668,
      "thread_id": 13560
    },
    "channel": "Microsoft-Windows-AppLocker/EXE and DLL",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "user_data": {
    "RuleAndFileData": {
      "PolicyNameLength": 3,
      "PolicyName": "DLL",
      "RuleId": "00000000-0000-0000-0000-000000000000",
      "RuleNameLength": 1,
      "RuleName": "-",
      "RuleSddlLength": 1,
      "RuleSddl": "-",
      "TargetUser": "S-1-5-18",
      "TargetProcessId": 4668,
      "FilePathLength": 38,
      "FilePath": "%SYSTEM32%\\ONDEMANDCONNROUTEHELPER.DLL",
      "FileHashLength": 0,
      "FileHash": null,
      "FqbnLength": 1,
      "Fqbn": "-",
      "TargetLogonId": "0x3e7",
      "FullFilePathLength": 47,
      "FullFilePath": "C:\\Windows\\system32\\OnDemandConnRouteHelper.dll"
    }
  },
  "message": ""
}

References #

• Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/applocker/using-event-viewer-with-applocker

Description

FilePathBuffer was prevented from running.

Message #

%11 was prevented from running.

Fields #

References #

• Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/applocker/using-event-viewer-with-applocker

Description

FilePathBuffer was allowed to run.

Message #

%11 was allowed to run.

Fields #

References #

• Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/applocker/using-event-viewer-with-applocker

Description

FilePathBuffer was allowed to run but would have been prevented from running if the AppLocker policy were enforced.

Message #

%11 was allowed to run but would have been prevented from running if the AppLocker policy were enforced.

Fields #

References #

• Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/applocker/using-event-viewer-with-applocker

Description

FilePathBuffer was prevented from running.

Message #

%11 was prevented from running.

Fields #

References #

• Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/applocker/using-event-viewer-with-applocker

Description

FilePathBuffer: AppLocker component not available on this SKU.

Message #

%2: AppLocker component not available on this SKU.

Fields #

Description

FilePathBuffer: AppLocker component not available on this SKU.

Message #

%2: AppLocker component not available on this SKU.

Fields #

Description

PackageBuffer was allowed to run.

Message #

%11 was allowed to run.

Fields #

Description

PackageBuffer was allowed to run but would have been prevented from running if the AppLocker policy were enforced.

Message #

%11 was allowed to run but would have been prevented from running if the AppLocker policy were enforced.

Fields #

Description

PackageBuffer was prevented from running.

Message #

%11 was prevented from running.

Fields #

Description

PackageBuffer was allowed to be installed.

Message #

%11 was allowed to be installed.

Fields #

Description

PackageBuffer was allowed to run but would have been prevented from running if the AppLocker policy were enforced.

Message #

%11 was allowed to run but would have been prevented from running if the AppLocker policy were enforced.

Fields #

Description

PackageBuffer was prevented from running.

Message #

%11 was prevented from running.

Fields #

Description

No packaged apps can be executed while Exe rules are being enforced and no Packaged app rules have been configured.

Message #

No packaged apps can be executed while Exe rules are being enforced and no Packaged app rules have been configured.

Description

No packaged apps can be executed while Exe rules are being enforced and no Packaged app rules have been configured.

Message #

No packaged apps can be executed while Exe rules are being enforced and no Packaged app rules have been configured.

Description

FilePath was allowed to run but would have been prevented if the Config CI policy were enforced.

Message #

%2 was allowed to run but would have been prevented if the Config CI policy were enforced.

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-AppLocker",
    "guid": "CBDA4DBF-8D5D-4F69-9578-BE14AA540D22",
    "event_source_name": "",
    "event_id": 8028,
    "version": 0,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018427387904,
    "time_created": "2023-11-06T00:54:55.214802+00:00",
    "event_record_id": 241,
    "correlation": {
      "ActivityID": "E4DB489E-1037-0001-6B7D-E5E43710DA01"
    },
    "execution": {
      "process_id": 12792,
      "thread_id": 6736
    },
    "channel": "Microsoft-Windows-AppLocker/MSI and Script",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "FilePathLength": 70,
    "FilePath": "C:\\Windows\\Installer\\{6F11CAC3-D33D-4360-B139-73F3276A2B9A}\\loc.en.mst",
    "Sha1Hash": "C9FD8657FD8262EF19369B5FB6CAA7CB7632FC87",
    "Sha256Hash": "3881BD701A2B9DE71742065AADC110FBFFD17F127785FDA4E17570A77FC3FA84",
    "Result": -790036478,
    "USN": 309169000,
    "Sha1CatalogHash": "C9FD8657FD8262EF19369B5FB6CAA7CB7632FC87",
    "Sha256CatalogHash": "9A71D576BC994B8C6DCFA683B38313596DCE7774784D46EFC5FE5D97724043BC",
    "UserWriteable": false
  },
  "message": ""
}

References #

• Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations
• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Description

FilePath was prevented from running due to Config CI policy.

Message #

%2 was prevented from running due to Config CI policy.

Fields #

References #

• Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations

Description

ManagedInstaller check SUCCEEDED during Appid verification of.

Message #

ManagedInstaller check SUCCEEDED during Appid verification of
%2.
Status: %5

Fields #

Description

SmartlockerFilter detected file FileName being written by process CurrentProcess.

Message #

SmartlockerFilter detected file %2 being written by process %4.

Fields #

Description

ManagedInstaller check FAILED during Appid verification of.

Message #

ManagedInstaller check FAILED during Appid verification of
%2.
Status: %5

Fields #

Description

ManagedInstaller check FAILED during Appid verification of.

Message #

ManagedInstaller check FAILED during Appid verification of
%2.
Status: %5
Allowed to run due to Audit Applocker Policy

Fields #

Description

ManagedInstaller Script check FAILED during Appid verification of.

Message #

ManagedInstaller Script check FAILED during Appid verification of
%2.
Status: %3

Fields #

Description

ManagedInstaller Script check SUCCEEDED during Appid verification of.

Message #

ManagedInstaller Script check SUCCEEDED during Appid verification of
%2.
Status: %3

Fields #

Description

CLSID was prevented from running due to Config CI policy.

Message #

%2 was prevented from running due to Config CI policy.

Fields #

References #

• Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations

Description

FilePath passed Config CI policy and was allowed to run.

Message #

%2 passed Config CI policy and was allowed to run.

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-AppLocker",
    "guid": "CBDA4DBF-8D5D-4F69-9578-BE14AA540D22",
    "event_source_name": "",
    "event_id": 8037,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018427387904,
    "time_created": "2023-11-05T23:23:27.417018+00:00",
    "event_record_id": 212,
    "correlation": {
      "ActivityID": "E4DB489E-1037-0000-B137-E1E43710DA01"
    },
    "execution": {
      "process_id": 4436,
      "thread_id": 4748
    },
    "channel": "Microsoft-Windows-AppLocker/MSI and Script",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-21-1992711665-1655669231-58201500-1000"
    }
  },
  "event_data": {
    "FilePathLength": 52,
    "FilePath": "C:\\Users\\User\\AppData\\Local\\Temp\\5727A9~1\\target.msi",
    "Sha1Hash": "BZ5vuVS8kFhj0G/vkELAqCSVqZQ=",
    "Sha256Hash": "V6OaWrftehYv3pf3Ok8wTra6kixgNW/+/Gv+5qiK/k4=",
    "Result": "",
    "USN": "p�t\u0010",
    "Sha1CatalogHash": "BZ5vuVS8kFhj0G/vkELAqCSVqZQ=",
    "Sha256CatalogHash": "vuwjuOrQZfho6c2gISZZmGl+eXBkI0qHyIi+luLHAGA=",
    "UserWriteable": true
  },
  "message": ""
}

References #

• Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations
• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Description

Publisher info.

Message #

Publisher info:
Subject: %4
Issuer: %6
Signature index %2 (%1 total)

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-AppLocker",
    "guid": "{cbda4dbf-8d5d-4f69-9578-be14aa540d22}",
    "event_source_name": "",
    "event_id": 8038,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 4611686018427387904,
    "time_created": "2023-11-06T00:54:55.214842+00:00",
    "event_record_id": 242,
    "correlation": {
      "ActivityID": "E4DB489E-1037-0001-6B7D-E5E43710DA01"
    },
    "execution": {
      "process_id": 12792,
      "thread_id": 6736
    },
    "channel": "Microsoft-Windows-AppLocker/MSI and Script",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {},
  "message": ""
}

References #

• Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations
• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Description

Package family name Version version GUID was allowed to install or update but would have been prevented if the Config CI policy (Name:PackageFamilyName ID:PolicyNameLength Version:PolicyName GUID:PolicyIDLength) were enforced. Status PolicyID.

Message #

Package family name %2 version %3 was allowed to install or update but would have been prevented if the Config CI policy (Name:%5 ID:%7 Version:%8 GUID:%9) were enforced. Status %10

Fields #

References #

• Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations

Description

Package family name Version version GUID was prevented from installing or updating due to Config CI policy (Name:PackageFamilyName ID:PolicyNameLength Version:PolicyName GUID:PolicyIDLength). Status PolicyID.

Message #

Package family name %2 version %3 was prevented from installing or updating due to Config CI policy (Name:%5 ID:%7 Version:%8 GUID:%9). Status %10

Fields #

References #

• Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations

Description

A Subject was allowed to ExecutionDecision by system execution policy. The application provided this information: 'AuditInfo'.

Message #

A %6 was allowed to %1 by system execution policy. The application provided this information: '%3'

Fields #

Description

A Subject was not allowed to be executed by system execution policy. The application provided this information: 'AuditInfo'.

Message #

A %6 was not allowed to be executed by system execution policy. The application provided this information: '%3'

Fields #

Description

Process RegisterUninstallStringEventData.ProcessName attempted to register UninstallString RegisterUninstallStringEventData.UninstallString, Status: RegisterUninstallStringEventData.Status.

Message #

Process %6 attempted to register UninstallString %2, Status: %9.

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-AppLocker",
    "guid": "CBDA4DBF-8D5D-4F69-9578-BE14AA540D22",
    "event_source_name": "",
    "event_id": 8043,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T01:02:05.721093+00:00",
    "event_record_id": 43,
    "correlation": {},
    "execution": {
      "process_id": 12912,
      "thread_id": 13892
    },
    "channel": "Microsoft-Windows-AppLocker/EXE and DLL",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-21-1992711665-1655669231-58201500-1000"
    }
  },
  "user_data": {
    "RegisterUninstallStringEventData": {
      "UninstallStringLength": 43,
      "UninstallString": "\"C:\\Program Files\\TeamViewer\\uninstall.exe\"",
      "UninstallerPathLength": 53,
      "UninstallerPath": "\\DosDevices\\C:\\Program Files\\TeamViewer\\uninstall.exe",
      "ProcessNameLength": 78,
      "ProcessName": "\\Device\\HarddiskVolume4\\Users\\User\\AppData\\Local\\Temp\\CDD35C~1\\TeamViewer_.exe",
      "SessionId": "F205B252-1454-4144-BD5A-E00D8E398514",
      "SubSessionId": "0A236C0E-D7AD-508F-13CB-E8248F7D7476",
      "Status": 0
    }
  },
  "message": ""
}

References #

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Description

Checking cmdline UninstallStringLength against registered UninstallStrings CmdlineLength, MatchFound: Cmdline, Status:MatchFound.

Message #

Checking cmdline %2 against registered UninstallStrings %4, MatchFound: %5, Status:%6.

Fields #

Description

Smart App Control Block Details.

Message #

Smart App Control Block Details

Fields #

Description

Smart App Control Block Details.

Fields #

Description

The application setting with ID 'AppID' and name 'SettingName' was queried. For more information, see the details tab.

Message #

The application setting with ID '%1' and name '%2' was queried. For more information, see the details tab.

Fields #

Description

The application setting with ID 'AppID' and name 'SettingName' was queried, and would have a different a value if all policies were enforcing. For more information, see the details tab.

Message #

The application setting with ID '%1' and name '%2' was queried, and would have a different a value if all policies were enforcing. For more information, see the details tab.

Fields #