Event ID 8003 — RuleAndFileData.FilePath was allowed to run but would have been prevented from running if the AppLocker policy were enforced.

Provider: Microsoft-Windows-AppLocker
Channel: EXE and DLL
Level: Warning
Collection Priority: Recommended (Palantir, others)

Description

RuleAndFileData.FilePath was allowed to run but would have been prevented from running if the AppLocker policy were enforced.

Message #

%11 was allowed to run but would have been prevented from running if the AppLocker policy were enforced.

Fields #

Name	Description
`RuleAndFileData.PolicyNameLength` UInt16	—
`RuleAndFileData.PolicyName`	—
`RuleAndFileData.RuleId` GUID	—
`RuleAndFileData.RuleNameLength` UInt16	—
`RuleAndFileData.RuleName`	—
`RuleAndFileData.RuleSddlLength` UInt16	—
`RuleAndFileData.RuleSddl`	—
`RuleAndFileData.TargetUser` SID	—
`RuleAndFileData.TargetProcessId` UInt32	—
`RuleAndFileData.FilePathLength` UInt16	—
`RuleAndFileData.FilePath`	—
`RuleAndFileData.FileHashLength` UInt16	—
`RuleAndFileData.FileHash` Binary	—
`RuleAndFileData.FqbnLength` UInt16	—
`RuleAndFileData.Fqbn` UnicodeString	—
`RuleAndFileData.TargetLogonId` HexInt64	—
`RuleAndFileData.FullFilePathLength` UInt16	—
`RuleAndFileData.FullFilePath`	—
`PolicyNameLength` UInt16	—
`PolicyNameBuffer` UnicodeString	—
`RuleId` GUID	—
`RuleNameLength` UInt16	—
`RuleNameBuffer` UnicodeString	—
`RuleSddlLength` UInt16	—
`RuleSddlBuffer` UnicodeString	—
`TargetUser` SID	—
`TargetProcessId` UInt32	—
`FilePathLength` UInt16	—
`FilePathBuffer` UnicodeString	—
`FileHashLength` UInt16	—
`FileHash` Binary	—
`FqbnLength` UInt16	—
`Fqbn` UnicodeString	—
`TargetLogonId` HexInt64	—
`FullFilePathLength` UInt16	—
`FullFilePathBuffer` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-AppLocker",
    "guid": "CBDA4DBF-8D5D-4F69-9578-BE14AA540D22",
    "event_source_name": "",
    "event_id": 8003,
    "version": 0,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-02-17T22:20:35.068824+00:00",
    "event_record_id": 1172833,
    "correlation": {},
    "execution": {
      "process_id": 4668,
      "thread_id": 13560
    },
    "channel": "Microsoft-Windows-AppLocker/EXE and DLL",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "user_data": {
    "RuleAndFileData": {
      "PolicyNameLength": 3,
      "PolicyName": "DLL",
      "RuleId": "00000000-0000-0000-0000-000000000000",
      "RuleNameLength": 1,
      "RuleName": "-",
      "RuleSddlLength": 1,
      "RuleSddl": "-",
      "TargetUser": "S-1-5-18",
      "TargetProcessId": 4668,
      "FilePathLength": 38,
      "FilePath": "%SYSTEM32%\\ONDEMANDCONNROUTEHELPER.DLL",
      "FileHashLength": 0,
      "FileHash": null,
      "FqbnLength": 1,
      "Fqbn": "-",
      "TargetLogonId": "0x3e7",
      "FullFilePathLength": 47,
      "FullFilePath": "C:\\Windows\\system32\\OnDemandConnRouteHelper.dll"
    }
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/applocker/using-event-viewer-with-applocker