Windows AppLocker

Windows AppLocker allows administrators to create rules restricting which executables, scripts, and other files users are allowed to run. For more information, see What Is AppLocker? on Microsoft Docs.

AppLocker logs events to the Windows Event Log. There are four logs available, shown in the Event Viewer under Applications and Services Logs > Microsoft > Windows > Applocker:

  • EXE and DLL

  • MSI and Script

  • Packaged app-Deployment

  • Packaged app-Execution

NXLog can collect these events with the im_msvistalog module or other Windows Event Log modules.

Example 1. Collecting AppLocker logs from Windows Event Log

The following configuration uses the im_msvistalog module to collect AppLocker events from the four Windows Event Log channel sources listed above. The xm_xml parse_xml() procedure is used to further parse the UserData XML portion of the event.

nxlog.conf
<Extension _xml>
    Module  xm_xml
</Extension>

<Input in>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Microsoft-Windows-AppLocker/MSI and Script">
                    *</Select>
                <Select Path="Microsoft-Windows-AppLocker/EXE and DLL">
                    *</Select>
                <Select Path="Microsoft-Windows-AppLocker/Packaged app-Deployment">
                    *</Select>
                <Select Path="Microsoft-Windows-AppLocker/Packaged app-Execution">
                    *</Select>
            </Query>
        </QueryList>
    </QueryXML>
    Exec    if $UserData parse_xml($UserData);
</Input>
Output Sample
{
  "EventTime": "2019-01-09T22:34:44.164099+01:00",
  "Hostname": "Host.DOMAIN.local",
  "Keywords": "9223372036854775808",
  "EventType": "ERROR",
  "SeverityValue": 4,
  "Severity": "ERROR",
  "EventID": 8004,
  "SourceName": "Microsoft-Windows-AppLocker",
  "ProviderGuid": "{CBDA4DBF-8D5D-4F69-9578-BE14AA540D22}",
  "Version": 0,
  "TaskValue": 0,
  "OpcodeValue": 0,
  "RecordNumber": 40,
  "ExecutionProcessID": 5612,
  "ExecutionThreadID": 5220,
  "Channel": "Microsoft-Windows-AppLocker/EXE and DLL",
  "Domain": "DOMAIN",
  "AccountName": "admin",
  "UserID": "S-1-5-21-314323950-2314161084-4234690932-1002",
  "AccountType": "User",
  "Message": "%PROGRAMFILES%\\WINDOWS NT\\ACCESSORIES\\WORDPAD.EXE was prevented from running.",
  "Opcode": "Info",
  "UserData": "<RuleAndFileData xmlns='http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0'><PolicyNameLength>3</PolicyNameLength><PolicyName>EXE</PolicyName><RuleId>{4C8E638D-3DE8-4DCB-B0E4-B0597074D06B}</RuleId><RuleNameLength>113</RuleNameLength><RuleName>WORDPAD.EXE, in MICROSOFT® WINDOWS® OPERATING SYSTEM, from O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US</RuleName><RuleSddlLength>179</RuleSddlLength><RuleSddl>D:(XD;;FX;;;S-1-1-0;((Exists APPID://FQBN) &amp;&amp; ((APPID://FQBN) &gt;= ({\"O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\\MICROSOFT® WINDOWS® OPERATING SYSTEM\\WORDPAD.EXE\",0}))))</RuleSddl><TargetUser>S-1-5-21-314323950-2314161084-4234690932-1002</TargetUser><TargetProcessId>7964</TargetProcessId><FilePathLength>49</FilePathLength><FilePath>%PROGRAMFILES%\\WINDOWS NT\\ACCESSORIES\\WORDPAD.EXE</FilePath><FileHashLength>0</FileHashLength><FileHash></FileHash><FqbnLength>118</FqbnLength><Fqbn>O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\\MICROSOFT® WINDOWS® OPERATING SYSTEM\\WORDPAD.EXE\\6.3.9600.19060</Fqbn></RuleAndFileData>",
  "EventReceivedTime": "2019-01-09T22:34:45.773240+01:00",
  "SourceModuleName": "in",
  "SourceModuleType": "im_msvistalog",
  "RuleAndFileData.PolicyNameLength": "3",
  "RuleAndFileData.PolicyName": "EXE",
  "RuleAndFileData.RuleId": "{4C8E638D-3DE8-4DCB-B0E4-B0597074D06B}",
  "RuleAndFileData.RuleNameLength": "113",
  "RuleAndFileData.RuleName": "WORDPAD.EXE, in MICROSOFT® WINDOWS® OPERATING SYSTEM, from O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US",
  "RuleAndFileData.RuleSddlLength": "179",
  "RuleAndFileData.RuleSddl": "D:(XD;;FX;;;S-1-1-0;((Exists APPID://FQBN) && ((APPID://FQBN) >= ({\"O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\\MICROSOFT® WINDOWS® OPERATING SYSTEM\\WORDPAD.EXE\",0}))))",
  "RuleAndFileData.TargetUser": "S-1-5-21-314323950-2314161084-4234690932-1002",
  "RuleAndFileData.TargetProcessId": "7964",
  "RuleAndFileData.FilePathLength": "49",
  "RuleAndFileData.FilePath": "%PROGRAMFILES%\\WINDOWS NT\\ACCESSORIES\\WORDPAD.EXE",
  "RuleAndFileData.FileHashLength": "0",
  "RuleAndFileData.FqbnLength": "118",
  "RuleAndFileData.Fqbn": "O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\\MICROSOFT® WINDOWS® OPERATING SYSTEM\\WORDPAD.EXE\\6.3.9600.19060"
}
Disclaimer

While we endeavor to keep the information in this topic up to date and correct, NXLog makes no representations or warranties of any kind, express or implied about the completeness, accuracy, reliability, suitability, or availability of the content represented here.

Last revision: 23 February 2019