From a688e3437ee0aa5725f845f14bdc735dd06f8264 Mon Sep 17 00:00:00 2001 From: Angela Fleischmann Date: Thu, 2 Feb 2023 14:24:14 -0700 Subject: [PATCH] Update using-event-viewer-with-applocker.md Line 58: Remove extra spaces. --- .../using-event-viewer-with-applocker.md | 39 +++++++++---------- 1 file changed, 19 insertions(+), 20 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md index ed7b6721dc..d10ebcfc03 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md 
@@ -30,16 +30,16 @@ ms.date: 02/02/2023 This article lists AppLocker events and describes how to use Event Viewer with AppLocker. -The AppLocker log contains information about applications that are affected by AppLocker rules. Each event in the log contains detailed info about: +The AppLocker log contains information about applications that are affected by AppLocker rules. Each event in the log contains details such as the following information: -- Which file is affected and the path of that file -- Which packaged app is affected and the package identifier of the app -- Whether the file or packaged app is allowed or blocked -- The rule type (path, file hash, or publisher) -- The rule name -- The security identifier (SID) for the user or group identified in the rule +- Which file is affected and the path of that file +- Which packaged app is affected and the package identifier of the app +- Whether the file or packaged app is allowed or blocked +- The rule type (path, file hash, or publisher) +- The rule name +- The security identifier (SID) for the user or group identified in the rule -Review the entries in the Event Viewer to determine if any applications aren't included in the rules that you automatically generated. For instance, some line-of-business apps are installed to non-standard locations, such as the root of the active drive (for example: %SystemDrive%). +Review the entries in the Event Viewer to determine if any applications aren't included in the rules that you automatically generated. For instance, some line-of-business apps are installed to non-standard locations, such as the root of the active drive (for example, `%SystemDrive%`). For info about what to look for in the AppLocker event logs, see [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md). 
@@ -48,24 +48,24 @@ For info about what to look for in the AppLocker event logs, see [Monitor app us **To review the AppLocker log in Event Viewer** -1. Open Event Viewer. -2. In the console tree under **Application and Services Logs\\Microsoft\\Windows**, select **AppLocker**. +1. Open Event Viewer. +2. In the console tree under **Application and Services Logs\\Microsoft\\Windows**, select **AppLocker**. The following table contains information about the events that you can use to determine which apps are affected by AppLocker rules. | Event ID | Level | Event message | Description | -| - | - | - | - | -| 8000 | Error| Application Identity Policy conversion failed. Status *<%1> *| Indicates that the policy wasn't applied correctly to the computer. The status message is provided for troubleshooting purposes.| +| --- | --- | --- | --- | +| 8000 | Error| Application Identity Policy conversion failed. Status *<%1>*| Indicates that the policy wasn't applied correctly to the computer. The status message is provided for troubleshooting purposes.| | 8001 | Information| The AppLocker policy was applied successfully to this computer.| Indicates that the AppLocker policy was successfully applied to the computer.| -| 8002 | Information| *<File name> * was allowed to run.| Specifies that the .exe or .dll file is allowed by an AppLocker rule.| -| 8003 | Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy was enforced.| Applied only when the **Audit only** enforcement mode is enabled. Specifies that the .exe or .dll file would be blocked if the **Enforce rules** enforcement mode were enabled. | -| 8004 | Error| *<File name> * was not allowed to run.| Access to *<file name>* is restricted by the administrator. Applied only when the **Enforce rules** enforcement mode is set either directly or indirectly through Group Policy inheritance. 
The .exe or .dll file can't run.| -| 8005| Information| *<File name> * was allowed to run.| Specifies that the script or .msi file is allowed by an AppLocker rule.| -| 8006 | Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy was enforced.| Applied only when the **Audit only** enforcement mode is enabled. Specifies that the script or .msi file would be blocked if the **Enforce rules** enforcement mode were enabled. | -| 8007 | Error| *<File name> * was not allowed to run.| Access to *<file name>* is restricted by the administrator. Applied only when the **Enforce rules** enforcement mode is set either directly or indirectly through Group Policy inheritance. The script or .msi file can't run.| +| 8002 | Information| *<File name> * was allowed to run.| Specifies that the .exe or .dll file is allowed by an AppLocker rule.| +| 8003 | Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy was enforced.| Applied only when the **Audit only** enforcement mode is enabled. Specifies that the .exe or .dll file would be blocked if the **Enforce rules** enforcement mode were enabled. | +| 8004 | Error| *<File name> * was not allowed to run.| Access to *<file name>* is restricted by the administrator. Applied only when the **Enforce rules** enforcement mode is set either directly or indirectly through Group Policy inheritance. The .exe or .dll file can't run.| +| 8005| Information| *<File name> * was allowed to run.| Specifies that the script or .msi file is allowed by an AppLocker rule.| +| 8006 | Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy was enforced.| Applied only when the **Audit only** enforcement mode is enabled. Specifies that the script or .msi file would be blocked if the **Enforce rules** enforcement mode were enabled. 
| +| 8007 | Error| *<File name> * was not allowed to run.| Access to *<file name>* is restricted by the administrator. Applied only when the **Enforce rules** enforcement mode is set either directly or indirectly through Group Policy inheritance. The script or .msi file can't run.| | 8008| Error| AppLocker disabled on the SKU.| Added in Windows Server 2012 and Windows 8.| | 8020| Information| Packaged app allowed.| Added in Windows Server 2012 and Windows 8.| -| 8021| Information| Packaged app audited.| Added in Windows Server 2012 and Windows 8.| +| 8021| Information| Packaged app audited.| Added in Windows Server 2012 and Windows 8.| | 8022| Information| Packaged app disabled.| Added in Windows Server 2012 and Windows 8.| | 8023 | Information| Packaged app installation allowed.| Added in Windows Server 2012 and Windows 8.| | 8024 | Information| Packaged app installation audited.| Added in Windows Server 2012 and Windows 8.| @@ -90,4 +90,3 @@ The following table contains information about the events that you can use to de - [Tools to use with AppLocker](tools-to-use-with-applocker.md) -
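Review bot: In the first hunk (@@ -30,16 +30,16 @@), the reworded lead-in "Each event in the log contains details such as the following information:" is redundant ("details" and "information" say the same thing). Suggest "Each event in the log contains details such as:". The commit message mentions only removing extra spaces on line 58, so this wording change and the new backticks around `%SystemDrive%` should be named in the message or moved to their own commit. The unchanged context line "For info about what to look for in the AppLocker event logs" still uses "info", so the terminology is not consistent after the change.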
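Review bot: In the second hunk (@@ -48,24 +48,24 @@), the emphasis fix reaches only the 8000 row, where `*<%1> *` becomes `*<%1>*`. The added rows for 8002 through 8007 still read `*<File name> *`, with a space before the closing asterisk, so the emphasis will not close when rendered. Suggest `*<File name>*` in those six rows, which also matches the `*<file name>*` form already used in the Description column of 8004 and 8007. These rows are what readers use to tell an audited event (8003, 8006) from a blocked one (8004, 8007), so stray asterisks in the message column are worth fixing in the same pass.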