Mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git (synced 2025-06-18 20:03:40 +00:00)
Update using-event-viewer-with-applocker.md
Line 58: Remove extra spaces.
Committed by GitHub
Parent: fe29adf39f
Commit: a688e3437e
@ -30,16 +30,16 @@ ms.date: 02/02/2023
|
||||
|
||||
This article lists AppLocker events and describes how to use Event Viewer with AppLocker.
|
||||
|
||||
The AppLocker log contains information about applications that are affected by AppLocker rules. Each event in the log contains detailed info about:
|
||||
The AppLocker log contains information about applications that are affected by AppLocker rules. Each event in the log contains details such as the following information:
|
||||
|
||||
- Which file is affected and the path of that file
|
||||
- Which packaged app is affected and the package identifier of the app
|
||||
- Whether the file or packaged app is allowed or blocked
|
||||
- The rule type (path, file hash, or publisher)
|
||||
- The rule name
|
||||
- The security identifier (SID) for the user or group identified in the rule
|
||||
- Which file is affected and the path of that file
|
||||
- Which packaged app is affected and the package identifier of the app
|
||||
- Whether the file or packaged app is allowed or blocked
|
||||
- The rule type (path, file hash, or publisher)
|
||||
- The rule name
|
||||
- The security identifier (SID) for the user or group identified in the rule
|
||||
|
||||
Review the entries in the Event Viewer to determine if any applications aren't included in the rules that you automatically generated. For instance, some line-of-business apps are installed to non-standard locations, such as the root of the active drive (for example: %SystemDrive%).
|
||||
Review the entries in the Event Viewer to determine if any applications aren't included in the rules that you automatically generated. For instance, some line-of-business apps are installed to non-standard locations, such as the root of the active drive (for example, `%SystemDrive%`).
|
||||
|
||||
For info about what to look for in the AppLocker event logs, see [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md).
|
||||
|
||||
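Review bot: The new introductory sentence, "Each event in the log contains details such as the following information:", is redundant ("details such as ... information"); something like "Each event in the log includes details such as:" reads more cleanly. The changed sentence also moves from "info" to "information" while the unchanged "For info about what to look for in the AppLocker event logs" line at the end of this hunk keeps the short form, so one form should be used throughout. The commit message mentions only removing extra spaces on line 58, yet this hunk rewords a sentence and adds code formatting to `%SystemDrive%`; the message should cover those changes too.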
@ -48,24 +48,24 @@ For info about what to look for in the AppLocker event logs, see [Monitor app us
|
||||
|
||||
**To review the AppLocker log in Event Viewer**
|
||||
|
||||
1. Open Event Viewer.
|
||||
2. In the console tree under **Application and Services Logs\\Microsoft\\Windows**, select **AppLocker**.
|
||||
1. Open Event Viewer.
|
||||
2. In the console tree under **Application and Services Logs\\Microsoft\\Windows**, select **AppLocker**.
|
||||
|
||||
The following table contains information about the events that you can use to determine which apps are affected by AppLocker rules.
|
||||
|
||||
| Event ID | Level | Event message | Description |
|
||||
| - | - | - | - |
|
||||
| 8000 | Error| Application Identity Policy conversion failed. Status *<%1> *| Indicates that the policy wasn't applied correctly to the computer. The status message is provided for troubleshooting purposes.|
|
||||
| --- | --- | --- | --- |
|
||||
| 8000 | Error| Application Identity Policy conversion failed. Status *<%1>*| Indicates that the policy wasn't applied correctly to the computer. The status message is provided for troubleshooting purposes.|
|
||||
| 8001 | Information| The AppLocker policy was applied successfully to this computer.| Indicates that the AppLocker policy was successfully applied to the computer.|
|
||||
| 8002 | Information| *<File name> * was allowed to run.| Specifies that the .exe or .dll file is allowed by an AppLocker rule.|
|
||||
| 8003 | Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy was enforced.| Applied only when the **Audit only** enforcement mode is enabled. Specifies that the .exe or .dll file would be blocked if the **Enforce rules** enforcement mode were enabled. |
|
||||
| 8004 | Error| *<File name> * was not allowed to run.| Access to *<file name>* is restricted by the administrator. Applied only when the **Enforce rules** enforcement mode is set either directly or indirectly through Group Policy inheritance. The .exe or .dll file can't run.|
|
||||
| 8005| Information| *<File name> * was allowed to run.| Specifies that the script or .msi file is allowed by an AppLocker rule.|
|
||||
| 8006 | Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy was enforced.| Applied only when the **Audit only** enforcement mode is enabled. Specifies that the script or .msi file would be blocked if the **Enforce rules** enforcement mode were enabled. |
|
||||
| 8007 | Error| *<File name> * was not allowed to run.| Access to *<file name>* is restricted by the administrator. Applied only when the **Enforce rules** enforcement mode is set either directly or indirectly through Group Policy inheritance. The script or .msi file can't run.|
|
||||
| 8002 | Information| *<File name> * was allowed to run.| Specifies that the .exe or .dll file is allowed by an AppLocker rule.|
|
||||
| 8003 | Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy was enforced.| Applied only when the **Audit only** enforcement mode is enabled. Specifies that the .exe or .dll file would be blocked if the **Enforce rules** enforcement mode were enabled. |
|
||||
| 8004 | Error| *<File name> * was not allowed to run.| Access to *<file name>* is restricted by the administrator. Applied only when the **Enforce rules** enforcement mode is set either directly or indirectly through Group Policy inheritance. The .exe or .dll file can't run.|
|
||||
| 8005| Information| *<File name> * was allowed to run.| Specifies that the script or .msi file is allowed by an AppLocker rule.|
|
||||
| 8006 | Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy was enforced.| Applied only when the **Audit only** enforcement mode is enabled. Specifies that the script or .msi file would be blocked if the **Enforce rules** enforcement mode were enabled. |
|
||||
| 8007 | Error| *<File name> * was not allowed to run.| Access to *<file name>* is restricted by the administrator. Applied only when the **Enforce rules** enforcement mode is set either directly or indirectly through Group Policy inheritance. The script or .msi file can't run.|
|
||||
| 8008| Error| AppLocker disabled on the SKU.| Added in Windows Server 2012 and Windows 8.|
|
||||
| 8020| Information| Packaged app allowed.| Added in Windows Server 2012 and Windows 8.|
|
||||
| 8021| Information| Packaged app audited.| Added in Windows Server 2012 and Windows 8.|
|
||||
| 8021| Information| Packaged app audited.| Added in Windows Server 2012 and Windows 8.|
|
||||
| 8022| Information| Packaged app disabled.| Added in Windows Server 2012 and Windows 8.|
|
||||
| 8023 | Information| Packaged app installation allowed.| Added in Windows Server 2012 and Windows 8.|
|
||||
| 8024 | Information| Packaged app installation audited.| Added in Windows Server 2012 and Windows 8.|
|
||||
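Review bot: The space before the closing asterisk was removed only in the 8000 row (`*<%1> *` became `*<%1>*`); the rewritten rows for 8002 through 8007 still read `*<File name> *`, while their Description cells already use `*<file name>*` without the space. An asterisk preceded by a space does not close emphasis in Markdown, so those six Event message cells will show literal asterisks instead of italics; drop the space there as well. Cell padding is also uneven (`| 8005|`, `| 8008|`, `| 8020|` against `| 8000 |`), which is worth normalizing while the table is being touched.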
@ -90,4 +90,3 @@ The following table contains information about the events that you can use to de
|
||||
|
||||
- [Tools to use with AppLocker](tools-to-use-with-applocker.md)
|
||||
|
||||
|
||||
|