deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-19 12:23:37 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Update using-event-viewer-with-applocker.md

Browse Source 
Line 58: Remove extra spaces.
This commit is contained in:
Angela Fleischmann
2023-02-02 14:24:14 -07:00
committed by GitHub
parent fe29adf39f
commit a688e3437e
1 changed files with 19 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md
View File

@ -30,7 +30,7 @@ ms.date: 02/02/2023
This article lists AppLocker events and describes how to use Event Viewer with AppLocker. This article lists AppLocker events and describes how to use Event Viewer with AppLocker.
The AppLocker log contains information about applications that are affected by AppLocker rules. Each event in the log contains detailed info about: The AppLocker log contains information about applications that are affected by AppLocker rules. Each event in the log contains details such as the following information:
- Which file is affected and the path of that file - Which file is affected and the path of that file
- Which packaged app is affected and the package identifier of the app - Which packaged app is affected and the package identifier of the app
@ -39,7 +39,7 @@ The AppLocker log contains information about applications that are affected by A
- The rule name - The rule name
- The security identifier (SID) for the user or group identified in the rule - The security identifier (SID) for the user or group identified in the rule
Review the entries in the Event Viewer to determine if any applications aren't included in the rules that you automatically generated. For instance, some line-of-business apps are installed to non-standard locations, such as the root of the active drive (for example: %SystemDrive%). Review the entries in the Event Viewer to determine if any applications aren't included in the rules that you automatically generated. For instance, some line-of-business apps are installed to non-standard locations, such as the root of the active drive (for example, `%SystemDrive%`).
For info about what to look for in the AppLocker event logs, see [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md). For info about what to look for in the AppLocker event logs, see [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md).
@ -54,8 +54,8 @@ For info about what to look for in the AppLocker event logs, see [Monitor app us
The following table contains information about the events that you can use to determine which apps are affected by AppLocker rules. The following table contains information about the events that you can use to determine which apps are affected by AppLocker rules.
| Event ID | Level | Event message | Description | | Event ID | Level | Event message | Description |
| - | - | - | - | | --- | --- | --- | --- |
| 8000 | Error| Application Identity Policy conversion failed. Status *<%1> *| Indicates that the policy wasn't applied correctly to the computer. The status message is provided for troubleshooting purposes.| | 8000 | Error| Application Identity Policy conversion failed. Status *<%1>*| Indicates that the policy wasn't applied correctly to the computer. The status message is provided for troubleshooting purposes.|
| 8001 | Information| The AppLocker policy was applied successfully to this computer.| Indicates that the AppLocker policy was successfully applied to the computer.| | 8001 | Information| The AppLocker policy was applied successfully to this computer.| Indicates that the AppLocker policy was successfully applied to the computer.|
| 8002 | Information| *<File name> * was allowed to run.| Specifies that the .exe or .dll file is allowed by an AppLocker rule.| | 8002 | Information| *<File name> * was allowed to run.| Specifies that the .exe or .dll file is allowed by an AppLocker rule.|
| 8003 | Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy was enforced.| Applied only when the **Audit only** enforcement mode is enabled. Specifies that the .exe or .dll file would be blocked if the **Enforce rules** enforcement mode were enabled. | | 8003 | Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy was enforced.| Applied only when the **Audit only** enforcement mode is enabled. Specifies that the .exe or .dll file would be blocked if the **Enforce rules** enforcement mode were enabled. |
@ -90,4 +90,3 @@ The following table contains information about the events that you can use to de
- [Tools to use with AppLocker](tools-to-use-with-applocker.md) - [Tools to use with AppLocker](tools-to-use-with-applocker.md)