Create an instant AppLocker event alert

Discussion in 'other software & services' started by wat0114, Sep 4, 2011.

Thread Status:
Not open for further replies.
  1. wat0114

    wat0114 Guest

    Create an AppLocker instant alert event

    AppLocker will not always display a pop-up alert when something is blocked, especially DLLs, and will only silently log, which can be rather frustrating because something may not work right and the user won't know unless they check the Event Viewer logs.

    Here is a tutorial on how to create a Task Scheduler event that will instantly alert you whenever a specific file type is blocked:

    How to create an AppLocker file block event alert:

    1. Open Task Scheduler as an administrator
    2. Select “Create Task…” button
    3. Under the “General” tab do the following:
    a) Name: whatever you want, eg: “AppLocker file block event”
    b) Description: eg: “Displays an alert whenever AppLocker blocks an executable or DLL file type”
    c) Select the “Change User or Group…” button, and change to “Users”
    d) Configure for: select the drop-down and choose: “Windows 7, Windows Server 2008 R2”, then “OK”

    4. Under the “Triggers” tab do the following:
    a) Select: New… button
    b) Begin the task: from drop-down box select “On an event”
    c) Log: “Microsoft-Windows-AppLocker/EXE and DLL”
    d) Source: “AppLocker”
    e) Event ID: “8004”
    f) Place a checkmark in the “Enabled” box, then “OK”

    5. Under the “Actions” tab do the following:
    a) Select: New… button
    b) Action: from drop-down select “Display a message”
    c) Title: type your customized title eg: “AppLocker Block – Executables and DLLs”
    d) Message: type your customized message, eg: “WARNING! AppLocker blocked a file from launching.”, then “OK”

    6. Under the “Conditions” tab do the following:
    a) Place a checkmark for “Start the task only if the computer is on AC power”, then “OK”

    7. Under the “Settings” tab do the following:
    a) Place checkmarks in: “Allow the task to be run on demand”, “Stop the task if it runs longer than: 1 hour”, “If the running task does not end when requested, force it to stop”, then “OK”

    The same procedure can be used to create an event for AppLocker blocked MSI and Scripts, except you will choose Event ID: 8007.

    I highly recommend creating these tasks if you are going to use AppLocker.

    A screenshot shows what the tasks will look like.
    Last edited by a moderator: Sep 4, 2011
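    The same two tasks built from the command line instead of the Task Scheduler GUI, as an added example that is not from this thread: a PowerShell function registers an event trigger on the AppLocker logs for the block event IDs the tutorial uses. It assumes the ScheduledTasks module (Windows 8 / Server 2012 or later) and uses msg.exe for the pop-up, because the GUI's “Display a message” action is deprecated on those Windows versions; the function name, task names and message text are placeholders.

```powershell
# Added example, not code from the thread. Requires the ScheduledTasks module
# (Windows 8 / Server 2012 or later) and msg.exe (present on Pro/Enterprise SKUs).
$ns = 'Root/Microsoft/Windows/TaskScheduler'
$eventTriggerClass = Get-CimClass -Namespace $ns -ClassName MSFT_TaskEventTrigger

function New-AppLockerAlertTask {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $TaskName,
        [Parameter(Mandatory)] [string] $LogName,   # e.g. 'Microsoft-Windows-AppLocker/EXE and DLL'
        [Parameter(Mandatory)] [int[]]  $EventId,   # 8004 = EXE/DLL blocked, 8007 = MSI/script blocked
        [Parameter(Mandatory)] [string] $Message
    )

    # XPath filter equivalent to the GUI's Log / Source / Event ID fields.
    # The provider name behind the "AppLocker" source is Microsoft-Windows-AppLocker.
    $idFilter = ($EventId | ForEach-Object { "EventID=$_" }) -join ' or '
    $subscription = @"
<QueryList><Query Id="0" Path="$LogName">
  <Select Path="$LogName">*[System[Provider[@Name='Microsoft-Windows-AppLocker'] and ($idFilter)]]</Select>
</Query></QueryList>
"@

    # New-ScheduledTaskTrigger has no "On an event" switch, so build the CIM instance directly.
    $trigger = New-CimInstance -CimClass $eventTriggerClass -ClientOnly
    $trigger.Subscription = $subscription
    $trigger.Enabled      = $true

    # Pop-up for every logged-on session ('*'); replaces the deprecated "Display a message" action.
    $action = New-ScheduledTaskAction -Execute 'msg.exe' -Argument "* `"$Message`""

    # Mirrors the tutorial's Conditions/Settings tabs: AC power only (module default),
    # run on demand (default), 1-hour limit, hard terminate allowed (default).
    $settings  = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 1)
    # Run in the context of any member of Users, as the tutorial's "change to Users" step does.
    $principal = New-ScheduledTaskPrincipal -GroupId 'BUILTIN\Users'

    # -Force overwrites a task of the same name, so the script can be re-run safely.
    Register-ScheduledTask -TaskName $TaskName -Trigger $trigger -Action $action `
                           -Settings $settings -Principal $principal -Force
}

New-AppLockerAlertTask -TaskName 'AppLocker file block event' `
    -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -EventId 8004 `
    -Message 'WARNING! AppLocker blocked an executable or DLL from launching.'

New-AppLockerAlertTask -TaskName 'AppLocker MSI and script block event' `
    -LogName 'Microsoft-Windows-AppLocker/MSI and Script' -EventId 8007 `
    -Message 'WARNING! AppLocker blocked an installer or script from launching.'
```

    Run it from an elevated PowerShell prompt; to test the trigger without waiting for a real block, write a test event is not possible for this provider, so launch a file that has no allow rule and confirm the pop-up arrives alongside the 8004 entry in Event Viewer.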
  2. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,248
    Location:
    Chaotic Land
    Do you create these tasks for every category of rules?
     
  3. wat0114

    wat0114 Guest

    The two tasks for Event ID 8004 & 8007 cover executables, DLLs and scripts. I didn't bother for Windows Installer file types.
     
  4. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,248
    Location:
    Chaotic Land
    Ahh ok so you just need a task for exe and dlls and then one for scripts, correct?
     
  5. wat0114

    wat0114 Guest

    Yes, that's all I wanted anyway. You could create one for Windows Installer file types but you won't likely need it. I'm not sure what the event ID is for those.
     
  6. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,248
    Location:
    Chaotic Land
    I can understand not having one for Windows Installer file types, that's fine. I just wanted to be clear on the other three :D
     
  7. wat0114

    wat0114 Guest

    You bet. Those other three I consider to be far more important. Actually I think it might be Event ID 8005 for Windows Installers.
     
  8. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,248
    Location:
    Chaotic Land
    Good info to know if I decide to use it but probably not. I will dive into this soon and let you know the results. First I have to do a reinstall of Windows 7 hehe..
     
  9. wat0114

    wat0114 Guest

    Here's a screenshot example of where these Task Scheduler event alerts can come in handy. Note there is no default warning from AppLocker. In this case the process procexpx64.exe had no rule for it and Process Explorer generated its own alert, but without the alert from the Task Scheduler customized task, it would not be readily apparent that AppLocker was the problem.

    An executable rule is required for procexpx64.exe, which does not appear in Process Explorer's directory until after it's launched.
  10. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,248
    Location:
    Chaotic Land
    Nice. I see how the Task Scheduler alerts are very useful. Thanks for the screenshot wat.
     
  11. wat0114

    wat0114 Guest

    You're welcome chaotic.
     
  12. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,954
    That seems like it would come in pretty handy. I stopped using AppLocker because it was kind of a pain. I don't remember if it was Java updates or Flash updates, but I believe with one or the other AppLocker had to be disengaged in order to update those. Have things changed much for AppLocker the past few months? Or same issues as before?
     
  13. The Seeker

    The Seeker Registered Member

    Joined:
    Oct 24, 2005
    Posts:
    1,100
    Location:
    Adelaide
    That's odd. Usually the correct publisher rule will handle this.
     
  14. wat0114

    wat0114 Guest

    It's not actually an issue with AppLocker, even though it may seem that way. AppLocker is just doing its job, but it will allow the updates if the rules are configured correctly. Not all required executables, including DLLs, are located in the typical %PROGRAMFILES% or %WINDIR% locations.

    That's right, although it's a matter of knowing where the files are located when creating rules for them. They're often buried deep within a user's directory or some other unusual location.

    The way to hunt them down is to search the Event viewer logs under: Application and Services Logs\Microsoft\Windows\AppLocker. The Task Scheduler event alert will trigger instantly, and this is when one should immediately check these logs to find whatever AppLocker blocked.
     
  15. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,954
    Are you using AppLocker and, if so, are you able to update Java/Flash, etc. without disabling AppLocker?
     
  16. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,248
    Location:
    Chaotic Land
    Of course wat uses AppLocker, that's a known fact, just saying :D
     
  17. wat0114

    wat0114 Guest

    As chaotic says, yes indeed, even an AppLocker troll :D

    As for Java and Flash, I normally update by elevating to admin, and your AppLocker ruleset should not hinder installing via BUILTIN\Administrators accounts.

    If you want to know where the files are, at least in Win7x64, they are as follows:

    Flash: %SYSTEM%\Macromed\Flash\FlashUtil10v\

    Java: %PROGRAMFILES%\Java\JRE6\Bin\

    Flash is located under the SysWOW64 (for %SYSTEM% folder)
     
  18. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,248
    Location:
    Chaotic Land
    Exactly, The Seeker. I never had an issue updating Flash or Java because of this when using AppLocker.
     
  19. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,954
    I'm on 32-bit. So elevate just for updating? I like for these to check for updates daily. And I run as admin all the time. But when I tried to install the updates previously I was always denied unless I disabled AppLocker. I was just trying to learn it on the fly as I went, though, from posts on here.
     
  20. 1chaoticadult

    1chaoticadult Registered Member

    Joined:
    Oct 28, 2010
    Posts:
    2,248
    Location:
    Chaotic Land
    You shouldn't enable AppLocker full time until you know everything works. Use audit-only rule enforcement first. That way, when an issue happens you can look at the AppLocker log, find out what's blocked and create or modify an existing rule for the files to be allowed.
     
  21. The Seeker

    The Seeker Registered Member

    Joined:
    Oct 24, 2005
    Posts:
    1,100
    Location:
    Adelaide
    I'm guessing you created the default rules?
     
  22. wat0114

    wat0114 Guest

    If you are running as admin all the time then AppLocker should not be blocking you. Do you have rules in place to allow admins to run all files? It should be:

    BUILTIN\Administrators, (Default Rule) All Files, Path=*

    *EDIT* since you are running as admin all the time, then you will have to (maybe you already are) do things differently. Obviously you can't use the defaults for admins, because that will of course defeat the purpose of AppLocker. Still, you should be able to create rules that allow your admin account the ability to install whatever you like. You would have to select your admin account as the user for the rules you create.
     
    Last edited by a moderator: Sep 4, 2011
  23. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    523
    Shouldn't we also create one for Event ID 8009?
     
  24. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    It would be really nice if the alerts had more information, though. Better yet, it would be nice if there was an application that could intercept blocked AppLocker events, and present us a dialog where we could allow and all that stuff.
     
  25. wat0114

    wat0114 Guest

    Is 8009 the ID for Windows Installers? If so, I didn't bother with it.
     