Microsoft-Windows-AppLocker
49 events across 6 channels
Event ID 8000: AppID policy conversion failed.
Description
AppID policy conversion failed. Status Status.
Fields
| Name | Type | Description |
|---|---|---|
| Status | UInt32 | NTSTATUS reference |
Event ID 8001: The AppLocker policy was applied successfully to this computer.
Description
The AppLocker policy was applied successfully to this computer.
Example Event
{
"system": {
"provider": "Microsoft-Windows-AppLocker",
"guid": "CBDA4DBF-8D5D-4F69-9578-BE14AA540D22",
"event_source_name": "",
"event_id": 8001,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2023-11-05T23:50:01.740733+00:00",
"event_record_id": 39,
"correlation": {},
"execution": {
"process_id": 4372,
"thread_id": 9624
},
"channel": "Microsoft-Windows-AppLocker/EXE and DLL",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 8002: FilePathBuffer was allowed to run.
Description
FilePathBuffer was allowed to run.
Fields
| Name | Type | Description |
|---|---|---|
| RuleAndFileData.PolicyNameLength | UInt16 | |
| RuleAndFileData.PolicyName | | |
| RuleAndFileData.RuleId | GUID | |
| RuleAndFileData.RuleNameLength | UInt16 | |
| RuleAndFileData.RuleName | | |
| RuleAndFileData.RuleSddlLength | UInt16 | |
| RuleAndFileData.RuleSddl | | |
| RuleAndFileData.TargetUser | SID | |
| RuleAndFileData.TargetProcessId | UInt32 | Process ID of the target process. |
| RuleAndFileData.FilePathLength | UInt16 | |
| RuleAndFileData.FilePath | | |
| RuleAndFileData.FileHashLength | UInt16 | |
| RuleAndFileData.FileHash | Binary | |
| RuleAndFileData.FqbnLength | UInt16 | |
| RuleAndFileData.Fqbn | UnicodeString | |
| RuleAndFileData.TargetLogonId | HexInt64 | Logon session identifier (LUID) for the target. |
| RuleAndFileData.FullFilePathLength | UInt16 | |
| RuleAndFileData.FullFilePath | | |
| PolicyNameLength | UInt16 | |
| PolicyNameBuffer | UnicodeString | |
| RuleId | GUID | |
| RuleNameLength | UInt16 | |
| RuleNameBuffer | UnicodeString | |
| RuleSddlLength | UInt16 | |
| RuleSddlBuffer | UnicodeString | |
| TargetUser | SID | |
| TargetProcessId | UInt32 | Process ID of the target process. |
| FilePathLength | UInt16 | |
| FilePathBuffer | UnicodeString | |
| FileHashLength | UInt16 | |
| FileHash | Binary | |
| FqbnLength | UInt16 | |
| Fqbn | UnicodeString | |
| TargetLogonId | HexInt64 | Logon session identifier (LUID) for the target. |
| FullFilePathLength | UInt16 | |
| FullFilePathBuffer | UnicodeString | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-AppLocker",
"guid": "{CBDA4DBF-8D5D-4F69-9578-BE14AA540D22}",
"event_source_name": "",
"event_id": 8002,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": -9223372036854775808,
"time_created": "2026-05-30T14:14:52.3346755+00:00",
"event_record_id": 1186891,
"correlation": {},
"execution": {
"process_id": 7916,
"thread_id": 7244
},
"channel": "Microsoft-Windows-AppLocker/EXE and DLL",
"computer": "JD-WIN11-22H2-1.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"user_data": {
"RuleAndFileData": {
"PolicyNameLength": "3",
"PolicyName": "EXE",
"RuleId": "{aa000001-0000-0000-0000-00000000a001}",
"RuleNameLength": "20",
"RuleName": "ALTest-Allow-Windows",
"RuleSddlLength": "57",
"RuleSddl": "D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains \"%WINDIR%\\*\"))",
"TargetUser": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"TargetProcessId": "4424",
"FilePathLength": "22",
"FilePath": "%SYSTEM32%\\CONHOST.EXE",
"FileHashLength": "0",
"FileHash": "",
"FqbnLength": "119",
"Fqbn": "O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\\MICROSOFT® WINDOWS® OPERATING SYSTEM\\CONHOST.EXE\\10.0.22621.5415",
"TargetLogonId": "0x31bfc8f",
"FullFilePathLength": "32",
"FullFilePath": "\\SystemRoot\\System32\\Conhost.exe"
}
},
"message": "%SYSTEM32%\\CONHOST.EXE was allowed to run."
}
Event ID 8003: RuleAndFileData.FilePath was allowed to run but would have been prevented from running if the AppLocker policy were enforced.
Description
RuleAndFileData.FilePath was allowed to run but would have been prevented from running if the AppLocker policy were enforced.
Fields
| Name | Type | Description |
|---|---|---|
| PolicyNameLength | UInt16 | |
| PolicyNameBuffer | UnicodeString | |
| RuleId | GUID | |
| RuleNameLength | UInt16 | |
| RuleNameBuffer | UnicodeString | |
| RuleSddlLength | UInt16 | |
| RuleSddlBuffer | UnicodeString | |
| TargetUser | SID | |
| TargetProcessId | UInt32 | Process ID of the target process. |
| FilePathLength | UInt16 | |
| FilePathBuffer | UnicodeString | |
| FileHashLength | UInt16 | |
| FileHash | Binary | |
| FqbnLength | UInt16 | |
| Fqbn | UnicodeString | |
| TargetLogonId | HexInt64 | Logon session identifier (LUID) for the target. |
| FullFilePathLength | UInt16 | |
| FullFilePathBuffer | UnicodeString | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-AppLocker",
"guid": "CBDA4DBF-8D5D-4F69-9578-BE14AA540D22",
"event_source_name": "",
"event_id": 8003,
"version": 0,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-02-17T22:20:35.068824+00:00",
"event_record_id": 1172833,
"correlation": {},
"execution": {
"process_id": 4668,
"thread_id": 13560
},
"channel": "Microsoft-Windows-AppLocker/EXE and DLL",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"RuleAndFileData": {
"PolicyNameLength": 3,
"PolicyName": "DLL",
"RuleId": "00000000-0000-0000-0000-000000000000",
"RuleNameLength": 1,
"RuleName": "-",
"RuleSddlLength": 1,
"RuleSddl": "-",
"TargetUser": "S-1-5-18",
"TargetProcessId": 4668,
"FilePathLength": 38,
"FilePath": "%SYSTEM32%\\ONDEMANDCONNROUTEHELPER.DLL",
"FileHashLength": 0,
"FileHash": null,
"FqbnLength": 1,
"Fqbn": "-",
"TargetLogonId": "0x3e7",
"FullFilePathLength": 47,
"FullFilePath": "C:\\Windows\\system32\\OnDemandConnRouteHelper.dll"
}
},
"message": ""
}
Event ID 8004: FilePathBuffer was prevented from running.
Description
FilePathBuffer was prevented from running.
Fields
| Name | Type | Description |
|---|---|---|
| RuleAndFileData.PolicyNameLength | UInt16 | |
| RuleAndFileData.PolicyName | | |
| RuleAndFileData.RuleId | GUID | |
| RuleAndFileData.RuleNameLength | UInt16 | |
| RuleAndFileData.RuleName | | |
| RuleAndFileData.RuleSddlLength | UInt16 | |
| RuleAndFileData.RuleSddl | | |
| RuleAndFileData.TargetUser | SID | |
| RuleAndFileData.TargetProcessId | UInt32 | Process ID of the target process. |
| RuleAndFileData.FilePathLength | UInt16 | |
| RuleAndFileData.FilePath | | |
| RuleAndFileData.FileHashLength | UInt16 | |
| RuleAndFileData.FileHash | Binary | |
| RuleAndFileData.FqbnLength | UInt16 | |
| RuleAndFileData.Fqbn | UnicodeString | |
| RuleAndFileData.TargetLogonId | HexInt64 | Logon session identifier (LUID) for the target. |
| RuleAndFileData.FullFilePathLength | UInt16 | |
| RuleAndFileData.FullFilePath | | |
| PolicyNameLength | UInt16 | |
| PolicyNameBuffer | UnicodeString | |
| RuleId | GUID | |
| RuleNameLength | UInt16 | |
| RuleNameBuffer | UnicodeString | |
| RuleSddlLength | UInt16 | |
| RuleSddlBuffer | UnicodeString | |
| TargetUser | SID | |
| TargetProcessId | UInt32 | Process ID of the target process. |
| FilePathLength | UInt16 | |
| FilePathBuffer | UnicodeString | |
| FileHashLength | UInt16 | |
| FileHash | Binary | |
| FqbnLength | UInt16 | |
| Fqbn | UnicodeString | |
| TargetLogonId | HexInt64 | Logon session identifier (LUID) for the target. |
| FullFilePathLength | UInt16 | |
| FullFilePathBuffer | UnicodeString | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-AppLocker",
"guid": "{CBDA4DBF-8D5D-4F69-9578-BE14AA540D22}",
"event_source_name": "",
"event_id": 8004,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": -9223372036854775808,
"time_created": "2026-05-30T14:14:55.0568115+00:00",
"event_record_id": 1186892,
"correlation": {},
"execution": {
"process_id": 8020,
"thread_id": 4872
},
"channel": "Microsoft-Windows-AppLocker/EXE and DLL",
"computer": "JD-WIN11-22H2-1.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"user_data": {
"RuleAndFileData": {
"PolicyNameLength": "3",
"PolicyName": "EXE",
"RuleId": "{aa000001-0000-0000-0000-00000000d001}",
"RuleNameLength": "19",
"RuleName": "ALTest-Deny-TestExe",
"RuleSddlLength": "70",
"RuleSddl": "D:(XD;;FX;;;S-1-1-0;(APPID://PATH Contains \"C:\\PROGRAMDATA\\ALTEST\\*\"))",
"TargetUser": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"TargetProcessId": "3096",
"FilePathLength": "46",
"FilePath": "%OSDRIVE%\\PROGRAMDATA\\ALTEST\\ALTEST_DENIED.EXE",
"FileHashLength": "0",
"FileHash": "",
"FqbnLength": "115",
"Fqbn": "O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\\MICROSOFT® WINDOWS® OPERATING SYSTEM\\CMD.EXE\\10.0.22621.5840",
"TargetLogonId": "0x315f46f",
"FullFilePathLength": "39",
"FullFilePath": "C:\\ProgramData\\ALTest\\altest_denied.exe"
}
},
"message": "%OSDRIVE%\\PROGRAMDATA\\ALTEST\\ALTEST_DENIED.EXE was prevented from running."
}
Event ID 8005: FilePathBuffer was allowed to run.
Description
FilePathBuffer was allowed to run.
Fields
| Name | Type | Description |
|---|---|---|
| RuleAndFileData.PolicyNameLength | UInt16 | |
| RuleAndFileData.PolicyName | | |
| RuleAndFileData.RuleId | GUID | |
| RuleAndFileData.RuleNameLength | UInt16 | |
| RuleAndFileData.RuleName | | |
| RuleAndFileData.RuleSddlLength | UInt16 | |
| RuleAndFileData.RuleSddl | | |
| RuleAndFileData.TargetUser | SID | |
| RuleAndFileData.TargetProcessId | UInt32 | Process ID of the target process. |
| RuleAndFileData.FilePathLength | UInt16 | |
| RuleAndFileData.FilePath | | |
| RuleAndFileData.FileHashLength | UInt16 | |
| RuleAndFileData.FileHash | Binary | |
| RuleAndFileData.FqbnLength | UInt16 | |
| RuleAndFileData.Fqbn | UnicodeString | |
| RuleAndFileData.TargetLogonId | HexInt64 | Logon session identifier (LUID) for the target. |
| RuleAndFileData.FullFilePathLength | UInt16 | |
| RuleAndFileData.FullFilePath | | |
| PolicyNameLength | UInt16 | |
| PolicyNameBuffer | UnicodeString | |
| RuleId | GUID | |
| RuleNameLength | UInt16 | |
| RuleNameBuffer | UnicodeString | |
| RuleSddlLength | UInt16 | |
| RuleSddlBuffer | UnicodeString | |
| TargetUser | SID | |
| TargetProcessId | UInt32 | Process ID of the target process. |
| FilePathLength | UInt16 | |
| FilePathBuffer | UnicodeString | |
| FileHashLength | UInt16 | |
| FileHash | Binary | |
| FqbnLength | UInt16 | |
| Fqbn | UnicodeString | |
| TargetLogonId | HexInt64 | Logon session identifier (LUID) for the target. |
| FullFilePathLength | UInt16 | |
| FullFilePathBuffer | UnicodeString | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-AppLocker",
"guid": "{CBDA4DBF-8D5D-4F69-9578-BE14AA540D22}",
"event_source_name": "",
"event_id": 8005,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2026-05-30T14:14:51.5552713+00:00",
"event_record_id": 9,
"correlation": {
"ActivityID": "{852E7D3D-86DF-4116-8BA8-601187FFCF75}"
},
"execution": {
"process_id": 5080,
"thread_id": 5184
},
"channel": "Microsoft-Windows-AppLocker/MSI and Script",
"computer": "JD-WIN11-22H2-1.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"user_data": {
"RuleAndFileData": {
"PolicyNameLength": "6",
"PolicyName": "SCRIPT",
"RuleId": "{bb000001-0000-0000-0000-00000000a003}",
"RuleNameLength": "25",
"RuleName": "ALTest-Allow-Script-Users",
"RuleSddlLength": "64",
"RuleSddl": "D:(XA;;FX;;;S-1-1-0;(APPID://PATH Contains \"%OSDRIVE%\\USERS\\*\"))",
"TargetUser": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"TargetProcessId": "5080",
"FilePathLength": "84",
"FilePath": "%OSDRIVE%\\USERS\\DOMAINADMIN\\APPDATA\\LOCAL\\TEMP\\__PSSCRIPTPOLICYTEST_FUGE3UXW.0Q4.PS1",
"FileHashLength": "0",
"FileHash": "",
"FqbnLength": "1",
"Fqbn": "-",
"TargetLogonId": "0x31bfc8f",
"FullFilePathLength": "77",
"FullFilePath": "C:\\Users\\domainadmin\\AppData\\Local\\Temp\\__PSScriptPolicyTest_fuge3uxw.0q4.ps1"
}
},
"message": "%OSDRIVE%\\USERS\\DOMAINADMIN\\APPDATA\\LOCAL\\TEMP\\__PSSCRIPTPOLICYTEST_FUGE3UXW.0Q4.PS1 was allowed to run."
}
Event ID 8006: FilePathBuffer was allowed to run but would have been prevented from running if the AppLocker policy were enforced.
Description
FilePathBuffer was allowed to run but would have been prevented from running if the AppLocker policy were enforced.
Fields
| Name | Type | Description |
|---|---|---|
| PolicyNameLength | UInt16 | |
| PolicyNameBuffer | UnicodeString | |
| RuleId | GUID | |
| RuleNameLength | UInt16 | |
| RuleNameBuffer | UnicodeString | |
| RuleSddlLength | UInt16 | |
| RuleSddlBuffer | UnicodeString | |
| TargetUser | SID | |
| TargetProcessId | UInt32 | Process ID of the target process. |
| FilePathLength | UInt16 | |
| FilePathBuffer | UnicodeString | |
| FileHashLength | UInt16 | |
| FileHash | Binary | |
| FqbnLength | UInt16 | |
| Fqbn | UnicodeString | |
| TargetLogonId | HexInt64 | Logon session identifier (LUID) for the target. |
| FullFilePathLength | UInt16 | |
| FullFilePathBuffer | UnicodeString | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-AppLocker",
"guid": "{CBDA4DBF-8D5D-4F69-9578-BE14AA540D22}",
"event_source_name": "",
"event_id": 8006,
"version": 0,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": "0x4000000000000000",
"time_created": "2026-06-02T17:34:50.927+00:00",
"event_record_id": 0,
"correlation": {
"ActivityID": "{AE3ADFDF-F2B5-0003-07F0-3AAEB5F2DC01}"
},
"execution": {
"process_id": 6096,
"thread_id": 6128
},
"channel": "ETW Trace",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {
"FileHash": "96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7",
"FileHashLength": 32,
"FilePathBuffer": "%OSDRIVE%\\USERS\\LOCALUSER\\APPDATA\\LOCAL\\TEMP\\__PSSCRIPTPOLICYTEST_JHWC5UKO.ZUV.PS1",
"FilePathLength": 82,
"Fqbn": "-",
"FqbnLength": 1,
"FullFilePathBuffer": "C:\\Users\\localuser\\AppData\\Local\\Temp\\__PSScriptPolicyTest_jhwc5uko.zuv.ps1",
"FullFilePathLength": 75,
"PolicyNameBuffer": "SCRIPT",
"PolicyNameLength": 6,
"RuleId": "{00000000-0000-0000-0000-000000000000}",
"RuleNameBuffer": "-",
"RuleNameLength": 1,
"RuleSddlBuffer": "-",
"RuleSddlLength": 1,
"TargetLogonId": "9F74080000000000",
"TargetProcessId": 6096,
"TargetUser": "DESKTOP-FF3N5XK\\localuser"
},
"message": ""
}
Event ID 8007: FilePathBuffer was prevented from running.
Description
FilePathBuffer was prevented from running.
Fields
| Name | Type | Description |
|---|---|---|
| RuleAndFileData.PolicyNameLength | UInt16 | |
| RuleAndFileData.PolicyName | | |
| RuleAndFileData.RuleId | GUID | |
| RuleAndFileData.RuleNameLength | UInt16 | |
| RuleAndFileData.RuleName | | |
| RuleAndFileData.RuleSddlLength | UInt16 | |
| RuleAndFileData.RuleSddl | | |
| RuleAndFileData.TargetUser | SID | |
| RuleAndFileData.TargetProcessId | UInt32 | Process ID of the target process. |
| RuleAndFileData.FilePathLength | UInt16 | |
| RuleAndFileData.FilePath | | |
| RuleAndFileData.FileHashLength | UInt16 | |
| RuleAndFileData.FileHash | Binary | |
| RuleAndFileData.FqbnLength | UInt16 | |
| RuleAndFileData.Fqbn | UnicodeString | |
| RuleAndFileData.TargetLogonId | HexInt64 | Logon session identifier (LUID) for the target. |
| RuleAndFileData.FullFilePathLength | UInt16 | |
| RuleAndFileData.FullFilePath | | |
| PolicyNameLength | UInt16 | |
| PolicyNameBuffer | UnicodeString | |
| RuleId | GUID | |
| RuleNameLength | UInt16 | |
| RuleNameBuffer | UnicodeString | |
| RuleSddlLength | UInt16 | |
| RuleSddlBuffer | UnicodeString | |
| TargetUser | SID | |
| TargetProcessId | UInt32 | Process ID of the target process. |
| FilePathLength | UInt16 | |
| FilePathBuffer | UnicodeString | |
| FileHashLength | UInt16 | |
| FileHash | Binary | |
| FqbnLength | UInt16 | |
| Fqbn | UnicodeString | |
| TargetLogonId | HexInt64 | Logon session identifier (LUID) for the target. |
| FullFilePathLength | UInt16 | |
| FullFilePathBuffer | UnicodeString | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-AppLocker",
"guid": "{CBDA4DBF-8D5D-4F69-9578-BE14AA540D22}",
"event_source_name": "",
"event_id": 8007,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2026-05-30T15:36:09.0839691+00:00",
"event_record_id": 135,
"correlation": {},
"execution": {
"process_id": 6536,
"thread_id": 7128
},
"channel": "Microsoft-Windows-AppLocker/MSI and Script",
"computer": "JD-WIN11-22H2-1.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"user_data": {
"RuleAndFileData": {
"PolicyNameLength": "6",
"PolicyName": "SCRIPT",
"RuleId": "{aaaaaaa2-0000-0000-0000-000000000002}",
"RuleNameLength": "16",
"RuleName": "Deny test script",
"RuleSddlLength": "73",
"RuleSddl": "D:(XD;;FX;;;S-1-1-0;(APPID://PATH Contains \"%OSDRIVE%\\APPLOCKER_TEST\\*\"))",
"TargetUser": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"TargetProcessId": "6536",
"FilePathLength": "36",
"FilePath": "%OSDRIVE%\\APPLOCKER_TEST\\BLOCKED.BAT",
"FileHashLength": "0",
"FileHash": "",
"FqbnLength": "1",
"Fqbn": "-",
"TargetLogonId": "0x6ee77",
"FullFilePathLength": "29",
"FullFilePath": "C:\\applocker_test\\blocked.bat"
}
},
"message": "%OSDRIVE%\\APPLOCKER_TEST\\BLOCKED.BAT was prevented from running."
}
Event ID 8008: FilePathBuffer: AppLocker component not available on this SKU.
Event ID 8009: FilePathBuffer: AppLocker component not available on this SKU.
Event ID 8010: SrpPolicyConversionStart
Event ID 8011: SrpPolicyConversionStop
Event ID 8012: SrpPolicyConversionStop8012
Event ID 8013: SrpPolicyRuleSortStart
Event ID 8014: SrpPolicyRuleSortStop
Event ID 8015: SrpPolicyHitCountJoinStart
Event ID 8016: SrpPolicyHitCountJoinStop
Event ID 8017: SrpPolicyLoad
Example Event
{
"system": {
"provider": "Microsoft-Windows-AppLocker",
"guid": "{CBDA4DBF-8D5D-4F69-9578-BE14AA540D22}",
"event_source_name": "",
"event_id": 8017,
"version": 0,
"level": 4,
"task": 4,
"opcode": 1,
"keywords": "0x0000000000000000",
"time_created": "2026-06-02T06:56:30.673+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 948,
"thread_id": 5404
},
"channel": "ETW Trace",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": "SrpPolicyLoad"
}
Event ID 8018: SrpPolicyLoad
Example Event
{
"system": {
"provider": "Microsoft-Windows-AppLocker",
"guid": "{CBDA4DBF-8D5D-4F69-9578-BE14AA540D22}",
"event_source_name": "",
"event_id": 8018,
"version": 0,
"level": 4,
"task": 4,
"opcode": 2,
"keywords": "0x0000000000000000",
"time_created": "2026-06-02T06:56:30.673+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 948,
"thread_id": 5404
},
"channel": "ETW Trace",
"computer": "DESKTOP-FF3N5XK",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": "SrpPolicyLoad"
}
Event ID 8019: SrpPolicyLoadStop8019
Event ID 8020: PackageBuffer was allowed to run.
Description
PackageBuffer was allowed to run.
Fields
| Name | Type | Description |
|---|---|---|
| RuleAndFileData.PolicyNameLength | UInt16 | |
| RuleAndFileData.PolicyName | | |
| RuleAndFileData.RuleId | GUID | |
| RuleAndFileData.RuleNameLength | UInt16 | |
| RuleAndFileData.RuleName | | |
| RuleAndFileData.RuleSddlLength | UInt16 | |
| RuleAndFileData.RuleSddl | | |
| RuleAndFileData.TargetUser | SID | |
| RuleAndFileData.TargetProcessId | UInt32 | Process ID of the target process. |
| RuleAndFileData.PackageLength | UInt16 | |
| RuleAndFileData.Package | | |
| RuleAndFileData.FqbnLength | UInt16 | |
| RuleAndFileData.Fqbn | UnicodeString | |
| PolicyNameLength | UInt16 | |
| PolicyNameBuffer | UnicodeString | |
| RuleId | GUID | |
| RuleNameLength | UInt16 | |
| RuleNameBuffer | UnicodeString | |
| RuleSddlLength | UInt16 | |
| RuleSddlBuffer | UnicodeString | |
| TargetUser | SID | |
| TargetProcessId | UInt32 | Process ID of the target process. |
| PackageLength | UInt16 | |
| PackageBuffer | UnicodeString | |
| FqbnLength | UInt16 | |
| Fqbn | UnicodeString | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-AppLocker",
"guid": "{CBDA4DBF-8D5D-4F69-9578-BE14AA540D22}",
"event_source_name": "",
"event_id": 8020,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 2305843009213693952,
"time_created": "2026-05-30T15:34:11.4085161+00:00",
"event_record_id": 70,
"correlation": {},
"execution": {
"process_id": 9464,
"thread_id": 3544
},
"channel": "Microsoft-Windows-AppLocker/Packaged app-Execution",
"computer": "JD-WIN11-22H2-1.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"user_data": {
"RuleAndFileData": {
"PolicyNameLength": "4",
"PolicyName": "APPX",
"RuleId": "{cc000001-0000-0000-0000-00000000a001}",
"RuleNameLength": "28",
"RuleName": "ALTest-Allow-AllPackagedApps",
"RuleSddlLength": "81",
"RuleSddl": "D:(XA;;FX;;;S-1-1-0;((Exists APPID://FQBN) && ((APPID://FQBN) >= ({\"*\\*\\*\",0}))))",
"TargetUser": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"TargetProcessId": "8036",
"PackageLength": "37",
"Package": "MICROSOFTWINDOWS.CLIENT.WEBEXPERIENCE",
"FqbnLength": "149",
"Fqbn": "CN=MICROSOFT WINDOWS, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\\MICROSOFTWINDOWS.CLIENT.WEBEXPERIENCE\\MSEDGEWEBVIEW2.EXE\\526.11701.40.00"
}
},
"message": "MICROSOFTWINDOWS.CLIENT.WEBEXPERIENCE was allowed to run."
}
Event ID 8021: PackageBuffer was allowed to run but would have been prevented from running if the AppLocker policy were enforced.
Description
PackageBuffer was allowed to run but would have been prevented from running if the AppLocker policy were enforced.
Fields
| Name | Type | Description |
|---|---|---|
| PolicyNameLength | UInt16 | |
| PolicyNameBuffer | UnicodeString | |
| RuleId | GUID | |
| RuleNameLength | UInt16 | |
| RuleNameBuffer | UnicodeString | |
| RuleSddlLength | UInt16 | |
| RuleSddlBuffer | UnicodeString | |
| TargetUser | SID | |
| TargetProcessId | UInt32 | Process ID of the target process. |
| PackageLength | UInt16 | |
| PackageBuffer | UnicodeString | |
| FqbnLength | UInt16 | |
| Fqbn | UnicodeString | |
Event ID 8022: PackageBuffer was prevented from running.
Description
PackageBuffer was prevented from running.
Fields
| Name | Type | Description |
|---|---|---|
| PolicyNameLength | UInt16 | |
| PolicyNameBuffer | UnicodeString | |
| RuleId | GUID | |
| RuleNameLength | UInt16 | |
| RuleNameBuffer | UnicodeString | |
| RuleSddlLength | UInt16 | |
| RuleSddlBuffer | UnicodeString | |
| TargetUser | SID | |
| TargetProcessId | UInt32 | Process ID of the target process. |
| PackageLength | UInt16 | |
| PackageBuffer | UnicodeString | |
| FqbnLength | UInt16 | |
| Fqbn | UnicodeString | |
Event ID 8023: PackageBuffer was allowed to be installed.
Description
PackageBuffer was allowed to be installed.
Fields
| Name | Type | Description |
|---|---|---|
| RuleAndFileData.PolicyNameLength | UInt16 | |
| RuleAndFileData.PolicyName | | |
| RuleAndFileData.RuleId | GUID | |
| RuleAndFileData.RuleNameLength | UInt16 | |
| RuleAndFileData.RuleName | | |
| RuleAndFileData.RuleSddlLength | UInt16 | |
| RuleAndFileData.RuleSddl | | |
| RuleAndFileData.TargetUser | SID | |
| RuleAndFileData.TargetProcessId | UInt32 | Process ID of the target process. |
| RuleAndFileData.PackageLength | UInt16 | |
| RuleAndFileData.Package | | |
| RuleAndFileData.FqbnLength | UInt16 | |
| RuleAndFileData.Fqbn | UnicodeString | |
| PolicyNameLength | UInt16 | |
| PolicyNameBuffer | UnicodeString | |
| RuleId | GUID | |
| RuleNameLength | UInt16 | |
| RuleNameBuffer | UnicodeString | |
| RuleSddlLength | UInt16 | |
| RuleSddlBuffer | UnicodeString | |
| TargetUser | SID | |
| TargetProcessId | UInt32 | Process ID of the target process. |
| PackageLength | UInt16 | |
| PackageBuffer | UnicodeString | |
| FqbnLength | UInt16 | |
| Fqbn | UnicodeString | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-AppLocker",
"guid": "{CBDA4DBF-8D5D-4F69-9578-BE14AA540D22}",
"event_source_name": "",
"event_id": 8023,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 1152921504606846976,
"time_created": "2026-05-30T15:32:32.5187947+00:00",
"event_record_id": 44,
"correlation": {
"ActivityID": "{55C1F16C-F047-0006-7E5F-C25547F0DC01}"
},
"execution": {
"process_id": 7684,
"thread_id": 8516
},
"channel": "Microsoft-Windows-AppLocker/Packaged app-Deployment",
"computer": "JD-WIN11-22H2-1.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"user_data": {
"RuleAndFileData": {
"PolicyNameLength": "4",
"PolicyName": "APPX",
"RuleId": "{cc000001-0000-0000-0000-00000000a001}",
"RuleNameLength": "28",
"RuleName": "ALTest-Allow-AllPackagedApps",
"RuleSddlLength": "81",
"RuleSddl": "D:(XA;;FX;;;S-1-1-0;((Exists APPID://FQBN) && ((APPID://FQBN) >= ({\"*\\*\\*\",0}))))",
"TargetUser": "S-1-5-21-1006758700-2167138679-1475694448-1105",
"TargetProcessId": "7684",
"PackageLength": "32",
"Package": "Microsoft.WidgetsPlatformRuntime",
"FqbnLength": "128",
"Fqbn": "CN=MICROSOFT CORPORATION, O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\\MICROSOFT.WIDGETSPLATFORMRUNTIME\\APPX\\1.6.18.00"
}
},
"message": "Microsoft.WidgetsPlatformRuntime was allowed to be installed."
}
Event ID 8024: PackageBuffer was allowed to run but would have been prevented from running if the AppLocker policy were enforced.
Description
PackageBuffer was allowed to run but would have been prevented from running if the AppLocker policy were enforced.
Fields
| Name | Type | Description |
|---|---|---|
| PolicyNameLength | UInt16 | |
| PolicyNameBuffer | UnicodeString | |
| RuleId | GUID | |
| RuleNameLength | UInt16 | |
| RuleNameBuffer | UnicodeString | |
| RuleSddlLength | UInt16 | |
| RuleSddlBuffer | UnicodeString | |
| TargetUser | SID | |
| TargetProcessId | UInt32 | Process ID of the target process. |
| PackageLength | UInt16 | |
| PackageBuffer | UnicodeString | |
| FqbnLength | UInt16 | |
| Fqbn | UnicodeString | |
Event ID 8025: PackageBuffer was prevented from running.
Description
PackageBuffer was prevented from running.
Fields
| Name | Type | Description |
|---|---|---|
| PolicyNameLength | UInt16 | |
| PolicyNameBuffer | UnicodeString | |
| RuleId | GUID | |
| RuleNameLength | UInt16 | |
| RuleNameBuffer | UnicodeString | |
| RuleSddlLength | UInt16 | |
| RuleSddlBuffer | UnicodeString | |
| TargetUser | SID | |
| TargetProcessId | UInt32 | Process ID of the target process. |
| PackageLength | UInt16 | |
| PackageBuffer | UnicodeString | |
| FqbnLength | UInt16 | |
| Fqbn | UnicodeString | |
Event ID 8026: No packaged apps can be executed while Exe rules are being enforced and no Packaged app rules have been configured.
Description
No packaged apps can be executed while Exe rules are being enforced and no Packaged app rules have been configured.
Event ID 8027: No packaged apps can be executed while Exe rules are being enforced and no Packaged app rules have been configured.
Description
No packaged apps can be executed while Exe rules are being enforced and no Packaged app rules have been configured.
Event ID 8028: FilePath was allowed to run but would have been prevented if the Config CI policy were enforced.
Description
FilePath was allowed to run but would have been prevented if the Config CI policy were enforced.
Fields
| Name | Type | Description |
|---|---|---|
| FilePathLength | UInt16 | |
| FilePath | UnicodeString | |
| Sha1Hash | Binary | |
| Sha256Hash | Binary | |
| Result | Int32 | |
| USN | Int64 | |
| Sha1CatalogHash | Binary | |
| Sha256CatalogHash | Binary | |
| UserWriteable | Boolean | |
| DetachedSignatureFilePathLength | | |
| DetachedSignatureFilePath | | |
| OriginalFileNameLength | | |
| OriginalFilename | | |
| InternalNameLength | | |
| InternalName | | |
| FileDescriptionLength | | |
| FileDescription | | |
| ProductNameLength | | |
| ProductName | | |
| FileVersionLength | | |
| FileVersion | | |
| PolicyNameLength | | |
| PolicyName | | |
| PolicyIDLength | | |
| PolicyID | | |
| PolicyGUID | | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-AppLocker",
"guid": "CBDA4DBF-8D5D-4F69-9578-BE14AA540D22",
"event_source_name": "",
"event_id": 8028,
"version": 0,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2023-11-06T00:54:55.214802+00:00",
"event_record_id": 241,
"correlation": {
"ActivityID": "E4DB489E-1037-0001-6B7D-E5E43710DA01"
},
"execution": {
"process_id": 12792,
"thread_id": 6736
},
"channel": "Microsoft-Windows-AppLocker/MSI and Script",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"FilePathLength": 70,
"FilePath": "C:\\Windows\\Installer\\{6F11CAC3-D33D-4360-B139-73F3276A2B9A}\\loc.en.mst",
"Sha1Hash": "C9FD8657FD8262EF19369B5FB6CAA7CB7632FC87",
"Sha256Hash": "3881BD701A2B9DE71742065AADC110FBFFD17F127785FDA4E17570A77FC3FA84",
"Result": -790036478,
"USN": 309169000,
"Sha1CatalogHash": "C9FD8657FD8262EF19369B5FB6CAA7CB7632FC87",
"Sha256CatalogHash": "9A71D576BC994B8C6DCFA683B38313596DCE7774784D46EFC5FE5D97724043BC",
"UserWriteable": false
},
"message": ""
}
Event ID 8029: FilePath was prevented from running due to Config CI policy.
Description
FilePath was prevented from running due to Config CI policy.
Fields
| Name | Type | Description |
|---|---|---|
| FilePathLength | UInt16 | |
| FilePath | UnicodeString | |
| Sha1Hash | Binary | |
| Sha256Hash | Binary | |
| Result | Int32 | |
| USN | Int64 | |
| Sha1CatalogHash | Binary | |
| Sha256CatalogHash | Binary | |
| UserWriteable | Boolean | |
| DetachedSignatureFilePathLength | UInt16 | |
| DetachedSignatureFilePath | UnicodeString | |
| OriginalFileNameLength | UInt16 | |
| OriginalFilename | UnicodeString | |
| InternalNameLength | UInt16 | |
| InternalName | UnicodeString | |
| FileDescriptionLength | UInt16 | |
| FileDescription | UnicodeString | |
| ProductNameLength | UInt16 | |
| ProductName | UnicodeString | |
| FileVersionLength | UInt16 | |
| FileVersion | UnicodeString | |
| PolicyNameLength | UInt16 | |
| PolicyName | UnicodeString | |
| PolicyIDLength | UInt16 | |
| PolicyID | UnicodeString | |
| PolicyGUID | GUID | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-AppLocker",
"guid": "{CBDA4DBF-8D5D-4F69-9578-BE14AA540D22}",
"event_source_name": "",
"event_id": 8029,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2026-05-30T14:47:49.0454544+00:00",
"event_record_id": 53,
"correlation": {
"ActivityID": "{01270331-F043-000C-7B06-270143F0DC01}"
},
"execution": {
"process_id": 8672,
"thread_id": 8852
},
"channel": "Microsoft-Windows-AppLocker/MSI and Script",
"computer": "JD-WIN11-22H2-1.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"FilePathLength": "190",
"FilePath": "C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\DataCollection\\8824.15672628.0.15672628-8b171f9ec9ed2bf3419a2050d3b34777657e0caf\\05f2c576-9ed5-41eb-9b1e-1b653eebfdff.ps1",
"Sha1Hash": "A33BA45F00EB5ED27A1F94E26427C236AAC525F6",
"Sha256Hash": "A7012F1C99D806B1241D617B735C478135EA18E699E36F675FC68D8265D4148D",
"Result": "-790036478",
"USN": "2273922288",
"Sha1CatalogHash": "A33BA45F00EB5ED27A1F94E26427C236AAC525F6",
"Sha256CatalogHash": "82CF9DB102B7054E4344C430C45E02C8D0C9801DEB410A6B416BF2E3764D308B",
"UserWriteable": "false"
},
"message": "C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\DataCollection\\8824.15672628.0.15672628-8b171f9ec9ed2bf3419a2050d3b34777657e0caf\\05f2c576-9ed5-41eb-9b1e-1b653eebfdff.ps1 was prevented from running due to Config CI policy."
}
Event ID 8030: ManagedInstaller check SUCCEEDED during Appid verification of ImageNameLength.
Description
ManagedInstaller check SUCCEEDED during Appid verification of.
Fields
| Name | Type | Description |
|---|---|---|
| ImageNameLength | UInt16 | |
| ImageName | UnicodeString | |
| ParentProcessLength | UInt16 | |
| ParentProcess | AnsiString | |
| StatusCode | HexInt32 | NTSTATUS reference |
| AppLockerReason | UInt32 | |
| Bucket | UInt32 | |
| USN | UInt64 | |
| NtfsFileIdSize | UInt16 | |
| NtfsFileId | Binary | |
| OriginDataPresent | Boolean | |
| SessionId | GUID | |
| SubSessionId | GUID | |
| Origin | UInt32 | Known values |
| Type | UInt32 | |
| Generation | UInt32 | |
| SmartScreen | UInt32 | |
| RevocationID | UInt32 | |
| DataLength | UInt16 | |
| Data | UnicodeString | |
Event ID 8031: SmartlockerFilter detected file FileName being written by process CurrentProcess.
Description
SmartlockerFilter detected file FileName being written by process CurrentProcess.
Fields
| Name | Type | Description |
|---|---|---|
| FileNameLength | UInt16 | |
| FileName | UnicodeString | |
| CurrentProcessLength | UInt16 | |
| CurrentProcess | AnsiString | |
| ParentProcessLength | UInt16 | |
| ParentProcess | AnsiString | |
| USN | UInt64 | |
| NtfsFileIdSize | UInt16 | |
| NtfsFileId | Binary | |
| OriginDataPresent | Boolean | |
| SessionId | GUID | |
| Origin | UInt32 | Known values |
| Type | UInt32 | |
| Generation | UInt32 | |
| SmartScreen | UInt32 | |
| DataLength | UInt16 | |
| Data | UnicodeString | |
Event ID 8032: ManagedInstaller check FAILED during Appid verification of ImageNameLength.
Description #
ManagedInstaller check FAILED during Appid verification of.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| ImageNameLength | UInt16 | |
| ImageName | UnicodeString | |
| ParentProcessLength | UInt16 | |
| ParentProcess | AnsiString | |
| StatusCode | HexInt32 | NTSTATUS reference |
| AppLockerReason | UInt32 | |
| Bucket | UInt32 | |
| USN | UInt64 | |
| NtfsFileIdSize | UInt16 | |
| NtfsFileId | Binary | |
| OriginDataPresent | Boolean | |
| SessionId | GUID | |
| SubSessionId | GUID | |
| Origin | UInt32 | Known values |
| Type | UInt32 | |
| Generation | UInt32 | |
| SmartScreen | UInt32 | |
| RevocationID | UInt32 | |
| DataLength | UInt16 | |
| Data | UnicodeString | |
Event ID 8033: ManagedInstaller check FAILED during Appid verification of ImageNameLength.
Description #
ManagedInstaller check FAILED during Appid verification of.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| ImageNameLength | UInt16 | |
| ImageName | UnicodeString | |
| ParentProcessLength | UInt16 | |
| ParentProcess | AnsiString | |
| StatusCode | HexInt32 | NTSTATUS reference |
| AppLockerReason | UInt32 | |
| Bucket | UInt32 | |
| USN | UInt64 | |
| NtfsFileIdSize | UInt16 | |
| NtfsFileId | Binary | |
| OriginDataPresent | Boolean | |
| SessionId | GUID | |
| SubSessionId | GUID | |
| Origin | UInt32 | Known values |
| Type | UInt32 | |
| Generation | UInt32 | |
| SmartScreen | UInt32 | |
| RevocationID | UInt32 | |
| DataLength | UInt16 | |
| Data | UnicodeString | |
Event ID 8034: ManagedInstaller Script check FAILED during Appid verification of ImageNameLength.
Description #
ManagedInstaller Script check FAILED during Appid verification of.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| ImageNameLength | UInt16 | |
| ImageName | UnicodeString | |
| StatusCode | HexInt32 | NTSTATUS reference |
| Bucket | UInt32 | |
| OriginDataPresent | Boolean | |
| SessionId | GUID | |
| SubSessionId | GUID | |
| Origin | UInt32 | Known values |
| Type | UInt32 | |
| Generation | UInt32 | |
| SmartScreen | UInt32 | |
| RevocationID | UInt32 | |
| DataLength | UInt16 | |
| Data | UnicodeString | |
Event ID 8035: ManagedInstaller Script check SUCCEEDED during Appid verification of ImageNameLength.
Description #
ManagedInstaller Script check SUCCEEDED during Appid verification of.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| ImageNameLength | UInt16 | |
| ImageName | UnicodeString | |
| StatusCode | HexInt32 | NTSTATUS reference |
| Bucket | UInt32 | |
| OriginDataPresent | Boolean | |
| SessionId | GUID | |
| SubSessionId | GUID | |
| Origin | UInt32 | Known values |
| Type | UInt32 | |
| Generation | UInt32 | |
| SmartScreen | UInt32 | |
| RevocationID | UInt32 | |
| DataLength | UInt16 | |
| Data | UnicodeString | |
Event ID 8036: CLSID was prevented from running due to Config CI policy.
Event ID 8037: FilePath passed Config CI policy and was allowed to run.
Description #
FilePath passed Config CI policy and was allowed to run.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| FilePathLength | UInt16 | |
| FilePath | UnicodeString | |
| Sha1Hash | Binary | |
| Sha256Hash | Binary | |
| Result | Int32 | |
| USN | Int64 | |
| Sha1CatalogHash | Binary | |
| Sha256CatalogHash | Binary | |
| UserWriteable | Boolean | |
| DetachedSignatureFilePathLength | | |
| DetachedSignatureFilePath | | |
| OriginalFileNameLength | | |
| OriginalFilename | | |
| InternalNameLength | | |
| InternalName | | |
| FileDescriptionLength | | |
| FileDescription | | |
| ProductNameLength | | |
| ProductName | | |
| FileVersionLength | | |
| FileVersion | | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-AppLocker",
"guid": "CBDA4DBF-8D5D-4F69-9578-BE14AA540D22",
"event_source_name": "",
"event_id": 8037,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2023-11-05T23:23:27.417018+00:00",
"event_record_id": 212,
"correlation": {
"ActivityID": "E4DB489E-1037-0000-B137-E1E43710DA01"
},
"execution": {
"process_id": 4436,
"thread_id": 4748
},
"channel": "Microsoft-Windows-AppLocker/MSI and Script",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-21-1992711665-1655669231-58201500-1000"
}
},
"event_data": {
"FilePathLength": 52,
"FilePath": "C:\\Users\\User\\AppData\\Local\\Temp\\5727A9~1\\target.msi",
"Sha1Hash": "BZ5vuVS8kFhj0G/vkELAqCSVqZQ=",
"Sha256Hash": "V6OaWrftehYv3pf3Ok8wTra6kixgNW/+/Gv+5qiK/k4=",
"Result": "",
"USN": "p�t\u0010",
"Sha1CatalogHash": "BZ5vuVS8kFhj0G/vkELAqCSVqZQ=",
"Sha256CatalogHash": "vuwjuOrQZfho6c2gISZZmGl+eXBkI0qHyIi+luLHAGA=",
"UserWriteable": true
},
"message": ""
}
References #
Event ID 8038: Publisher info.
Description #
Publisher info.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| TotalSignatureCount | UInt32 | |
| Signature | UInt32 | |
| PublisherNameLength | UInt16 | |
| PublisherName | UnicodeString | |
| IssuerNameLength | UInt16 | |
| IssuerName | UnicodeString | |
| PublisherTBSHashSize | UInt32 | |
| PublisherTBSHash | Binary | |
| IssuerTBSHashSize | UInt32 | |
| IssuerTBSHash | Binary | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-AppLocker",
"guid": "{cbda4dbf-8d5d-4f69-9578-be14aa540d22}",
"event_source_name": "",
"event_id": 8038,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2023-11-06T00:54:55.214842+00:00",
"event_record_id": 242,
"correlation": {
"ActivityID": "E4DB489E-1037-0001-6B7D-E5E43710DA01"
},
"execution": {
"process_id": 12792,
"thread_id": 6736
},
"channel": "Microsoft-Windows-AppLocker/MSI and Script",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
References #
Event ID 8039: Package family name Version version GUID was allowed to install or update but would have been prevented if the Config CI policy.
Description #
Package family name Version version GUID was allowed to install or update but would have been prevented if the Config CI policy (Name:PackageFamilyName ID:PolicyNameLength Version:PolicyName GUID:PolicyIDLength) were enforced. Status PolicyID.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| PackageFamilyNameLength | UInt16 | |
| PackageFamilyName | UnicodeString | |
| PackageVersion | UInt64 | |
| PolicyNameLength | UInt16 | |
| PolicyName | UnicodeString | |
| PolicyIDLength | UInt16 | |
| PolicyID | UnicodeString | |
| PolicyVersion | UInt64 | |
| PolicyGuid | GUID | |
| Status | HexInt32 | NTSTATUS reference |
References #
Event ID 8040: Package family name Version version GUID was prevented from installing or updating due to Config CI policy (Name:PackageFamilyName ID:PolicyNameLength Version:PolicyName GUID:PolicyIDLength).
Description #
Package family name Version version GUID was prevented from installing or updating due to Config CI policy (Name:PackageFamilyName ID:PolicyNameLength Version:PolicyName GUID:PolicyIDLength). Status PolicyID.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| PackageFamilyNameLength | UInt16 | |
| PackageFamilyName | UnicodeString | |
| PackageVersion | UInt64 | |
| PolicyNameLength | UInt16 | |
| PolicyName | UnicodeString | |
| PolicyIDLength | UInt16 | |
| PolicyID | UnicodeString | |
| PolicyVersion | UInt64 | |
| PolicyGuid | GUID | |
| Status | HexInt32 | NTSTATUS reference |
References #
Event ID 8041: A Subject was allowed to ExecutionDecision by system execution policy.
Event ID 8042: A Subject was not allowed to be executed by system execution policy.
Event ID 8043: Process RegisterUninstallStringEventData.ProcessName attempted to register UninstallString RegisterUninstallStringEventData.UninstallString, Status: RegisterUninstallStringEventData.Status.
Description #
Process RegisterUninstallStringEventData.ProcessName attempted to register UninstallString RegisterUninstallStringEventData.UninstallString, Status: RegisterUninstallStringEventData.Status.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| UninstallStringLength | | |
| UninstallString | | |
| UninstallerPathLength | | |
| UninstallerPath | | |
| ProcessNameLength | | |
| ProcessName | | |
| SessionId | | |
| SubSessionId | | |
| Status | | |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-AppLocker",
"guid": "CBDA4DBF-8D5D-4F69-9578-BE14AA540D22",
"event_source_name": "",
"event_id": 8043,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2023-11-06T01:02:05.721093+00:00",
"event_record_id": 43,
"correlation": {},
"execution": {
"process_id": 12912,
"thread_id": 13892
},
"channel": "Microsoft-Windows-AppLocker/EXE and DLL",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-21-1992711665-1655669231-58201500-1000"
}
},
"user_data": {
"RegisterUninstallStringEventData": {
"UninstallStringLength": 43,
"UninstallString": "\"C:\\Program Files\\TeamViewer\\uninstall.exe\"",
"UninstallerPathLength": 53,
"UninstallerPath": "\\DosDevices\\C:\\Program Files\\TeamViewer\\uninstall.exe",
"ProcessNameLength": 78,
"ProcessName": "\\Device\\HarddiskVolume4\\Users\\User\\AppData\\Local\\Temp\\CDD35C~1\\TeamViewer_.exe",
"SessionId": "F205B252-1454-4144-BD5A-E00D8E398514",
"SubSessionId": "0A236C0E-D7AD-508F-13CB-E8248F7D7476",
"Status": 0
}
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 8044: Checking cmdline UninstallStringLength against registered UninstallStrings CmdlineLength, MatchFound: Cmdline, Status:MatchFound.
Description #
Checking cmdline UninstallStringLength against registered UninstallStrings CmdlineLength, MatchFound: Cmdline, Status:MatchFound.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| UninstallStringLength | UInt16 | |
| UninstallString | UnicodeString | |
| CmdlineLength | UInt16 | |
| Cmdline | UnicodeString | |
| MatchFound | Boolean | |
| Status | HexInt32 | NTSTATUS reference |
Event ID 8045: Smart App Control Block Details
Description #
Smart App Control Block Details.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| FilePathLength | UInt16 | |
| FilePathBuffer | UnicodeString | |
| FileSha256Hash | Binary | |
| DefenderScanResultDetails | UInt32 | |
| DefenderClientStatusCode | Int32 | |
| DefenderCloudHTTPCode | HexInt32 | |
| DefenderEngineReportGUID | GUID | |
| DefenderFlags | Int64 | |
| DefenderCalled | UInt32 | |
| DefenderCallAttempted | UInt32 | |
| DefenderCloudCallRequested | UInt32 | |
| DefenderMadeCloudCall | UInt32 | |
| ExternalAuthorizationFlags | UInt32 | |
Event ID 8045
Description #
Smart App Control Block Details.
Fields #
| Name | Type | Description |
|---|---|---|
| FilePathLength | UInt16 | |
| FilePathBuffer | UnicodeString | |
| FileSha256Hash | Binary | |
| DefenderScanResultDetails | UInt32 | |
| DefenderClientStatusCode | Int32 | |
| DefenderCloudHTTPCode | HexInt32 | |
| DefenderEngineReportGUID | GUID | |
| DefenderFlags | Int64 | |
| DefenderCalled | UInt32 | |
| DefenderCallAttempted | UInt32 | |
| DefenderCloudCallRequested | UInt32 | |
| DefenderMadeCloudCall | UInt32 | |
| ExternalAuthorizationFlags | UInt32 | |
Event ID 9000: The application setting with ID 'AppID' and name 'SettingName' was queried.
Event ID 9001: The application setting with ID 'AppID' and name 'SettingName' was queried, and would have a different value if all policies were enforcing.
Description #
The application setting with ID 'AppID' and name 'SettingName' was queried, and would have a different value if all policies were enforcing. For more information, see the details tab.
Message #
Fields #
| Name | Type | Description |
|---|---|---|
| AppID | UnicodeString | |
| SettingName | UnicodeString | |
| SettingType | UInt32 | |
| ValueCount | UInt32 | |
| Value | UnicodeString | |
| AuditValueCount | UInt32 | |
| AuditValue | UnicodeString | |
Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID {CBDA4DBF-8D5D-4F69-9578-BE14AA540D22}
Defined in srpapi.dll, which carries the event manifest.
Observed on:
- Win11-26200.6584, sample captured from a live trace, binary version 10.0.26100.1, captured 2026-06-02
- WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.4647, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.1, captured 2026-06-02