Microsoft-Windows-SoftwareRestrictionPolicies
6 events across 1 channel
Event ID 50: Access to AttemptedPath is monitored by policy rule SrpRuleGuid.
#Event ID 865: Access to AttemptedPath has been restricted by your Administrator by the default software restriction policy level.
#Description
Access to AttemptedPath has been restricted by your Administrator by the default software restriction policy level.
Message #
Fields #
| Name | Description |
|---|---|
AttemptedPath UnicodeString |
Detection Patterns #
Execution: Software Deployment Tools
SoftwareRestrictionPolicies Event ID 865: Access to AttemptedPath has been restricted by your Administrator by the default software restriction policy level.OREvent ID 866: Access to AttemptedPath has been restricted by your Administrator by location with policy rule SrpRuleGuid placed on path RulePath.OREvent ID 867: Access to AttemptedPath has been restricted by your Administrator by software publisher policy.OREvent ID 868: Access to AttemptedPath has been restricted by your Administrator by policy rule SrpRuleGuid.OREvent ID 882: Access to AttemptedPath has been restricted by your Administrator by policy rule SrpRuleGuid.
1 rule
Event ID 866: Access to AttemptedPath has been restricted by your Administrator by location with policy rule SrpRuleGuid placed on path RulePath.
#Description
Access to AttemptedPath has been restricted by your Administrator by location with policy rule SrpRuleGuid placed on path RulePath.
Message #
Fields #
| Name | Description |
|---|---|
PathGuidAndRule.AttemptedPath UnicodeString | |
PathGuidAndRule.SrpRuleGuid GUID | |
PathGuidAndRule.RulePath UnicodeString | |
AttemptedPath UnicodeString | |
SrpRuleGuid GUID | |
RulePath UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SoftwareRestrictionPolicies",
"guid": "{7D29D58A-931A-40AC-8743-48C733045548}",
"event_source_name": "",
"event_id": 866,
"version": 0,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": -9223372036854775808,
"time_created": "2026-05-30T15:39:52.0982744+00:00",
"event_record_id": 216872,
"correlation": {},
"execution": {
"process_id": 5536,
"thread_id": 2924
},
"channel": "Application",
"computer": "JD-WIN11-22H2-1.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"user_data": {
"PathGuidAndRule": {
"AttemptedPath": "C:\\srp_test\\blocked.exe",
"SrpRuleGuid": "{bbbbbbb1-0000-0000-0000-000000000001}",
"RulePath": "C:\\srp_test\\*"
}
},
"message": "Access to C:\\srp_test\\blocked.exe has been restricted by your Administrator by location with policy rule {bbbbbbb1-0000-0000-0000-000000000001} placed on path C:\\srp_test\\*."
}
Detection Patterns #
Execution: Software Deployment Tools
SoftwareRestrictionPolicies Event ID 865: Access to AttemptedPath has been restricted by your Administrator by the default software restriction policy level.OREvent ID 866: Access to AttemptedPath has been restricted by your Administrator by location with policy rule SrpRuleGuid placed on path RulePath.OREvent ID 867: Access to AttemptedPath has been restricted by your Administrator by software publisher policy.OREvent ID 868: Access to AttemptedPath has been restricted by your Administrator by policy rule SrpRuleGuid.OREvent ID 882: Access to AttemptedPath has been restricted by your Administrator by policy rule SrpRuleGuid.
1 rule
Event ID 867: Access to AttemptedPath has been restricted by your Administrator by software publisher policy.
#Description
Access to AttemptedPath has been restricted by your Administrator by software publisher policy.
Message #
Fields #
| Name | Description |
|---|---|
AttemptedPath UnicodeString |
Detection Patterns #
Execution: Software Deployment Tools
SoftwareRestrictionPolicies Event ID 865: Access to AttemptedPath has been restricted by your Administrator by the default software restriction policy level.OREvent ID 866: Access to AttemptedPath has been restricted by your Administrator by location with policy rule SrpRuleGuid placed on path RulePath.OREvent ID 867: Access to AttemptedPath has been restricted by your Administrator by software publisher policy.OREvent ID 868: Access to AttemptedPath has been restricted by your Administrator by policy rule SrpRuleGuid.OREvent ID 882: Access to AttemptedPath has been restricted by your Administrator by policy rule SrpRuleGuid.
1 rule
Event ID 868: Access to AttemptedPath has been restricted by your Administrator by policy rule SrpRuleGuid.
#Description
Access to AttemptedPath has been restricted by your Administrator by policy rule SrpRuleGuid.
Message #
Fields #
| Name | Description |
|---|---|
PathAndGuid.AttemptedPath UnicodeString | |
PathAndGuid.SrpRuleGuid GUID | |
AttemptedPath UnicodeString | |
SrpRuleGuid GUID |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-SoftwareRestrictionPolicies",
"guid": "{7D29D58A-931A-40AC-8743-48C733045548}",
"event_source_name": "",
"event_id": 868,
"version": 0,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": -9223372036854775808,
"time_created": "2026-05-30T14:07:12.2933825+00:00",
"event_record_id": 267242,
"correlation": {
"ActivityID": "{14429F51-EFE2-000B-37E8-4214E2EFDC01}"
},
"execution": {
"process_id": 12392,
"thread_id": 3896
},
"channel": "Application",
"computer": "JD-DC01-2022.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"user_data": {
"PathAndGuid": {
"AttemptedPath": "C:\\SrpTest\\srp_hashrule.exe",
"SrpRuleGuid": "{fac641ae-da29-4870-9429-1e17ac53758b}"
}
},
"message": "Access to C:\\SrpTest\\srp_hashrule.exe has been restricted by your Administrator by policy rule {fac641ae-da29-4870-9429-1e17ac53758b}."
}
Detection Patterns #
Execution: Software Deployment Tools
SoftwareRestrictionPolicies Event ID 865: Access to AttemptedPath has been restricted by your Administrator by the default software restriction policy level.OREvent ID 866: Access to AttemptedPath has been restricted by your Administrator by location with policy rule SrpRuleGuid placed on path RulePath.OREvent ID 867: Access to AttemptedPath has been restricted by your Administrator by software publisher policy.OREvent ID 868: Access to AttemptedPath has been restricted by your Administrator by policy rule SrpRuleGuid.OREvent ID 882: Access to AttemptedPath has been restricted by your Administrator by policy rule SrpRuleGuid.
1 rule
Event ID 882: Access to AttemptedPath has been restricted by your Administrator by policy rule SrpRuleGuid.
#Description
Access to AttemptedPath has been restricted by your Administrator by policy rule SrpRuleGuid.
Message #
Fields #
| Name | Description |
|---|---|
AttemptedPath UnicodeString | |
SrpRuleGuid GUID |
Detection Patterns #
Execution: Software Deployment Tools
SoftwareRestrictionPolicies Event ID 865: Access to AttemptedPath has been restricted by your Administrator by the default software restriction policy level.OREvent ID 866: Access to AttemptedPath has been restricted by your Administrator by location with policy rule SrpRuleGuid placed on path RulePath.OREvent ID 867: Access to AttemptedPath has been restricted by your Administrator by software publisher policy.OREvent ID 868: Access to AttemptedPath has been restricted by your Administrator by policy rule SrpRuleGuid.OREvent ID 882: Access to AttemptedPath has been restricted by your Administrator by policy rule SrpRuleGuid.
1 rule
Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID 7d29d58a-931a-40ac-8743-48c733045548
Defined in Microsoft-Windows-System-Events.dll, which carries the event manifest.
Observed on:
- WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.3932, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.5074, captured 2026-06-02