AppLocker

AppLocker is an application whitelisting technology introduced with Microsoft's Windows 7 operating system. It allows restricting which programs users can execute based on the program's path, publisher, or hash, [1] and in an enterprise can be configured via Group Policy.

Summary

Windows AppLocker allows administrators to control which executable files are denied or allowed to execute. With AppLocker, administrators can create rules based on file names, publishers or file location that allow certain files to execute. Unlike the earlier Software Restriction Policies, which were originally available for Windows XP and Windows Server 2003, [2] AppLocker rules can apply to individual users or groups. Policies are used to group users into different enforcement levels. For example, some users can be added to an 'audit' policy that lets administrators see the rule violations before moving those users to a higher enforcement level.
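The audit-before-enforce workflow described above, as an added example that is not part of the original article: the script derives publisher and hash rules from a directory of approved binaries, pins the policy to AuditOnly, dry-runs it against sample files and then reads back the audit events. The directory, file names and output path are assumptions for illustration; the cmdlets are those of the built-in AppLocker PowerShell module.

```powershell
# Added example (not from the article): build an AppLocker EXE policy from a
# reference directory, deploy it in audit-only mode, and review violations.
Import-Module AppLocker

$refDir    = 'C:\Program Files\ContosoApp'        # assumed directory of approved binaries
$policyXml = Join-Path $env:TEMP 'applocker-audit.xml'

# 1. Inventory executables and derive rules. Publisher rules are preferred because
#    they survive version updates; hash rules are the fallback for unsigned files.
$files  = Get-AppLockerFileInformation -Directory $refDir -Recurse -FileType Exe
$policy = [xml]($files | New-AppLockerPolicy -RuleType Publisher, Hash `
              -User Everyone -RuleNamePrefix 'Contoso' -Optimize `
              -IgnoreMissingFileInformation -Xml)

# 2. Force every rule collection to AuditOnly before deploying. In this mode the
#    policy logs what it would block (the 'audit' level mentioned above) without
#    actually blocking anything, so rule gaps surface without breaking users.
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$policy.Save($policyXml)

# 3. Dry run: how would the policy decide for a given file and user?
#    Output lists FilePath, PolicyDecision (Allowed/Denied) and the matching rule.
Test-AppLockerPolicy -XmlPolicy $policyXml -User Everyone -Path @(
    (Join-Path $refDir 'contoso.exe'),       # assumed approved binary
    'C:\Users\Public\Downloads\unknown.exe'  # assumed unapproved binary
) | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 4. Apply locally (Group Policy is used instead for a fleet). The Application
#    Identity service (AppIDSvc) must be running for AppLocker to evaluate rules.
Set-AppLockerPolicy -XmlPolicy $policyXml

# 5. After the audit period, summarise files that would have been blocked, so
#    missing rules can be added before switching the collection to Enabled.
Get-AppLockerFileInformation -EventLog `
    -LogPath 'Microsoft-Windows-AppLocker/EXE and DLL' `
    -EventType Audited -Statistics |
    Sort-Object Counter -Descending | Format-Table -AutoSize
```

Run from an elevated PowerShell on a Windows edition that supports AppLocker enforcement (see the availability charts); the same procedure applies to the Dll, Script and WindowsInstaller collections by changing -FileType and -LogPath.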

AppLocker availability charts

AppLocker availability on Windows 7 [3]

  Starter        No
  Home Basic     No
  Home Premium   No
  Professional   Create policies, but cannot enforce
  Enterprise     Create and enforce policies
  Ultimate       Create and enforce policies

AppLocker availability on Windows 8 [4]

  RT             No
  (Core)         No
  Pro            No
  Enterprise     Yes

AppLocker availability on Windows 10 [5] [6] [7]

  Home           Yes
  Pro            Yes
  Enterprise     Yes
  Education      Yes

Bypass techniques

There are several generic techniques for bypassing AppLocker:

References

  1. "AppLocker". Microsoft TechNet. Microsoft. Retrieved 23 August 2012.
  2. "Using Software Restriction Policies to Protect Against Unauthorized Software". Microsoft TechNet. Microsoft. 11 September 2009. Retrieved 27 July 2017.
  3. "Windows Versions That Support AppLocker". Microsoft. 17 November 2009. Retrieved 27 July 2017.
  4. Visser, Erwin (18 April 2012). "Introducing Windows 8 Enterprise and Enhanced Software Assurance for Today's Modern Workforce". Windows for your Business. Microsoft. Archived from the original on 25 December 2012. Retrieved 22 November 2012.
  5. Dudau, Vlad (10 June 2015). "Microsoft shows OEMs how to market Windows 10; talks features and SKUs". Neowin. Neowin LLC. Retrieved 19 June 2015.
  6. "Find out which Windows is right for you". Microsoft. Retrieved 2 July 2015.
  7. "Removal of Windows edition checks for AppLocker". Microsoft. Retrieved 22 February 2023.
  8. "AppLocker Bypass – InstallUtil". Penetration Testing Lab. 8 May 2017. Retrieved 27 July 2017.
  9. "AppLocker Bypass Techniques". Evi1cg's blog. 12 September 2016. Retrieved 27 July 2017.
  10. "How to Bypass Windows AppLocker". Hacking Tutorial. 19 April 2017. Retrieved 27 July 2017.
  11. "caseysmithrc/gethelp.cs". GitHub Gist. Archived from the original on 14 May 2019. Retrieved 14 May 2019.
  12. "Bypassing Application Whitelisting". CERT/CC Blog. 29 June 2016. Retrieved 27 July 2017.