AppLocker Events

Vendor Documentation

Classification

Rule Name                                         Rule Type  Rule Status  Common Event                          Classification
AppLocker Events                                  Base Rule  Production   General Logging Information           Information
EVID 8001 : Policy Successfully Applied           Sub Rule   Production   Configuration Enabled : Application   Configuration
EVID 8002 : EXE Or DLL Allowed To Run             Sub Rule   Production   Process/Service Started               Startup and Shutdown
EVID 8003 : Process Allowed But Would Be Blocked  Sub Rule   Production   Process/Service Started               Startup and Shutdown
EVID 8004 : Process Not Allowed To Run            Sub Rule   Production   Process Failed                        Error
EVID 8005 : Script Or MSI Allowed To Run          Sub Rule   Production   Process/Service Started               Startup and Shutdown
EVID 8006 : Process Allowed But Would Be Blocked  Sub Rule   Production   Process/Service Started               Startup and Shutdown
EVID 8007 : Process Not Allowed To Run            Sub Rule   Production   Process Failed                        Error
EVID 8008 : AppLocker Disabled On The SKU         Sub Rule   Production   Feature Disabled                      Information
EVID 8020 : Packaged App Allowed                  Sub Rule   Production   General Application Information       Information
EVID 8021 : Packaged App Audited                  Sub Rule   Production   General Audit Message                 Other Audit
EVID 8022 : Packaged App Disabled                 Sub Rule   Production   Disabled                              Information
EVID 8023 : Packaged App Installation Allowed     Sub Rule   Production   General Application Information       Information
EVID 8024 : Packaged App Installation Audited     Sub Rule   Production   General Audit Message                 Other Audit
EVID 8025 : Packaged App Installation Disabled    Sub Rule   Production   Disabled                              Information
EVID 8027 : No Packaged App Rule Configured       Sub Rule   Production   Failed Configuration                  Other Audit Failure

Mapping with LogRhythm Schema

Device Key in Log Message   LogRhythm Schema   Data Type
<eventid>                   <vmid>             Number
execution processid         <processid>        Number
<channel>                   <tag1>             Text/String
<computer>                  <sname>            Text/String
<security userid>           <domain>           Text/String
<security userid>           <login>            Text/String
<UserData>                  <vendorinfo>       Text/String
<UserData>                  <object>           Text/String
<UserData>                  <objectname>       Text/String
was                         <tag2>             Text/String
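The rule table and the schema mapping above describe how each AppLocker event ID is classified and which XML fields feed which LogRhythm schema fields. The following added example is not LogRhythm's parser or any code from the page: it applies both tables to constructed AppLocker event XML (the shape Get-WinEvent's ToXml() returns), and it also separates the Audit-mode "would have been blocked" events (EVID 8003/8006/8021/8024) from real allows, since the rule table maps 8003 and 8006 to the same Common Event as 8002 and 8005. Assumptions: the sample event values are invented; the choice of which <UserData> child feeds <vendorinfo>, <object> and <objectname> (PolicyName, FilePath, RuleName) is mine; the Security UserID SID is kept raw because no SID resolver is available offline; and 8022/8025 are treated as enforced blocks on the strength of Microsoft's event definitions, not the page's Common Event names.

```python
# Added example (not LogRhythm's own parser): map AppLocker event XML onto the
# LogRhythm schema fields listed on this page and classify the outcome by EVID.
import xml.etree.ElementTree as ET

# Namespaces used by Windows event XML and by AppLocker's UserData payload.
NS = {
    "e": "http://schemas.microsoft.com/win/2004/08/events/event",
    "u": "http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0",
}

# Outcome per event ID. "audit" are the Audit-mode "would have been blocked" IDs,
# "enforced" the IDs that only fire when the rule collection is in Enforce mode.
OUTCOME = {
    8002: "allowed", 8005: "allowed", 8020: "allowed", 8023: "allowed",
    8003: "audit", 8006: "audit", 8021: "audit", 8024: "audit",
    8004: "enforced", 8007: "enforced", 8022: "enforced", 8025: "enforced",
}

# Verb phrase that follows the file path in the rendered message; this is the
# "was ..." text the schema table maps to <tag2>.
TAG2 = {
    "allowed": "was allowed to run",
    "audit": "was allowed to run but would have been prevented from running "
             "if the AppLocker policy were enforced",
    "enforced": "was not allowed to run",
}


def to_logrhythm(xml_text):
    """Return a dict keyed by the LogRhythm schema names from the mapping table."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    evid = int(system.findtext("e:EventID", namespaces=NS))
    sid = system.find("e:Security", NS).get("UserID", "")
    data = root.find("e:UserData/u:RuleAndFileData", NS)  # absent on 8001/8008

    def user_data(name):
        return data.findtext(f"u:{name}", default="", namespaces=NS) if data is not None else ""

    outcome = OUTCOME.get(evid, "other")
    return {
        "vmid": evid,
        "processid": int(system.find("e:Execution", NS).get("ProcessID")),
        "tag1": system.findtext("e:Channel", namespaces=NS),
        "sname": system.findtext("e:Computer", namespaces=NS),
        # The page derives both <domain> and <login> from the Security UserID SID;
        # no SID resolver offline, so the raw SID is kept (assumption).
        "domain": sid,
        "login": sid,
        # Assumed choice of UserData children for the three UserData-derived fields.
        "vendorinfo": user_data("PolicyName"),
        "object": user_data("FilePath"),
        "objectname": user_data("RuleName"),
        "tag2": TAG2.get(outcome, ""),
        "outcome": outcome,
    }


def audit_gaps(xml_events):
    """File paths that ran only because the collection was in Audit mode."""
    return [r["object"] for r in map(to_logrhythm, xml_events) if r["outcome"] == "audit"]


def outcome_counts(xml_events):
    counts = {}
    for rec in map(to_logrhythm, xml_events):
        counts[rec["outcome"]] = counts.get(rec["outcome"], 0) + 1
    return counts


def make_event(evid, pid, channel, computer, sid, policy, rule, path):
    # Constructed sample in the shape of an AppLocker event's XML view; all values invented.
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-AppLocker"/>
    <EventID>{evid}</EventID>
    <Execution ProcessID="{pid}" ThreadID="0"/>
    <Channel>{channel}</Channel>
    <Computer>{computer}</Computer>
    <Security UserID="{sid}"/>
  </System>
  <UserData>
    <RuleAndFileData xmlns="http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0">
      <PolicyName>{policy}</PolicyName>
      <RuleName>{rule}</RuleName>
      <TargetUser>{sid}</TargetUser>
      <TargetProcessId>{pid}</TargetProcessId>
      <FilePath>{path}</FilePath>
    </RuleAndFileData>
  </UserData>
</Event>"""


SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed
EXE_CHANNEL = "Microsoft-Windows-AppLocker/EXE and DLL"
SCRIPT_CHANNEL = "Microsoft-Windows-AppLocker/MSI and Script"
SAMPLE_EVENTS = [
    make_event(8002, 4120, EXE_CHANNEL, "WKS01.corp.example", SID, "EXE",
               "(Default Rule) All files located in the Windows folder",
               r"%WINDIR%\SYSTEM32\NOTEPAD.EXE"),
    make_event(8003, 5188, EXE_CHANNEL, "WKS01.corp.example", SID, "EXE", "",
               r"%OSDRIVE%\USERS\ALICE\DOWNLOADS\DROPPER.EXE"),
    make_event(8007, 5304, SCRIPT_CHANNEL, "WKS01.corp.example", SID, "SCRIPT", "",
               r"%OSDRIVE%\USERS\ALICE\APPDATA\LOCAL\TEMP\PAYLOAD.PS1"),
]

if __name__ == "__main__":
    for rec in map(to_logrhythm, SAMPLE_EVENTS):
        print(rec["vmid"], rec["outcome"], rec["object"], rec["tag2"])
    print("audit gaps:", audit_gaps(SAMPLE_EVENTS))
    print("counts:", outcome_counts(SAMPLE_EVENTS))
```

The outcome field is the part worth keeping in a detection: an 8003 or 8006 in a collection you believe is enforced means the policy is still in Audit mode on that host, and the paths returned by audit_gaps are exactly what would have been stopped had it not been.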