>From what I've seen, if the AppIdSvc is not running, then nothing should be 
>blocked until the service starts.  So in theory, if the AppIdSvc has not 
>started, then it should not have blocked the first script below.

I assume that for both events below, the username is the same?  Also, it may be 
helpful to review the Details tab for these event log entries to read the 
RuleName/RuleSddl fields to see what rule allowed the second attempt to run and 
see if that may help explain why the first attempt didn't run.

-Aakash Shah

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Sean Chapman
Sent: Tuesday, December 5, 2017 6:41 AM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Applocker AppIDsvc autostart

Hey guys,

I'm trying to set up AppLocker policies and move away from SRP whitelisting but 
I'm having trouble getting some stuff that runs via login script to work 
properly.  If I go to the event viewer and see the blocked scripts I can click 
them and they then run fine.  I'm leaning toward the AppID Service not starting 
before this is trying to run but I can't see anywhere to change it from 
Automatic trigger to Automatic.  I've tried using SC to change it but since it's 
turned on via GPO it's just not changing, and maybe that's how it's supposed to 
be?  I've definitely made rules to allow these as well.  Either way it's 
frustrating, any advice?


This is from the login:

Error   12/5/2017 7:33:05 AM    AppLocker       8007    None
*REMOVED FOR SECURITY*\POWERLINK_XA_ENV_CHANGE\POWERLINK_XA_ENV_CHANGE.BAT was 
prevented from running.

This is me looking at the event log and then clicking on the link to what was 
blocked:

Information     12/5/2017 7:41:30 AM    AppLocker       8005    None
*REMOVED FOR SECURITY*\POWERLINK_XA_ENV_CHANGE\POWERLINK_XA_ENV_CHANGE.BAT was 
allowed to run.







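The comparison suggested in the reply above (same user? which rule allowed the second run?) can be pulled from the log directly. This is an added example, not part of the original thread; it assumes the events are in the local "MSI and Script" AppLocker log (where .bat script events are written) and uses an arbitrary 24-hour window.

```powershell
# Added example: field names are those shown on the Details tab (XML view)
# of AppLocker 8005/8007 events; the 24-hour window is an arbitrary choice.
$log   = 'Microsoft-Windows-AppLocker/MSI and Script'
$since = (Get-Date).AddHours(-24)

function Resolve-Sid([string]$Sid) {
    # TargetUser is logged as a SID; fall back to the raw SID if it cannot be resolved.
    try {
        ([System.Security.Principal.SecurityIdentifier]$Sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $Sid }
}

$filter = @{ LogName = $log; Id = 8005, 8007; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Result   = if ($_.Id -eq 8005) { 'Allowed' } else { 'Blocked' }
            User     = Resolve-Sid $d.TargetUser
            FilePath = $d.FilePath
            RuleName = $d.RuleName
            RuleSddl = $d.RuleSddl
        }
    }

# Sort by file so a block at logon and a later allow for the same script line up.
$events | Sort-Object FilePath, Time |
    Format-Table Time, Result, User, RuleName, FilePath -AutoSize -Wrap

# Files that were both blocked and allowed, with the users and rules involved.
$events | Group-Object FilePath |
    Where-Object { ($_.Group.Result | Sort-Object -Unique).Count -gt 1 } |
    ForEach-Object {
        [pscustomobject]@{
            FilePath = $_.Name
            Users    = ($_.Group.User | Sort-Object -Unique) -join ', '
            Rules    = ($_.Group.RuleName | Where-Object { $_ } | Sort-Object -Unique) -join ', '
        }
    } | Format-List

# Current state and start configuration of the Application Identity service.
Get-Service -Name AppIDSvc | Select-Object Name, Status, StartType
sc.exe qc AppIDSvc
sc.exe qtriggerinfo AppIDSvc
```

If the "Users" column shows two different accounts for the same script, the block and the allow were evaluated against different rule scopes, which the RuleSddl value of the allowing rule will confirm.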