
Me, myself & IT

One-Click Setup of an AppLocker Policy

Purpose

Present a Windows Script File (*.wsf) to set an (arbitrary) AppLocker policy with a single double-click.

Note: the script requires neither PowerShell with its AppLocker cmdlets nor Microsoft Management Console with its GPEdit.msc and SecPol.msc snap-ins.

Instructions

Perform the following 4 (plus 1) simple steps to create, optionally sign and execute a Windows Script File *.wsf that sets an AppLocker policy, then activate it.
  1. Create a text file *.wsf, for example AppLocker.wsf, with the following content in an arbitrary directory:

    <?xml version='1.0' encoding='US-ASCII' standalone='yes' ?>
    <package>
        <comment>Copyright (C) 2009-2025, Stefan Kanthak</comment>
        <job>
            <object id='Application' progid='Shell.Application' />
            <runtime>
                <description>Set an AppLocker Policy on Windows 7 and later versions</description>
            </runtime>
            <script language='JScript'>
                if (WScript.Arguments.Length != 0)
                    WScript.Arguments.ShowUsage()
                else
                    // quote the script path: the WSF may live in a directory whose name contains spaces
                    Application.ShellExecute(WScript.FullName, '//Job:Policy "' + WScript.ScriptFullName + '"', WScript.Path, 'RunAs', 1)
            </script>
        </job>
        <job id='Policy'>
            <object id='AppIdPolicyHandler' classid='clsid:F1ED7D4C-F863-4DE6-A1CA-7253EFDEE1F3' />
            <object id='Application' progid='Shell.Application' />
            <object id='Shell' progid='WScript.Shell' />
            <resource id='Policy'><![CDATA[<AppLockerPolicy Version='1' />]]></resource>
            <script language='JScript'>
                if (Application.IsServiceRunning('AppIdSvc') == false)
                    Application.ServiceStart('AppIdSvc', true)
                AppIdPolicyHandler.SetPolicy('', getResource('Policy'))
                Shell.RegWrite('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Script Host\\Settings\\IgnoreUserSettings', 1)
                Shell.RegWrite('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Script Host\\Settings\\UseWinSAFER', 1)
            //  WScript.Echo(Shell.Exec('GPUpdate.exe /Target:Computer').StdOut.ReadAll())
            </script>
        </job>
        <job id='Sign'>
            <object id='Signer' progid='Scripting.Signer' />
            <runtime>
                <description>Sign this Windows Script File</description>
                <unnamed helpstring='Mandatory Argument' name='Certificate Name' required='1' />
            </runtime>
            <script language='JScript'>
                if (WScript.Arguments.Named.Length != 0
                 || WScript.Arguments.Unnamed.Length != 1)
                    WScript.Arguments.ShowUsage()
                else
                    Signer.SignFile(WScript.ScriptFullName, WScript.Arguments.Unnamed.Item(0))
            </script>
        </job>
    </package>
    Note: the second setting written by the Policy job (UseWinSAFER) enables SAFER – either Software Restriction Policies or AppLocker, whichever is in force – for the Windows Script Host, and the first setting (IgnoreUserSettings) prevents any user account from overruling it with the opposite setting in the corresponding Registry key under HKEY_CURRENT_USER.
  2. Replace the XML snippet inside the <resource id='Policy'> element – an (empty) allow-all AppLocker policy – with the one you wish to deploy, for example the generic AppLocker policy for Windows 11 presented as part of the Eleventh Commandment, then save the modified Windows Script File. The policy sits inside a CDATA section: it may use double quotes freely, but it must not contain the sequence ]]>, which would terminate the section early.

  3. (Optional) If you have a code signing certificate, run the following command line to sign the Windows Script File modified in step 2:

    WSCRIPT.EXE //Job:Sign ‹script file name›.wsf ‹certificate name›
  4. Double-click the Windows Script File modified in step 2 (or signed in step 3) to run it.

    Note: it requires Administrator rights and requests them via User Account Control if necessary.

  5. Restart Windows to activate the AppLocker policy just set.
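
The following PowerShell script is an added example and not part of Stefan Kanthak's page: it builds a small sample policy for step 2 (this example's own rules, modelled on AppLocker's default path rules, in AuditOnly mode so nothing is blocked until the event log shows the policy behaves as intended), splices it into the <resource id='Policy'> element of the WSF, and provides a check to run after the reboot in step 5. It assumes the WSF is saved as .\AppLocker.wsf and that the AppLocker cmdlets may be used for the check (the WSF itself still needs neither).

```powershell
# Added example, not part of Stefan Kanthak's page. Assumed (not in the original):
# the WSF lives at .\AppLocker.wsf; Test-Deployment may use the AppLocker cmdlets.

function New-PathRule {
    param(
        [string]$Name,
        [string]$Path,
        [string]$Sid = 'S-1-1-0',        # Everyone
        [string]$Action = 'Allow'
    )
    # Every AppLocker rule carries a GUID as Id; any unique value will do.
    $id = [guid]::NewGuid().ToString()
    "<FilePathRule Id=`"$id`" Name=`"$Name`" Description=`"`" UserOrGroupSid=`"$Sid`" Action=`"$Action`">" +
    "<Conditions><FilePathCondition Path=`"$Path`" /></Conditions></FilePathRule>"
}

function New-SamplePolicy {
    # One collection per file type, each starting in AuditOnly: nothing is blocked,
    # but every file that would have been blocked is logged (events 8003 and 8006),
    # which the Message Box section below alerts on. Switch a collection to
    # EnforcementMode="Enabled" once its log is quiet.
    $collections = foreach ($type in 'Exe', 'Dll', 'Script', 'Msi') {
        $rules = (New-PathRule -Name 'Windows folder'       -Path '%WINDIR%\*') +
                 (New-PathRule -Name 'Program Files folder' -Path '%PROGRAMFILES%\*') +
                 (New-PathRule -Name 'Administrators'       -Path '*' -Sid 'S-1-5-32-544')
        "<RuleCollection Type=`"$type`" EnforcementMode=`"AuditOnly`">$rules</RuleCollection>"
    }
    "<AppLockerPolicy Version=`"1`">$($collections -join '')</AppLockerPolicy>"
}

function Set-WsfPolicy {
    param([string]$WsfPath, [string]$PolicyXml)
    # The WSF keeps the policy in a CDATA section: double quotes are fine, but the
    # text must never contain the CDATA terminator.
    if ($PolicyXml.Contains(']]>')) { throw 'the policy contains "]]>" and cannot be placed in a CDATA section' }
    $null  = [xml]$PolicyXml   # fail here, not at SetPolicy time, if the XML is malformed
    $open  = "<resource id='Policy'><![CDATA["
    $close = ']]></resource>'
    $wsf   = Get-Content -Path $WsfPath -Raw
    $start = $wsf.IndexOf($open)
    $end   = $wsf.IndexOf($close, [Math]::Max($start, 0))
    if ($start -lt 0 -or $end -lt 0) { throw "no <resource id='Policy'> element found in $WsfPath" }
    $wsf   = $wsf.Substring(0, $start + $open.Length) + $PolicyXml + $wsf.Substring($end)
    # The WSF declares encoding='US-ASCII', so write it back as ASCII.
    Set-Content -Path $WsfPath -Value $wsf -Encoding Ascii
}

function Test-Deployment {
    # Run after the reboot: the Application Identity service must be running, the
    # two WSH settings must be present, and the effective policy (what the AppID
    # service actually enforces) must list the collections that were deployed.
    $service = Get-Service -Name AppIDSvc
    $wsh     = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
    [xml]$effective = Get-AppLockerPolicy -Effective -Xml
    [pscustomobject]@{
        AppIdSvc           = $service.Status
        UseWinSAFER        = $wsh.UseWinSAFER
        IgnoreUserSettings = $wsh.IgnoreUserSettings
        Collections        = ($effective.AppLockerPolicy.RuleCollection |
                                  ForEach-Object { "$($_.Type)=$($_.EnforcementMode)" }) -join ', '
    }
}

# Usage: prepare the WSF before step 4; after the reboot of step 5 run Test-Deployment.
Set-WsfPolicy -WsfPath .\AppLocker.wsf -PolicyXml (New-SamplePolicy)
# Test-Deployment
```

Keeping the sample rules in AuditOnly first is deliberate: an AppLocker policy that turns out too strict locks every standard user out of the tools they need, and the audit events tell you what would have been blocked before you commit to enforcement.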

Message Box

Perform the following 2 simple steps to create a Scheduled Task that displays a message box to the interactive user whenever an AppLocker entry is written to the Event Log.
  1. Create the text file AppLocker.xml with the following content in an arbitrary directory. Save it in the encoding its XML declaration names (UTF-16, which Notepad calls "Unicode"), or change the declaration to the encoding your editor writes (for example UTF-8): a mismatch makes the XML parser reject the file when the task is created.

    <?xml version='1.0' encoding='UTF-16' standalone='yes' ?>
    <!-- Copyright (C) 2011-2025, Stefan Kanthak -->
    <Task version='1.3' xmlns='http://schemas.microsoft.com/windows/2004/02/mit/task'>
        <RegistrationInfo>
            <Author>AMNESIAC\Stefan</Author>
            <Date>2011-04-27T12:34:56.7890123</Date>
            <Description>Display a message box to the interactive user whenever an AppLocker entry is written to the event log</Description>
        </RegistrationInfo>
        <Triggers>
            <EventTrigger>
                <Enabled>true</Enabled>
                <Subscription>&lt;QueryList&gt;&lt;Query Id='0' Path='Microsoft-Windows-AppLocker/EXE and DLL'&gt;&lt;Select Path='Microsoft-Windows-AppLocker/EXE and DLL'&gt;*[System[Provider[@Name='Microsoft-Windows-AppLocker'] and (Level=1 or Level=2 or Level=3)]]&lt;/Select&gt;&lt;Select Path='Microsoft-Windows-AppLocker/MSI and Script'&gt;*[System[Provider[@Name='Microsoft-Windows-AppLocker'] and (Level=1 or Level=2 or Level=3)]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
                <ValueQueries>
                    <Value name='eventChannel'>Event/System/Channel</Value>
                    <Value name='eventComputer'>Event/System/Computer</Value>
                    <Value name='eventCorrelation'>Event/System/Correlation</Value>
                    <Value name='eventFilePath'>Event/UserData/RuleAndFileData/FilePath</Value>
                    <Value name='eventID'>Event/System/EventID</Value>
                    <Value name='eventKeywords'>Event/System/Keywords</Value>
                    <Value name='eventLevel'>Event/System/Level</Value>
                    <Value name='eventOpcode'>Event/System/Opcode</Value>
                    <Value name='eventProcessID'>Event/System/Execution/@ProcessID</Value>
                    <Value name='eventProvider'>Event/System/Provider/@Name</Value>
                    <Value name='eventRecordID'>Event/System/EventRecordID</Value>
                    <Value name='eventTask'>Event/System/Task</Value>
                    <Value name='eventThreadID'>Event/System/Execution/@ThreadID</Value>
                    <Value name='eventTime'>Event/System/TimeCreated/@SystemTime</Value>
                    <Value name='eventUser'>Event/UserData/RuleAndFileData/TargetUser</Value>
                    <Value name='eventUserID'>Event/System/Security/@UserID</Value>
                    <Value name='eventVersion'>Event/System/Version</Value>
                </ValueQueries>
            </EventTrigger>
        </Triggers>
        <Principals>
            <Principal id='Author'>
                <GroupId>S-1-5-4</GroupId>
                <RunLevel>LeastPrivilege</RunLevel>
            </Principal>
        </Principals>
        <Settings>
            <AllowHardTerminate>true</AllowHardTerminate>
            <AllowStartOnDemand>false</AllowStartOnDemand>
            <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
            <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>
            <Enabled>true</Enabled>
            <ExecutionTimeLimit>PT1H</ExecutionTimeLimit>
            <Hidden>false</Hidden>
            <IdleSettings>
                <Duration>PT5M</Duration>
                <RestartOnIdle>false</RestartOnIdle>
                <StopOnIdleEnd>true</StopOnIdleEnd>
                <WaitTimeout>PT1H</WaitTimeout>
            </IdleSettings>
            <MultipleInstancesPolicy>Queue</MultipleInstancesPolicy>
            <Priority>7</Priority>
            <RunOnlyIfIdle>false</RunOnlyIfIdle>
            <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
            <StartWhenAvailable>false</StartWhenAvailable>
            <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
            <UseUnifiedSchedulingEngine>false</UseUnifiedSchedulingEngine>
            <WakeToRun>false</WakeToRun>
        </Settings>
        <Actions Context='Author'>
            <ShowMessage>
                <Body>File: $(eventFilePath)
    Event: $(eventID)
    Provider: $(eventProvider)
    Time: $(eventTime)
    User: $(eventUser)
    UserID: $(eventUserID)</Body>
                <Title>AppLocker</Title>
            </ShowMessage>
        </Actions>
    </Task>
  2. Create a Scheduled Task from the task definition file AppLocker.xml created in step 1, from an elevated command prompt (registering a task for the INTERACTIVE group S-1-5-4 requires administrator rights):

    SCHTASKS.EXE /Create /TN "AppLocker Alert" /XML AppLocker.xml
    SUCCESS: The scheduled task AppLocker Alert has successfully been created.

    Note: Microsoft documents the ShowMessage action as deprecated, and on Windows 8 and later a task that uses it typically fails to run; there, replace it with an Exec action that runs a script displaying the message. On these versions AppLocker also logs to the channels Microsoft-Windows-AppLocker/Packaged app-Deployment and Microsoft-Windows-AppLocker/Packaged app-Execution; add matching Select elements to the Subscription to be alerted on packaged apps too.
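
The following PowerShell script is an added example and not part of Stefan Kanthak's page: it runs the task's Subscription query through Get-WinEvent, so you can see which events it matches and what its ValueQueries extract before (or instead of) registering the task, and it renders the same body the ShowMessage action would display. The Level filter (1 to 3: critical, error, warning) selects the blocks (events 8004 and 8007) and the audit-mode "would have been blocked" events (8003 and 8006) but not the informational "allowed" events (8002 and 8005). It assumes only what the task definition above shows: the two channel names and the RuleAndFileData element of AppLocker events; nothing here needs the task to exist.

```powershell
# Added example, not part of Stefan Kanthak's page. Assumed (from the task
# definition above): the AppLocker channel names and the RuleAndFileData element.

# Identical to the <Subscription> of the task definition, but as plain XML.
$Subscription = @'
<QueryList>
  <Query Id='0' Path='Microsoft-Windows-AppLocker/EXE and DLL'>
    <Select Path='Microsoft-Windows-AppLocker/EXE and DLL'>*[System[Provider[@Name='Microsoft-Windows-AppLocker'] and (Level=1 or Level=2 or Level=3)]]</Select>
    <Select Path='Microsoft-Windows-AppLocker/MSI and Script'>*[System[Provider[@Name='Microsoft-Windows-AppLocker'] and (Level=1 or Level=2 or Level=3)]]</Select>
  </Query>
</QueryList>
'@

function ConvertFrom-AppLockerEvent {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    # The task's ValueQueries are XPath over this same XML. PowerShell's [xml] dot
    # navigation ignores namespaces, so System and UserData are read the same way.
    [xml]$x = $Event.ToXml()
    [pscustomobject]@{
        Channel  = $x.Event.System.Channel
        EventID  = $Event.Id                       # 8003/8006 audit, 8004/8007 block
        Level    = $Event.Level                    # 2 = Error (blocked), 3 = Warning (audit)
        Provider = $x.Event.System.Provider.Name
        Time     = $x.Event.System.TimeCreated.SystemTime
        UserID   = $x.Event.System.Security.UserID
        FilePath = $x.Event.UserData.RuleAndFileData.FilePath
        User     = $x.Event.UserData.RuleAndFileData.TargetUser
    }
}

function Format-AlertBody {
    param($Info)
    # Same layout as the <Body> of the task's ShowMessage action.
    @("File: $($Info.FilePath)",
      "Event: $($Info.EventID)",
      "Provider: $($Info.Provider)",
      "Time: $($Info.Time)",
      "User: $($Info.User)",
      "UserID: $($Info.UserID)") -join "`r`n"
}

function Show-AppLockerAlert {
    param([string]$Body, [string]$Title = 'AppLocker')
    # Stand-in for the deprecated ShowMessage action: let an Exec action run
    # powershell.exe with this function, passing the $(eventXxx) values as arguments.
    Add-Type -AssemblyName System.Windows.Forms
    [void][System.Windows.Forms.MessageBox]::Show($Body, $Title)
}

# Usage: print the bodies the task would have displayed for the newest matches.
$events = Get-WinEvent -FilterXml $Subscription -MaxEvents 5 -ErrorAction SilentlyContinue
if (-not $events) { 'no AppLocker warning or error events in the log (yet)' }
foreach ($e in $events) { Format-AlertBody (ConvertFrom-AppLockerEvent $e); '' }
```

Because the task's principal is the INTERACTIVE group, an Exec action calling Show-AppLockerAlert runs in the logged-on user's session, so the message box is visible to the person whose program was just blocked or audited, exactly as the ShowMessage action intended.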

Contact and Feedback

If you miss anything here, have additions, comments, corrections, criticism or questions, want to give feedback, hints or tips, report broken links, bugs, deficiencies, errors, inaccuracies, misrepresentations, omissions, shortcomings, vulnerabilities or weaknesses, …: don’t hesitate to contact me and feel free to ask, comment, criticise, flame, notify or report!

Use the X.509 certificate to send S/MIME encrypted mail.

Note: email in weird format and without a proper sender name is likely to be discarded!

I dislike HTML (and even weirder formats too) in email, I prefer to receive plain text.
I also expect to see your full (real) name as sender, not your nickname.
I abhor top posts and expect inline quotes in replies.

Copyright © 1995–2025 • Stefan Kanthak • <stefan.kanthak@nexgo.de>