How to monitor AppLocker events

Article ID: 478
Category: Configuration
Updated: 2024-08-20

What is AppLocker?

Introduced in Windows 7 Enterprise Edition, AppLocker is a built-in Windows mechanism for allowing or denying the execution of applications by path, publisher or file hash through Group Policy. Administrators can apply these rules in Enforce rules mode, which blocks execution of anything not allowed, or in Audit only mode, which lets everything run but writes an audit event for each file that would have been blocked.

Application blocked by AppLocker

Regularly monitoring these events will allow you to quickly detect and respond to any attempts to bypass these restrictions, identify unauthorized software installation and ensure compliance with organizational policies. Additionally, monitoring these logs can help in auditing and forensics, providing insights into user behavior and application usage across the domain.


Setup AppLocker via Group Policy

Microsoft's guide to Administering AppLocker via Group Policy in your environment
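Before consolidating AppLocker logs from a host it is worth confirming that AppLocker is actually active there. The following PowerShell script is an added example, not part of this article or of Microsoft's guide; it checks the Application Identity service, reads the effective policy and reports the enforcement mode of each rule collection, then lists the AppLocker event logs that EventSentry will consolidate. It assumes the built-in AppLocker PowerShell module is available and that the session has local administrator rights.

```powershell
# Added example: verify that AppLocker is enforcing or auditing on this host.
# Assumes the AppLocker module (Get-AppLockerPolicy) is present and the session is elevated.

# 1. AppLocker only enforces and only writes events while the Application Identity service runs.
$appId = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
if (-not $appId) {
    Write-Warning "Application Identity service (AppIDSvc) not found; AppLocker is not available on this host."
} elseif ($appId.Status -ne 'Running') {
    Write-Warning "AppIDSvc is $($appId.Status): AppLocker rules are neither enforced nor audited."
} else {
    Write-Host "AppIDSvc is running."
}

# 2. Pull the effective policy (local policy merged with Group Policy) as XML.
[xml]$policy = Get-AppLockerPolicy -Effective -Xml

# 3. Report the enforcement mode of each rule collection:
#    'Enabled' = Enforce rules, 'AuditOnly' = Audit only, 'NotConfigured' = no policy for that file type.
$policy.AppLockerPolicy.RuleCollection | ForEach-Object {
    [pscustomobject]@{
        Collection      = $_.Type                 # Exe, Dll, Script, Msi, Appx
        EnforcementMode = $_.EnforcementMode
        RuleCount       = $_.ChildNodes.Count     # FilePathRule / FilePublisherRule / FileHashRule elements
    }
} | Format-Table -AutoSize

# 4. List the AppLocker event logs on this host; these are the logs added under
#    Custom Event Logs in EventSentry. A disabled log or a RecordCount of 0 on a
#    host with an enforced policy is worth investigating.
Get-WinEvent -ListLog 'Microsoft-Windows-AppLocker/*' -ErrorAction SilentlyContinue |
    Select-Object LogName, IsEnabled, RecordCount, LogMode |
    Format-Table -AutoSize
```

A collection reported as NotConfigured produces no events at all for that file type, so a quiet AppLocker log does not by itself mean nothing unwanted is running; check the enforcement mode first.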


Monitoring AppLocker events with EventSentry

• Open the EventSentry Management Console
• Expand Packages -> Event Logs -> Database Consolidation
• Select Consolidate Non-Security Events
• Click Custom Event Logs tab
• Use the + button on the right side to include all Microsoft-Windows-AppLocker event logs
• Save & Push Configuration

Consolidating AppLocker events

Viewing consolidated AppLocker via the web reports

• Open the EventSentry Web Reports
• Navigate to Features -> Event Log
• Search for source:Microsoft-Windows-AppLocker
• Click Detailed tab

AppLocker Web Reports


Setup alerts when AppLocker prevents apps from running

In the EventSentry Management Console create an include filter to match the following:

Custom Event Logs: Microsoft-Windows-AppLocker/EXE and DLL
Event Severity: Error
Event ID: 8004

Adding AppLocker Include Filter
Setup AppLocker Block Filter
Email Alert AppLocker

Key AppLocker events

Enforce rules

Event ID  Type   Message                              Context
8004      Error  {File name} was not allowed to run.  The .exe or .dll file cannot run and has been blocked.
8007      Error  {File name} was not allowed to run.  The script or .msi file cannot run and has been blocked.
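The same block events can be pulled straight from the AppLocker event logs with Get-WinEvent, which is a quick way to check what the 8004 include filter above should be alerting on, or to review a host that is not yet consolidated. The script below is an added example and not the article's or EventSentry's own code. It reads events 8004 and 8007 from the EXE and DLL and MSI and Script logs, and also their Audit only counterparts 8003 and 8006 (which are not listed in the table above but are the events written when a policy runs in Audit only mode), decodes the AppLocker-specific fields from each event's UserData section, and summarises the blocked files per user. It assumes it runs locally with rights to read the logs; the look-back period is an assumed default.

```powershell
# Added example: summarise AppLocker block (and audit) events from the local event logs.
# Assumes local execution with rights to read the AppLocker logs.

$lookbackDays = 7   # assumed default
$logs = @('Microsoft-Windows-AppLocker/EXE and DLL',
          'Microsoft-Windows-AppLocker/MSI and Script')

# 8004 / 8007: Enforce rules block events (the table above).
# 8003 / 8006: Audit only counterparts ("was allowed to run but would have been prevented"),
#              included so the same report works while a policy is still being tested.
$ids = @(8003, 8004, 8006, 8007)

# Resolve the TargetUser SID to an account name; fall back to the raw SID on failure.
function Resolve-Sid([string]$Sid) {
    try {
        (New-Object System.Security.Principal.SecurityIdentifier $Sid).Translate([System.Security.Principal.NTAccount]).Value
    } catch { $Sid }
}

$events = foreach ($log in $logs) {
    # Get-WinEvent reports an error when a log has no matching records; treat that as nothing to report.
    Get-WinEvent -FilterHashtable @{
        LogName   = $log
        Id        = $ids
        StartTime = (Get-Date).AddDays(-$lookbackDays)
    } -ErrorAction SilentlyContinue
}

$rows = foreach ($e in $events) {
    # AppLocker stores its details under <UserData><RuleAndFileData>, not under EventData.
    $d = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
    [pscustomobject]@{
        Time       = $e.TimeCreated
        Computer   = $e.MachineName
        EventId    = $e.Id
        Mode       = if ($e.Id -in @(8004, 8007)) { 'Blocked' } else { 'AuditOnly' }
        Collection = $d.PolicyName    # EXE, DLL, SCRIPT or MSI
        User       = Resolve-Sid $d.TargetUser
        FilePath   = $d.FilePath      # uses %OSDRIVE%, %PROGRAMFILES% style variables
        FileHash   = $d.FileHash
        Publisher  = $d.Fqbn          # empty for unsigned files
        Rule       = $d.RuleName
    }
}

# Most frequently hit files first. Repeated hits on one path from one user usually
# mean a missing allow rule; many distinct paths from one user deserve a closer look.
$rows | Group-Object FilePath, User, Mode |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{n='FilePath'; e={ $_.Group[0].FilePath }},
        @{n='User';     e={ $_.Group[0].User }},
        @{n='Mode';     e={ $_.Group[0].Mode }},
        @{n='LastSeen'; e={ ($_.Group | Sort-Object Time -Descending)[0].Time }} |
    Format-Table -AutoSize

# $rows keeps the full detail for export, e.g.:
# $rows | Export-Csv applocker-blocks.csv -NoTypeInformation
```

The FileHash and Fqbn (publisher) fields are what you need when deciding whether to add a hash or publisher rule for a legitimately blocked file, so keep them in any export rather than only the path.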

All AppLocker event definitions
