I have a Windows 7 image that appears to be using an AppLocker ruleset that I'm unable to modify or disable.
Performing the following appears to have no effect on this enforced AppLocker mystery ruleset:
- Disabling the AppIdSvc
- Restarting the AppIdSvc
- Updating the AppLocker ruleset in the local security policy (this system is not part of the domain)
- Any combination of the above
The above comes from this technet article.
This is the result of using the AppLocker PowerShell module:

```
Import-Module AppLocker
Get-AppLockerPolicy -Effective | Test-AppLockerPolicy -Path c:\TestScript.bat

FilePath            PolicyDecision    MatchingRule
--------            --------------    ------------
C:\TestScript.bat   AllowedByDefault
```
If I create a wildcard ruleset for scripts or EXEs, this test changes to Allowed for the PolicyDecision.
However, when actually testing execution, I receive the error "This program is blocked by group policy...", and there's a corresponding message in the AppLocker event log stating the execution was prevented from running, with a blank RuleName and a zeroed RuleId.
There also appear to be rules in effect. If I run TestScript.bat as an administrator (UAC is on), then the script executes as expected and an event is registered stating the execution was allowed with a RuleName of "All scripts". This rule likely came from an earlier setup, but I can't seem to find it or remove it. How can I remove these hidden rules?
I found a partial solution. The AppLocker rules that were in effect but hidden from the security policy (secpol.msc or gpedit.msc) were located here:
From here I was able to manually manipulate the AppLocker rules. However, I'm still unable to modify these rules through the security policy or the Set-AppLockerPolicy cmdlet. Something is preventing the system from applying the AppLocker rules.
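The two symptoms described in the question and the answer (rules that are enforced but absent from the local policy, and block events with a blank RuleName) can be checked from PowerShell without opening secpol.msc. The script below is an added example, not code from either poster; it assumes the AppLocker module, an elevated session, the documented AppLocker policy XML layout, the standard AppLocker event log names and IDs (8004 EXE/DLL blocked, 8007 MSI/script blocked), and that the event payload sits under `UserData/RuleAndFileData`.

```powershell
# Added example (not from the original post): list rules that are in the
# effective policy but not in the local policy, then show recent block events.
Import-Module AppLocker

function Get-AppLockerRuleSummary {
    param([Parameter(Mandatory=$true)][ValidateSet('Local','Effective')][string]$Scope)
    # -Xml returns the policy as text; parsing it avoids relying on the object model.
    $xml = if ($Scope -eq 'Local') { [xml](Get-AppLockerPolicy -Local -Xml) }
           else                    { [xml](Get-AppLockerPolicy -Effective -Xml) }
    foreach ($rc in $xml.AppLockerPolicy.RuleCollection) {
        # Each collection (Exe, Script, Msi, Dll) carries its own enforcement mode.
        foreach ($rule in $rc.ChildNodes) {
            New-Object PSObject -Property @{
                Scope = $Scope; Collection = $rc.Type; Enforcement = $rc.EnforcementMode
                RuleName = $rule.Name; RuleId = $rule.Id; Action = $rule.Action
                Sid = $rule.UserOrGroupSid
            }
        }
    }
}

function Get-AppLockerBlockedEvents {
    param([int]$MaxEvents = 20)
    # A blank RuleName with an all-zero RuleId means no rule matched and the
    # collection's implicit deny fired, which is the symptom in the question.
    $logs = @{ 'Microsoft-Windows-AppLocker/EXE and DLL'    = 8004
               'Microsoft-Windows-AppLocker/MSI and Script' = 8007 }
    foreach ($log in $logs.Keys) {
        Get-WinEvent -FilterHashtable @{LogName=$log; Id=$logs[$log]} `
                     -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData   # assumed element path
            New-Object PSObject -Property @{
                Time = $_.TimeCreated; Log = $log; File = $d.FilePath
                RuleName = $d.RuleName; RuleId = $d.RuleId; User = $d.TargetUser
            }
        }
    }
}

# Rules present in the effective policy but missing locally come from somewhere
# other than secpol.msc/gpedit.msc and are the "hidden" rules to hunt for.
$localIds  = @(Get-AppLockerRuleSummary -Scope Local | ForEach-Object { $_.RuleId })
$hidden    = Get-AppLockerRuleSummary -Scope Effective |
             Where-Object { $localIds -notcontains $_.RuleId }
$hidden | Format-Table Collection, Enforcement, RuleName, RuleId, Action -AutoSize
Get-Service AppIDSvc | Format-Table Name, Status -AutoSize
Get-AppLockerBlockedEvents | Format-Table Time, File, RuleName, RuleId, User -AutoSize
```

If `$hidden` is empty but blocks still occur with a blank RuleName, the enforcement is coming from the collection's default deny rather than from a named rule, so look at the `Enforcement` column for each collection instead of searching for a rule to delete.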