Update 23.08.2010: added workaround to resolve the issue.


Today a customer claimed that AppLocker rules did not work in his environment. He had just created a simple path rule and it did not work. I have investigated this issue and I am able to confirm that AppLocker does not apply path rules to a folder whose name contains non-English letters. Here is an example of how to reproduce this issue. It assumes a default Windows 7 Ultimate/Enterprise installation with C:\Windows as the system root folder.

  1. Log on with local administrator permissions.
  2. On the desktop create a folder whose name contains non-English letters. For example, a folder named Папка (here I use Russian letters) or Mapīte (the word contains Latvian letters). You can copy and paste these names as the folder name.
  3. Copy any executable of your choice to this folder.
  4. Click Start and in the Search programs and files box type Local Security Policy. You should see the Local Security Policy entry; click it. If prompted, confirm or enter your password in the User Account Control prompt.
  5. In the window that opens, select and expand the Application Control Policies node.
  6. Select and expand the AppLocker node.
  7. Select the Executable Rules node.
  8. Right-click the node and select Create Default Rules. This creates the default rules, so you will still be able to run any program in elevated mode.
  9. Find and remove the rule that allows the built-in Administrators group to run anything on the system. Here is an example of the rule:
    [image: the default rule "(Default Rule) All files" for BUILTIN\Administrators]
  10. After that you will be able to run any program in the %systemroot% and %programfiles% folders only. Executables in all other folders will be blocked. (AppLocker enforces rules only while the Application Identity service is running; on a default installation it is set to Manual, so start it from the Services console if nothing gets blocked.) Right-click Executable Rules and click Create New Rule.
  11. The Before You Begin page describes the wizard. Click Next.
  12. On the Permissions page make sure that Action is set to Allow and User or group is set to Everyone (the default values). Click Next.
  13. On the Conditions page switch the radio button to Path and click Next.
  14. On the Path page click Browse Folders. Locate the folder you created on the desktop (usually this is C:\Users\<YourAccountName>\Desktop\) and click OK. On the Path page click Create.
  15. Minimize the MMC console window.
  16. Switch to the desktop and try to run the file. You will get an error saying that the file was blocked.

After this procedure you should be able to run any executable from this folder. However, there is a bug (at least it looks like a bug): if the leaf folder in the rule path contains non-English letters, the rule is not applied by the system and your application is blocked.

Now create another folder on the desktop whose name contains only English letters and create the same rule for this folder (steps 10-16). Any executable in that folder will now start successfully.
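The same comparison can be scripted with the AppLocker PowerShell module instead of the MMC wizard. The following is an added example, not code from the original post: it creates both test folders, builds an AppLocker policy in the same state the wizard leaves after step 10 (default folder rules kept, the Administrators "All files" rule removed) plus one path rule per folder, and evaluates the policy with Test-AppLockerPolicy before optionally enforcing it. It assumes an elevated PowerShell session as a local administrator on Windows 7 Ultimate/Enterprise or later; notepad.exe stands in for "your favorite executable", and the folder names, rule names and the -Apply switch are this example's own choices.

```powershell
# Added example (not from the original post): reproduce the non-English vs.
# English folder comparison with the AppLocker module instead of the wizard.
# Assumptions: elevated PowerShell, local administrator, Windows 7 or later;
# notepad.exe is the test executable; folder names, rule names and the -Apply
# switch are this example's own choices. Save this file as UTF-8 with BOM so
# the Cyrillic folder name is read correctly.
param([switch]$Apply)   # without -Apply the policy is only evaluated, not enforced

Import-Module AppLocker -ErrorAction Stop

$desktop = [Environment]::GetFolderPath('Desktop')
$exe     = Join-Path $env:SystemRoot 'System32\notepad.exe'

# The two test folders from the post: leaf name with Russian letters, and ASCII only.
$tests = @(
    @{ Label = 'NonEnglish'; Path = (Join-Path $desktop 'Папка') },
    @{ Label = 'English';    Path = (Join-Path $desktop 'Folder') }
)
foreach ($t in $tests) {
    New-Item -ItemType Directory -Path $t.Path -Force | Out-Null
    Copy-Item $exe (Join-Path $t.Path 'test.exe') -Force
}

# One Allow rule for Everyone (SID S-1-1-0) with a path condition. The trailing
# "\*" is what the wizard's Browse Folders button produces, so the rule covers
# everything below the folder.
function New-PathRuleXml([string]$Name, [string]$Path) {
    $id = [guid]::NewGuid()
    $p  = [System.Security.SecurityElement]::Escape($Path)
    return @"
    <FilePathRule Id="$id" Name="$Name" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="$p" /></Conditions>
    </FilePathRule>
"@
}

# Policy equal to the state after step 10: the two default folder rules stay,
# the "All files" rule for BUILTIN\Administrators is gone, plus one rule per test folder.
$rules = (New-PathRuleXml 'Windows folder' '%WINDIR%\*') +
         (New-PathRuleXml 'Program Files folder' '%PROGRAMFILES%\*')
foreach ($t in $tests) {
    $rules += New-PathRuleXml "Test: $($t.Label)" "$($t.Path)\*"
}
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
$rules
  </RuleCollection>
</AppLockerPolicy>
"@
$policyFile = Join-Path $env:TEMP 'applocker-nonenglish-test.xml'
Set-Content -Path $policyFile -Value $policyXml -Encoding UTF8

# Evaluate the policy offline against both copies of test.exe for the current
# user (the Administrators rule is gone, so the result is the Everyone result).
# PolicyDecision is Allowed or Denied; compare the two lines.
foreach ($t in $tests) {
    $file = Join-Path $t.Path 'test.exe'
    $r = Test-AppLockerPolicy -XmlPolicy $policyFile -Path $file -User $env:USERNAME
    '{0,-11} {1,-8} {2}' -f $t.Label, $r.PolicyDecision, $r.FilePath
}

if ($Apply) {
    # AppLocker only enforces rules while the Application Identity service runs.
    Start-Service AppIDSvc
    Set-AppLockerPolicy -XmlPolicy $policyFile     # replaces the local policy
    'Policy applied. Run test.exe from both folders to compare. To clean up, apply'
    'a policy file that contains only: <AppLockerPolicy Version="1" />'
}
```

Run it once without -Apply to see the evaluated decision for each file, then with -Apply to enforce the policy and try the two test.exe copies from the desktop, as in step 16. Test-AppLockerPolicy is the check worth keeping in your toolbox whenever a rule misbehaves: it tells you which rule matched (MatchingRule) and what the decision was without touching the live policy, so you can confirm whether the path condition itself is being ignored before you start editing rules in the console.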

If you do not want to keep using AppLocker, return to the minimized MMC console window and select Executable Rules. In the right pane select all rules and press Del. Confirm that you want to delete them and close all open windows.

A workaround to resolve the issue is available: The case of another AppLocker bug (resolved).

HTH

