I have a windows 7 image that appears to be using an applocker ruleset that I'm unable to modify or disable.
Performing the following appears to have no effect on this enforced AppLocker mystery ruleset:
- Disabling the AppIdSvc
- restarting the AppIdSvc
- updating the AppLocker ruleset in the local security policy (this system is not part of the domain)
- Any combination of the above
The above comes from this technet article.
This is the result of using the applocker powershell module:
Import-Module AppLocker
Get-AppLockerPolicy -Effective | Test-AppLockerPolicy -Path c:\TestScript.bat
FilePath PolicyDecision MatchingRule
-------- -------------- ------------
C:\TestScript.bat AllowedByDefault
If I create a wildcard ruleset for scripts or exes, this test changes to Allowed for the policydecision.
However, when actually testing execution, I receive the error This program is blocked by group policy... and there's a corresponding message in the AppLocker event log stating the execution was prevented from running with a blank RuleName and zeroed RuleId.
There also appears to be rules in effect. If I ran the TestScript.bat as an administrator (UAC is on) then the script will execute as expected an an event will be registered stating the execution was allowed with a RuleName of All scripts. This rule likely came from an earlier setup but I can't seem to find it or remove it. how can I remove these hidden rules?
