• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 253
  • Last Modified:

Software Restrictions

I have software restrictions in place (to try and prevent the crypto virus from running).
However I need some apps to be able to run under the %localappdata% folder structure.

From (http://technet.microsoft.com/en-us/library/cc786941(v=ws.10).aspx) it indicates "When there are multiple matching path rules, the most specific matching rule takes precedence."

However that is not what I am seeing.

I have the following to Software Restrictions policies;
1) %LocalAppData%\<App I want to run folder>\*.exe - Unrestricted
2) %LocalAppData%\*\*.exe - Disallowed

(they appear in this order with in the GPO Policy)

When I run an app in <App I Want to Run Folder> it is stopped by policy 2)

If I change policy 1) to actual specify the full executable name, then it is able to run.

However there are several exe files in the App Folder, and I was hopping not to have to specify each app - based on the above article I found.

What am I missing.

  • 3
  • 2
1 Solution
Try 2nd rule as below and check if it works
%LocalAppData%\*.exe - Disallowed

If it still giving problem, then it looks like *.exe is more generic term and actual exe path is more specific in 1st rule causing allow you to run exe files

bmcollisAuthor Commented:
Hi MaheshPM
Thanks for responding.

I actually have your suggestion in place as well, to stop exe files within the %LocalAppData% folder from running.

Rule 2) is meant to stop programs in all folders below %localappdata% from running - which it does.

However there are some programs "installed"/placed in folders below %localappdata% that I need to be able to let run.  I was hopping I could just specify the folder and that would be more specific therefore the program would run.

However the error in the event log indicates that rule 2 is stopping the program from running - Have I discovered a bug???

What is the default security level for software restriction policy
You can set it to disallowed and then make exceptions as appropriate

Please check below PDF file for detailed configuration


Also you can exclude administrators from applying software restrictions policies if wanted to

Just test it 1st prior to deploy in production as it can impact production

bmcollisAuthor Commented:
Hi Mahesh,
Thanks for the link.  I did not see anything in there that referred to my issue, in terms of order and precedence.

I do appreciate you input into this.

But at this point, and without further input I guess I will have to specify the exe files individually rather than just the folder they are in.

I have shared that link so that you might set software restriction policy according to link and you will get the required results

The link will not address your existing issue

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now