After my article on Fairy-Law, where I used kernel mitigations to disable Endpoint Detection & Response (EDR) solutions, diversenok pointed out that IFEO exclusions (Image File Execution Options) were too invasive for third-party applications. This led to a better idea: use the power that administrators already have –> AppLocker.
The idea was inspired by diversenok, who highlighted that administrators can inherently disable any software they want. From that insight, I developed a methodical and system-compliant way of using AppLocker as a legitimate control mechanism. This article focuses on the technical use of AppLocker, comparing it with WDAC.
AppLocker was introduced with Windows 7 and enhanced in Windows 8.1, 10 (Enterprise) and Windows Server 2012/R2/2016+. It is an application whitelisting system that allows administrators to define exactly which executables, scripts, or installers may be run by specific users or groups.
-
AppIDSvc (AppID Service)
- Runs under
LocalService - Detects registry changes to AppLocker policies
- Translates XML-based rules into binary SDDL (Security Descriptor Definition Language)
- Communicates policy changes to the kernel using DeviceIoControl
- Runs under
-
AppID.sys (Kernel Driver)
- Monitors process creation events
- Uses
SeSrpAccessCheckto enforce rules - Optionally checks DLL loads (disabled by default for performance)
AppLocker supports two types of rules:
- Allow Rules: Only defined applications may execute
- Deny Rules: Defined applications are explicitly blocked
- Deny rules take precedence over allow rules.
Additional features:
- Exceptions to both allow/deny rules
- User or group targeting (e.g., only Finance group may run
finance.exe)
- Path-based (e.g.,
C:\\Program Files\\Secure\\*) - Hash-based (SHA256 – blocks tampered files)
- Publisher rules (digital signature, version, product, etc.)
HKLM\\Software\\Policies\\Microsoft\\Windows\\SrpV2(XML, persistent)HKLM\\SYSTEM\\CurrentControlSet\\Control\\Srp\\Gp\\Exe(SDDL, active)
Certificates are cached in
HKLM\\SYSTEM\\CurrentControlSet\\Control\\AppID\\CertStoreand verified regularly.
- Windows notifies AppID driver on process creation
AppID.sysevaluates application attributes- Based on AppLocker rules, it allows or blocks the process
- If blocked, process creation is aborted with
STATUS_ACCESS_DISABLED_BY_POLICY_OTHER
./EDR-AppLocker.ps1 -ExeToBlock "SomePath", "AnotherPath"-
Must be run from an elevated (Administrator) PowerShell console.
-
A system reboot is required after execution to fully block active EDR processes.
With carefully crafted PowerShell-based AppLocker policies, specific EXE files (like EDR binaries) can be reliably blocked.
Real-world example include:
- Blocking SentinelOne:
- Stopped services:
This PowerShell script dynamically builds and applies an AppLocker policy with block rules:
param (
[Parameter(Mandatory = $true)]
[string[]]$ExeToBlock
)
# Validate paths, create dynamic deny rules, apply XML policy
Set-AppLockerPolicy -XmlPolicy $tempPath -ErrorAction Stop
gpupdate /force | Out-Null
A reboot is required to enforce the new AppLocker policy and block active EDR processes.
Windows Defender Application Control (WDAC) was introduced in Windows 10+. It enforces application policies on both user-mode and kernel-mode binaries, including drivers, scripts, and bootloaders.
- Applies to the entire machine, affecting all users
- Loaded before boot, affecting pre-Windows components
- Default deny: everything is blocked unless explicitly allowed
- Based on Code Integrity (CI) policies
Krueger is a proof-of-concept tool showing how WDAC can be misused to block EDR drivers:
- A custom WDAC policy is generated
- It is placed in C:\Windows\System32\CodeIntegrity\
- On reboot, EDR drivers fail to load
AppLocker offers a reliable, system-native way to manage and block application execution. Unlike invasive techniques or kernel manipulation, it provides transparent auditing, user scoping, and policy-level enforcement.