AppLocker incorrectly calculates the hash of certain files at runtime in Windows 7 or in Windows Server 2008 R2

Article ID: 975449

SYMPTOMS

In Windows 7 or in Windows Server 2008 R2, AppLocker may incorrectly calculate the file hash at runtime for specific rare file types. Those files cannot run even though they are explicitly allowed to run by using an AppLocker rule that has a file hash condition. If the AppLocker rule explicitly rejects a file that is affected by this issue, AppLocker does not prevent the file from running.

CAUSE

When you create a file hash rule, AppLocker calculates the file hash and adds this value into the rule configuration. At runtime, AppLocker calculates the hash of the file and matches it with the rule configuration. If the hash matches, AppLocker applies that rule. If AppLocker incorrectly calculates the file hash of some files at runtime, the rule comparison fails.

There is currently one known kind of file that can have this issue:
  • Executable files that have headers larger than 32 kilobytes (KB).
    Currently, the only known kind of executable that has such a large header is a BIOS firmware update utility that contains a real-mode DOS portion used to boot directly into the BIOS for the update.
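The following script is an added example and is not part of this article. It locates executables that match the description above so that they can be moved off hash rules before they fail at runtime. It assumes that the "header" the article refers to is the region counted by the SizeOfHeaders field of the PE optional header (DOS stub, PE signature, file header, optional header and section table), which is the region that an embedded real-mode DOS program enlarges; the folder path is a constructed placeholder.

```powershell
# Added example; not part of the KB article. Assumption: the article's "header"
# is the region measured by the PE optional header field SizeOfHeaders (DOS stub
# + PE signature + file header + optional header + section table), which is what
# a real-mode DOS payload in a BIOS updater inflates. The folder path below is a
# constructed placeholder.

$Threshold = 32KB   # the size named in the article; PowerShell understands the KB suffix

function Get-PeHeaderSize {
    # Returns the SizeOfHeaders value of a PE file, or $null if the file is not a PE image.
    param([Parameter(Mandatory=$true)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # Every PE image starts with the DOS "MZ" signature.
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) { return $null }

    # e_lfanew (offset 0x3C of the DOS header) gives the offset of the "PE\0\0" signature.
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
    # The optional header begins 24 bytes later (4-byte signature + 20-byte file header),
    # and SizeOfHeaders sits at offset 0x3C inside it for both PE32 and PE32+.
    $fieldOffset = $peOffset + 24 + 0x3C
    if ($peOffset -le 0 -or $fieldOffset + 4 -gt $bytes.Length) { return $null }
    if ([BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x00004550) { return $null }

    return [BitConverter]::ToUInt32($bytes, $fieldOffset)
}

# Report every executable under the folder whose header region exceeds the threshold;
# these are the files for which a publisher or path rule should replace the hash rule.
Get-ChildItem -Path 'C:\Tools\FirmwareUpdaters' -Recurse -Include *.exe |   # constructed path
    ForEach-Object {
        $size = Get-PeHeaderSize -Path $_.FullName
        if ($size -ne $null -and $size -gt $Threshold) {
            New-Object PSObject -Property @{ Path = $_.FullName; SizeOfHeaders = $size }
        }
    }
```

The script reads the PE headers directly rather than relying on the AppLocker cmdlets, because the cmdlets report the hash they compute, not the header size that triggers the miscalculation. Files it lists should be reviewed against the existing hash rules; files it does not list are unaffected by this issue.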

RESOLUTION

If you experience this problem, stop using hash rules for those specific files and use path or publisher rules instead.

To convert a hash rule to a publisher rule for a given executable file

Note If the application has not been signed by using a trusted publisher, go to the "To convert a hash rule to a path rule" section.
    • If you use domain-based Group Policy settings, follow these steps:
      • Click Start, type GPMC.MSC in the Start Search box, and then press ENTER to edit your existing AppLocker Group Policy settings.
      • Expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Application Control Policies, expand AppLocker, and then click Executable Rules.
    • If you use local Group Policy settings, follow these steps:
      • Click Start, type GPEDIT.MSC in the Start Search box, and then press ENTER.
      • Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Application Control Policies, expand AppLocker, and then click Executable Rules.
  1. Right-click the rule for the affected executable, and then click Delete.
  2. Right-click Executable Rules, and then click Create New Rule.
  3. On the Permissions page, click to select the Allow or Deny option for users or groups as needed, and then click Next.
  4. On the Conditions page, click to select the Publisher option, and then click Next.
  5. On the Publisher page, browse and select the file, use the slider to select the detail of publisher information to be used, and then click Next.
  6. On the Exceptions page, add exceptions as needed, and then click Next.
  7. On the Name and Description page, enter the required information, and then click Create.
To convert a hash rule to a path rule
    • If you use domain-based Group Policy settings, follow these steps:
      • Click Start, type GPMC.MSC in the Start Search box, and then press ENTER to edit your existing AppLocker Group Policy settings.
      • Expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Application Control Policies, expand AppLocker, and then click Executable Rules.
    • If you use local Group Policy settings, follow these steps:
      • Click Start, type GPEDIT.MSC in the Start Search box, and then press ENTER.
      • Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Application Control Policies, expand AppLocker, and then click Executable Rules.
  1. Right-click the rule for the affected executable, and then click Delete.
  2. Right-click Executable Rules, and then click Create New Rule.
  3. On the Permissions page, click to select the Allow or Deny option for users or groups as needed, and then click Next.
  4. On the Conditions page, click to select the Path option, and then click Next.
  5. On the Publisher page, browse and select the file, use the slider to select the detail of publisher information to be used, and then click Next.
  6. On the Exceptions page, add exceptions as needed, and then click Next.
  7. On the Name and Description page, enter the required information, and then click Create.
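The following script is an added example and is not part of this article. It carries out both procedures above with the AppLocker Windows PowerShell cmdlets instead of the Group Policy editor: it deletes the hash rule for the affected file, creates a publisher rule if the file is signed by a publisher or a path rule if it is not, and then verifies the result. The file path, scratch file path and rule name prefix are constructed placeholders, and the script edits the local policy (the GPEDIT case); for a domain-based policy (the GPMC case), pass the GPO's LDAP path to Get-AppLockerPolicy and Set-AppLockerPolicy with the -Ldap parameter.

```powershell
# Added example; not part of the KB article. It performs the article's two GUI
# procedures with the AppLocker cmdlets: delete the hash rule for the affected
# file, then create a publisher rule if the file is signed or a path rule if it
# is not, and verify the result. Assumptions: the file and scratch paths are
# constructed placeholders, the rule name prefix is arbitrary, and the local
# policy (the GPEDIT case) is edited; for a domain GPO (the GPMC case), pass
# the GPO's LDAP path with -Ldap to Get-AppLockerPolicy and Set-AppLockerPolicy.
Import-Module AppLocker

$Target  = 'C:\Tools\FirmwareUpdaters\BiosUpdate.exe'   # constructed path
$Scratch = 'C:\Temp\AppLockerFix.xml'                   # constructed path

# Step 1: export the local policy and remove every Exe hash rule that was
# generated from the affected file (the article's "Delete" step).
[xml]$policy = Get-AppLockerPolicy -Local -Xml
$fileName = [System.IO.Path]::GetFileName($Target)
$exeRules = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
if ($exeRules -and $exeRules.FileHashRule) {
    foreach ($rule in @($exeRules.FileHashRule)) {
        $source = $rule.Conditions.FileHashCondition.FileHash.SourceFileName
        if ($source -eq $fileName) { [void]$exeRules.RemoveChild($rule) }
    }
}
$policy.Save($Scratch)
Set-AppLockerPolicy -XmlPolicy $Scratch          # replaces the local policy without the hash rule

# Step 2: build the replacement rule. Get-AppLockerFileInformation exposes the
# signature as .Publisher; it is empty for an unsigned file, which the article
# says must get a path rule instead.
$info = Get-AppLockerFileInformation -Path $Target
$ruleType = if ($info.Publisher) { 'Publisher' } else { 'Path' }
New-AppLockerPolicy -FileInformation $info -RuleType $ruleType -User Everyone `
    -RuleNamePrefix 'KB975449' -Xml | Set-Content -Path $Scratch
Set-AppLockerPolicy -XmlPolicy $Scratch -Merge   # add the new rule to the existing policy

# Step 3: confirm that the effective policy now allows the file through the new
# rule rather than through a hash comparison.
Get-AppLockerPolicy -Effective -Xml | Set-Content -Path $Scratch
Test-AppLockerPolicy -XmlPolicy $Scratch -Path $Target -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule
```

The Publisher rule created by New-AppLockerPolicy uses the most specific publisher information available (publisher, product, binary name and version); to match the slider setting chosen in the GUI, loosen the generated rule's BinaryVersionRange or remove the product and binary name attributes in the XML before applying it. The final Test-AppLockerPolicy call should report PolicyDecision of Allowed with the KB975449-prefixed rule as MatchingRule.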

Properties

Article ID: 975449 - Last Review: September 29, 2009 - Revision: 2.0
APPLIES TO
  • Windows 7 Enterprise
  • Windows 7 Ultimate
  • Windows Server 2008 R2 Datacenter
  • Windows Server 2008 R2 Enterprise
  • Windows Server 2008 R2 Standard
Keywords: 
kbtshoot kbexpertisebeginner kbsurveynew kbprb KB975449
