"0x800700C1: not a valid Win32 application" error when you create an AppLocker hash rule for a file in Windows 8, Windows Server 2012, Windows 7, or Windows Server 2008 R2
- Windows 8
- Windows Server 2012
- Windows 7 that has security update MS12-024 installed
- Windows Server 2008 R2 that has security update MS12-024 installed
- Windows can identify content that does not comply with the Authenticode specification in the file. This condition applies to some third-party installers.
- Additional content was added to the file after the signature was applied.
If you decide to continue working with such files, you can create AppLocker path-based rules to control these files.
<AppLockerPolicy Version="1"><RuleCollection Type="Exe" EnforcementMode="Enforced"><FileHashRule Action="Allow" UserOrGroupSid="S-1-1-0" Description="" Name="Allow Calculator" Id="7509591f-7552-4ed0-ac56-7b727cd1f9cf"><Conditions><FileHashCondition><FileHash Type="SHA256" SourceFileLength="53344" SourceFileName="calculator.exe" Data="0x2E8950C38FE3DD02D9F9A012BA9481E7E4704838BB5208E3F7086B6935520A93"/></FileHashCondition> </Conditions></FileHashRule><FilePublisherRule Id="a3ab2d94-c20d-4039-8f2b-6caaff04e816" Name="Deny Contoso" Description="Deny Games" UserOrGroupSid="S-1-1-0" Action="Deny"><Conditions><FilePublisherCondition PublisherName="Contoso" ProductName="Attack of Zombies" BinaryName="*"><BinaryVersionRange LowSection="*" HighSection="*" /> </FilePublisherCondition></Conditions> </FilePublisherRule>……</AppLockerPolicy>In this example, the AppLocker policy has two rules. The first rule ("Allow Calculator") is a hash rule that allows Calculator.exe to run. The second rule ("Deny Contoso") is a publisher rule that blocks any file that belongs to the Attack of Zombies game that is published by Contoso. As both Calculator.exe and Zombies.exe both meet one of the two conditions that were mentioned earlier, Windows Authenticode Signature verification fails. Before you apply MS12-024, Calculator.exe is allowed by the "Allow Calculator" rule, and Zombies.exe is blocked by the "Deny Contoso" rule. However, after you apply MS12-024, AppLocker cannot process the SHA2 Authenticode hash for Calculator.exe and considers Zombies.exe as an unsigned file. Therefore, neither of the rules is triggered, and unexpected behavior occurs.
Article ID: 2749690 - Last Review: 10/31/2012 14:29:00 - Revision: 1.0
- kbprb kbsurveynew kbexpertiseadvanced KB2749690