AppLocker blocks administrators and other high privileged group’s users from executing files on a Windows 7 SP1-based or Windows Server 2008 R2 SP1-based computer

View products that this article applies to.

Symptoms

Consider the following scenario:

You deploy an AppLocker policy together with a default rule on a Windows 7 Service Pack 1 (SP1)-based or Windows Server 2008 R2 SP1-based computer.
The administrative users or other high privileged group’s users can run executable files that are in a whitelist that is defined in AppLocker policy without receiving a User Account Control (UAC) prompt on the computer.
You create a user named "AdminUser" as a member of the Administrators group or other high privileged group.
You use "AdminUser" to run an executable file that is in the whitelist.

In this scenario, you still have to use the Run as Administrator option to run the file. Otherwise, the operation fails, and you receive the following error message:

Your system administrator has blocked this program.

Note For more information about high privileged groups, go to the References section.

↑ Back to the top

Cause

This issue occurs because the Administrators security identifier in the user's access token is disabled by UAC.

↑ Back to the top

Resolution

Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem.

If the hotfix is available for download, there is a "Hotfix Download Available" section at the top of this Knowledge Base article. If this section does not appear, submit a request to Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft website:

http://support.microsoft.com/contactus/?ws=support

Note The "Hotfix Download Available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

To apply this hotfix, you must be running Windows 7 SP1 or Windows Server 2008 R2 SP1. For more information about how to obtain a Windows 7 or Windows Server 2008 R2 service pack, click the following article number to view the article in the Microsoft Knowledge Base:

976932 Information about Service Pack 1 for Windows 7 and for Windows Server 2008 R2

Registry information

To use the update in this package, you do not have to make any changes to the registry.

Restart requirement

You do not have to restart the computer after you apply this update.

Update replacement information

This update does not replace a previously released update.

File information

The global version of this update installs files that have the attributes that are listed in the following tables. The dates and the times for these files are listed in Coordinated Universal Time (UTC). The dates and the times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias. Additionally, the dates and the times may change when you perform certain operations on the files

Windows 7 and Windows Server 2008 R2 file information notes

Important Windows 7 hotfixes and Windows Server 2008 R2 hotfixes are included in the same packages. However, hotfixes on the Hotfix Request page are listed under both operating systems. To request the hotfix package that applies to one or both operating systems, select the hotfix that is listed under "Windows 7/Windows Server 2008 R2" on the page. Always refer to the "Applies To" section in articles to determine the actual operating system that each hotfix applies to.

The files that apply to a specific product, milestone (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table:
Version Product Milestone Service branch
6.1.760
1.22xxx Windows 7 and Windows Server 2008 R2 SP1 LDR
GDR service branches contain only those fixes that are widely released to address widespread, critical issues. LDR service branches contain hotfixes in addition to widely released fixes.
The MANIFEST files (.manifest) and the MUM files (.mum) that are installed for each environment are listed separately in the "Additional file information for Windows 7 and for Windows Server 2008 R2" section. MUM and MANIFEST files, and the associated security catalog (.cat) files, are critical to maintaining the state of the updated component. The security catalog files, for which the attributes are not listed, are signed with a Microsoft digital signature.

Version	Product	Milestone	Service branch
6.1.760 1.22xxx	Windows 7 and Windows Server 2008 R2	SP1	LDR

For all supported x86-based versions of Windows 7 SP1 and Windows Server 2008 R2 SP1

File name	File version	File size	Date	Time	Platform
Appid-ppdlic.xrm-ms	Not applicable	3,013	12-Jul-2013	11:27	Not applicable
Appid.sys	6.1.7601.22382	50,176	12-Jul-2013	09:41	x86
Appidapi.dll	6.1.7601.22382	50,688	12-Jul-2013	11:01	x86
Appidcertstorecheck.exe	6.1.7601.22382	16,896	12-Jul-2013	09:41	x86
Appidpolicyconverter.exe	6.1.7601.22382	97,792	12-Jul-2013	09:41	x86
Appidsvc.dll	6.1.7601.22382	29,696	12-Jul-2013	09:41	x86
Csrsrv.dll	6.1.7601.22382	38,912	12-Jul-2013	11:02	x86
Ntkrnlpa.exe	6.1.7601.22382	3,973,056	12-Jul-2013	11:12	Not applicable
Ntoskrnl.exe	6.1.7601.22382	3,917,760	12-Jul-2013	11:12	Not applicable
Apisetschema.dll	6.1.7601.22382	6,656	12-Jul-2013	11:01	x86
Smss.exe	6.1.7601.22382	69,632	12-Jul-2013	09:17	x86
Apisetschema.dll	6.1.7601.22382	6,656	12-Jul-2013	11:01	x86
Smss.exe	6.1.7601.22382	69,632	12-Jul-2013	09:17	x86

For all supported x64-based versions of Windows 7 SP1 and Windows Server 2008 R2 SP1

File name	File version	File size	Date	Time	Platform
Appid-ppdlic.xrm-ms	Not applicable	3,013	12-Jul-2013	12:21	Not applicable
Appid.sys	6.1.7601.22382	61,952	12-Jul-2013	10:15	x64
Appidapi.dll	6.1.7601.22382	58,368	12-Jul-2013	11:58	x64
Appidcertstorecheck.exe	6.1.7601.22382	17,920	12-Jul-2013	10:15	x64
Appidpolicyconverter.exe	6.1.7601.22382	148,480	12-Jul-2013	10:15	x64
Appidsvc.dll	6.1.7601.22382	34,304	12-Jul-2013	11:58	x64
Csrsrv.dll	6.1.7601.22382	43,520	12-Jul-2013	11:58	x64
Ntoskrnl.exe	6.1.7601.22382	5,554,112	12-Jul-2013	12:07	x64
Apisetschema.dll	6.1.7601.22382	6,656	12-Jul-2013	11:58	x64
Smss.exe	6.1.7601.22382	112,640	12-Jul-2013	09:34	x64
Apisetschema.dll	6.1.7601.22382	6,656	12-Jul-2013	11:58	x64
Smss.exe	6.1.7601.22382	112,640	12-Jul-2013	09:34	x64
Appidapi.dll	6.1.7601.22382	50,688	12-Jul-2013	11:01	x86
Apisetschema.dll	6.1.7601.22382	6,656	12-Jul-2013	11:01	x86
Apisetschema.dll	6.1.7601.22382	6,656	12-Jul-2013	11:01	x86
Ntkrnlpa.exe	6.1.7601.22382	3,973,056	12-Jul-2013	11:12	Not applicable
Ntoskrnl.exe	6.1.7601.22382	3,917,760	12-Jul-2013	11:12	Not applicable

For all supported IA-64-based versions of Windows 7 SP1 and Windows Server 2008 R2 SP1

File name	File version	File size	Date	Time	Platform
Appid-ppdlic.xrm-ms	Not applicable	3,013	12-Jul-2013	11:26	Not applicable
Appid.sys	6.1.7601.22382	131,584	12-Jul-2013	09:46	IA-64
Appidapi.dll	6.1.7601.22382	116,736	12-Jul-2013	11:01	IA-64
Appidcertstorecheck.exe	6.1.7601.22382	39,424	12-Jul-2013	09:46	IA-64
Appidpolicyconverter.exe	6.1.7601.22382	282,624	12-Jul-2013	09:46	IA-64
Appidsvc.dll	6.1.7601.22382	74,240	12-Jul-2013	11:01	IA-64
Csrsrv.dll	6.1.7601.22382	94,720	12-Jul-2013	11:02	IA-64
Ntoskrnl.exe	6.1.7601.22382	11,125,696	12-Jul-2013	11:09	IA-64
Apisetschema.dll	6.1.7601.22382	6,656	12-Jul-2013	11:01	IA-64
Smss.exe	6.1.7601.22382	207,872	12-Jul-2013	09:03	IA-64
Appidapi.dll	6.1.7601.22382	50,688	12-Jul-2013	11:01	x86
Apisetschema.dll	6.1.7601.22382	6,656	12-Jul-2013	11:01	x86
Ntkrnlpa.exe	6.1.7601.22382	3,973,056	12-Jul-2013	11:12	Not applicable
Ntoskrnl.exe	6.1.7601.22382	3,917,760	12-Jul-2013	11:12	Not applicable

↑ Back to the top

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

↑ Back to the top

More Information

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:

824684 Description of the standard terminology that is used to describe Microsoft software updates

For more information about this issue, click the following article number to view the article in the Microsoft Knowledge Base:

2393659 A DHCP client computer that has multiple network adapters and that is running Windows 7 or Windows Server 2008 R2 cannot renew a DHCP lease when the computer wakes

Additional file information

Additional file information for Windows 7 SP1 and Windows Server 2008 R2 SP1

Additional files for all supported x86-based versions of Windows 7 SP1 and Windows Server 2008 R2 SP1

File name	X86_a85517db085d7e0160de4527953f69ac_31bf3856ad364e35_6.1.7601.22382_none_a002d4b24763031b.manifest
File version	Not applicable
File size	1,371
Date (UTC)	12-Jul-2013
Time (UTC)	17:57
Platform	Not applicable

File name	X86_db34bfe1b9ed65c605081ab9a41cf0e4_31bf3856ad364e35_6.1.7601.22382_none_20566ae144045c30.manifest
File version	Not applicable
File size	1,371
Date (UTC)	12-Jul-2013
Time (UTC)	17:57
Platform	Not applicable

File name	X86_f72ecdbe89b4b8b71020ec805874dd44_31bf3856ad364e35_6.1.7601.22382_none_56c3a1c5ece9367e.manifest
File version	Not applicable
File size	693
Date (UTC)	12-Jul-2013
Time (UTC)	17:57
Platform	Not applicable

File name	X86_f9aaf4699f5c880149f5410b573be240_31bf3856ad364e35_6.1.7601.22382_none_9f29d4ed00adcadc.manifest
File version	Not applicable
File size	1,708
Date (UTC)	12-Jul-2013
Time (UTC)	17:57
Platform	Not applicable

File name	X86_microsoft-windows-appid_31bf3856ad364e35_6.1.7601.22382_none_598f4a8029c1b7f0.manifest
File version	Not applicable
File size	15,313
Date (UTC)	12-Jul-2013
Time (UTC)	11:35
Platform	Not applicable

File name	X86_microsoft-windows-csrsrv_31bf3856ad364e35_6.1.7601.22382_none_cbca713a1cf80db3.manifest
File version	Not applicable
File size	2,513
Date (UTC)	12-Jul-2013
Time (UTC)	11:42
Platform	Not applicable

File name	X86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.22382_none_6e739bd52bbd7e52.manifest
File version	Not applicable
File size	16,151
Date (UTC)	12-Jul-2013
Time (UTC)	11:43
Platform	Not applicable

File name	X86_microsoft-windows-smss_31bf3856ad364e35_6.1.7601.22382_none_ae7de23190cc0ba4.manifest
File version	Not applicable
File size	26,386
Date (UTC)	12-Jul-2013
Time (UTC)	11:43
Platform	Not applicable

File name	X86_microsoft-windows-smss_31bf3856ad364e35_7.1.7601.22382_none_9fee5e771bb2b473.manifest
File version	Not applicable
File size	26,420
Date (UTC)	12-Jul-2013
Time (UTC)	11:40
Platform	Not applicable

Additional files for all supported x64-based versions of Windows 7 SP1 and Windows Server 2008 R2 SP1

File name	Amd64_3f341f1cecf6bacc07f28cc34d8ae3e8_31bf3856ad364e35_6.1.7601.22382_none_abb31ca052fe7577.manifest
File version	Not applicable
File size	2,398
Date (UTC)	12-Jul-2013
Time (UTC)	17:57
Platform	Not applicable

File name	Amd64_4c4bca4fef87de6da096460893dfefdf_31bf3856ad364e35_6.1.7601.22382_none_dff78deaeb841302.manifest
File version	Not applicable
File size	698
Date (UTC)	12-Jul-2013
Time (UTC)	17:57
Platform	Not applicable

File name	Amd64_7186cfc56eadcab0599b2bbf66a2af51_31bf3856ad364e35_6.1.7601.22382_none_0340f223d5f23fc9.manifest
File version	Not applicable
File size	1,379
Date (UTC)	12-Jul-2013
Time (UTC)	17:57
Platform	Not applicable

File name	Amd64_8203ee238aa12df69d3cb117538ba8e9_31bf3856ad364e35_6.1.7601.22382_none_04c073991fa9d735.manifest
File version	Not applicable
File size	1,377
Date (UTC)	12-Jul-2013
Time (UTC)	17:57
Platform	Not applicable

File name	Amd64_9bda798937d564259435a6b8d79213bf_31bf3856ad364e35_6.1.7601.22382_none_f8a8a99b4ff205ac.manifest
File version	Not applicable
File size	1,036
Date (UTC)	12-Jul-2013
Time (UTC)	17:57
Platform	Not applicable

File name	Amd64_b42b7248a3416da9e7df88092f7db54d_31bf3856ad364e35_6.1.7601.22382_none_62b059cf7803febe.manifest
File version	Not applicable
File size	1,717
Date (UTC)	12-Jul-2013
Time (UTC)	17:57
Platform	Not applicable

File name	Amd64_microsoft-windows-appid_31bf3856ad364e35_6.1.7601.22382_none_b5ade603e21f2926.manifest
File version	Not applicable
File size	15,317
Date (UTC)	12-Jul-2013
Time (UTC)	12:29
Platform	Not applicable

File name	Amd64_microsoft-windows-csrsrv_31bf3856ad364e35_6.1.7601.22382_none_27e90cbdd5557ee9.manifest
File version	Not applicable
File size	2,515
Date (UTC)	12-Jul-2013
Time (UTC)	12:34
Platform	Not applicable

File name	Amd64_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.22382_none_ca923758e41aef88.manifest
File version	Not applicable
File size	15,291
Date (UTC)	12-Jul-2013
Time (UTC)	12:37
Platform	Not applicable

File name	Amd64_microsoft-windows-smss_31bf3856ad364e35_6.1.7601.22382_none_0a9c7db549297cda.manifest
File version	Not applicable
File size	26,679
Date (UTC)	12-Jul-2013
Time (UTC)	12:36
Platform	Not applicable

File name	Amd64_microsoft-windows-smss_31bf3856ad364e35_7.1.7601.22382_none_fc0cf9fad41025a9.manifest
File version	Not applicable
File size	26,713
Date (UTC)	12-Jul-2013
Time (UTC)	12:30
Platform	Not applicable

File name	Wow64_microsoft-windows-appid_31bf3856ad364e35_6.1.7601.22382_none_c0029056167feb21.manifest
File version	Not applicable
File size	3,356
Date (UTC)	12-Jul-2013
Time (UTC)	11:21
Platform	Not applicable

File name	Wow64_microsoft-windows-csrsrv_31bf3856ad364e35_6.1.7601.22382_none_323db71009b640e4.manifest
File version	Not applicable
File size	1,136
Date (UTC)	12-Jul-2013
Time (UTC)	11:20
Platform	Not applicable

File name	Wow64_microsoft-windows-smss_31bf3856ad364e35_6.1.7601.22382_none_14f128077d8a3ed5.manifest
File version	Not applicable
File size	8,429
Date (UTC)	12-Jul-2013
Time (UTC)	11:21
Platform	Not applicable

File name	Wow64_microsoft-windows-smss_31bf3856ad364e35_7.1.7601.22382_none_0661a44d0870e7a4.manifest
File version	Not applicable
File size	8,429
Date (UTC)	12-Jul-2013
Time (UTC)	11:21
Platform	Not applicable

File name	X86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.22382_none_6e739bd52bbd7e52.manifest
File version	Not applicable
File size	16,151
Date (UTC)	12-Jul-2013
Time (UTC)	11:43
Platform	Not applicable

Additional files for all supported IA-64-based versions of Windows 7 SP1 and Windows Server 2008 R2 SP1

File name	Ia64_a1203830cffff57adbbb9de8561128e6_31bf3856ad364e35_6.1.7601.22382_none_a0143c08321a5211.manifest
File version	Not applicable
File size	3,071
Date (UTC)	12-Jul-2013
Time (UTC)	17:57
Platform	Not applicable

File name	Ia64_microsoft-windows-appid_31bf3856ad364e35_6.1.7601.22382_none_5990ee7629bfc0ec.manifest
File version	Not applicable
File size	15,315
Date (UTC)	12-Jul-2013
Time (UTC)	11:33
Platform	Not applicable

File name	Ia64_microsoft-windows-csrsrv_31bf3856ad364e35_6.1.7601.22382_none_cbcc15301cf616af.manifest
File version	Not applicable
File size	2,514
Date (UTC)	12-Jul-2013
Time (UTC)	11:36
Platform	Not applicable

File name	Ia64_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.22382_none_6e753fcb2bbb874e.manifest
File version	Not applicable
File size	15,289
Date (UTC)	12-Jul-2013
Time (UTC)	11:37
Platform	Not applicable

File name	Ia64_microsoft-windows-smss_31bf3856ad364e35_6.1.7601.22382_none_ae7f862790ca14a0.manifest
File version	Not applicable
File size	26,675
Date (UTC)	12-Jul-2013
Time (UTC)	11:37
Platform	Not applicable

File name	Wow64_microsoft-windows-appid_31bf3856ad364e35_6.1.7601.22382_none_c0029056167feb21.manifest
File version	Not applicable
File size	3,356
Date (UTC)	12-Jul-2013
Time (UTC)	11:21
Platform	Not applicable

File name	Wow64_microsoft-windows-csrsrv_31bf3856ad364e35_6.1.7601.22382_none_323db71009b640e4.manifest
File version	Not applicable
File size	1,136
Date (UTC)	12-Jul-2013
Time (UTC)	11:20
Platform	Not applicable

File name	Wow64_microsoft-windows-smss_31bf3856ad364e35_6.1.7601.22382_none_14f128077d8a3ed5.manifest
File version	Not applicable
File size	8,429
Date (UTC)	12-Jul-2013
Time (UTC)	11:21
Platform	Not applicable

File name	X86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.22382_none_6e739bd52bbd7e52.manifest
File version	Not applicable
File size	16,151
Date (UTC)	12-Jul-2013
Time (UTC)	11:43
Platform	Not applicable

↑ Back to the top

References

For more information about how to use AppLocker, go to the following TechNet website:

How to use AppLocker

The following groups are considered to be high privileged groups:

Built-In Administrators
Power Users
Account Operators
Server Operators
Printer Operators
Backup Operators
RAS Servers Group
Windows NT 4.0 App Compat Group
Network Configuration Operators
Domain Administrators
Domain Controllers
Certificate Publishers
Schema Administrators
Enterprise Administrators
Group Policy Administrators

↑ Back to the top

Applies to:

↑ Back to the top

Keywords: kb, kbautohotfix, kbqfe, kbhotfixserver, kbfix, kbsurveynew, kbexpertiseadvanced

↑ Back to the top

Article Info

Article ID	:	2862565
Revision	:	1
Created on	:	1/7/2017
Published on	:	9/10/2013
Exists online	:	False
Views	:	267

Microsoft KB Archive Search

AppLocker blocks administrators and other high privileged group’s users from executing files on a Windows 7 SP1-based or Windows Server 2008 R2 SP1-based computer

Symptoms

Cause

Resolution

Hotfix information

Prerequisites

Registry information

Restart requirement

Update replacement information

Windows 7 and Windows Server 2008 R2 file information notes

For all supported x86-based versions of Windows 7 SP1 and Windows Server 2008 R2 SP1

For all supported x64-based versions of Windows 7 SP1 and Windows Server 2008 R2 SP1

For all supported IA-64-based versions of Windows 7 SP1 and Windows Server 2008 R2 SP1

Status

More Information

Additional file information

Additional files for all supported x86-based versions of Windows 7 SP1 and Windows Server 2008 R2 SP1

Additional files for all supported x64-based versions of Windows 7 SP1 and Windows Server 2008 R2 SP1

Additional files for all supported IA-64-based versions of Windows 7 SP1 and Windows Server 2008 R2 SP1

References

Applies to: