Microsoft KB Archive Search

Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

  1. Home
  2. AppLocker blocks administrators and other high privileged group’s users from executing files on a Windows 7 SP1-based or Windows Server 2008 R2 SP1-based computer

AppLocker blocks administrators and other high privileged group’s users from executing files on a Windows 7 SP1-based or Windows Server 2008 R2 SP1-based computer

View products that this article applies to.

Symptoms


Consider the following scenario:
  • You deploy an AppLocker policy together with a default rule on a Windows 7 Service Pack 1 (SP1)-based or Windows Server 2008 R2 SP1-based computer.
  • The administrative users or other high privileged group’s users can run executable files that are in a whitelist that is defined in AppLocker policy without receiving a User Account Control (UAC) prompt on the computer.
  • You create a user named "AdminUser" as a member of the Administrators group or other high privileged group.
  • You use "AdminUser" to run an executable file that is in the whitelist.
In this scenario, you still have to use the Run as Administrator option to run the file. Otherwise, the operation fails, and you receive the following error message:
Your system administrator has blocked this program.
Note For more information about high privileged groups, go to the References section.

↑ Back to the top

Cause

This issue occurs because the Administrators security identifier in the user's access token is disabled by UAC.

↑ Back to the top

Resolution

Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem.

If the hotfix is available for download, there is a "Hotfix Download Available" section at the top of this Knowledge Base article. If this section does not appear, submit a request to Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft website:
http://support.microsoft.com/contactus/?ws=support
Note The "Hotfix Download Available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

To apply this hotfix, you must be running Windows 7 SP1 or Windows Server 2008 R2 SP1. For more information about how to obtain a Windows 7 or Windows Server 2008 R2 service pack, click the following article number to view the article in the Microsoft Knowledge Base:
976932 Information about Service Pack 1 for Windows 7 and for Windows Server 2008 R2

Registry information

To use the update in this package, you do not have to make any changes to the registry.

Restart requirement

You do not have to restart the computer after you apply this update.

Update replacement information

This update does not replace a previously released update.
File information
The global version of this update installs files that have the attributes that are listed in the following tables. The dates and the times for these files are listed in Coordinated Universal Time (UTC). The dates and the times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias. Additionally, the dates and the times may change when you perform certain operations on the files

Windows 7 and Windows Server 2008 R2 file information notes
Important Windows 7 hotfixes and Windows Server 2008 R2 hotfixes are included in the same packages. However, hotfixes on the Hotfix Request page are listed under both operating systems. To request the hotfix package that applies to one or both operating systems, select the hotfix that is listed under "Windows 7/Windows Server 2008 R2" on the page. Always refer to the "Applies To" section in articles to determine the actual operating system that each hotfix applies to.
  • The files that apply to a specific product, milestone (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table:
    VersionProductMilestoneService branch
    6.1.760
    1.22xxx    		Windows 7 and Windows Server 2008 R2SP1LDR
  • GDR service branches contain only those fixes that are widely released to address widespread, critical issues. LDR service branches contain hotfixes in addition to widely released fixes.
  • The MANIFEST files (.manifest) and the MUM files (.mum) that are installed for each environment are listed separately in the "Additional file information for Windows 7 and for Windows Server 2008 R2" section. MUM and MANIFEST files, and the associated security catalog (.cat) files, are critical to maintaining the state of the updated component. The security catalog files, for which the attributes are not listed, are signed with a Microsoft digital signature.
For all supported x86-based versions of Windows 7 SP1 and Windows Server 2008 R2 SP1
File nameFile versionFile sizeDateTimePlatform
Appid-ppdlic.xrm-msNot applicable3,01312-Jul-201311:27Not applicable
Appid.sys6.1.7601.2238250,17612-Jul-201309:41x86
Appidapi.dll6.1.7601.2238250,68812-Jul-201311:01x86
Appidcertstorecheck.exe6.1.7601.2238216,89612-Jul-201309:41x86
Appidpolicyconverter.exe6.1.7601.2238297,79212-Jul-201309:41x86
Appidsvc.dll6.1.7601.2238229,69612-Jul-201309:41x86
Csrsrv.dll6.1.7601.2238238,91212-Jul-201311:02x86
Ntkrnlpa.exe6.1.7601.223823,973,05612-Jul-201311:12Not applicable
Ntoskrnl.exe6.1.7601.223823,917,76012-Jul-201311:12Not applicable
Apisetschema.dll6.1.7601.223826,65612-Jul-201311:01x86
Smss.exe6.1.7601.2238269,63212-Jul-201309:17x86
Apisetschema.dll6.1.7601.223826,65612-Jul-201311:01x86
Smss.exe6.1.7601.2238269,63212-Jul-201309:17x86
For all supported x64-based versions of Windows 7 SP1 and Windows Server 2008 R2 SP1
File nameFile versionFile sizeDateTimePlatform
Appid-ppdlic.xrm-msNot applicable3,01312-Jul-201312:21Not applicable
Appid.sys6.1.7601.2238261,95212-Jul-201310:15x64
Appidapi.dll6.1.7601.2238258,36812-Jul-201311:58x64
Appidcertstorecheck.exe6.1.7601.2238217,92012-Jul-201310:15x64
Appidpolicyconverter.exe6.1.7601.22382148,48012-Jul-201310:15x64
Appidsvc.dll6.1.7601.2238234,30412-Jul-201311:58x64
Csrsrv.dll6.1.7601.2238243,52012-Jul-201311:58x64
Ntoskrnl.exe6.1.7601.223825,554,11212-Jul-201312:07x64
Apisetschema.dll6.1.7601.223826,65612-Jul-201311:58x64
Smss.exe6.1.7601.22382112,64012-Jul-201309:34x64
Apisetschema.dll6.1.7601.223826,65612-Jul-201311:58x64
Smss.exe6.1.7601.22382112,64012-Jul-201309:34x64
Appidapi.dll6.1.7601.2238250,68812-Jul-201311:01x86
Apisetschema.dll6.1.7601.223826,65612-Jul-201311:01x86
Apisetschema.dll6.1.7601.223826,65612-Jul-201311:01x86
Ntkrnlpa.exe6.1.7601.223823,973,05612-Jul-201311:12Not applicable
Ntoskrnl.exe6.1.7601.223823,917,76012-Jul-201311:12Not applicable
For all supported IA-64-based versions of Windows 7 SP1 and Windows Server 2008 R2 SP1
File nameFile versionFile sizeDateTimePlatform
Appid-ppdlic.xrm-msNot applicable3,01312-Jul-201311:26Not applicable
Appid.sys6.1.7601.22382131,58412-Jul-201309:46IA-64
Appidapi.dll6.1.7601.22382116,73612-Jul-201311:01IA-64
Appidcertstorecheck.exe6.1.7601.2238239,42412-Jul-201309:46IA-64
Appidpolicyconverter.exe6.1.7601.22382282,62412-Jul-201309:46IA-64
Appidsvc.dll6.1.7601.2238274,24012-Jul-201311:01IA-64
Csrsrv.dll6.1.7601.2238294,72012-Jul-201311:02IA-64
Ntoskrnl.exe6.1.7601.2238211,125,69612-Jul-201311:09IA-64
Apisetschema.dll6.1.7601.223826,65612-Jul-201311:01IA-64
Smss.exe6.1.7601.22382207,87212-Jul-201309:03IA-64
Appidapi.dll6.1.7601.2238250,68812-Jul-201311:01x86
Apisetschema.dll6.1.7601.223826,65612-Jul-201311:01x86
Ntkrnlpa.exe6.1.7601.223823,973,05612-Jul-201311:12Not applicable
Ntoskrnl.exe6.1.7601.223823,917,76012-Jul-201311:12Not applicable

↑ Back to the top

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

↑ Back to the top

More Information

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates
For more information about this issue, click the following article number to view the article in the Microsoft Knowledge Base:
2393659 A DHCP client computer that has multiple network adapters and that is running Windows 7 or Windows Server 2008 R2 cannot renew a DHCP lease when the computer wakes

Additional file information

Additional file information for Windows 7 SP1 and Windows Server 2008 R2 SP1
Additional files for all supported x86-based versions of Windows 7 SP1 and Windows Server 2008 R2 SP1
File nameX86_a85517db085d7e0160de4527953f69ac_31bf3856ad364e35_6.1.7601.22382_none_a002d4b24763031b.manifest
File versionNot applicable
File size1,371
Date (UTC)12-Jul-2013
Time (UTC)17:57
PlatformNot applicable
File nameX86_db34bfe1b9ed65c605081ab9a41cf0e4_31bf3856ad364e35_6.1.7601.22382_none_20566ae144045c30.manifest
File versionNot applicable
File size1,371
Date (UTC)12-Jul-2013
Time (UTC)17:57
PlatformNot applicable
File nameX86_f72ecdbe89b4b8b71020ec805874dd44_31bf3856ad364e35_6.1.7601.22382_none_56c3a1c5ece9367e.manifest
File versionNot applicable
File size693
Date (UTC)12-Jul-2013
Time (UTC)17:57
PlatformNot applicable
File nameX86_f9aaf4699f5c880149f5410b573be240_31bf3856ad364e35_6.1.7601.22382_none_9f29d4ed00adcadc.manifest
File versionNot applicable
File size1,708
Date (UTC)12-Jul-2013
Time (UTC)17:57
PlatformNot applicable
File nameX86_microsoft-windows-appid_31bf3856ad364e35_6.1.7601.22382_none_598f4a8029c1b7f0.manifest
File versionNot applicable
File size15,313
Date (UTC)12-Jul-2013
Time (UTC)11:35
PlatformNot applicable
File nameX86_microsoft-windows-csrsrv_31bf3856ad364e35_6.1.7601.22382_none_cbca713a1cf80db3.manifest
File versionNot applicable
File size2,513
Date (UTC)12-Jul-2013
Time (UTC)11:42
PlatformNot applicable
File nameX86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.22382_none_6e739bd52bbd7e52.manifest
File versionNot applicable
File size16,151
Date (UTC)12-Jul-2013
Time (UTC)11:43
PlatformNot applicable
File nameX86_microsoft-windows-smss_31bf3856ad364e35_6.1.7601.22382_none_ae7de23190cc0ba4.manifest
File versionNot applicable
File size26,386
Date (UTC)12-Jul-2013
Time (UTC)11:43
PlatformNot applicable
File nameX86_microsoft-windows-smss_31bf3856ad364e35_7.1.7601.22382_none_9fee5e771bb2b473.manifest
File versionNot applicable
File size26,420
Date (UTC)12-Jul-2013
Time (UTC)11:40
PlatformNot applicable
Additional files for all supported x64-based versions of Windows 7 SP1 and Windows Server 2008 R2 SP1
File nameAmd64_3f341f1cecf6bacc07f28cc34d8ae3e8_31bf3856ad364e35_6.1.7601.22382_none_abb31ca052fe7577.manifest
File versionNot applicable
File size2,398
Date (UTC)12-Jul-2013
Time (UTC)17:57
PlatformNot applicable
File nameAmd64_4c4bca4fef87de6da096460893dfefdf_31bf3856ad364e35_6.1.7601.22382_none_dff78deaeb841302.manifest
File versionNot applicable
File size698
Date (UTC)12-Jul-2013
Time (UTC)17:57
PlatformNot applicable
File nameAmd64_7186cfc56eadcab0599b2bbf66a2af51_31bf3856ad364e35_6.1.7601.22382_none_0340f223d5f23fc9.manifest
File versionNot applicable
File size1,379
Date (UTC)12-Jul-2013
Time (UTC)17:57
PlatformNot applicable
File nameAmd64_8203ee238aa12df69d3cb117538ba8e9_31bf3856ad364e35_6.1.7601.22382_none_04c073991fa9d735.manifest
File versionNot applicable
File size1,377
Date (UTC)12-Jul-2013
Time (UTC)17:57
PlatformNot applicable
File nameAmd64_9bda798937d564259435a6b8d79213bf_31bf3856ad364e35_6.1.7601.22382_none_f8a8a99b4ff205ac.manifest
File versionNot applicable
File size1,036
Date (UTC)12-Jul-2013
Time (UTC)17:57
PlatformNot applicable
File nameAmd64_b42b7248a3416da9e7df88092f7db54d_31bf3856ad364e35_6.1.7601.22382_none_62b059cf7803febe.manifest
File versionNot applicable
File size1,717
Date (UTC)12-Jul-2013
Time (UTC)17:57
PlatformNot applicable
File nameAmd64_microsoft-windows-appid_31bf3856ad364e35_6.1.7601.22382_none_b5ade603e21f2926.manifest
File versionNot applicable
File size15,317
Date (UTC)12-Jul-2013
Time (UTC)12:29
PlatformNot applicable
File nameAmd64_microsoft-windows-csrsrv_31bf3856ad364e35_6.1.7601.22382_none_27e90cbdd5557ee9.manifest
File versionNot applicable
File size2,515
Date (UTC)12-Jul-2013
Time (UTC)12:34
PlatformNot applicable
File nameAmd64_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.22382_none_ca923758e41aef88.manifest
File versionNot applicable
File size15,291
Date (UTC)12-Jul-2013
Time (UTC)12:37
PlatformNot applicable
File nameAmd64_microsoft-windows-smss_31bf3856ad364e35_6.1.7601.22382_none_0a9c7db549297cda.manifest
File versionNot applicable
File size26,679
Date (UTC)12-Jul-2013
Time (UTC)12:36
PlatformNot applicable
File nameAmd64_microsoft-windows-smss_31bf3856ad364e35_7.1.7601.22382_none_fc0cf9fad41025a9.manifest
File versionNot applicable
File size26,713
Date (UTC)12-Jul-2013
Time (UTC)12:30
PlatformNot applicable
File nameWow64_microsoft-windows-appid_31bf3856ad364e35_6.1.7601.22382_none_c0029056167feb21.manifest
File versionNot applicable
File size3,356
Date (UTC)12-Jul-2013
Time (UTC)11:21
PlatformNot applicable
File nameWow64_microsoft-windows-csrsrv_31bf3856ad364e35_6.1.7601.22382_none_323db71009b640e4.manifest
File versionNot applicable
File size1,136
Date (UTC)12-Jul-2013
Time (UTC)11:20
PlatformNot applicable
File nameWow64_microsoft-windows-smss_31bf3856ad364e35_6.1.7601.22382_none_14f128077d8a3ed5.manifest
File versionNot applicable
File size8,429
Date (UTC)12-Jul-2013
Time (UTC)11:21
PlatformNot applicable
File nameWow64_microsoft-windows-smss_31bf3856ad364e35_7.1.7601.22382_none_0661a44d0870e7a4.manifest
File versionNot applicable
File size8,429
Date (UTC)12-Jul-2013
Time (UTC)11:21
PlatformNot applicable
File nameX86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.22382_none_6e739bd52bbd7e52.manifest
File versionNot applicable
File size16,151
Date (UTC)12-Jul-2013
Time (UTC)11:43
PlatformNot applicable
Additional files for all supported IA-64-based versions of Windows 7 SP1 and Windows Server 2008 R2 SP1
File nameIa64_a1203830cffff57adbbb9de8561128e6_31bf3856ad364e35_6.1.7601.22382_none_a0143c08321a5211.manifest
File versionNot applicable
File size3,071
Date (UTC)12-Jul-2013
Time (UTC)17:57
PlatformNot applicable
File nameIa64_microsoft-windows-appid_31bf3856ad364e35_6.1.7601.22382_none_5990ee7629bfc0ec.manifest
File versionNot applicable
File size15,315
Date (UTC)12-Jul-2013
Time (UTC)11:33
PlatformNot applicable
File nameIa64_microsoft-windows-csrsrv_31bf3856ad364e35_6.1.7601.22382_none_cbcc15301cf616af.manifest
File versionNot applicable
File size2,514
Date (UTC)12-Jul-2013
Time (UTC)11:36
PlatformNot applicable
File nameIa64_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.22382_none_6e753fcb2bbb874e.manifest
File versionNot applicable
File size15,289
Date (UTC)12-Jul-2013
Time (UTC)11:37
PlatformNot applicable
File nameIa64_microsoft-windows-smss_31bf3856ad364e35_6.1.7601.22382_none_ae7f862790ca14a0.manifest
File versionNot applicable
File size26,675
Date (UTC)12-Jul-2013
Time (UTC)11:37
PlatformNot applicable
File nameWow64_microsoft-windows-appid_31bf3856ad364e35_6.1.7601.22382_none_c0029056167feb21.manifest
File versionNot applicable
File size3,356
Date (UTC)12-Jul-2013
Time (UTC)11:21
PlatformNot applicable
File nameWow64_microsoft-windows-csrsrv_31bf3856ad364e35_6.1.7601.22382_none_323db71009b640e4.manifest
File versionNot applicable
File size1,136
Date (UTC)12-Jul-2013
Time (UTC)11:20
PlatformNot applicable
File nameWow64_microsoft-windows-smss_31bf3856ad364e35_6.1.7601.22382_none_14f128077d8a3ed5.manifest
File versionNot applicable
File size8,429
Date (UTC)12-Jul-2013
Time (UTC)11:21
PlatformNot applicable
File nameX86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.22382_none_6e739bd52bbd7e52.manifest
File versionNot applicable
File size16,151
Date (UTC)12-Jul-2013
Time (UTC)11:43
PlatformNot applicable

↑ Back to the top

References

For more information about how to use AppLocker, go to the following TechNet website:
How to use AppLocker
The following groups are considered to be high privileged groups:
  • Built-In Administrators
  • Power Users
  • Account Operators
  • Server Operators
  • Printer Operators
  • Backup Operators
  • RAS Servers Group
  • Windows NT 4.0 App Compat Group
  • Network Configuration Operators
  • Domain Administrators
  • Domain Controllers
  • Certificate Publishers
  • Schema Administrators
  • Enterprise Administrators
  • Group Policy Administrators

↑ Back to the top

Keywords: kb, kbautohotfix, kbqfe, kbhotfixserver, kbfix, kbsurveynew, kbexpertiseadvanced

↑ Back to the top

Article Info
Article ID : 2862565
Revision : 1
Created on : 1/7/2017
Published on : 9/10/2013
Exists online : False
Views : 173