Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

AppLocker incorrectly calculates the hash of certain files at runtime in Windows 7 or in Windows Server 2008 R2



Symptoms

In Windows 7 or in Windows Server 2008 R2, AppLocker may incorrectly calculate the file hash at runtime for certain rare file types. Those files cannot run even though they are explicitly allowed by an AppLocker rule that has a file hash condition. Conversely, if an AppLocker rule explicitly denies a file that is affected by this issue, AppLocker does not prevent the file from running.



Cause

When you create a file hash rule, AppLocker calculates the hash of the file and stores that value in the rule configuration. At runtime, AppLocker calculates the hash of the file again and compares it with the value in the rule. If the hashes match, AppLocker applies that rule. If AppLocker incorrectly calculates the file hash of some files at runtime, the comparison fails and the rule is never applied.

There is currently one known kind of file that can have this issue:
  • Executable files that have headers larger than 32 kilobytes (KB).
    Currently, the only known kind of executable that may have such a large header is a BIOS firmware update utility that contains a real-mode DOS portion for booting directly into the BIOS to apply updates.
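The article names only one trait of the affected files: a header larger than 32 KB. The following PowerShell inventory script is an added example, not part of the KB article or of Microsoft's tooling. It walks a directory, reads each executable's DOS header and PE optional header, and lists the files whose headers exceed 32 KB together with the hash AppLocker would write into a rule for them, so an administrator can find which existing hash rules are at risk before they fail at runtime. It assumes that "header" means the bytes before the first section's raw data (the DOS stub plus the PE headers, which the optional header reports as SizeOfHeaders), that the AppLocker module is available (it ships with Windows 7 and Windows Server 2008 R2), and the C:\FirmwareTools path is a placeholder.

```powershell
# Added example (not from the KB article): inventory executables whose PE headers
# extend past 32 KB, the trait the article names for files whose AppLocker hash
# may be miscalculated at runtime.
# ASSUMPTION: "header" is read as everything before the first section's raw data,
# i.e. the DOS stub plus the PE headers, which the PE optional header reports as
# SizeOfHeaders. A large real-mode DOS portion pushes e_lfanew, and with it
# SizeOfHeaders, far past the usual few hundred bytes.

Import-Module AppLocker   # ships with Windows 7 / Windows Server 2008 R2

function Get-PeHeaderSize {
    param([string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # DOS header: "MZ" magic at offset 0, e_lfanew (offset of the PE signature) at 0x3C
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) { return $null }
    $eLfanew = [BitConverter]::ToInt32($bytes, 0x3C)
    # PE signature (4 bytes) + COFF header (20 bytes) precede the optional header;
    # SizeOfHeaders sits at offset 60 of the optional header for both PE32 and PE32+
    $sizeOfHeadersOffset = $eLfanew + 4 + 20 + 60
    if ($eLfanew -le 0 -or ($sizeOfHeadersOffset + 4) -gt $bytes.Length) { return $null }
    if ([BitConverter]::ToUInt32($bytes, $eLfanew) -ne 0x00004550) { return $null }   # "PE\0\0"
    return New-Object PSObject -Property @{
        Path          = $Path
        PeOffset      = $eLfanew
        SizeOfHeaders = [BitConverter]::ToUInt32($bytes, $sizeOfHeadersOffset)
    }
}

function Find-LargeHeaderExecutables {
    param([string]$Root, [int]$ThresholdBytes = 32KB)   # 32 KB, the size the article states
    Get-ChildItem -Path $Root -Recurse -Include *.exe -ErrorAction SilentlyContinue |
        ForEach-Object {
            $info = Get-PeHeaderSize -Path $_.FullName
            if ($info -and $info.SizeOfHeaders -gt $ThresholdBytes) {
                # Attach the hash AppLocker computes when a rule is authored, so the
                # administrator can match these candidates against existing hash rules
                $fi = Get-AppLockerFileInformation -Path $info.Path
                Add-Member -InputObject $info -MemberType NoteProperty -Name RuleHash `
                           -Value $fi.Hash.HashDataString -PassThru
            }
        }
}

# Placeholder directory; point this at wherever firmware update utilities are kept
Find-LargeHeaderExecutables -Root 'C:\FirmwareTools' |
    Format-Table Path, PeOffset, SizeOfHeaders, RuleHash -AutoSize
```

Each row's RuleHash is the value that appears as the Data attribute of the FileHash condition in the AppLocker policy XML, so the list can be compared directly against the rules exported by Get-AppLockerPolicy to decide which hash rules need to become publisher or path rules.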



Resolution

If you experience this problem, stop using hash rules for the affected files. Use path rules or publisher rules for them instead.

To convert a hash rule to a publisher rule for a given executable file

Note: If the application has not been signed by using a trusted publisher, go to the "To convert a hash rule to a path rule" section.

    • If you use domain-based Group Policy settings, follow these steps:
      • Click Start, type GPMC.MSC in the Start Search box, and then press ENTER to edit your existing AppLocker Group Policy settings.
      • Expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Application Control Policies, expand AppLocker, and then click Executable Rules.
    • If you use local Group Policy settings, follow these steps:
      • Click Start, type GPEDIT.MSC in the Start Search box, and then press ENTER.
      • Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Application Control Policies, expand AppLocker, and then click Executable Rules.

  1. Right-click the rule for the affected executable, and then click Delete.
  2. Right-click Executable Rules, and then click Create New Rule.
  3. On the Permissions page, click to select the Allow or Deny option for users or groups as needed, and then click Next.
  4. On the Conditions page, click to select the Publisher option, and then click Next.
  5. On the Publisher page, browse and select the file, use the slider to select the detail of publisher information to be used, and then click Next.
  6. On the Exceptions page, add exceptions as needed, and then click Next.
  7. On the Name and Description page, enter the required information, and then click Create.

To convert a hash rule to a path rule

    • If you use domain-based Group Policy settings, follow these steps:
      • Click Start, type GPMC.MSC in the Start Search box, and then press ENTER to edit your existing AppLocker Group Policy settings.
      • Expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Application Control Policies, expand AppLocker, and then click Executable Rules.
    • If you use local Group Policy settings, follow these steps:
      • Click Start, type GPEDIT.MSC in the Start Search box, and then press ENTER.
      • Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Application Control Policies, expand AppLocker, and then click Executable Rules.

  1. Right-click the rule for the affected executable, and then click Delete.
  2. Right-click Executable Rules, and then click Create New Rule.
  3. On the Permissions page, click to select the Allow or Deny option for users or groups as needed, and then click Next.
  4. On the Conditions page, click to select the Path option, and then click Next.
  5. On the Publisher page, browse and select the file, use the slider to select the detail of publisher information to be used, and then click Next.
  6. On the Exceptions page, add exceptions as needed, and then click Next.
  7. On the Name and Description page, enter the required information, and then click Create.
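The two procedures above are the GUI route. The same conversion can be scripted with the AppLocker PowerShell module that ships with Windows 7 and Windows Server 2008 R2, which is useful when several affected utilities are spread across many hosts. The following script is an added example, not part of the KB article or of Microsoft's own documentation. It removes the hash rule that references one affected executable from the local policy, generates a publisher rule for it, falls back to a path rule if the file is not signed (the same decision the Note above asks the reader to make), and tests the replacement against the file before anything is applied. The file path, the Everyone principal, the rule name prefix and the output file are illustrative placeholders, and the local policy (the GPEDIT.MSC case) is assumed; for a domain GPO, Get-AppLockerPolicy and Set-AppLockerPolicy take an -Ldap parameter instead.

```powershell
# Added example (not from the KB article): replace the hash rule for one affected
# executable with a publisher rule, or a path rule if the file is not signed,
# using the AppLocker module that ships with Windows 7 / Windows Server 2008 R2.
# ASSUMPTIONS (illustrative, not from the article): the file path, the 'Everyone'
# principal, the rule name prefix and the output file; the policy edited is the
# local one (GPEDIT.MSC). Nothing is applied unless $Apply is set to $true.

Import-Module AppLocker

$Target = 'C:\FirmwareTools\BiosUpdate.exe'    # placeholder for the affected executable
$Apply  = $false
$Pruned = "$env:TEMP\AppLocker-without-hash-rule.xml"

$fileInfo  = Get-AppLockerFileInformation -Path $Target
$hashValue = $fileInfo.Hash.HashDataString     # "0x..." as written into <FileHash Data="..."/>

# Step 1 of the article: delete the hash rule that references this file.
$policyXml = [xml](Get-AppLockerPolicy -Local -Xml)
$removed = 0
foreach ($fh in @($policyXml.SelectNodes('//FileHashRule/Conditions/FileHashCondition/FileHash'))) {
    if ($fh.Data -ine $hashValue) { continue }
    $condition = $fh.ParentNode                    # <FileHashCondition>
    $rule      = $condition.ParentNode.ParentNode  # <Conditions> -> <FileHashRule>
    if ($condition.ChildNodes.Count -gt 1) {
        # the rule lists several hashes: drop only this file's entry, keep the rest
        $condition.RemoveChild($fh) | Out-Null
    } else {
        $rule.ParentNode.RemoveChild($rule) | Out-Null
    }
    $removed++
}
$policyXml.Save($Pruned)

# Steps 2-7: a publisher rule when the file is signed, otherwise a path rule.
# -RuleType is tried in the order given, which mirrors the article's Note.
$newPolicy = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Path `
                                 -User 'Everyone' -RuleNamePrefix 'KB975449'

# Verify that the replacement rule allows the file before anything is applied
$decision = Test-AppLockerPolicy -PolicyObject $newPolicy -Path $Target -User 'Everyone'
"Hash rules removed : $removed"
"Replacement rule   : $($decision.MatchingRule)"
"Decision           : $($decision.PolicyDecision)"
$newPolicy.ToXml()                                 # review the generated rule

if ($Apply -and $decision.PolicyDecision -eq 'Allowed') {
    Set-AppLockerPolicy -XmlPolicy $Pruned                # full replace: policy minus the hash rule
    Set-AppLockerPolicy -PolicyObject $newPolicy -Merge   # then add the publisher/path rule
    gpupdate /force | Out-Null
}
```

Run it once with $Apply left at $false and read the printed decision and rule XML; a MatchingRule that starts with the KB975449 prefix and a PolicyDecision of Allowed confirm that the new rule, not a default rule, is what permits the file. Only then set $Apply to $true. The pruned policy is written out first so that the full local policy, not just the new rule, can be reviewed and kept as a rollback copy.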



Keywords: KB975449, kbprb, kbsurveynew, kbexpertisebeginner, kbtshoot


Article Info
Article ID : 975449
Revision : 2
Created on : 9/29/2009
Published on : 9/29/2009
Exists online : False
Views : 288