Q: How can we verify that a Software Restriction Policy (SRP) rule we defined for one of our applications is effectively applied?
Software Restriction Policy (SRP) rules generate events in the Windows application event log, but you can get more detail by enabling verbose trace logging.
April 4, 2012
A: The most obvious way to troubleshoot SRP behavior is to check the Application event log on your systems. When SRP blocks a program from running, Windows automatically writes an event to the Application event log under the source SoftwareRestrictionPolicies. These events have an event ID between 865 and 868 and include the path of the program that triggered the SRP rule. The different event IDs and their meanings are summarized in Table 1. Note that only blocked executions are logged this way; a program that SRP allows to run generates no event, so the event log can confirm that a Disallowed rule fires but not that an Unrestricted rule was the one that matched.
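As an added example (not part of the original article), here is a PowerShell function that pulls the SRP block events described above out of the Application log and extracts the blocked path from each message, so you can check whether the rule for a specific application has fired. It assumes the event source is named SoftwareRestrictionPolicies and that the message text begins "Access to <path> has been restricted"; the path ourapp.exe in the usage line is a placeholder.

```powershell
# Added example: list SRP block events (IDs 865-868) from the Application log.
# Assumption: the events are written under the source 'SoftwareRestrictionPolicies'.
$srpIds = 865, 866, 867, 868

function Get-SrpBlockEvent {
    param(
        [datetime]$Since = (Get-Date).AddDays(-1),
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'SoftwareRestrictionPolicies'
        Id           = $srpIds
        StartTime    = $Since
    }
    # Get-WinEvent throws when nothing matches; treat "no events" as an empty result.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Assumed message form: "Access to <path> has been restricted by your Administrator ..."
            $path = if ($_.Message -match 'Access to (.+?) has been restricted') { $Matches[1] } else { $null }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                UserSid = $_.UserId          # account that tried to run the program
                Path    = $path
                Message = ($_.Message -replace '\s+', ' ')
            }
        }
}

# Usage: did our Disallowed rule fire for the application in the last day? (placeholder name)
Get-SrpBlockEvent | Where-Object Path -like '*\ourapp.exe' | Format-Table -AutoSize
```

Run it in an elevated session if you are querying a remote computer; the EventId column tells you which kind of rule (per Table 1) produced the block.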
If you want more detail than the event log shows, you can enable verbose trace logging of SRP. This process generates a special SRP log file that records, for every program SRP evaluates, the rule that SRP used when it checked whether the program should be allowed to run, including the programs it allowed.
To enable verbose trace logging of SRP, you must add a registry value named LogFileName of type REG_SZ to the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers. As the LogFileName value, enter the path to the SRP log file -- for example, c:\logs\srplog.txt. SRP doesn't create the folder for you, and the file is written by every process that SRP evaluates, so the folder must exist and be writable by the accounts those processes run as. The file also grows quickly on a busy system, so remove the value again when you're done troubleshooting.
You can also use the command line to enable and disable verbose SRP trace logging. To enable logging, enter
reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers" /v LogFileName /t REG_SZ /d c:\logs\srplog.txt
To disable logging, enter
reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers" /v LogFileName /f
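The reg.exe commands above are all that's needed, but the useful part is reading the log afterward. As an added example (not from the original article), the PowerShell below wraps the enable/disable steps, launches the program under test, and then filters the trace log for that program, reporting the level (Disallowed/Unrestricted), the rule type and the rule GUID that SRP recorded. The log line format it parses is assumed from logs I have seen, of the form "<parent>.exe (PID = 1234) identified <path> as <level> using <type> rule, Guid = {...}"; adjust the regular expression if your build writes something different. The application path in the usage lines is a placeholder.

```powershell
# Added example: enable SRP trace logging, run a program, read back the entries, disable logging.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$log = 'C:\logs\srplog.txt'

function Enable-SrpTraceLog {
    param([string]$Path = $log)
    # SRP does not create the directory, and every evaluated process (including ones
    # running as standard users) writes to this file, so the folder must exist and be writable.
    $dir = Split-Path -Path $Path -Parent
    if (-not (Test-Path -Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    New-ItemProperty -Path $key -Name LogFileName -PropertyType String -Value $Path -Force | Out-Null
}

function Disable-SrpTraceLog {
    Remove-ItemProperty -Path $key -Name LogFileName -ErrorAction SilentlyContinue
}

function Get-SrpTraceEntry {
    param([string]$Path = $log, [string]$Program = '')
    # Assumed line format (not documented on the page):
    # "<parent>.exe (PID = 1234) identified <path> as Disallowed using path rule, Guid = {...}"
    $re = '^(?<proc>\S+)\s+\(PID = (?<procid>\d+)\)\s+identified\s+(?<path>.+?)\s+as\s+(?<level>\w+)\s+using\s+(?<rule>.+?) rule,\s+Guid = (?<guid>\{[0-9a-fA-F-]+\})'
    Get-Content -Path $Path | ForEach-Object {
        if ($_ -match $re -and ($Program -eq '' -or $Matches['path'] -like "*$Program*")) {
            [pscustomobject]@{
                Parent    = $Matches['proc']
                ParentPid = [int]$Matches['procid']
                Target    = $Matches['path']
                Level     = $Matches['level']   # Disallowed, Unrestricted, ...
                Rule      = $Matches['rule']    # default, path, hash, certificate, zone
                RuleGuid  = $Matches['guid']    # matches the rule's subkey under CodeIdentifiers
            }
        }
    }
}

# Usage (run elevated; the application path is a placeholder):
Enable-SrpTraceLog
Start-Process -FilePath 'C:\Program Files\OurApp\ourapp.exe' -Wait -ErrorAction SilentlyContinue
Get-SrpTraceEntry -Program 'ourapp.exe' | Format-Table -AutoSize
Disable-SrpTraceLog
```

The RuleGuid column is the check that the event log alone can't give you: it names the specific rule SRP matched, including for programs it allowed, so you can compare it with the GUID of the rule you defined under the CodeIdentifiers subkey and confirm that your rule, not a broader default or path rule, is the one taking effect.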