Allowing an Unsigned Application to Run As Privileged


If the Block unsigned applications from running on device policy setting is enabled, then unsigned applications will not be allowed to run on the device. To allow an unsigned application to run on the device at the privileged level, you must use the Allow specified unsigned applications to run as privileged policy setting.

You use this policy setting to add the application's executable file name and hash value to a list of unsigned applications that are allowed to run at the privileged level. If the unsigned applications are contained in a .cab file, then you must add the file name and hash for each executable file inside the .cab file. An executable file is a file that has an .exe or .dll extension.

You can use the Revoke.exe command-line tool or the Allowlist.exe command-line tool to generate an SHA-1 base64 encoded hash of an application file. The behavior of both tools is the same when applied to a single executable file. However, when applied to a .cab file, Allowlist.exe will open the .cab file and generate a hash value for each file it contains as well as the .cab file itself. The tool displays two lists at the console. The first list contains the file names. The second list contains the hash values, which are displayed in the same order as the file names.


Currently, Allowlist.exe, when used with the -[xml] option, writes only the list of hash values, not the list of corresponding files to the specified .xml file.

Revoke.exe does not automatically generate the hash values for each executable file contained within the .cab file. You must manually run the tool for the .cab file and each of its internal executable files.

Revoke.exe is part of the Windows Mobile 6 Standard SDK; you can find it in \Windows Mobile 6 SDK\Tools\Security. Allowlist.exe is included in the MDM Server Tools suite. It is called MDM Application Hash Code Tool. For information about MDM Application Hash Code Tool, see the MDM Resource Kit Tools at this Microsoft Web site:

The following procedure shows you how to enable an unsigned application to run as a privileged application on a managed Windows Mobile device.

To allow an unsigned application to run as privileged

  1. In the Group Policy Management Console, expand Group Policy Objects and then locate the target GPO.

  2. Right-click the GPO, and then select Edit.

  3. In the Group Policy Object Editor, expand Computer Configuration/Administrative Templates/Windows Mobile Settings, and then select Application Disable.

  4. In the details pane, right-click Allow specified unsigned applications to run as privileged, and then select Properties.

  5. In the dialog box, on the Settings tab, choose Enabled, and then choose Show.

  6. In the Show Contents dialog box, choose Add.

  7. In the Add Item dialog box, in the Enter the name of the item to be added box, type the application hash value, and then in the Enter the value of the item to be added box, type the complete file name of the application.


    The complete file name includes the extension. For example MyExecutable or MyDll should be specified as MyExecutable.exe and MyDll.dll. The complete file name of the application is displayed in Task Manager. It is also displayed in the list of file names that is generated after running Allowlist.exe to produce application hash values.

  8. Choose OK. In the Show Contents dialog box, the application hash value will appear in the Value Name box and the file name will appear in the Value box.

  9. Choose OK two times to complete the procedure and close the program.

See Also

Other Resources