View the AppLocker Log in Event Viewer

Applies To: Windows 7, Windows Server 2008 R2

This topic describes the steps to view AppLocker policy events that are written to the AppLocker logs by using Event Viewer.

When AppLocker policy enforcement is set to Enforce rules, rules are enforced for the rule collection and all events are audited. When AppLocker policy enforcement is set to Audit only, rules are only evaluated but all events generated from that evaluation are written to the AppLocker log.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To view events in the AppLocker log by using Event Viewer

  1. Open Event Viewer. To do this, click Start, type eventvwr.msc in the Search programs and files box, and then press ENTER.

  2. In the console tree under Application and Services Logs\Microsoft\Windows, double-click AppLocker.

AppLocker events are listed in either the EXE and DLL log or the MSI and Script log. Event information includes the enforcement setting, file name, date and time, and user name. The logs can be exported to other file formats for further analysis.