Create a Rule that Uses a File Hash Condition

Applies To: Windows 7, Windows Server 2008 R2

This topic shows how to create an AppLocker rule with a file hash condition in Windows Server 2008 R2 and Windows 7.

File hash rules use a system-computed cryptographic hash of the identified file.

For information about the file hash condition, see Understanding the File Hash Rule Condition in AppLocker.

You can perform this task by using Group Policy for an AppLocker policy in a Group Policy Object (GPO) or by using the Local Security Policy snap-in for an AppLocker policy on a local computer.

  • To create a new rule with a file hash condition by using Group Policy

  • To create a new rule with a file hash condition by using the Local Security Policy snap-in

To complete this procedure, you must have Edit Setting permission to edit a GPO. By default, members of the Domain Admins group, the Enterprise Admins group, and the Group Policy Creator Owners group have this permission.

To create a new rule with a file hash condition by using Group Policy

  1. Click Start, click Administrative Tools, and then click Group Policy Management to open the Group Policy Management Console (GPMC).

  2. Locate the GPO that contains the AppLocker policy to modify, right-click the GPO, and click Edit.

  3. In the console tree, double-click Application Control Policies, double-click AppLocker, and then click the rule collection that you want to create the rule for.

  4. On the Action menu, click Create New Rule.

  5. On the Before You Begin page, click Next.

  6. On the Permissions page, select the action (allow or deny) and the user or group that the rule should apply to, and then click Next.

  7. On the Conditions page, select the File hash rule condition, and then click Browse Files to locate the targeted application file.

Note

You can also click Browse Folders, which calculates the hash for all the files in the selected folder that are appropriate for the rule collection. To remove individual hashes from the list, click the Remove button.

  8. Click Next.

  9. On the Name and Description page, either accept the automatically generated rule name or type a new rule name, and then click Create.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To create a new rule with a file hash condition by using the Local Security Policy snap-in

  1. Click Start, type secpol.msc in the Search programs and files box, and then press ENTER.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

  3. In the console tree, double-click Application Control Policies, double-click AppLocker, and then click the rule collection that you want to create the rule for.

  4. On the Action menu, click Create New Rule.

  5. On the Before You Begin page, click Next.

  6. On the Permissions page, select the action (allow or deny) and the user or group that the rule should apply to, and then click Next.

  7. On the Conditions page, select the File hash rule condition, and then click Browse Files to locate the targeted application file.

Note

You can also click Browse Folders, which calculates the hash for all the files in the selected folder that are appropriate for the rule collection. To remove individual hashes from the list, click the Remove button.

  8. Click Next.

  9. On the Name and Description page, either accept the automatically generated rule name or type a new rule name, and then click Create.
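The same file hash rule can be created without the wizard by using the AppLocker Windows PowerShell cmdlets that ship with Windows 7 and Windows Server 2008 R2. The script below is an added example, not part of this topic; it walks through the equivalent of the Browse Files and Browse Folders steps (letting AppLocker compute the hash), creates the rule for a user or group, and then either merges it into the local policy (what the Local Security Policy snap-in edits) or into the AppLocker policy stored in a GPO. The file path, folder path, rule name prefix and LDAP path of the GPO are placeholders that you must replace. Note that New-AppLockerPolicy only creates Allow rules; a Deny rule with a file hash condition still has to be created in the wizard, or by editing the exported policy XML. Because a hash rule matches exactly one version of a file, the rule must be regenerated whenever the application is updated.

```powershell
# Added example (not part of the original topic): create a file hash rule
# with the AppLocker cmdlets instead of the Create New Rule wizard.
# Placeholders (assumptions) to adjust for your environment:
#   $TargetFile   - the application you would pick with "Browse Files"
#   $TargetFolder - the folder you would pick with "Browse Folders"
#   $RuleUser     - the user or group from the Permissions page
#   $GpoLdapPath  - LDAP path of the GPO that holds the AppLocker policy
Import-Module AppLocker

$TargetFile   = 'C:\Program Files\ExampleApp\ExampleApp.exe'          # placeholder
$TargetFolder = 'C:\Program Files\ExampleApp'                         # placeholder
$RuleUser     = 'Everyone'
$GpoLdapPath  = 'LDAP://CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=contoso,DC=com'

# 1. Let AppLocker compute the hash of one file (equivalent of "Browse Files").
$fileInfo = Get-AppLockerFileInformation -Path $TargetFile

# Alternative: hash every executable in a folder (equivalent of "Browse Folders").
# $fileInfo = Get-AppLockerFileInformation -Directory $TargetFolder -Recurse -FileType Exe

# Show the hash that the rule will be built from.
$fileInfo | Select-Object Path, Hash

# 2. Build an Allow rule with a file hash condition for the chosen user or group.
#    -Optimize combines the hashes into as few rules as possible.
$policy = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Hash `
    -User $RuleUser -RuleNamePrefix 'ExampleApp' -Optimize

# 3a. Local computer: merge the new rule into the existing local AppLocker policy
#     (the policy that the Local Security Policy snap-in edits).
Set-AppLockerPolicy -PolicyObject $policy -Merge

# 3b. Domain: merge the rule into the AppLocker policy stored in a GPO instead.
#     Requires Edit Setting permission on the GPO, as for the GPMC procedure.
# Set-AppLockerPolicy -PolicyObject $policy -Ldap $GpoLdapPath -Merge

# 4. Verify the decision the new policy makes for the file and user before
#    relying on it; the PolicyDecision column should read "Allowed".
Test-AppLockerPolicy -PolicyObject $policy -Path $TargetFile -User $RuleUser
```

Run the script in an elevated Windows PowerShell session (membership in the local Administrators group, or equivalent, is needed to write the local policy). Using -Merge rather than replacing the policy keeps the existing rules in the GPO or local policy intact and only adds the new hash rule.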