Q: How can we verify that a Software Restriction Policy (SRP) rule we defined for one of our applications is effectively applied?

A: The most obvious way for troubleshooting SRP behavior is by checking the application event logs on your systems. When an SRP rule is applied, Windows automatically generates events in the application event log. These events have an event ID between 865 and 868 and show the details of the process that triggered the SRP rule. The different event IDs and their meanings are summarized in Table 1.

(Click table for larger view.)

If you want more detail than the event log shows, you can enable verbose trace logging of SRP. This process generates a special SRP log file that records the rule that's used by SRP when it checks whether a specific program should be allowed to run.

To enable verbose trace logging of SRP, you must add a registry value named LogFileName of type REG_SZ to the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers. As the LogFileName value, enter the path to the SRP log file -- for example, c:\logs\srplog.txt.

You can also use the command line to enable and disable verbose SRP trace logging. To enable logging, enter

reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers" /v LogFileName /d c:\logs\srplog.txt

To disable logging, enter

reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers" /v LogFileName /f
TAGS: Security
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.