Q: How can we verify that a Software Restriction Policy (SRP) rule we defined for one of our applications is effectively applied?

A: The simplest way to troubleshoot SRP behavior is to check the Application event log on the systems in question. Whenever an SRP rule is applied, Windows writes an event to the Application event log. These events carry an event ID between 865 and 868 and show the details of the process that triggered the SRP rule. The individual event IDs and their meanings are summarized in Table 1.

[Table 1: SRP event IDs 865 through 868 and their meanings. The table was published as an image and is not reproduced here.]

If you want more detail than the event log shows, you can enable verbose trace logging of SRP. This process generates a special SRP log file that records the rule that's used by SRP when it checks whether a specific program should be allowed to run.

To enable verbose trace logging of SRP, you must add a registry value named LogFileName of type REG_SZ to the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers. As the LogFileName value, enter the path to the SRP log file -- for example, c:\logs\srplog.txt.

You can also use the command line to enable and disable verbose SRP trace logging. To enable logging, enter

reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers" /v LogFileName /d c:\logs\srplog.txt

To disable logging, enter

reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers" /v LogFileName /f
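The two checks above (looking for events 865 through 868 and toggling the LogFileName trace value) can be wrapped in a few PowerShell functions. This is an added example, not code from the column; the registry path and event ID range come from the text, while the function names and the 24-hour default window are this example's own choices.

```powershell
# Added example: verify that an SRP rule fired and toggle verbose SRP tracing.
# Run in an elevated PowerShell session. Registry path and event IDs are from
# the column; function names and defaults are assumptions of this example.

$SrpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Get-SrpEvents {
    # Returns Application log events 865-868 (SRP enforcement) newer than $Hours ago.
    param([int]$Hours = 24, [string]$ComputerName = $env:COMPUTERNAME)
    $filter = @{
        LogName   = 'Application'
        Id        = 865, 866, 867, 868
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, MachineName,
            @{ Name = 'User';    Expression = { $_.UserId } },
            @{ Name = 'Message'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

function Enable-SrpTraceLog {
    # Creates the REG_SZ LogFileName value the column describes; SRP then writes
    # its rule-evaluation trace to that file. The log folder must exist first.
    param([string]$Path = 'C:\logs\srplog.txt')
    $dir = Split-Path -Path $Path -Parent
    if (-not (Test-Path -LiteralPath $dir))    { New-Item -ItemType Directory -Path $dir | Out-Null }
    if (-not (Test-Path -LiteralPath $SrpKey)) { New-Item -Path $SrpKey -Force | Out-Null }
    New-ItemProperty -Path $SrpKey -Name LogFileName -Value $Path -PropertyType String -Force | Out-Null
    # Read the value back so the caller can confirm it was set.
    (Get-ItemProperty -Path $SrpKey -Name LogFileName).LogFileName
}

function Disable-SrpTraceLog {
    # Deleting LogFileName turns the trace off (same effect as the reg.exe delete command).
    Remove-ItemProperty -Path $SrpKey -Name LogFileName -ErrorAction SilentlyContinue
}

# Usage: confirm the rule fired, then capture a verbose trace while reproducing the launch.
Get-SrpEvents -Hours 48 | Format-Table -AutoSize
Enable-SrpTraceLog -Path 'C:\logs\srplog.txt'
# ... launch the restricted application, then inspect C:\logs\srplog.txt ...
# Disable-SrpTraceLog
```

If Get-SrpEvents returns nothing while the application still launches, the rule never matched; the verbose trace file shows which rule SRP evaluated for that executable.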