While both technologies aim to restrict program execution, AppLocker operates in kernel mode while SRP functions in user mode. This fundamental difference affects performance and security:
# Example: generate an AppLocker policy from a directory of approved binaries.
# New-AppLockerPolicy needs file information on the pipeline; for each file it
# tries the rule types in the order given (Publisher, then Hash, then Path).
# The directory is a placeholder; point it at the software you want to allow.
Get-AppLockerFileInformation -Directory 'C:\Program Files\ApprovedApp' -FileType Exe -Recurse |
    New-AppLockerPolicy -RuleType Publisher, Hash, Path -User Everyone -Xml |
    Out-File AppLockerPolicy.xml
SRP allows custom file extensions through registry modifications: the ExecutableTypes value (REG_MULTI_SZ, one extension per string, without the dot) lists which extensions SRP treats as executable:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
; hex(7) is a UTF-16LE multi-string; this one decodes to "EXE", "MSI" followed by the terminating empty string.
; Importing it replaces the whole list, so in practice append to the existing value rather than overwrite it.
"ExecutableTypes"=hex(7):45,00,58,00,45,00,00,00,4d,00,53,00,49,00,00,00,00,00
AppLocker's strength lies in its rule conditions:
- Publisher rules (based on digital signatures)
- Path rules (with network path support)
- Hash rules (more reliable than SRP's implementation)
For RDS environments, AppLocker provides better performance through:
- Rule caching at session startup
- Parallel rule processing
- Reduced registry overhead
Creating deny rules for cryptocurrency miners (a publisher condition with "*" in all three fields matches every signed executable, so name the publisher and product you actually want to deny):
<RuleCollection Type="Exe" EnforcementMode="Enabled">
  <FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-2346b2f1b27e" Name="Block unapproved miners" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
    <Conditions>
      <!-- PLACEHOLDER values: take PublisherName and ProductName from the miner's signature (Get-AppLockerFileInformation shows them) -->
      <FilePublisherCondition PublisherName="O=PLACEHOLDER PUBLISHER, L=PLACEHOLDER, S=PLACEHOLDER, C=US" ProductName="PLACEHOLDER PRODUCT" BinaryName="*">
        <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
</RuleCollection>
AppLocker's logging integrates with Event Tracing for Windows (ETW), providing detailed records of execution attempts:
# Query AppLocker logs (8002 = allowed, 8003 = audit-only, 8004 = blocked).
# Filtering in the hashtable is done by the event log service, which is far
# cheaper than pulling every event and filtering with Where-Object.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8002 } -MaxEvents 50 |
    Select-Object TimeCreated, Message
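The query above lists raw messages. For detection work the useful view is which binaries were blocked (8004) or would have been blocked in audit mode (8003), for which users, and how often. The following is an added example and not code from the original page; the UserData element names it reads (PolicyName, RuleName, TargetUser, FilePath) are assumed from the AppLocker event schema, and the SRP counterpart uses the SoftwareRestrictionPolicies provider's event 866 in the Application log as the page describes.

```powershell
# Added example, not code from the original page: summarise AppLocker
# enforcement events per user and binary. Event IDs in this log:
# 8002 allowed, 8003 audit-only (would have been blocked), 8004 blocked.
function Get-AppLockerBlockSummary {
    param(
        [int]$Hours = 24,
        [int[]]$EventId = @(8003, 8004)
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id        = $EventId
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent throws when nothing matches; treat that as "no events"
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        # Element names under UserData are an assumption about the AppLocker event schema
        $data = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
        # Resolve the target SID to an account name; keep the raw SID if that fails
        try {
            $user = ([System.Security.Principal.SecurityIdentifier]$data.TargetUser).Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $user = $data.TargetUser
        }
        $outcome = if ($e.Id -eq 8004) { 'Blocked' } else { 'AuditOnly' }
        [pscustomobject]@{
            Time     = $e.TimeCreated
            Outcome  = $outcome
            User     = $user
            FilePath = $data.FilePath
            Rule     = $data.RuleName
            Policy   = $data.PolicyName
        }
    }

    # Count by binary and user so one noisy path does not hide the rest
    $rows | Group-Object FilePath, User | Sort-Object Count -Descending | ForEach-Object {
        [pscustomobject]@{
            Count    = $_.Count
            FilePath = $_.Group[0].FilePath
            User     = $_.Group[0].User
            Outcome  = ($_.Group.Outcome | Sort-Object -Unique) -join '/'
            LastSeen = ($_.Group | Measure-Object -Property Time -Maximum).Maximum
        }
    }
}

# SRP writes one event 866 per blocked file to the Application log instead
function Get-SrpBlockSummary {
    param([int]$Hours = 24)
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'SoftwareRestrictionPolicies'
        Id           = 866
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

Get-AppLockerBlockSummary -Hours 24 | Format-Table -AutoSize
Get-SrpBlockSummary -Hours 24 | Format-Table -AutoSize -Wrap
```

Run it on a host in AuditOnly mode before switching to Enabled: the 8003 rows are exactly the executions that enforcement would have stopped, and a path that shows up for many users usually means a missing allow rule rather than an attack.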
For organizations transitioning from SRP to AppLocker, Microsoft provides the AppLocker SRP Conversion Tool (AppLockerSRPConverter.exe) which automatically converts:
- Hash rules to AppLocker format
- Path rules with wildcard support
- Zone identifier rules
While both technologies aim to control program execution, AppLocker operates in kernel mode through the Application Identity service (AppIDSvc), whereas SRP functions in user mode via the Client Server Runtime Subsystem (csrss.exe). This fundamental difference gives AppLocker these advantages:
# Example PowerShell to check AppLocker status: the service must be running
# (and set to start automatically) for any policy to be enforced at all
Get-Service -Name AppIDSvc | Select-Object Status, StartType
Get-AppLockerPolicy -Effective -Xml
AppLocker introduces publisher rules using digital signatures, allowing for more flexible control:
<!-- Sample AppLocker Publisher Rule: a publisher condition belongs in a FilePublisherRule, and rule Ids must be GUIDs -->
<RuleCollection Type="Exe" EnforcementMode="Enabled">
  <!-- Placeholder GUID; generate a real one with [guid]::NewGuid() -->
  <FilePublisherRule Id="00000000-0000-0000-0000-000000000001" Name="Allow signed by Microsoft" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
    <Conditions>
      <!-- PublisherName must match the signer's subject exactly as AppLocker reports it -->
      <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="*">
        <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
      </FilePublisherCondition>
    </Conditions>
  </FilePublisherRule>
</RuleCollection>
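Hand-writing publisher names is error-prone (a single character off and the rule silently matches nothing), and both the deny rule for miners above and this allow rule should be checked against real files before they are enforced. The following is an added example, not code from the original page or from Microsoft: it derives the publisher rule from a signed reference binary with the AppLocker cmdlets and then dry-runs the policy with Test-AppLockerPolicy. The reference and candidate paths are assumptions, and C:\Temp\unknown-tool.exe is a placeholder.

```powershell
# Added example, not code from the original page: build a publisher rule from
# a signed reference binary, then test the policy before enforcing it.
$reference  = 'C:\Windows\System32\notepad.exe'            # assumed present and Microsoft-signed
$candidates = @('C:\Windows\System32\calc.exe',              # assumed present
                'C:\Temp\unknown-tool.exe')                  # placeholder path

# 1. Build an Allow rule from the reference binary's signature. With -RuleType
#    Publisher alone, an unsigned reference would produce no rule at all.
$policy = Get-AppLockerFileInformation -Path $reference |
    New-AppLockerPolicy -RuleType Publisher -User Everyone -RuleNamePrefix 'Ref'

# 2. Dry-run the policy: which candidates would be allowed, and by which rule?
#    Once any rule exists in the Exe collection, files matching no rule are denied.
Test-AppLockerPolicy -PolicyObject $policy -Path $candidates -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 3. Roll out in audit mode first: 8003 events then show what enforcement would
#    block. This modifies the local AppLocker policy on the machine it runs on.
$policy.RuleCollections | ForEach-Object { $_.EnforcementMode = 'AuditOnly' }
Set-AppLockerPolicy -PolicyObject $policy -Merge
```

The same dry-run catches the problem with an all-wildcard deny rule: feeding that policy to Test-AppLockerPolicy with a known-good signed binary returns Denied for it, which is the signal that the condition is far wider than intended.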
For terminal servers, consider these deployment patterns:
; SRP registry settings example (.reg comments start with a semicolon)
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
; 1 = enforce for all software except DLLs (2 would also check DLLs on every load)
"TransparentEnabled"=dword:00000001
; 1 = apply to all users except local administrators (0 = all users)
"PolicyScope"=dword:00000001
While AppLocker doesn't natively support custom extensions, you can implement this via complementary techniques:
# PowerShell script to block a custom extension with an SRP path rule.
# SRP path rules live under CodeIdentifiers\<level>\Paths\{GUID}; level 0 is Disallowed.
$base    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$ruleKey = Join-Path "$base\0\Paths" ([guid]::NewGuid().ToString('B'))
New-Item -Path $ruleKey -Force | Out-Null
New-ItemProperty -Path $ruleKey -Name Description -PropertyType String       -Value 'Block .xyz files' | Out-Null
New-ItemProperty -Path $ruleKey -Name ItemData    -PropertyType ExpandString -Value '*.xyz' | Out-Null
New-ItemProperty -Path $ruleKey -Name SaferFlags  -PropertyType DWord        -Value 0 | Out-Null
# SRP only evaluates extensions listed in ExecutableTypes, so add XYZ there as well (append, never replace)
$types = (Get-ItemProperty -Path $base -Name ExecutableTypes -ErrorAction SilentlyContinue).ExecutableTypes
if ($types -notcontains 'XYZ') {
    Set-ItemProperty -Path $base -Name ExecutableTypes -Type MultiString -Value ([string[]]@($types) + 'XYZ')
}
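After the two SRP registry fragments above, the check a practitioner wants is a readout of what a session host actually enforces: the default level, whether DLLs are covered, whether administrators are exempt, and every rule under each level key. The following is an added example, not code from the original page; it reads the documented CodeIdentifiers layout (level subkeys holding Paths\{GUID} and Hashes\{GUID} rule keys) and the output shape is the script's own.

```powershell
# Added example, not code from the original page: decode the SRP settings and
# rules from the registry into a reviewable form.
$srpBase   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$levelName = @{ 0 = 'Disallowed'; 4096 = 'Basic User'; 262144 = 'Unrestricted' }  # 0x0, 0x1000, 0x40000

function Get-SrpConfig {
    if (-not (Test-Path $srpBase)) { return "No SRP policy present at $srpBase" }
    $ci = Get-ItemProperty -Path $srpBase
    # A missing DefaultLevel means SRP falls back to Unrestricted
    $default = if ($null -ne $ci.DefaultLevel) { $levelName[[int]$ci.DefaultLevel] } else { 'Unrestricted (not set)' }
    # TransparentEnabled: 1 = all software except DLLs, 2 = all software including DLLs
    $scope = switch ([int]$ci.TransparentEnabled) {
        1       { 'All software except DLLs' }
        2       { 'All software including DLLs' }
        default { "Not enforced (TransparentEnabled=$_)" }
    }
    # PolicyScope: 0 = all users, 1 = all users except local administrators
    $appliesTo = if ([int]$ci.PolicyScope -eq 1) { 'All users except local administrators' } else { 'All users' }
    [pscustomobject]@{
        DefaultLevel    = $default
        Enforcement     = $scope
        AppliesTo       = $appliesTo
        ExecutableTypes = ($ci.ExecutableTypes -join ',')
    }
}

function Get-SrpRules {
    foreach ($levelKey in Get-ChildItem -Path $srpBase) {
        if ($levelKey.PSChildName -notmatch '^\d+$') { continue }   # only the numeric level subkeys
        $level = $levelName[[int]$levelKey.PSChildName]
        foreach ($kind in 'Paths', 'Hashes') {
            $kindPath = Join-Path $levelKey.PSPath $kind
            if (-not (Test-Path $kindPath)) { continue }
            foreach ($ruleKey in Get-ChildItem -Path $kindPath) {
                $p = Get-ItemProperty -Path $ruleKey.PSPath
                # Path rules carry the pattern in ItemData; hash rules keep the
                # original file name in FriendlyName and the hash bytes in ItemData
                $rule = if ($kind -eq 'Paths') { $p.ItemData } else { $p.FriendlyName }
                [pscustomobject]@{
                    Level       = $level
                    Kind        = $kind.TrimEnd('s')
                    Rule        = $rule
                    Description = $p.Description
                    RuleId      = $ruleKey.PSChildName
                }
            }
        }
    }
}

Get-SrpConfig
Get-SrpRules | Sort-Object Level, Kind | Format-Table -AutoSize
```

Two things to look for in the output: a DefaultLevel of Unrestricted with only Disallowed path rules is a blocklist that any renamed or relocated binary escapes, and an Enforcement value other than "All software including DLLs" means DLL-based loading is not covered at all.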
AppLocker provides superior logging through Event IDs 8002-8006 in the AppLocker log (%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-AppLocker%4EXE and DLL.evtx), while SRP logs to Event ID 866 in the Application log.
When transitioning from SRP to AppLocker, use the ConvertFrom-SoftwareRestrictionPolicy cmdlet:
# Converting SRP to AppLocker
$srpPolicy = Get-Content -Path "C:\temp\SRP.inf" -Raw
ConvertFrom-SoftwareRestrictionPolicy -InfData $srpPolicy -AppLockerPolicy | Out-File "C:\temp\AppLocker.xml"