Application Control is a security feature that lets you manage which processes and applications are permitted to run on a system. It speeds up your application approval or denial flow by applying a default ruling to files, while still letting you create or modify flows for individual users. It provides two primary modes of operation:
- Block everything and define rules for the allowed processes/applications: This is a restrictive approach where you explicitly list the processes/applications that are allowed to run. Everything else is automatically blocked.
- Allow everything and define rules for the blocked processes/applications: This is a more permissive approach where you explicitly list the processes/applications that are blocked from running. Everything else is permitted.
The rules used to identify and manage these processes/applications are the same for both allow and block rules. The following sections detail each rule type and how to find the necessary information.
Software Name (File Description)
The Software Name type uses the File Description of the executable file (e.g., notepad.exe). This is a straightforward and common way to create a rule. To find it, right-click the executable file, select Properties, then go to the Details tab, where the File Description is listed.
Path
The Path type uses the full file path to the executable (e.g., C:\Windows\notepad.exe). This provides a more specific and secure way to create a rule, as it ensures the file is running from an expected or known location. To find it, right-click the executable file and select Properties. In the General tab, the Location field shows the full path to the executable.
MD5
The MD5 (Message Digest 5) type is a cryptographic hash that uniquely identifies a file. An MD5 hash is a 32-character hexadecimal string (e.g., c201d148408f9c06121b682e88a3854a). This is one of the most secure methods because it's based on the file's content. Any change, no matter how small, will result in a completely different MD5 hash, effectively blocking any tampered files. To find it, you'll need a dedicated hashing tool. Windows doesn't have a built-in GUI tool for this, but you can use PowerShell. Open PowerShell and use:
Get-FileHash -Path "C:\path\to\your\file.exe" -Algorithm MD5
The output will show the MD5 hash in the Hash field.
Publisher (Company Name)
The Publisher type uses the company name taken from the process's digital signature (e.g., Microsoft Corporation). This is a powerful and secure method: it allows or blocks every file attributed to a given publisher, whether the file is digitally signed or not, without needing to list each file individually. For a file that is digitally signed, you can find the Publisher with the following steps: right-click the executable file, select Properties, go to the Digital Signatures tab, click a signature, and then click the Details button. In the General tab, the Name of signer field shows the Publisher's name.
In the case of a file that is not digitally signed, you can find the Publisher using PowerShell. Run the following command lines:
# Get the version info for notepad.exe
$fileInfo = Get-Item "C:\Windows\notepad.exe"
# Access the VersionInfo property
$version = $fileInfo.VersionInfo
# Print the details
$version | Format-List
The CompanyName field in the output is the Publisher.
Signature (Thumbprint)
The Signature or Thumbprint type uses the unique cryptographic identifier of an application's digital certificate. This is the most secure and robust method for creating a rule. A thumbprint is a hash of the certificate itself, so the rule applies only to executables signed with that specific certificate, whether you are allowing or blocking them. To find it, right-click the executable file, select Properties, go to the Digital Signatures tab, select the signature entry, and click Details. In the Digital Signature Details window, click View Certificate, go to the Details tab, and scroll down to the Thumbprint field. This is the value you need.
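The following is an added example, not code from the original page: it gathers every value the rule types above are built from (File Description, path, MD5, Publisher and certificate thumbprint) for one executable. It assumes an executable path as input; notepad.exe is used only as a sample.

```powershell
# Added example, not part of the original page: gather every value the rule
# types above are built from for one executable. Assumes an executable path;
# notepad.exe is used only as a sample.
function Get-AppControlIdentifiers {
    param([Parameter(Mandatory)][string]$Path)

    $item        = Get-Item -LiteralPath $Path
    $versionInfo = $item.VersionInfo
    $md5         = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash

    # Authenticode check: Status is 'Valid' for a correctly signed file and
    # 'NotSigned' for an unsigned one (other values mean a broken signature).
    $sig = Get-AuthenticodeSignature -FilePath $Path

    if ($sig.Status -eq 'Valid') {
        # Signed: Publisher is the signer's common name, as shown in the
        # "Name of signer" field; Thumbprint is the certificate's hash.
        $publisher  = $sig.SignerCertificate.GetNameInfo('SimpleName', $false)
        $thumbprint = $sig.SignerCertificate.Thumbprint
    } else {
        # Unsigned: fall back to CompanyName from VersionInfo, as the
        # Publisher section describes; there is no certificate to hash.
        $publisher  = $versionInfo.CompanyName
        $thumbprint = $null
    }

    [pscustomobject]@{
        SoftwareName    = $versionInfo.FileDescription   # Software Name rule
        Path            = $item.FullName                 # Path rule
        MD5             = $md5                           # MD5 rule
        Publisher       = $publisher                     # Publisher rule
        Thumbprint      = $thumbprint                    # Signature rule
        SignatureStatus = $sig.Status
    }
}

Get-AppControlIdentifiers -Path 'C:\Windows\notepad.exe' | Format-List
```

A SignatureStatus other than Valid or NotSigned means the file's signature is broken or untrusted, which is worth knowing before you build a Publisher or Signature rule on it.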
Wildcard Path
A Wildcard path type uses an asterisk (*) to allow or block a range of files or paths. This is useful for managing a large number of files in a specific folder, or all files with a particular name, without having to list each one. For example, C:\Program Files\App\* would allow or block all applications in the "App" folder, and C:\Program Files\*\chrome.exe would apply the rule to chrome.exe regardless of the subfolder it's in. There is no field to look up for this rule; you build it yourself by identifying the common path or file-name pattern you want to allow or block. For a directory, use \* at the end (e.g., C:\Users\username\Desktop\*). For a file name, use * as a placeholder for the variable part of the name (e.g., testing*.exe). You can also use Environment Variables (%My_Custom_Environment_Variable%). We are currently tracking all System Environment Variables, but only the following user Environment Variables: %LOCALAPPDATA%, %USERPROFILE%, and %USERNAME%.
The Wildcard path can contain a maximum of two * markers (which can be placed anywhere) and a single environment variable (inside its subject).
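An added example, not part of the original page: it checks a Wildcard path against the limits just stated (at most two * markers, a single environment variable, and only the listed user variables) and then tests sample paths against it. It assumes that * matches any run of characters including backslashes, which is how PowerShell's -like operator behaves; the product's own matcher is not documented here and may differ.

```powershell
# Added example, not part of the original page. Assumes '*' matches any run of
# characters including backslashes (the behaviour of PowerShell's -like
# operator); the product's own matcher may differ.
$AllowedUserVariables = @('LOCALAPPDATA', 'USERPROFILE', 'USERNAME')

function Test-WildcardPathRule {
    param([Parameter(Mandatory)][string]$Rule)

    $stars = [regex]::Matches($Rule, '\*').Count
    if ($stars -gt 2) { return "invalid: $stars * markers (maximum is two)" }

    $vars = @([regex]::Matches($Rule, '%([^%]+)%') | ForEach-Object { $_.Groups[1].Value })
    if ($vars.Count -gt 1) { return 'invalid: more than one environment variable' }

    foreach ($v in $vars) {
        # Every system (machine-scope) variable is tracked; user variables only
        # from the list above.
        $isSystem = $null -ne [Environment]::GetEnvironmentVariable($v, 'Machine')
        if (-not $isSystem -and $AllowedUserVariables -notcontains $v) {
            return "invalid: user variable %$($v)% is not tracked"
        }
    }
    return 'valid'
}

function Test-WildcardPathMatch {
    param([Parameter(Mandatory)][string]$Rule, [Parameter(Mandatory)][string]$Path)
    # Expand %VAR% with the current process values, then let -like apply '*'.
    $expanded = [Environment]::ExpandEnvironmentVariables($Rule)
    return $Path -like $expanded
}

# Constructed rules: the first two follow the limits, the last two do not.
$rules = @(
    'C:\Program Files\*\chrome.exe',
    '%LOCALAPPDATA%\Temp\testing*.exe',
    'C:\*\*\*.exe',          # three markers
    '%APPDATA%\*.exe'        # per-user variable that is not tracked
)
foreach ($r in $rules) { '{0,-36} {1}' -f $r, (Test-WildcardPathRule -Rule $r) }

# Constructed paths checked against the chrome.exe rule
Test-WildcardPathMatch -Rule 'C:\Program Files\*\chrome.exe' -Path 'C:\Program Files\Google\Chrome\Application\chrome.exe'
Test-WildcardPathMatch -Rule 'C:\Program Files\*\chrome.exe' -Path 'C:\Users\Public\chrome.exe'
```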
Command Line Arguments
The Command Line Arguments type is an advanced method that allows or blocks a file based on the specific command-line parameters used to launch it. For example, you might allow cmd.exe to run, but block it from running with specific arguments. This is useful for controlling the behavior of legitimate, but powerful, tools. To find the value, you need to observe how a program is launched and note its arguments. This is often done through monitoring tools or by checking a shortcut's Target field, which may include arguments after the executable path. As an example, if you want to block Google Chrome from running in Incognito mode, which is usually launched by passing the --incognito argument (C:\Program Files (x86)\Google\Chrome\chrome.exe --incognito), you just need to create a Command Line Arguments type rule with --incognito as the subject.
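An added example, not part of the original page, showing the two ways of observing launch arguments described above: reading a shortcut's Target (path plus arguments) and listing running processes whose command line contains a given argument, here --incognito from the Chrome example. It assumes the WScript.Shell COM object and the Win32_Process CIM class, both present on Windows.

```powershell
# Added example, not part of the original page: two ways to observe the
# arguments a program is launched with, so a Command Line Arguments subject
# (such as --incognito) is taken from a real launch. Assumes the WScript.Shell
# COM object and the Win32_Process CIM class, both present on Windows.
function Get-ShortcutLaunchInfo {
    param([Parameter(Mandatory)][string]$LnkPath)
    # The Target field of a shortcut is TargetPath followed by Arguments.
    $lnk = (New-Object -ComObject WScript.Shell).CreateShortcut($LnkPath)
    [pscustomobject]@{
        Shortcut  = Split-Path -Leaf $LnkPath
        Target    = $lnk.TargetPath
        Arguments = $lnk.Arguments
    }
}

function Find-ProcessesWithArgument {
    param([Parameter(Mandatory)][string]$Argument)
    # Win32_Process carries the full command line of each running process.
    Get-CimInstance -ClassName Win32_Process |
        Where-Object { $_.CommandLine -and $_.CommandLine -match [regex]::Escape($Argument) } |
        Select-Object ProcessId, Name, CommandLine
}

# Shortcuts on the current user's desktop that pass extra arguments
Get-ChildItem -Path "$env:USERPROFILE\Desktop" -Filter *.lnk |
    ForEach-Object { Get-ShortcutLaunchInfo -LnkPath $_.FullName } |
    Where-Object { $_.Arguments } |
    Format-Table -AutoSize

# Running processes that were started with --incognito
Find-ProcessesWithArgument -Argument '--incognito'
```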