How to block access to system settings using AppLocker in Win10?

  applocker, windows, windows-10

All

What kind of rules should be created in AppLocker to block access to System Settings (command: start ms-settings:) in Win10?

Below is the command I use to lock apps on win10. System Settings is inaccessible after running it.

But System Settings is still locked after I remove all the deny rules in secpol.msc. Why?
What should I do to unlock only System Settings and keep the other apps locked? Thanks.

cmd:

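rem AppLocker rules are only evaluated while the Application Identity service
rem (AppIDSvc) is running, so it is set to start automatically. Both output
rem streams are sent to nul, which also hides a failed configuration change.
sc.exe config appidsvc start= auto 1>nul 2>nul

rem Import the policy file from the current directory into the local policy.
rem Without -Merge, Set-AppLockerPolicy replaces the existing policy rather
rem than adding to it.
Powershell -ExecutionPolicy unrestricted "Set-AppLockerPolicy -XMLPolicy .\AppLocker.xml"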

AppLocker.xml:

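<!--
  AppLocker policy posted with the question. Only the Dll and Exe rule
  collections contain rules; Appx, Msi and Script are empty.

  Path separators: the page as published had lost the backslashes in every
  path (for example "%WINDIR%*"). They are restored here in the Path and Name
  attributes, because a path condition without them does not name the
  intended file.

  Enforcement: every collection is EnforcementMode="NotConfigured". Per
  Microsoft's AppLocker documentation, a collection that holds rules and is
  left not configured is enforced by default. Setting "AuditOnly" or
  "Enabled" explicitly makes the intent visible, and AuditOnly allows a
  change to be trialled from the event log before it blocks anything.

  Principals: S-1-1-0 is Everyone and S-1-5-32-544 is the local
  Administrators group. Deny rules take precedence over allow rules, so the
  Everyone deny rules also apply to administrators, despite the
  "(Default Rule) All files" allow rule.

  Rule conditions: every deny rule is a path condition. It matches a
  location, not the file itself, so the same binary at another path is not
  covered. Publisher or hash conditions follow the file.

  Settings app: rule f8dca185-e33a-4d7b-9ef6-12ff948f37f6 denies
  SystemSettings.exe under ImmersiveControlPanel. That is the executable the
  question refers to when it says System Settings is inaccessible.

  Redundant rules (kept as posted): powershell_ise.exe is denied by both
  31e0ea00 and 56af19bd, and powershell.exe by both 9508d499 and eb0b00fa.
  The Cortana folder wildcard rule 4b3bf4a0 already covers the SearchUI.exe
  rule b655d189.

  NOTE(review): comments are kept outside the root element so the policy body
  is exactly the posted rule set. Confirm the import tool accepts a leading
  XML comment.
-->
<AppLockerPolicy Version="1">
  <RuleCollection Type="Appx" EnforcementMode="NotConfigured" />
  <RuleCollection Type="Dll" EnforcementMode="NotConfigured">
    <FilePathRule Id="3737732c-99b7-41d4-9037-9cddfb0de0d0" Name="(Default Rule) All DLLs located in the Program Files folder" Description="Allows members of the Everyone group to load DLLs that are located in the Program Files folder." UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="ad2d943b-409f-4af0-ae89-b3cfe7d0c85b" Name="zipfldr.dll" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%SYSTEM32%\zipfldr.dll" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="bac4b0bf-6f1b-40e8-8627-8545fa89c8b6" Name="(Default Rule) Microsoft Windows DLLs" Description="Allows members of the Everyone group to load DLLs located in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="fe64f59f-6fca-45e5-a731-0f6715327c38" Name="(Default Rule) All DLLs" Description="Allows members of the local Administrators group to load all DLLs." UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions>
        <FilePathCondition Path="*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Exe" EnforcementMode="NotConfigured">
    <FilePublisherRule Id="5f61c356-0489-426d-aea8-3f331c94abff" Name="Signed by O=CISCO WEBEX LLC, L=SAN JOSE, S=CALIFORNIA, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=CISCO WEBEX LLC, L=SAN JOSE, S=CALIFORNIA, C=US" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePathRule Id="05b20709-3152-4cea-8911-2324f1db83b8" Name="C:\Windows\System32\ROUTE.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="C:\Windows\System32\ROUTE.EXE" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="27a2117c-0edd-47a6-83b6-153169698bbf" Name="%SYSTEM32%\ftp.exe" Description="ftp.exe" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%SYSTEM32%\ftp.exe" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="31e0ea00-6d40-441c-8021-373ece6577c8" Name="%SYSTEM32%\WindowsPowerShell\v1.0\powershell_ise.exe" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%SYSTEM32%\WindowsPowerShell\v1.0\powershell_ise.exe" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="4b3bf4a0-a712-498a-bdd7-b1badfcfebd1" Name="%WINDIR%\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\*" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="56af19bd-9be2-45f3-b9d2-39114c1b1055" Name="%SYSTEM32%\WindowsPowerShell\v1.0\powershell_ise.exe" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%SYSTEM32%\WindowsPowerShell\v1.0\powershell_ise.exe" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="612f5074-cfc7-4c36-84ee-cb450eb7d432" Name="C:\Windows\System32\OptionalFeatures.exe" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="C:\Windows\System32\OptionalFeatures.exe" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="6a55d975-59b8-4734-ad03-e321ddb00404" Name="C:\Windows\SysWOW64\ROUTE.EXE" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="C:\Windows\SysWOW64\ROUTE.EXE" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="7a883dea-896b-4cc0-88d0-b8d6b080f095" Name="%SYSTEM32%\notepad.exe" Description="notepad.exe" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%SYSTEM32%\notepad.exe" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="(Default Rule) All files located in the Program Files folder" Description="Allows members of the Everyone group to run applications that are located in the Program Files folder." UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="9508d499-5539-4e3a-b6d0-cc7262591b27" Name="%SYSTEM32%\WindowsPowerShell\v1.0\powershell.exe" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%SYSTEM32%\WindowsPowerShell\v1.0\powershell.exe" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="9cc4948f-010d-440a-af7a-d5ed5481ee49" Name="%SYSTEM32%\osk.exe" Description="osk.exe" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%SYSTEM32%\osk.exe" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="a34c916c-e2d0-4a45-9627-14e510408da5" Name="%SYSTEM32%\mspaint.exe" Description="mspaint.exe" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%SYSTEM32%\mspaint.exe" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="a4da80a7-c7a9-4a10-89d5-13892c39454e" Name="%SYSTEM32%\SnippingTool.exe" Description="SnippingTool.exe" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%SYSTEM32%\SnippingTool.exe" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="(Default Rule) All files located in the Windows folder" Description="Allows members of the Everyone group to run applications that are located in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="ac96c7d0-4b69-4935-8890-3189d9804cb8" Name="%SYSTEM32%\subst.exe" Description="subst.exe" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%SYSTEM32%\subst.exe" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="b655d189-a68b-453f-b250-274b40efd59f" Name="%WINDIR%\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="d24190e0-4abc-49b2-89f3-04a013321f9b" Name="%PROGRAMFILES%\Windows NT\Accessories\wordpad.exe" Description="wordpad.exe" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\Windows NT\Accessories\wordpad.exe" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="e46cf12b-7806-4598-99ea-13e8320a45ca" Name="%SYSTEM32%\msconfig.exe" Description="msconfig.exe" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%SYSTEM32%\msconfig.exe" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="eb0b00fa-7523-4823-a189-56fe4d064818" Name="%SYSTEM32%\WindowsPowerShell\v1.0\powershell.exe" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%SYSTEM32%\WindowsPowerShell\v1.0\powershell.exe" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="f8dca185-e33a-4d7b-9ef6-12ff948f37f6" Name="%WINDIR%\ImmersiveControlPanel\SystemSettings.exe" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\ImmersiveControlPanel\SystemSettings.exe" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="(Default Rule) All files" Description="Allows members of the local Administrators group to run all applications." UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions>
        <FilePathCondition Path="*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Msi" EnforcementMode="NotConfigured" />
  <RuleCollection Type="Script" EnforcementMode="NotConfigured" />
</AppLockerPolicy>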

Source: Windows Questions
