AppLocker / WDAC Event Logs
Location
C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppLocker%4EXE and DLL.evtx and C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx
Description
AppLocker and Windows Defender Application Control (WDAC / Code Integrity) event logs record policy enforcement decisions for executable, DLL, script, and packaged app execution. AppLocker generates Event IDs 8003-8007 for blocked/allowed/audit events; Code Integrity logs capture WDAC violations.
Forensic Value
AppLocker audit-mode logs (Event ID 8003) provide a complete record of every executable, script, and DLL that ran on the system, serving as a comprehensive execution history even when Sysmon is not deployed. Blocked execution events (Event ID 8004) reveal attempted execution of unauthorized binaries, which may indicate attacker tools that were prevented from running. WDAC Code Integrity events (Event ID 3089, 3099) detect unsigned or improperly signed code execution attempts, catching tampered system binaries and malicious drivers. The combination of path, hash, and publisher information in these events enables rapid identification of anomalous executables across an enterprise.
Tools Required
Collection Commands
EvtxECmd
EvtxECmd.exe -f "C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppLocker%4EXE and DLL.evtx" --csv C:\output\ --csvf applocker_exe_dll.csv
EvtxECmd.exe -f "C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx" --csv C:\output\ --csvf codeintegrity_operational.csv
PowerShell
Get-WinEvent -LogName "Microsoft-Windows-AppLocker/EXE and DLL" | Export-Csv C:\output\applocker_exe_dll.csv -NoTypeInformation
KAPE
kape.exe --tsource C: --tdest C:\output --target EventLogs
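The path / hash / publisher triage described under Forensic Value, as an added PowerShell example that is not part of the original page: it parses AppLocker "EXE and DLL" event XML (the RuleAndFileData fields: FilePath, FileHash, Fqbn, TargetUser, PolicyName) into rows and stacks them by hash. The sample event at the bottom is constructed so the block runs offline; the hash value in it is a placeholder.

```powershell
# Added example (not from the original page): parse AppLocker EXE/DLL events into
# path / hash / publisher rows and stack them by hash. Sample event XML is constructed.
function ConvertFrom-AppLockerEventXml {
    param([Parameter(Mandatory)][string]$Xml)
    $doc  = [xml]$Xml
    $sys  = $doc.Event.System
    $data = $doc.Event.UserData.RuleAndFileData     # present on 8002-8005 events
    [pscustomobject]@{
        TimeCreated = [datetime]$sys.TimeCreated.SystemTime
        EventId     = [int]$sys.EventID
        Computer    = $sys.Computer
        TargetUser  = $data.TargetUser              # SID of the account that ran the file
        FilePath    = $data.FilePath                # AppLocker tokens, e.g. %OSDRIVE%
        FileHash    = $data.FileHash                # SHA-256 of the file
        Publisher   = $data.Fqbn                    # "-" when the file is unsigned
        Policy      = $data.PolicyName
    }
}

# Live collection: blocked (8004) and audit-would-block (8003) decisions from the local log.
function Get-AppLockerDecision {
    param([int[]]$Id = @(8003, 8004),
          [string]$LogName = 'Microsoft-Windows-AppLocker/EXE and DLL')
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $Id } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-AppLockerEventXml -Xml $_.ToXml() }
}

# Stack decisions by hash; rare, unsigned binaries in user-writable paths float to the top.
function Get-AppLockerHashStack {
    param([Parameter(Mandatory)][object[]]$Decision)
    $Decision | Group-Object FileHash | Sort-Object Count |
        Select-Object Count,
            @{ n = 'FileHash';  e = { $_.Name } },
            @{ n = 'FilePath';  e = { $_.Group[0].FilePath } },
            @{ n = 'Publisher'; e = { $_.Group[0].Publisher } },
            @{ n = 'Users';     e = { ($_.Group.TargetUser | Sort-Object -Unique) -join ';' } }
}

# Constructed sample 8004 event (not a real log record); hash is a placeholder.
$sampleEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-AppLocker"/><EventID>8004</EventID><TimeCreated SystemTime="2024-01-01T10:00:00Z"/><Channel>Microsoft-Windows-AppLocker/EXE and DLL</Channel><Computer>WS01</Computer></System><UserData><RuleAndFileData xmlns="http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0"><PolicyName>EXE</PolicyName><RuleId>{00000000-0000-0000-0000-000000000000}</RuleId><RuleName>-</RuleName><TargetUser>S-1-5-21-1-2-3-1001</TargetUser><TargetProcessId>4321</TargetProcessId><FilePath>%OSDRIVE%\USERS\ALICE\APPDATA\LOCAL\TEMP\UPDATER.EXE</FilePath><FileHash>CONSTRUCTED-SHA256-PLACEHOLDER</FileHash><Fqbn>-</Fqbn></RuleAndFileData></UserData></Event>
'@

$rows = @(ConvertFrom-AppLockerEventXml -Xml $sampleEvent)   # offline: parse the sample
Get-AppLockerHashStack -Decision $rows | Format-Table -AutoSize
# On a live host, replace $rows with: $rows = @(Get-AppLockerDecision)
```

Paths come back with AppLocker tokens such as %OSDRIVE% rather than drive letters, so normalise them before joining against other artifacts.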