PSScriptPolicyTest script gets blocked by AppLocker in the event log. Why and what are those files?!

Jun 07 2017

If you are using AppLocker (which you should) and have enabled the “MSI and Scripts” function in AppLocker to whitelist only signed PowerShell scripts, you will get some errors in the event log even though your scripts are signed. Checking the Event Viewer log for AppLocker events, you will see that the logged-on user tried to run 2 different scripts starting with __PSScriptPolicyTest, with the extensions .ps1 and .psm1. The full name is something like __PSScriptPolicyTest_bavjba32.xjg.ps1, where the pattern is __PSScriptPolicyTest_<8-random-numbers-and-letters>.<3-random-numbers-and-letters>.ps1/psm1


In my case I had a PowerShell logon script that was signed and allowed in AppLocker. The script itself ran as expected, but the 2 PSScriptPolicyTest scripts were blocked in the log at the same time.



Troubleshooting this a little bit more, I noticed that they are not signed, and since they are located in “Appdata\Local\Temp” we did not want to allow them by path (since the user has write permissions in that folder). The files got removed immediately after being created, but I managed to capture them, and the only content in them was the number one.


The good thing is that it is always the same content, and since AppLocker does not take the filename into account when creating a file hash, I looked in the event log and saw that it was always the same file hash being blocked:


  - RuleAndFileData 
   PolicyName SCRIPT 
   RuleId {00000000-0000-0000-0000-000000000000} 
   RuleName - 
   RuleSddl - 
   TargetProcessId 7360 
   FileHash 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B 
   Fqbn - 
   TargetLogonId 0x2f813c 

Once this hash was added to the whitelist, nothing was blocked in the event log any more and the logon script still ran without any issues.

Deep Dive

So what are those files really for? I have not found any official documentation about this behaviour, so until I get some official confirmation that this is how it works, these are just my assumptions.

Well, it seems that these 2 scripts are used to determine which Language Mode PowerShell is allowed to run in when using AppLocker! So by allowing them in the GPO, Constrained Language mode was completely disabled for the user.


Since this is not wanted behaviour, I removed the file hash for the PSScriptPolicyTest scripts so they got blocked by AppLocker again. After the GPO had been updated, I checked the Language Mode for the user again.

Now it was back to the expected setting again.


  • __PSScriptPolicyTest*.ps1/psm1 files are used to determine which Language Mode PowerShell will run in.
  • Do NOT allow them (whitelist) in AppLocker, since this will circumvent the Constrained Language mode security feature.
  • If you are troubleshooting AppLocker, the errors in the event log for the 2 PSScriptPolicyTest scripts with the file hash 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B can be safely ignored.
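
A check that follows from the points above, added here as an example and not part of the original post: it confirms that the logged hash is the SHA-256 of a file containing only the character 1, then searches the effective AppLocker Script rules for an Allow hash rule carrying it. It assumes an administrator's Full Language session with the AppLocker module available, and it does not inspect path or publisher rules, which could also match the files.

```powershell
# Added example. Run from a Full Language session (the .NET calls below are
# not permitted in a Constrained Language session).

# File hash taken from the AppLocker event shown in the article.
$testHash = '6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B'

# 1. The captured files contained only "1". Hash that single byte and compare.
$sha   = [System.Security.Cryptography.SHA256]::Create()
$bytes = [System.Text.Encoding]::ASCII.GetBytes('1')
$calc  = -join ($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString('X2') })
$sha.Dispose()
"SHA-256 of '1' equals the logged FileHash: $($calc -eq $testHash)"

# 2. Pull the merged (local + GPO) policy and look at Allow hash rules in the
#    Script collection. AppLocker stores the hash as Data="0x<hex>".
[xml]$policy = Get-AppLockerPolicy -Effective -Xml
$allowRules  = $policy.SelectNodes(
    "//RuleCollection[@Type='Script']/FileHashRule[@Action='Allow']")

$hits = $allowRules | Where-Object {
    $_.SelectNodes('Conditions/FileHashCondition/FileHash') |
        Where-Object { ($_.Data -replace '^0x', '') -eq $testHash }
}

# 3. Report. Any hit means the policy test files are allowed to run, which
#    per the article switches Constrained Language mode off for those users.
if ($hits) {
    foreach ($rule in $hits) {
        Write-Warning ("Allow rule '{0}' (Id {1}, SID {2}) whitelists the PSScriptPolicyTest hash" -f
            $rule.Name, $rule.Id, $rule.UserOrGroupSid)
    }
} else {
    'No Allow hash rule for the PSScriptPolicyTest files in the effective Script rules.'
}

# 4. Language mode of THIS session. To verify the result for an affected user,
#    type the same expression in that user's interactive PowerShell session.
"Language mode of this session: $($ExecutionContext.SessionState.LanguageMode)"
```
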

Hope this helps!


Happy deployment, and thanks for reading!

What our lawyers make us say:

This information is provided "AS IS" with no warranties, confers no rights and is not supported by the authors or Deployment Artist.

Copyright © 2017 by Deployment Artist (the company behind deployment research). All rights reserved. No part of the information on this web site may be reproduced or posted in any form or by any means without the prior written permission of the publisher.

Shorthand: Don't pass off our work as yours, it's not nice.
