How to Use AppLocker to Allow or Block DLL Files from Running in Windows 10


AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps (aka: Microsoft Store apps), and packaged app installers.

AppLocker defines DLL rules to include only the .dll and .ocx file formats.

The following table lists the default rules that are available for the DLL rule collection.

Any DLL file not allowed by the default rules below will automatically be blocked by default unless you create a new rule to allow it for a user or group.

If you want to block a DLL file allowed by the default rules below, you will need to create a new rule to block (deny) it for a user or group.

Purpose Name User Rule condition type
Allows members of the local Administrators group to run all DLLs (Default Rule) All DLLs BUILTIN\Administrators Path: *
Allow all users to run DLLs in the Windows folder (Default Rule) Microsoft Windows DLLs Everyone Path: %windir%*
Allow all users to run DLLs in the Program Files folder (Default Rule) All DLLs located in the Program Files folder Everyone Path: %programfiles%*

Important: If you use DLL rules, a DLL allow rule has to be created for each DLL that is used by all of the allowed apps.

Caution: When DLL rules are used, AppLocker must check each DLL that an app loads. Therefore, users may experience a reduction in performance if DLL rules are used.

See also:

This tutorial will show you how to use AppLocker to allow or block specified DLL (.dll and .osx) files to run for all or specific users and groups in Windows 10 Enterprise and Windows 10 Education.

You must be signed in as an administrator to use AppLocker.



Here's How:

1. Open an elevated command prompt.

2. Copy and paste the command below into the elevated command prompt, press Enter, and close the elevated command prompt when it has finished. (see screenshot below)

This command is to make sure the Application Identity service is enabled, set to Automatic, and running. AppLocker cannot enforce rules if this service is not running.

sc config "AppIDSvc" start=auto & net start "AppIDSvc"

Use AppLocker to Allow or Block DLL Files from Running in Windows 10-block_dll_in_applocker-1.png

3. Open Local Security Policy (secpol.msc).

4. Expand open Application Control Policies in the left pane of the Local Security Policy window, click/tap on AppLocker, and click/tap on the Configure rule enforcement link on the right side. (see screenshot below)

Use AppLocker to Allow or Block DLL Files from Running in Windows 10-block_dll_in_applocker-2.jpg

5. Click/tap on the Advanced tab, check the Enable the DLL rule collection box, and click/tap on Apply. (see screenshot below)

Use AppLocker to Allow or Block DLL Files from Running in Windows 10-block_dll_in_applocker-3.png

6. Click/tap on the Enforcement tab, check the Configured box under DLL rules, and click/tap on OK. (see screenshot below)

Use AppLocker to Allow or Block DLL Files from Running in Windows 10-block_dll_in_applocker-4.png

7. Expand open AppLocker in the left pane of the Local Security Policy window, right click or press and hold on DLL Rules, and click/tap on Create Default Rules. (see screenshots below)

If this step is not done, AppLocker will block all DLL files from running by default unless allowed by a created rule.

Use AppLocker to Allow or Block DLL Files from Running in Windows 10-block_dll_in_applocker-5.jpg Use AppLocker to Allow or Block DLL Files from Running in Windows 10-block_dll_in_applocker-6.jpg

8. Right click or press and hold on DLL Rules, and click/tap on Create New Rule. (see screenshot below)

Use AppLocker to Allow or Block DLL Files from Running in Windows 10-block_dll_in_applocker-7.jpg

9. Click/tap on Next. (see screenshot below)

Use AppLocker to Allow or Block DLL Files from Running in Windows 10-block_dll_in_applocker-8.jpg

10. If you would like to specify a user or group to enforce this rule on, click/tap on Select. (see screenshot below)

The default setting is Everyone for all users and groups.

Use AppLocker to Allow or Block DLL Files from Running in Windows 10-block_dll_in_applocker-9a.jpg

A) Click/tap on the Advanced button. (see screenshot below)

Use AppLocker to Allow or Block DLL Files from Running in Windows 10-block_dll_in_applocker-9b.png

B) Click/tap on the Find Now button. (see screenshot below)

Use AppLocker to Allow or Block DLL Files from Running in Windows 10-block_dll_in_applocker-9c.png

C) Select a user or group you want, and click/tap on OK. (see screenshot below)

Use AppLocker to Allow or Block DLL Files from Running in Windows 10-block_dll_in_applocker-9d.jpg

D) Click/tap on OK. (see screenshot below)

Use AppLocker to Allow or Block DLL Files from Running in Windows 10-block_dll_in_applocker-9e.png

11. Select (dot) Allow or Deny for what you want, and click/tap on Next. (see screenshot below)

Use AppLocker to Allow or Block DLL Files from Running in Windows 10-block_dll_in_applocker-10.jpg

12. Select (dot) Path, and click/tap on Next. (see screenshot below)

Use AppLocker to Allow or Block DLL Files from Running in Windows 10-block_dll_in_applocker-11.jpg

13. Do step 14 (file) or step 15 (folder/drive) below for the file or folder path you want to specify to allow or block.


 14. To Specify a DLL File Path to Allow or Block

A) Click/tap on the Browse Files button. (see screenshot below)

Use AppLocker to Allow or Block DLL Files from Running in Windows 10-block_dll_in_applocker-12a.jpg

B) Select if you want to allow or block a .dll or .ocx file in the drop menu at the bottom right corner. (see screenshot below)

C) Navigate to and select the .dll or .ocx file you want to allow or block.

D) Click/tap on Open, and go to step 16 below.

Use AppLocker to Allow or Block DLL Files from Running in Windows 10-block_dll_in_applocker-12b.jpg


 14. To Specify a Folder or Drive Path to Allow or Block All DLL Files in the Folder or Drive

A) Click/tap on the Browse Folders button. (see screenshot below)

Use AppLocker to Allow or Block DLL Files from Running in Windows 10-block_dll_in_applocker-13a.jpg

B) Navigate to and select a folder or drive you want to allow or block all DLL (.dll and .osx) files in.

C) Click/tap on OK, and go to step 16 below.

Use AppLocker to Allow or Block DLL Files from Running in Windows 10-block_dll_in_applocker-13b.png]

16. Click/tap on Next. (see screenshots below)

Use AppLocker to Allow or Block DLL Files from Running in Windows 10-block_dll_in_applocker-12c.jpg Use AppLocker to Allow or Block DLL Files from Running in Windows 10-block_dll_in_applocker-13c.jpg

17. Click/tap on Next. (see screenshots below)

Use AppLocker to Allow or Block DLL Files from Running in Windows 10-block_dll_in_applocker-12d.jpg Use AppLocker to Allow or Block DLL Files from Running in Windows 10-block_dll_in_applocker-13d.jpg

18. Click/tap on Create. (see screenshots below)

Use AppLocker to Allow or Block DLL Files from Running in Windows 10-block_dll_in_applocker-12e.jpg Use AppLocker to Allow or Block DLL Files from Running in Windows 10-block_dll_in_applocker-13e.jpg

19. Your new rule for "DLL Rules" will now be created. (see screenshot below)

Use AppLocker to Allow or Block DLL Files from Running in Windows 10-block_dll_in_applocker-14.jpg

20. Repeat steps 8 to 19 if you would like to create another new rule to allow or block another DLL file for a user or group.

21. When finished, you can close the Local Security Policy window.


That's it,
Shawn