Guide | How To Easy Application Control on Windows


cartaphilus

Level 13
Verified
Top Poster
Well-known
Mar 17, 2023
588
App Install Control - Easy Application Control on Windows
Post updated/corrected 05.05.2024

  1. Can be easily applied in a few seconds (on Windows 11 the Smart App Control must be set to OFF).
  2. Blocks files originating from the Internet Zone (files downloaded from the Internet - files with MotW).
    Default Block List includes over 100 file types (executables, scripts, scriptlets, shortcuts, etc.).
  3. Allows popular documents, media files, and other files usually downloaded by home users (except application installers).
  4. Does not affect already installed applications and software auto-updates.
  5. Cannot break anything (installed software, Windows Updates, etc.).
  6. No whitelisting, but the blocked file can be easily unblocked from the right-click Explorer context menu.
  7. Allows application installations from Microsoft Store and gaming platforms (Steam, Epic Games, etc.).
  8. Does not protect from malware distributed via removable drives shared with other people.

Default list of blocked file types (Windows 11):
.ade, .adp, .app, .appref-ms, .asp, .bas, .bat, .cer, .chm, .cmd, .cnt, .com, .cpl, .crt, .csh, .der, .exe, .fxp, .gadget, .grp, .hlp, .hpj, .hta, .img, .inf, .ins, .iso, .isp, .its, .js, .jse, .ksh, .lnk, .mad, .maf, .mag, .mam, .maq, .mar, .mas, .mat, .mau, .mav, .maw, .mcf, .mda, .mdb, .mde, .mdt, .mdw, .mdz, .msc, .msh, .msh1, .msh1xml, .msh2, .msh2xml, .mshxml, .msi, .msp, .mst, .msu, .ops, .pcd, .pif, .pl, .plg, .prf, .prg, .printerexport, .ps1, .ps1xml, .ps2, .ps2xml, .psc1, .psc2, .psd1, .psm1, .pst, .reg, .scf, .scr, .sct, .shb, .shs, .slk, .theme, .tmp, .vb, .vbp, .vbs, .vhd, .vhdx, .vsmacros, .vsw, .webpnp, .website, .ws, .wsc, .wsf, .wsh, .xnk

Those files are probably related to the IE Unsafe File List:
https://learn.microsoft.com/en-us/t...rivacy/information-about-the-unsafe-file-list

It is possible to extend the Block List to include other filetypes by editing the Registry key:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\CodeIdentifiers
Details can be found in the post:
https://malwaretips.com/threads/easy-application-control-on-windows.130803/post-1085791

It would be recommended to add:
.accda, .accdu, .cab, .csv, .diagcab, .dqy, .ecf, .elf, .fon, .ime, .iqy, .jar, .mdf, .mdn, .oqy, .pa, .ppa, .ppam, .rqy, .rtf, .settingcontent-ms, .wll, .wwl, .xla, .xll, .xlm



How to tweak it.


How to unblock the file.

Easy Application Control can cover almost all initial attack vectors at home if one uses Microsoft Defender + ConfigureDefender, Windows built-in applications (archiver, email-client, etc.), and MS Office. See also:
https://malwaretips.com/threads/easy-application-control-on-windows.130803/post-1085906
If one is using ESET instead of defender then does this security setting still block attacks? What is lost by not using defender?

Thank you
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
9,101
If one is using ESET instead of defender then does this security setting still block attacks?

Yes.

What is lost by not using defender?

Defender.:)

The advantage of using Microsoft Defender over Eset is when you use Defender with advanced settings (ASR rules, Network Protection), especially with Microsoft Office and Adobe Acrobat Reader.
 

bazang

Level 16
Jul 3, 2024
751
I noticed that on Windows 10 22H2 with updates until November 2023 the list of protected file types is far smaller:
.appref-ms, .bat, .chm, .cmd, .com, .cpl, .exe, .gadget, .hta, .js, .jse, .msc, .msp, .printerexport, .ps1, .scr, .settingcontent-ms, .vb, .vbs, .wsf
In my latest testing of

Edition - Windows 11 Pro
Version - 24H2
OS build - 26100.3775
Experience - Windows Feature Experience Pack 1000.26100.66.0

Both enabled:
- Smart App Control (SAC)
- Choose where to get apps= Microsoft Store Only

Not blocking .bat, .cmd, .wsf (and I stopped after testing these - I did not explore all possible script execution file types)

Edit: Looking at one of Andy's posts, it appears SAC must be turned OFF or in EVALUATION. So what I am reporting might be expected behaviors.
 

bazang

It is possible to extend the Block List to include other filetypes by editing the Registry key:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\CodeIdentifiers
I noticed on most recent Windows 11 build from April 2025 (and Smart App Control enabled), adding executable file types to this well-known registry key does not block any of the added Executable File Types.

Because you have explored a lot of Microsoft security behaviors via Microsoft security configuration permutation testing, do you know if SAC results in CodeIdentifiers being nullified?

Unfortunately, I have been testing on a production system and do not have the time to install virtualization software and create a testing VM - which I do not do on production systems anyways. I have a dedicated set of test machines but am currently out-of-country so have no physical access at this time. If I had direct physical access to those systems then I'd do my own testing and only report disparities from your prior findings.

Over time, I will state that between Windows 11 builds, I have seen various security features (to include registry and other tweaks) change from functional to non-functional and back to functional. Not much of that, but nevertheless enough that I've had to make various reports to Microsoft Government.
 

Andy Ful

Edit: Looking at one of Andy's posts, it appears SAC must be turned OFF or in EVALUATION.

Yes. It still works as explained in the OP.

I noticed on most recent Windows 11 build from April 2025 (and Smart App Control enabled), adding executable file types to this well-known registry key does not block any of the added Executable File Types.

Why should it work?
SAC ON ---> Easy Application Control (Install App Control) does not work ----> adding executable files does not make sense.

Because you have explored a lot of Microsoft security behaviors via Microsoft security configuration permutation testing, do you know if SAC results in CodeIdentifiers being nullified?

When Windows 11 is freshly installed, it turns on AppLocker, automatically turning off SRP. If the user activates AppLocker on Windows 10, the same can happen. However, SRP can be turned ON again as follows:

 

bazang

Why should it work?
SAC ON ---> Easy Application Control (Install App Control) does not work ----> adding executable files does not make sense.
SAC allows malicious script execution. Not good. This is not good.
 

Andy Ful

SAC allows malicious script execution. Not good. This is not good.

Not exactly. It blocks scripts downloaded from the Internet (files with MotW).
If one needs more, then SRP, AppLocker, or WDAC can be used with SAC. The script Interpreters and LOLBins can also be blocked via Windows Exploit Protection.
 

bazang

Not exactly. It blocks scripts downloaded from the Internet (files with MotW).
That is the problem. Security features that rely upon the MotW flag are not good (I get the arguments for it, but the risks are too high given users' typical behaviors). It is easy for threat actors to evade the MotW flag using various methods.

If the malware is a fully-contained script package requiring no additional downloads, SAC will allow it to execute and run. Game Over. One of my favorite tests is running malware from a USB Flash Drive - emulating flash drive sharing, which is culturally done at a high extent amongst particular user demographics.

I have participated on various Dark Web forums where ways to bypass this or that are a regular discussion. Some of the parties or entities on those boards definitely know their stuff and have probed and figured-out Windows security features. They already know that they do not have to work very hard when the target is a home user. Most of the threat actors are not interested in low-value targets though, but nevertheless there is an active underground of "spray & pray" campaigners.
 

Andy Ful

That is the problem. Security features that rely upon the MotW flag are not good (I get the arguments for it, but the risks are too high given users' typical behaviors). It is easy for threat actors to evade the MotW flag using various methods.

MotW-based security is not perfect. Various methods (archives, disk images, etc.) were used to evade MotW, but Microsoft finally patched them.
Bypassing SAC via MotW is rare in widespread attacks.

If the malware is a fully-contained script package requiring no additional downloads, SAC will allow it to execute and run. Game Over. One of my favorite tests is running malware from a USB Flash Drive - emulating flash drive sharing, which is culturally done at a high extent amongst particular user demographics.

Fully contained fileless attacks (no EXEs, DLLs, or MSI files in any infection stage) via flash drives are very rare. Such attacks mainly rely on PE files at the later infection chains (shortcuts, scripts, and LOLBins can be an initial attack vector), so SAC can still block the final PE payload.
Here is an example of a recent LOSTCASE campaign (the flash drive variant could start from the green box with a shortcut):

The malware, the company said, was observed in January, March, and April 2025 in attacks on current and former advisors to Western governments and militaries, as well as journalists, think tanks, and NGOs. In addition, individuals connected to Ukraine have also been singled out.

1747044609655.png


SAC can block the final payload (unsigned DLL loader) both from the web and flash drive.

I have participated on various Dark Web forums where ways to bypass this or that are a regular discussion. Some of the parties or entities on those boards definitely know their stuff and have probed and figured-out Windows security features. They already know that they do not have to work very hard when the target is a home user. Most of the threat actors are not interested in low-value targets though, but nevertheless there is an active underground of "spray & pray" campaigners.

If the target was the particular home user, SAC (and most of the security used at home) cannot help much. The attacker can use a combination of phishing and fileless attack (like Click-Fix) to infect the target. But as you noticed, most threat actors do not bother.
 

Andy Ful

The opening post has been updated.
EAC seems to work best on Windows 11 (impressive default Block List, which can be extended).
It works even if SRP is disabled.
EAC does not affect the already installed stuff and auto-updates (local files do not have MotW).
Using UniGetUI or Ninite makes EAC non-intrusive when installing /updating applications.
 

Andy Ful

The Ninite website can be added to the Trusted Zone via Internet Options, and then the downloaded app installers are ignored by Easy Application Control (no need to Unblock the downloaded executable). This method can be useful for casual users. Ninite includes well-selected and highly reputable applications that can be recommended for everyone.


A big advantage of Ninite is the ability to create one installer that can quickly install many applications at once. Furthermore, the user can save the link to the website created by Ninite to update the installer in the future (no need to remember which applications were installed by Ninite). For example, the website Ninite 7-Zip Evernote foobar2000 IrfanView Revo VLC Unattended Silent Installer and Updater will download the updated installer for 7-Zip + Evernote + Foobar 2000 + IrfanView + Revo Uninstaller + VLC.

 
Last edited:
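
The rule this thread describes (a block-listed file type plus an Internet-zone MotW, with Trusted Zone downloads ignored), modelled in Python as an added example. It is not Easy Application Control's or Windows' own code; the function names, verdict strings and sample files are assumptions made for illustration.

```python
import configparser
from pathlib import PureWindowsPath

# Subset of the default Windows 11 Block List quoted in the opening post.
BLOCK_LIST = {".exe", ".msi", ".bat", ".cmd", ".js", ".vbs", ".ps1",
              ".lnk", ".hta", ".iso", ".img", ".scr", ".wsf"}
# URL security zone numbers stored in the Zone.Identifier stream.
ZONES = {0: "local-machine", 1: "local-intranet", 2: "trusted-sites",
         3: "internet", 4: "restricted-sites"}


def parse_zone_id(stream_text):
    """Return the ZoneId from Zone.Identifier text, or None if there is no MotW."""
    if not stream_text:
        return None
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(stream_text.lstrip("\ufeff"))
        return int(parser["ZoneTransfer"]["ZoneId"])
    except (configparser.Error, KeyError, ValueError):
        return None  # malformed stream: treated here as unmarked


def read_motw(path):
    """Read the Zone.Identifier alternate data stream (NTFS on Windows only)."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None  # no stream, no such file, or not an NTFS volume


def assess(filename, stream_text):
    """Apply the rule as the thread describes it; a model, not EAC's real logic."""
    zone = parse_zone_id(stream_text)
    if zone is None:
        return "allowed:no-motw"
    if zone < 3:  # e.g. a download site added to the Trusted Zone
        return "allowed:" + ZONES.get(zone, "zone-%d" % zone)
    # Assumption: Restricted sites (4) is handled like Internet (3).
    if PureWindowsPath(filename).suffix.lower() not in BLOCK_LIST:
        return "allowed:type-not-listed"
    return "blocked"


# Constructed samples: (file name, Zone.Identifier content or None).
SAMPLES = [
    ("invoice.js", "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.test/invoice.js\r\n"),
    ("report.pdf", "[ZoneTransfer]\r\nZoneId=3\r\n"),
    ("Ninite.exe", "[ZoneTransfer]\r\nZoneId=2\r\n"),
    ("updater.exe", None),
]

if __name__ == "__main__":
    for name, stream in SAMPLES:
        print(f"{name:12} {assess(name, stream)}")
```

On a Windows machine, `assess(path, read_motw(path))` gives the verdict for a real file. The `allowed:no-motw` result is the case from point 8 of the opening post: a file that never received a MotW is outside this rule.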

Andy Ful

@Andy Ful, Windows installation does not set the security settings for all zones in Internet Options to the default level. I always reset the security settings to their default for all zones. Is it ok?

It does not affect Easy Application Control.
What do you mean by Windows installation? The fresh Windows installation sets the default settings. Windows Updates and Upgrades usually keep the settings from the previous installation.
 

rashmi

Level 21
Jan 15, 2024
1,055
What do you mean by Windows installation? The fresh Windows installation sets the default settings.
I always perform a fresh installation when Windows 11 releases a major update. I never see "reset all zones..." grayed out after a Windows installation. It remains grayed out once I apply it.
 

Andy Ful

I always perform a fresh installation when Windows 11 releases a major update. I never see "reset all zones..." grayed out after a Windows installation. It remains grayed out once I apply it.
It is obvious that after a fresh Windows installation, all settings (including Internet zones) are set to default when the user applies Microsoft recommendations. I am not sure why you see the "Reset all zones ..." button as non-grayed out. I never checked this just after the fresh installation. I think that some Internet settings might be changed by tweaking the Windows settings, without using the "Internet Options" interface.

Edit.
It is also possible that default settings in "Internet Options" are adjusted to the older Windows versions (like Windows 7), and can slightly differ from default settings in Windows 11.
 

rashmi

It is obvious that after a fresh Windows installation, all settings (including Internet zones) are set to default when the user applies Microsoft recommendations. I am not sure why you see the "Reset all zones ..." button as non-grayed out. I never checked this just after the fresh installation. I think that some Internet settings might be changed by tweaking the Windows settings, without using the "Internet Options" interface.

Edit.
It is also possible that default settings in "Internet Options" are adjusted to the older Windows versions (like Windows 7), and can slightly differ from default settings in Windows 11.
I manage several Windows 10 and 11 systems, and in my experience, none of them had the "reset all zones..." option grayed out after a fresh installation of Windows. After installing Windows, I first reset all zones to their default settings, then change the DNS on the system, and finally install Windows updates. After installing Windows updates, I configure the Windows Settings panel, Explorer, Group Policy, remove optional/more Windows features, etc., manually. The "reset all zones..." option remains grayed out on all systems, even after making all these changes.
 

Andy Ful

I manage several Windows 10 and 11 systems, and in my experience, none of them had the "reset all zones..." option grayed out after a fresh installation of Windows. After installing Windows, I first reset all zones to their default settings, ...

Do you suspect that the Internet settings after a fresh Windows installation are somewhat worse than after using "Reset all zones ..."?
The opposite might be true as well. The "Internet Options" interface is very old (probably from Vista times).
 

Andy Ful

I checked "Internet Options" on the freshly installed Windows 11. All settings are set to default (the Default buttons are greyed out), except for the "Local intranet" zone. That is why the "Reset all zones ..." button is not greyed out. I found only one difference:

.Net framework reliant components:
Run components not signed with Authenticode (Default = Enable, Fresh Installation setting = Disable)
Run components not signed with Authenticode (Default = Enable, Fresh Installation setting = Disable)

In the home environment, the difference is unimportant.
 
