Create a hash rule

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To create a hash rule

  1. Open Software Restriction Policies.

  2. In either the console tree or the details pane, right-click Additional Rules, and then click New Hash Rule.

  3. Click Browse to find a file, or paste a precalculated hash in File hash.

  4. In Security level, click either Disallowed or Unrestricted.

  5. In Description, type a description for this rule, and then click OK.


  • Different administrative credentials are required to perform this procedure, depending on your environment:

    • If you create a hash rule on your local computer: To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

    • If you create a hash rule on a computer that is joined to a domain: To perform this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.

  • To open Software Restriction Policies, see "Open Software Restriction Policies" in Related Topics.

  • It may be necessary to create a new software restriction policy setting for the Group Policy object (GPO) if you have not already done so. For information about how to create new software restriction policies, see Related Topics.

  • A hash rule can be created for a virus or a Trojan horse to prevent it from running.

  • If you want other people to use a hash rule so that a virus cannot run, calculate the hash of the virus by using software restriction policies, and then e-mail the hash value to the other people. Never e-mail the virus itself.

  • If a virus has been sent through e-mail, you can also create a path rule to prevent execution of e-mail attachments. For more information, see "Create a path rule" in Related Topics.

  • A file that is renamed or moved to another folder results in the same hash. Any change to the file itself results in a different hash.

  • The only file types that are affected by hash rules are those that are listed in Designated File Types in the details pane for Software Restriction Policies. There is one list of designated file types that is shared by all rules. For more information, see "Add or delete a designated file type" in Related Topics.

  • For software restriction policies to take effect, users must update policy settings by logging off from and logging on to their computers.

  • When more than one software restriction policies rule is applied to policy settings, there is a precedence of rules for handling conflicts. For more information, see "Precedence of software restriction policies" in Related Topics.
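
The note above about renamed, moved, and changed files can be checked with the following added example, which is not part of the original topic or of Software Restriction Policies. It fingerprints a file by content and length, then sweeps a folder tree for copies under any name. Assumptions: SHA-256 is used only to illustrate the property (take the value for File hash from Software Restriction Policies itself, as described above), and all file names and contents are constructed.

```python
import hashlib
import os
import shutil
import tempfile

def fingerprint(path, algorithm="sha256", chunk_size=65536):
    """Return (hex digest, length in bytes) computed from file content only."""
    digest = hashlib.new(algorithm)  # algorithm choice is an assumption of this example
    size = 0
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
            size += len(chunk)
    return digest.hexdigest(), size

def find_matches(root, target):
    """Walk root and return sorted relative paths whose content matches target."""
    matches = []
    for folder, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(folder, name)
            # Cheap length check first; hash only files of the right size.
            if os.path.getsize(full) != target[1]:
                continue
            if fingerprint(full) == target:
                matches.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(matches)

def demo():
    """Build a constructed folder tree and list the files matching the original."""
    root = tempfile.mkdtemp()
    try:
        original = os.path.join(root, "tool.exe")
        content = b"MZ" + b"constructed sample content" * 8  # not a real program
        with open(original, "wb") as handle:
            handle.write(content)
        target = fingerprint(original)
        # Moved and renamed copy: name and folder differ, content does not.
        os.mkdir(os.path.join(root, "moved"))
        shutil.copyfile(original, os.path.join(root, "moved", "renamed.exe"))
        # Same length, one bit flipped: the file itself changed, so the hash changes.
        patched = bytearray(content)
        patched[-1] ^= 0x01
        with open(os.path.join(root, "patched.exe"), "wb") as handle:
            handle.write(bytes(patched))
        return find_matches(root, target)
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    print(demo())
```

The renamed copy in the subfolder matches the original's fingerprint, while the one-bit variant of identical length does not.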

Information about functional differences

  • Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

See Also


Open Software Restriction Policies
Create new software restriction policies
Software Restriction Policies
Security levels and additional rules
Create a path rule
Add or delete a designated file type
Precedence of software restriction policies rules