Software Restriction Policies Troubleshooting

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Troubleshooting

What problem are you having?

  • Users receive a message that says "Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator." Or, on the command line, a message says "The system cannot execute the specified program."

  • Modified software restriction policies are not taking effect.

  • You have added a rule to software restriction policies, and you cannot log on to your computer.

  • A new policy setting is not applying to a specific file name extension.

Users receive a message that says "Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator." Or, on the command line, a message says "The system cannot execute the specified program."

Cause:  The default security level (or a rule) sets the software program to Disallowed, and as a result it will not start.

Solution:  Look in the event log for an in-depth description of the message. The event log message indicates what software program is set as Disallowed and what rule is applied to the program.
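
The event-log check described above can be scripted. This is an added example, not code from the original page: it lists recent software restriction policy block events and looks up the rule GUID from each message in the policy registry key. It assumes Windows PowerShell 2.0 or later, an administrator session and computer-scope policy. The event IDs, event source name pattern, message fields and registry path are assumptions not stated on this page.

```powershell
# Added example. Event IDs, source name and registry layout are assumptions
# not given on the page; verify them on the system you are troubleshooting.
$ruleKind = @{
    865 = 'default security level'
    866 = 'path rule'
    867 = 'publisher (certificate) rule'
    868 = 'zone or hash rule'
    882 = 'policy rule'
}
$root = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Resolve-SrpRule([string]$Guid) {
    # Rules are stored as <root>\<level>\<rule type>\<GUID>; level 0 means Disallowed.
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -eq $Guid } |
        Select-Object -First 1 |
        ForEach-Object {
            $parts = $_.Name -split '\\'
            $props = Get-ItemProperty -Path $_.PSPath
            New-Object PSObject -Property @{
                Level       = $parts[-3]
                RuleType    = $parts[-2]
                ItemData    = $props.ItemData
                Description = $props.Description
            }
        }
}

# The wildcard covers the differing source names used by different Windows versions.
Get-EventLog -LogName Application -Source '*Software*Restriction*Polic*' -Newest 50 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $id = [int]$_.EventID
        if (-not $ruleKind.ContainsKey($id)) { return }   # not a block event, skip it
        # Event 865 (default level) carries no rule GUID; rule-based events do.
        $guid = $null
        if ($_.Message -match '\{[0-9A-Fa-f-]{36}\}') { $guid = $Matches[0] }
        $level = 'n/a'; $data = 'n/a'
        if ($guid) {
            $rule = Resolve-SrpRule $guid
            if ($rule) { $level = $rule.Level; $data = $rule.ItemData }
            else       { $data = 'rule not found under HKLM (user-scope or removed)' }
        }
        New-Object PSObject -Property @{
            Time = $_.TimeGenerated; User = $_.UserName; BlockedBy = $ruleKind[$id]
            Program = $_.ReplacementStrings[0]   # assumed: first insertion string is the program
            RuleGuid = $guid; RuleLevel = $level; RuleData = $data
        }
    } | Format-List Time, User, Program, BlockedBy, RuleGuid, RuleLevel, RuleData
```

A rule GUID that appears in the event but not under the HKLM key usually means the rule comes from user-scope policy or has since been removed.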

See also:  Software Restriction Policies

Modified software restriction policies are not taking effect.

Cause:  Software restriction policies that are specified in a domain through Group Policy override any policy settings that are configured locally. If your local changes are not taking effect, a policy setting from the domain may be overriding them. For more information, see Group Policy (pre-GPMC).

Cause:  Group Policy may not have refreshed its policy settings. Group Policy applies changes to policy settings periodically; therefore, it is likely that the policy changes that were made in the directory have not yet been refreshed.

Solution:  You can refresh policy settings with the command-line utility gpupdate or by logging off from and then logging back on to your computer. For best results, run gpupdate, and then log off from and log back on to your computer. For more information, see Gpupdate.

The security settings are refreshed every 90 minutes on a workstation or server and every 5 minutes on a domain controller. The settings are also refreshed every 16 hours, whether or not there are any changes.

Cause:  The local computer on which you changed software restriction policies for the network cannot contact a domain controller.

Solution:  To successfully modify policy for a network, the computer on which you modify software restriction policies must be able to contact a domain controller to update policy for the network. If the computer on which you are working cannot contact the domain controller, software restriction policies are not applied. If your computer is a member of a domain, local software restriction policies are not applied unless the computer can contact the domain controller to ensure that network policy does not override local policy.

You have added a rule to software restriction policies, and you cannot log on to your computer.

Cause:  Your computer accesses many software programs and files when it starts. It is possible to inadvertently set one of these programs or files to Disallowed. Because the computer cannot access the program or file, it cannot start properly.

Solution:  Start the computer in Safe Mode, log on as a local administrator, and then change software restriction policies to allow the program or file to run.

A new policy setting is not applying to a specific file name extension.

Cause:  The file name extension is not in the list of designated file types for software restriction policies.

Solution:  Add the file name extension to the list of designated file types.

For more information, see Add or delete a designated file type.