Application Execution Prevention Best Practice #TK-KB14

Written by Giuseppe

Last published at: March 21st, 2020

Application Execution Prevention (AEP) is a system-level function that can prevent a system from operating correctly until the active ThinKiosk profile is corrected and reloaded. By default, ThinKiosk applications will be allowed once verified by a signed security certificate. If you block all applications without any rules defined, you will be asked to insert a rule to allow Windows applications. All applications launched via any method are filtered by AEP (if AEP is enabled and ThinKiosk is running).

There are different options you can use to allow or disallow certain applications within your ThinKiosk session. Some examples follow.

The first step is to enable "Block the executable if it does not match any of the configured rules below".

If enabled, and no other rules are created in the list, the console will auto-create a rule for you to prevent incorrect system operation.

This rule will only allow execution of Windows OS binary applications. Examples are MS Paint, Calculator, Resource Monitor, Internet Explorer and more.

Alternatively, you can add an extra set of rules using a certificate thumbprint, which is considered more secure. For example, such rules can allow execution of the Citrix Receiver or the VMware client.

Note: a certificate thumbprint value could be different from the one shown above. 

To retrieve the certificate thumbprint, press the browse button and click the executable you want to include. The certificate thumbprint value will be automatically retrieved for you and the form will be populated. Click Add and OK.

The list of rules above will only allow the Citrix Receiver, the VMware Client and all Windows binaries. All other applications will be blocked and a message will be displayed.

Additionally, when creating a rule, there are relationships and conditions you can use to match, or not match, a specific file name, file size, last modified date and time, Windows OS binary status, and all the other options in the profile editor.

An example of such a rule can be seen in the screenshot below. The rule denies execution of the locally installed MSPaint application. When a user clicks on the icon for that application, they will be prompted with a dialog message.

Application Execution Prevention Processing Example

Application execution prevention rule processing is sequenced by the relationship between each condition in the rule and the preceding condition. For ‘and’ conditions, all of the conditional tests must pass. ‘Or’ conditions are examined as a “one of many” situation. The 1st condition in the rule ignores the ‘relationship’ field, as there are no preceding conditions. In the following example, we show a rule that allows only 2 very specific versions of “Calculator”, identified by filename and size.


First, we want to ensure the correct filename, so we add a condition to verify the filename. “Image Name” represents the full path and filename, and it is the only condition where upper/lower case does not matter.

Secondly, we want to allow either of 2 possible file sizes. To do this we add another condition to test the file size, as shown below. The value to check was obtained using the “Browse” action and selecting the required binary; the editor will automatically select the appropriate value and populate the field.

Finally, we need to add a second size to allow. The difference is that we must select a relationship of ‘or’ to indicate “the 1st size or the 2nd size”. In the image below, we see all 3 conditions added. This can be read as “(image name) AND (1st size OR 2nd size)”.
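
The grouping described in this section, as an added Python model (not ThinKiosk code): each ‘or’ condition joins the condition before it in a one-of-many group, and every group must pass, which reproduces the “(image name) AND (1st size OR 2nd size)” reading. The field names, path and sizes are constructed, the grouping is inferred from that stated reading, and the left-to-right function is included only for contrast, since it would accept a different file that happens to have the 2nd size.

```python
# Added illustration: a model of the rule processing described above.
# Not ThinKiosk code; field names and sample values are constructed.
from dataclasses import dataclass

@dataclass
class Condition:
    relationship: str   # "and" / "or"; ignored on the first condition
    field: str          # "image_name" or "size" (hypothetical field names)
    value: object

def matches(cond, file_info):
    actual = file_info[cond.field]
    if cond.field == "image_name":
        # Image Name is the only condition compared without regard to case.
        return actual.lower() == cond.value.lower()
    return actual == cond.value

def group_conditions(conditions):
    """Start a new group at every 'and'; an 'or' joins the preceding group."""
    groups = []
    for i, cond in enumerate(conditions):
        if i == 0 or cond.relationship == "and":
            groups.append([cond])
        else:
            groups[-1].append(cond)
    return groups

def rule_matches(conditions, file_info):
    """Every group must pass; a group passes if any one condition in it does."""
    return all(any(matches(c, file_info) for c in group)
               for group in group_conditions(conditions))

def left_to_right(conditions, file_info):
    """Naive reading for contrast: ((c1 AND c2) OR c3), with no grouping."""
    result = matches(conditions[0], file_info)
    for cond in conditions[1:]:
        hit = matches(cond, file_info)
        result = (result and hit) if cond.relationship == "and" else (result or hit)
    return result

# Constructed sample values; real sizes come from the editor's Browse action.
CALC = r"C:\Windows\System32\calc.exe"
RULE = [
    Condition("and", "image_name", CALC),   # relationship ignored (first)
    Condition("and", "size", 27648),        # 1st size
    Condition("or", "size", 26112),         # 2nd size
]
```

Evaluating a draft rule this way against a few known-good and known-bad files before loading the profile confirms that the ‘or’ conditions widen only the size check and not the whole rule.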