Disabling XP Mode Feature in Windows 7 with AppLocker

For security reasons many enterprise admins will want to block the XP Mode within Windows 7 environments.

Microsoft has recently announced that April 2014 will be the end of support for Windows XP. This means no more patches for XP machines, which leaves the door open to hackers and intruders. Many corporations are planning to, or have already, migrated from XP to Windows 7 in order to avoid the security risks of an unsupported XP. Windows 7 has been an excellent upgrade; however, one potential backdoor will still remain open even after the migration to Windows 7. The infamous XP Mode, offered by Microsoft as a free download for Windows 7 Professional, brings backwards compatibility at the price of XP's security risks.

Once support for XP ends, the virtual machine that XP Mode installs on your PC will also be unsupported. Users may add this feature (and its associated security risks) to their Windows 7 workstations in order to run their older XP-only applications. This scenario sounds like a nightmare for system administrators with thousands of workstations to manage.

Many different techniques can be used to block XP Mode. In our environment we are having excellent success using AppLocker to block access.

Create a Deny rule for AppLocker:

1. Make sure that the service called AppIDSvc (display name: Application Identity) is set to Manual and is stopped.

2. Start the Group Policy Management Console.

3. Open Computer Configuration -> Windows Settings -> Application Control Policies -> AppLocker.

4. Right-click Executable Rules and select Create New Rule.

5. Select Next to skip the introductory screen of the Create Executable Rules dialog box.

6. Under Permissions select the Deny action.

7. Under Conditions select Path.

8. Enter %SYSTEM32%\VMWindow.exe as the path and click Next.

9. On the following screen, add Exceptions if needed; otherwise, just click Next.

10. Click the Create button.

11. Answer Yes when asked whether you would like to create the default rules now.

12. Go back to the menu tree on the left and click AppLocker. Select Configure Rule Enforcement.

13. Under the Enforcement tab of AppLocker Properties, be sure that Enforce rules is selected and that Configured is checked.

This completes the AppLocker setup for disabling XP Mode. However, for it to actually work you will need to start the service called "AppIDSvc" (display name: Application Identity) and set it to start automatically. This service has to be running for AppLocker to enforce anything. You may need to reboot the target machine for the settings to take effect.
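The same configuration as the steps above, scripted with the AppLocker PowerShell cmdlets, as an added example that is not part of the original post. It assumes an elevated prompt on the target machine (to push the policy to a domain GPO instead, pass the GPO's LDAP path to Set-AppLockerPolicy -Ldap); the rule names, GUIDs and temp file path are chosen here and are not from the original.

```powershell
# Added example, not from the original post. Builds the Deny path rule from the
# steps above plus AppLocker's three default executable rules (step 11), applies
# it, and enables the Application Identity service. Run from an elevated prompt.
$RuleId = [guid]::NewGuid().ToString()
$PolicyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="$RuleId" Name="Deny XP Mode (VMWindow.exe)"
                  Description="Blocks the Windows Virtual PC host used by XP Mode"
                  UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%SYSTEM32%\VMWindow.exe" /></Conditions>
    </FilePathRule>
    <!-- Default rules: without them an enforced Exe collection blocks everything -->
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) Program Files"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) Windows folder"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) Administrators"
                  Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$PolicyPath = Join-Path $env:TEMP 'DenyXPMode.xml'   # temp file path chosen here
Set-Content -Path $PolicyPath -Value $PolicyXml -Encoding UTF8

# Dry run: if VMWindow.exe is present, confirm the policy would deny it to Everyone
$Target = Join-Path $env:SystemRoot 'System32\VMWindow.exe'
if (Test-Path $Target) {
    Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $Target -User Everyone
}

# Apply locally (add -Ldap 'LDAP://<gpo-dn-placeholder>' to target a GPO instead);
# -Merge keeps any rules already present in the effective policy
Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge

# AppLocker only enforces while the Application Identity service is running
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
gpupdate /force
```

Afterwards, Get-AppLockerPolicy -Effective -Xml shows the merged rule set, and blocked launches appear as event 8004 in the AppLocker/EXE and DLL event log.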
