Authorize files and folders

You can make exceptions to the global blocking of files by authorizing access to specific files and folders. Authorization can be global, or it can be provided on an application level.

  • Grant global access to specific files either through the Authorized Files section, or by authorizing files from the various security logs.
  • Many applications need to start up other, legitimate executables or to access specific files in order to function properly. For example, some application Help features will call on an executable. If that executable is blocked, the user cannot access the Help. You could authorize these files and executables on a global level, but this may be undesirable. Instead, you can grant a specific application (rather than all users) the right to access a specific file. This application is then allowed to access the file, but other applications or users are not. You can set access to a file for an application on the tab Security > Authorized Files for the specific application.
  • With the security restrictions on Files and Folders, you can block certain file types. You can still authorize individual files of this type on global level (Security > Authorized Files) or on application level (at Managed Applications on an application's Security > Authorized Files tab).
  • Authorized file security can be enhanced by checking the executable's file hash. To check file hashes, the Managed Applications security option Only allow authorized file hashes (at Security > Applications > Managed Applications, on the Settings tab) must be enabled and allowed/denied file hashes must be configured.
    • Files hashes can be added, edited, or deleted for Authorized files on application level (at Composition > Applications, on the Security > Authorized Files tab when selecting an Authorized file) and on global level (at Security > Applications > Managed Applications, from the context menu on the Log tab and at Security > Authorized Files, when editing an Authorized file).
    • File hash calculation is done using the Secure Hash Algorithm "SHA-256".
    • File hashes are not displayed in the Authorized files overview (at Security > Authorized Files), but are returned when searching for specific file hashes. If the option Show all Authorized Files is checked, also the file hashes on application-level are included in the search when searching for a specific file hash.
    • On the Authorized Files tab, select Import file hashes from the context menu to import either a comma delimited CSV file or a tab delimited TXT file. File hashes can also be imported using the command-line option Pwrtech.exe /importhashes=<file> /createifnotexists. For <file>, the full path to a CSV (comma delimited) or TXT file (tab delimited) must be specified. See Import file hashes in the Command-line Options section for more information and examples of import files.
  • You can easily move authorized files from one application to another; from an application to the Authorized Files node; and from the Authorized Files node to a specific application. To do so, right-click one or more selected authorized files and choose Move.

When adding an authorized file or folder to the Global Authorized Files, use the following formats:




File or folder with this name


Only this folder


All files and sub-folders in folder C:\WINDOWS\inf


All files with the extension .txt in folder C:\Windows\inf and its subfolders


Only the file Readme.txt in folder C:\Windows\inf

  • Authorized Files contains a default rule for the system process svchost.exe. In some operating systems, this process causes applications to start when double-clicking a file that is associated with it, even when the application is blocked by a security rule. This security rule determines whether svchost.exe is allowed to start other unmanaged applications or file associations (such as e.g. Windows Media Player and MP3 files) indirectly. In new Workspace Control environments, the rule is disabled by default. In environments that are upgraded from a previous version of Workspace Control, the rule is enabled by default.
    • If you enable Only allow authorized file hashes (at Security > Applications > Managed Applications, on the Settings tab) and want to make sure that Windows universal apps on Microsoft Windows 10 are blocked by Managed Application Security, do one of the following:
      • Disable the default rule for svchost.exe.
      • Enable the default rule for svchost.exe, but disable Allow any, except denied hashes (on the File Hashes tab of the rule).