What log can help me determine why an application (MSI, etc.) was ALLOWED, ELEVATED or BLOCKED?

The log file you want to look in is %appdata%\local\PolicyPak\PolicyPak Least Privilege Manager and is called ppUser_Operational.log.


Once you locate and open the PolicyPak Least Privilege Manager Operational Log… you are looking for the following highlighted items:

  1. Time / Date Stamp.
  2. The item which succeeded in being ALLOWED, ELEVATED, or BLOCKED.
  3. The POLICY OBJECT (GPO) name.
  4. The POLICY name (that is, the name you gave it inside PolicyPak Least Privilege Manager).
  5. The RESULT.


An “Allow” example (where SecureRun is pre-blocking everything)… could look like..