View Details About an Active Policy

Use the cytool policy query <process> command to view details about policies associated with a specific process on Windows endpoints. Specifying the process name displays details about the intended policy, whereas specifying the process ID (PID) displays details about the active policy that is currently applied to the process. The output is helpful when you want to verify that a policy is implemented in the way you intended to configure it.
To view policy details, you must enter the supervisor (uninstall) password when prompted.
  1. Open a command prompt as an administrator and navigate to the Traps folder (see Access Cytool).
  2. To view the active policy for a process, use the following command:
    C:\Program Files\Palo Alto Networks\Traps> cytool policy query <process>
    where <process> is either the process name or PID. For example, to view details about a policy for notepad, enter cytool policy query notepad. The following example displays policy details for a process with PID 1234.
    C:\Program Files\Palo Alto Networks\Traps> cytool policy query 1234
    Enter supervisor password:
    Generic
    Enable 0x00000001
    SuspendOnce 0x00000001
    AdvancedHooks 0x00000001
    [...]
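
To check the intended policy (queried by process name) against the active policy (queried by PID), the two outputs can be saved as text and compared setting by setting. The following Python code is an added example, not part of the Traps documentation. It assumes the output consists of section lines such as Generic followed by "name 0xVALUE" lines, as in the sample output above; the function names and the sample captures are constructed for illustration.

```python
import re

# Assumed line shape, inferred from the sample output on this page:
# a setting is "<Name> 0x<hex>"; a line holding one bare word (e.g. "Generic")
# starts a new section.
SETTING = re.compile(r"^(\w+)\s+(0x[0-9A-Fa-f]+)$")
SECTION = re.compile(r"^\w+$")


def parse_policy(text):
    """Return {(section, setting): int} from saved cytool policy query output."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, the password prompt and the "[...]" elision marker.
        if not line or line.startswith("Enter supervisor password") or line == "[...]":
            continue
        m = SETTING.match(line)
        if m:
            settings[(section, m.group(1))] = int(m.group(2), 16)
        elif SECTION.match(line):
            section = line
    return settings


def diff_policy(intended, active):
    """List (section, setting, intended, active) where they differ; None = absent."""
    keys = sorted(set(intended) | set(active), key=lambda k: (k[0] or "", k[1]))
    return [(s, n, intended.get((s, n)), active.get((s, n)))
            for s, n in keys
            if intended.get((s, n)) != active.get((s, n))]


# Constructed sample captures (not real endpoint output).
INTENDED = """Enter supervisor password:
Generic
Enable 0x00000001
SuspendOnce 0x00000001
AdvancedHooks 0x00000001
"""
ACTIVE = """Enter supervisor password:
Generic
Enable 0x00000001
SuspendOnce 0x00000000
"""

if __name__ == "__main__":
    for section, name, want, got in diff_policy(parse_policy(INTENDED), parse_policy(ACTIVE)):
        print(f"{section}.{name}: intended={want} active={got}")
```

Any row it reports is a setting where the policy applied to the running process differs from the configured one, or is missing on one side.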
