Installer and Root Hash are fields that appear in some events generated by the App Control Agent.

The Installer field contains the name (not the path) of the file that created the file referenced by a File Name and/or File Hash – in other words, the root parent or “installer” of that file.

In many cases, the Installer is the same as the Process Name, but not always. For example, for file approval events, the process running is often (by definition) the same as the installer that is approving the file being written. In the case of execution block events, the process running may or may not be the same as the process that wrote the file in the first place.

For example, consider what happens when the installer setup123.exe writes the file myapp.exe. When myapp.exe is first written on a computer running an App Control Agent, a “New file on network” event is generated, and both its Process Name field and its Installer field reference setup123.exe. If myapp.exe is later launched from a command prompt and is blocked, the Process Name field may be cmd.exe while the Installer field is still setup123.exe.

The Root Hash field is the SHA-256 hash value of the Installer file.
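
Because Installer is a bare file name, two different binaries can share it, while Root Hash identifies the exact installer file. The following added example (not part of the product or its documentation) groups events by Root Hash and lists installer names that map to more than one hash. It assumes events have been exported as dictionaries keyed by the field names used on this page; the sample events and hash values are constructed.

```python
from collections import defaultdict

# Placeholder SHA-256 values, constructed for this example (not real hashes).
HASH_A = "a" * 64
HASH_B = "b" * 64

# Constructed sample events; keys mirror the field names described on this page.
EVENTS = [
    {"File Name": "myapp.exe", "Process Name": "setup123.exe",
     "Installer": "setup123.exe", "Root Hash": HASH_A},   # file first written
    {"File Name": "myapp.exe", "Process Name": "cmd.exe",
     "Installer": "setup123.exe", "Root Hash": HASH_A},   # later launch, blocked
    {"File Name": "helper.exe", "Process Name": "explorer.exe",
     "Installer": "setup123.exe", "Root Hash": HASH_B},   # same name, different binary
    {"File Name": "notes.txt", "Process Name": "notepad.exe"},  # no installer fields
]


def by_root_hash(events):
    """Group events by Root Hash, which pins down the exact installer binary."""
    groups = defaultdict(
        lambda: {"installers": set(), "files": set(), "other_processes": set()})
    for ev in events:
        root = ev.get("Root Hash", "").lower()
        if not root:
            continue  # only some events carry Installer / Root Hash
        installer = ev.get("Installer", "").lower()
        process = ev.get("Process Name", "").lower()
        group = groups[root]
        group["installers"].add(installer)
        group["files"].add(ev.get("File Name", "").lower())
        if process and process != installer:
            # The running process is not the one that wrote the file.
            group["other_processes"].add(process)
    return dict(groups)


def ambiguous_installer_names(events):
    """Return installer names that appear with more than one Root Hash."""
    hashes_by_name = defaultdict(set)
    for root, group in by_root_hash(events).items():
        for name in group["installers"]:
            hashes_by_name[name].add(root)
    return {n: h for n, h in hashes_by_name.items() if len(h) > 1}


if __name__ == "__main__":
    for root, group in by_root_hash(EVENTS).items():
        print(root[:12], sorted(group["files"]), sorted(group["other_processes"]))
    print("ambiguous names:", ambiguous_installer_names(EVENTS))
```

An installer name that shows up under several Root Hash values is worth reviewing before any rule or approval is keyed on the name alone.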