> ## Documentation Index
> Fetch the complete documentation index at: https://docs.idemeum.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Events deep dive

> Deep dive into how allowlisting events work for major use cases. 

## How allowlisting events work

<Note>
  Let's review the major cases of events that you will encounter in idemeum. Here we assume both `Allowlisting` and `Endpoint Privilege Management` are enabled.
</Note>

### Launch app without elevation

Let's say there is no rule for `cmd.exe`. You launch `cmd.exe`, and it gets blocked. There is one execution event generated.

<img src="https://mintcdn.com/idemeum/11V4Whz_pyaKPeh_/images/image1.png?fit=max&auto=format&n=11V4Whz_pyaKPeh_&q=85&s=4f4c223cda41c181bfb63d7fb951db5d" alt="Image1" width="1350" height="418" data-path="images/image1.png" />

Now you create a rule for `cmd.exe` to allow execution, but not allowing child processes. You launch `cmd.exe`, and it is allowed.

<img src="https://mintcdn.com/idemeum/11V4Whz_pyaKPeh_/images/image2.png?fit=max&auto=format&n=11V4Whz_pyaKPeh_&q=85&s=6110b68056e9e512fc70d05546b4393f" alt="Image2" width="1350" height="418" data-path="images/image2.png" />

Let's now explore [application fencing](/documentation/products/allowlisting/application-fencing). You have a rule for `cmd.exe` to allow execution, but not allowing any child processes. You launch `tor.exe` from `cmd.exe`. The TOR launch is blocked. And in the event you can see the message that child process is denied.

<Warning>
  Even if you have a direct rule for `TOR` to allow it, when launching `TOR` from `cmd`, `TOR` will still be blocked becase of application fencing control.
</Warning>

<img src="https://mintcdn.com/idemeum/11V4Whz_pyaKPeh_/images/image3.png?fit=max&auto=format&n=11V4Whz_pyaKPeh_&q=85&s=fe71b06834f4f281f81fb6d8680f3866" alt="Image3" width="1350" height="418" data-path="images/image3.png" />

Now you edit the existing rule for `cmd.exe` to also allow child processes. You launch `tor.exe` from `cmd.exe`. The execution is allowed. And the badge now shows `Child allowed`.

<img src="https://mintcdn.com/idemeum/11V4Whz_pyaKPeh_/images/image5.png?fit=max&auto=format&n=11V4Whz_pyaKPeh_&q=85&s=74338a7565017ae6daeebbfafac47b5f" alt="Image5" width="1404" height="548" data-path="images/image5.png" />

### Launch app with elevation

Let's say you do not have a rule for `notepad++.exe`. Execution is not allowed, and elevation is not allowed. When you trigger `notepad++` installation, the elevation screen is presented and the application is blocked. One event is generated with both execution and elevation denied.

<img src="https://mintcdn.com/idemeum/11V4Whz_pyaKPeh_/images/image6.png?fit=max&auto=format&n=11V4Whz_pyaKPeh_&q=85&s=5a22203bec01a6c497874c497d34a819" alt="Image6" width="1350" height="422" data-path="images/image6.png" />

Now you have created a rule for `notepad++.exe`. You allow execution and configure the application to automatically elevate. When you trigger `notepad++` installation, elevation screen is presented and then allowed. Installation goes through. There are two events generated - one for elevation, and one for successful execution.

<img src="https://mintcdn.com/idemeum/11V4Whz_pyaKPeh_/images/image7.png?fit=max&auto=format&n=11V4Whz_pyaKPeh_&q=85&s=f98c7cbf62a2e1e511dd1cc64f8f9efd" alt="Image7" width="1350" height="424" data-path="images/image7.png" />