Get-AppLockerFileInformation

Applies To: Windows 7, Windows Server 2008 R2

This topic for the IT professional describes how to use Windows PowerShell to retrieve information from an AppLocker event log in Windows Server 2008 R2 and Windows 7.

The Get-AppLockerFileInformation cmdlet retrieves the AppLocker file information from a list of files or from an event log. File information that is retrieved can include publisher information, file hash information, and file path information. File information from an event log may not contain all of these fields. Files that are not signed do not have any publisher information.

Syntax

Get-AppLockerFileInformation [-Path <String[]>] [<CommonParameters>]

Get-AppLockerFileInformation [-Directory] <String> [-FileType <AppLockerFileType[]>] [-Recurse <Boolean>] [<CommonParameters>]

Get-AppLockerFileInformation -EventLog <Boolean> [-LogPath <String>] [-EventType <AppLockerEventType>] [-Statistics <Boolean>] [<CommonParameters>]

Parameters


Path <String[]>

List of paths to the files from which the file information is retrieved.

Directory <String>

Specifies the directory containing the files from which the file information is retrieved. To search all subfolders and files in the directory, also include the Recurse parameter.

FileType <AppLockerFileType[]>

Specifies the generic file type to search for. All files with the specified file name extension are included. The file type options are: Exe, Script, Windows Installer, or DLL.

Recurse <Boolean>

Searches all subfolders and files in the directory specified by the Directory parameter.

EventLog <Boolean>

Specifies that the file information is retrieved from an event log.

LogPath <String>

Specifies the log name or file path of the event log where the AppLocker events are located. If this parameter is not specified, the local Microsoft-Windows-AppLocker/EXE and DLL channel is used by default.

EventType <AppLockerEventType[]>

Filters the AppLocker events by the event type. The event type options are: Allowed, Denied, or Audited. The event types correspond to the Informational, Error, and Warning level events in the AppLocker event logs.

Statistics <Boolean>

Provides the number of times that a file is listed in the event log after applying the optional filters.

Examples

Gets the file information for all executable files and scripts in the directory C:\Windows\System32 and its subfolders.

C:\PS>Get-AppLockerFileInformation -Directory C:\Windows\System32\ -Recurse -FileType exe, script

Gets the file information for the Winword.exe file in the path C:\Program Files\Microsoft Office\.

C:\PS>Get-AppLockerFileInformation -Path 'C:\Program Files\Microsoft Office\Winword.exe'

Gets the file information for all audited events in the local Microsoft-Windows-AppLocker/EXE and DLL AppLocker event log.

C:\PS>Get-AppLockerFileInformation -EventLog -LogPath "Microsoft-Windows-AppLocker/EXE and DLL" -EventType Audited

Gets the statistics for all allowed script events in the local Microsoft-Windows-AppLocker/MSI and Script event log. The cmdlet provides the number of times that a script or Windows Installer file is listed in the event log.

C:\PS>Get-AppLockerFileInformation -EventLog -LogPath "Microsoft-Windows-AppLocker/MSI and Script" -EventType Allowed -Statistics

Gets the file information for all audited events in the local event log, creates a new AppLocker policy from the warning events in the local event log, and then sets the AppLocker policy for the TestGPO Group Policy object (GPO).

C:\PS>Get-AppLockerFileInformation -EventLog -LogPath "Microsoft-Windows-AppLocker/EXE and DLL" -EventType Audited | New-AppLockerPolicy -RuleType Publisher, Hash, Path -User Everyone | Set-AppLockerPolicy -LDAP "LDAP://DC13.Contoso.com/CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=Contoso,DC=com"
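The last example above turns audited events straight into an enforced GPO policy. The following added example (not from the original topic) shows the review step a practitioner would put in front of that: it triages the audited events, separates unsigned files that can only get hash rules, and writes a candidate policy to XML for inspection. It assumes an elevated session with the AppLocker module available, that the returned file information objects expose Path and Publisher properties (Publisher being empty for unsigned files, as the topic states), and that C:\AppLockerReview is a constructed output folder.

```powershell
# Added example, not part of the original topic: triage AppLocker audit-mode events
# and build a candidate policy for offline review before it is enforced.
# Assumptions: elevated session on Windows 7 / Server 2008 R2 with the AppLocker
# module, FileInformation objects with Path and Publisher properties, and a
# constructed output folder C:\AppLockerReview.
Import-Module AppLocker

$log    = "Microsoft-Windows-AppLocker/EXE and DLL"
$outDir = "C:\AppLockerReview"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Audited (Warning) events are files a rule *would* have blocked under enforcement.
$audited = Get-AppLockerFileInformation -EventLog -LogPath $log -EventType Audited

# Count how often each path appears: repeated hits usually point at a line-of-business
# application that needs a rule; one-off hits deserve a closer look before any rule is
# written. The Path object is stringified here (assumption: its default string form is
# the AppLocker path shown in the event).
$audited |
    Group-Object { "$($_.Path)" } |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Export-Csv -Path (Join-Path $outDir "audited-by-path.csv") -NoTypeInformation

# Unsigned files carry no publisher information, so they can only get hash or path
# rules. List them separately: each one needs an explicit decision, and a hash rule
# will break as soon as the file is updated.
$unsigned = $audited | Where-Object { $_.Publisher -eq $null }
$unsigned |
    Select-Object Path, Hash |
    Export-Csv -Path (Join-Path $outDir "unsigned.csv") -NoTypeInformation

# Candidate policy: publisher rules where the file is signed, hash rules otherwise,
# with similar rules merged (-Optimize). Written as XML for review instead of being
# piped into Set-AppLockerPolicy as the topic's last example does.
$audited |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Out-File -FilePath (Join-Path $outDir "candidate-policy.xml") -Encoding UTF8

# Summary for the change record.
"Audited events: {0}, distinct paths: {1}, unsigned files: {2}" -f `
    @($audited).Count,
    @($audited | ForEach-Object { "$($_.Path)" } | Sort-Object -Unique).Count,
    @($unsigned).Count
```

After review, the XML can be applied with Set-AppLockerPolicy -XmlPolicy, or merged into a GPO as the topic's last example shows.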