
Review AppLocker Events with Get-AppLockerFileInformation

Updated: November 9, 2009

Applies To: Windows 7, Windows Server 2008 R2

This topic describes how to list, for analysis, the files that are blocked or would be blocked by an AppLocker policy.

For both event subscriptions and local events, you can use the Get-AppLockerFileInformation Windows PowerShell cmdlet to determine which files have been blocked or would have been blocked (if the Audit only enforcement setting is applied) and how many times the event has occurred for each file.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

Note
If the AppLocker logs are not on the local computer, you will need permission to view the logs. If the output is saved to a file, you will need permission to read that file.

  1. Open a Command Prompt window.

  2. At the command prompt, type PowerShell, and then press ENTER.

  3. Run the following command to review how many times a file would have been blocked from running if rules were enforced:

    Get-AppLockerFileInformation -EventLog -LogPath "Microsoft-Windows-AppLocker\EXE and DLL" -EventType Audited -Statistics

    Note
    For an event subscription, specify the path to the forwarded event log for the LogPath parameter.

  4. Run the following command to review how many times a file has been allowed to run or prevented from running:

    Get-AppLockerFileInformation -EventLog -LogPath "Microsoft-Windows-AppLocker\EXE and DLL" -EventType Allowed -Statistics
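The two commands above produce per-file counts for one event type at a time. The script below is an added example, not part of the original topic or of the AppLocker module, that runs the same cmdlet for all three outcomes (Allowed, Audited, Denied), writes each result set to CSV for later review, and then cross-checks the audited and blocked counts against the raw 8003 and 8004 events in the log with Get-WinEvent. It uses the cmdlet's documented parameter name -LogPath; the default log name is written with a forward slash because that is the channel name Get-WinEvent expects; the output directory, the "ForwardedEvents" name for a subscription log, and the element names read from the event XML (RuleAndFileData, FilePath, TargetUser) are assumptions to adjust for your environment.

```powershell
# Added example (not from the original TechNet topic): summarise AppLocker
# EXE and DLL events for every outcome and cross-check against raw event IDs.
param(
    # Local channel by default. For an event subscription, point this at the
    # forwarded log instead, e.g. "ForwardedEvents" (assumed name).
    [string]$LogName = "Microsoft-Windows-AppLocker/EXE and DLL",
    # Where the CSV files are written (assumed location).
    [string]$OutDir  = "$env:TEMP\AppLockerReview"
)

Import-Module AppLocker
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# One pass per outcome:
#   Allowed = ran;  Audited = would have been blocked under "Audit only";
#   Denied  = actually blocked under "Enforce rules".
foreach ($type in 'Allowed', 'Audited', 'Denied') {
    $stats = Get-AppLockerFileInformation -EventLog -LogPath $LogName `
                                          -EventType $type -Statistics
    $csv = Join-Path $OutDir "applocker-$($type.ToLower()).csv"
    $stats | Export-Csv -Path $csv -NoTypeInformation
    Write-Host ("{0,-8} {1,5} distinct files -> {2}" -f $type, @($stats).Count, $csv)
}

# Cross-check with the raw events. In the EXE and DLL log, event ID 8003 is an
# audited (would-be-blocked) execution and 8004 is a blocked execution.
# The file path and user are read from the event's UserData section;
# the element names below are assumed from the AppLocker event schema.
$events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 8003, 8004 } `
                       -ErrorAction SilentlyContinue

$events |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        [pscustomobject]@{
            Id       = $_.Id
            FilePath = $x.Event.UserData.RuleAndFileData.FilePath
            User     = $x.Event.UserData.RuleAndFileData.TargetUser
        }
    } |
    Group-Object Id, FilePath |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell session on the computer that holds the log (or the collector for a subscription). A file that appears with a high 8003 count but no matching 8004 is one that your current Audit-only policy would start blocking the moment you switch to Enforce rules, so review that list before changing the enforcement mode.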

© 2014 Microsoft