Review AppLocker Events with Get-AppLockerFileInformation

Applies To: Windows 7, Windows Server 2008 R2

This topic describes how to list, for analysis, the files that an AppLocker policy has blocked or would block if its rules were enforced.

For both event subscriptions and local events, you can use the Get-AppLockerFileInformation Windows PowerShell cmdlet to determine which files have been blocked or would have been blocked (if the Audit only enforcement setting is applied) and how many times the event has occurred for each file.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

Note

If the AppLocker logs are not on the local computer, you will need permission to view the logs. If the output is saved to a file, you will need permission to read that file.

To review AppLocker events with Get-AppLockerFileInformation

  1. Open a Command Prompt window.

  2. At the command prompt, type PowerShell, and then press ENTER.

  3. Run the following command to review how many times a file would have been blocked from running if rules were enforced:

    Get-AppLockerFileInformation -EventLog -LogPath "Microsoft-Windows-AppLocker\EXE and DLL" -EventType Audited -Statistics

Note

For an event subscription, specify the name of the forwarded event log (for example, ForwardedEvents) or the path to a saved .evtx file for the LogPath parameter. The valid values for EventType are Allowed, Denied, and Audited; the Statistics parameter collapses repeated events into one row per file with a count.

  4. Run the following command to review how many times a file has been allowed to run (use -EventType Denied to review how many times a file was prevented from running):

    Get-AppLockerFileInformation -EventLog -LogPath "Microsoft-Windows-AppLocker\EXE and DLL" -EventType Allowed -Statistics
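The following script is added here as a worked example of the procedure above; it is not part of the original topic. It runs the same review across both AppLocker channels (EXE and DLL, MSI and Script) and all three event types, saves each -Statistics result to a CSV file, and then pipes the Audited file information into New-AppLockerPolicy to draft allow rules for review before the policy is switched from Audit only to Enforce rules. It assumes an elevated Windows PowerShell session on Windows 7 or Windows Server 2008 R2 with the AppLocker module available; the output folder C:\AppLockerReview is a placeholder.

```powershell
# Added example, not part of the original topic.
# Assumptions: elevated PowerShell session, AppLocker module present (Windows 7 /
# Windows Server 2008 R2), standard AppLocker channel names. $ReportDir is a placeholder.

Import-Module AppLocker

$ReportDir = "C:\AppLockerReview"          # placeholder output folder
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null

# Local AppLocker channels. On a collector, pass the forwarded log instead,
# for example "ForwardedEvents", or the path to a saved .evtx file.
$Logs = @(
    "Microsoft-Windows-AppLocker\EXE and DLL",
    "Microsoft-Windows-AppLocker\MSI and Script"
)

# Event types the cmdlet understands: Audited (would have been blocked under
# Audit only), Denied (blocked under Enforce rules), Allowed (ran).
$EventTypes = @("Audited", "Denied", "Allowed")

foreach ($Log in $Logs) {
    foreach ($Type in $EventTypes) {
        # Build a file name such as EXE_and_DLL_Audited.csv from the channel name.
        $Name = ($Log -replace '.*\\', '') -replace ' ', '_'
        $Csv  = Join-Path $ReportDir ("{0}_{1}.csv" -f $Name, $Type)

        # -Statistics returns one row per file with the number of matching events.
        $Stats = Get-AppLockerFileInformation -EventLog -LogPath $Log -EventType $Type -Statistics
        if ($Stats) {
            $Stats | Export-Csv -Path $Csv -NoTypeInformation
            Write-Host ("{0,-8} {1,-45} {2} file(s) -> {3}" -f $Type, $Log, @($Stats).Count, $Csv)
        } else {
            Write-Host ("{0,-8} {1,-45} no events" -f $Type, $Log)
        }
    }
}

# Typical next step after reviewing Audited events: draft allow rules for the files
# that would have been blocked, as XML to review (nothing is applied here).
# Publisher rules are generated for signed files, Hash rules as the fallback for
# unsigned files. Without -Statistics the cmdlet returns one object per event.
$Audited = Get-AppLockerFileInformation -EventLog -LogPath $Logs[0] -EventType Audited
if ($Audited) {
    $Audited |
        New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Xml |
        Out-File -FilePath (Join-Path $ReportDir "proposed-allow-rules.xml") -Encoding UTF8
}
```

Review the generated XML before merging it into a policy: a Hash rule only matches the exact binary that produced the audit event, so a file that legitimately changes with updates is better covered by a Publisher rule, and any unexpected entry in the Audited list is worth investigating rather than allowing.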