
Get-AppLockerFileInformation

Windows Server 2012 R2 and Windows 8.1

Updated: October 17, 2013

Applies To: Windows 8.1, Windows PowerShell 4.0, Windows Server 2012 R2

Gets the file information necessary to create AppLocker rules from a list of files or an event log.

Syntax

Parameter Set: ByFilePath
Get-AppLockerFileInformation [[-Path] <List<String>> ] [ <CommonParameters>]

Parameter Set: ByAppx
Get-AppLockerFileInformation [[-Packages] <List<AppxPackage>> ] [ <CommonParameters>]

Parameter Set: ByDirectory
Get-AppLockerFileInformation -Directory <String> [-FileType <List<AppLockerFileType>> ] [-Recurse] [ <CommonParameters>]

Parameter Set: ByEventLog
Get-AppLockerFileInformation -EventLog [-EventType <List<AppLockerEventType>> ] [-LogPath <String> ] [-Statistics] [ <CommonParameters>]




Detailed Description

The Get-AppLockerFileInformation cmdlet gets the AppLocker file information from a list of files or an event log. File information includes the publisher information, file hash, and file path.

The file information from an event log may not contain all of the publisher information, file hash, and file path fields. Files that are not signed will not have any publisher information.
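The following script is an added example for this reference page, not code from Microsoft's documentation. It shows the practical consequence of the note above: files that Get-AppLockerFileInformation returns without publisher information cannot be covered by publisher rules and must be handled by hash (or path) rules instead. The directory name is an assumption; substitute the application folder you are inventorying.

```powershell
# Added example (not part of the cmdlet reference). Inventory a directory and
# separate files that have publisher information from files that do not.
# The directory path is an assumption for illustration.
$Inventory = Get-AppLockerFileInformation -Directory 'C:\Program Files\ExampleApp' `
    -Recurse -FileType Exe, Dll, Script

# Unsigned files come back with no Publisher, so test the property directly.
$Signed   = $Inventory | Where-Object { $_.Publisher }
$Unsigned = $Inventory | Where-Object { -not $_.Publisher }

# Signed files: group by publisher string to see how many distinct publisher
# rules a policy for this directory would need.
$Signed |
    Group-Object { "$($_.Publisher)" } |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# Unsigned files: only hash rules (or path rules) are possible for these, so
# list them with their hashes for a deliberate review.
$Unsigned |
    Select-Object Path, Hash |
    Format-Table -AutoSize

"Signed: {0}  Unsigned: {1}" -f @($Signed).Count, @($Unsigned).Count
```

Wrapping the result sets in `@()` keeps `.Count` correct when a category contains zero or one file. A high unsigned count is the signal to look at: each unsigned file becomes a hash rule that must be re-created whenever the file is updated.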

Parameters

-Directory<String>

Specifies the directory containing the files for which to get the file information. To search all subfolders and files in the specified directory, include the Recurse parameter.


Aliases

none

Required?

true

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-EventLog

Specifies that the file information is retrieved from the event log.


Aliases

none

Required?

true

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-EventType<List<AppLockerEventType>>

Specifies the event type by which to filter the events. The acceptable values for this parameter are: Allowed, Denied, or Audited. The event types correspond to the Informational, Error, and Warning level events in the AppLocker event logs.


Aliases

none

Required?

false

Position?

named

Default Value

Allowed, Denied, Audited

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-FileType<List<AppLockerFileType>>

Specifies the generic file type for which to search. All files having the appropriate file name extension will be included. The acceptable values for this parameter are: EXE, Script, MSI, and DLL.


Aliases

none

Required?

false

Position?

named

Default Value

Exe, Script, MSI, Dll

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-LogPath<String>

Specifies the log name or file path of the event log where the AppLocker events are located. If this parameter is not specified, the local Microsoft-Windows-AppLocker/EXE and DLL channel is used by default.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-Packages<List<AppxPackage>>

Specifies a list of installed packaged applications, from which the file information is retrieved.


Aliases

none

Required?

false

Position?

1

Default Value

none

Accept Pipeline Input?

true (ByValue, ByPropertyName)

Accept Wildcard Characters?

false

-Path<List<String>>

Specifies a list of paths to the files from which the file information is retrieved. Supports regular expressions.


Aliases

none

Required?

false

Position?

1

Default Value

none

Accept Pipeline Input?

true (ByValue, ByPropertyName)

Accept Wildcard Characters?

false

-Recurse

Specifies that all files and folders within the specified directory will be searched.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-Statistics

Specifies the statistics to retrieve on the files included in the event log. Calculates a simple sum of the number of times a file is included in the event log based upon specified parameters.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

<CommonParameters>

This cmdlet supports the common parameters: -Verbose, -Debug, -ErrorAction, -ErrorVariable, -OutBuffer, and -OutVariable. For more information, see about_CommonParameters.

Inputs

The input type is the type of the objects that you can pipe to the cmdlet.

  • None

Outputs

The output type is the type of the objects that the cmdlet emits.

  • Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.FileInformation
  • System.String

Examples

EXAMPLE 1

This example gets the file information for all the .exe files and scripts under %windir%\system32.


PS C:\> Get-AppLockerFileInformation -Directory C:\Windows\system32\ -Recurse -FileType exe, script

EXAMPLE 2

This example gets the file information for the file specified by the path.



PS C:\> Get-AppLockerFileInformation -Path "C:\Program Files (x86)\Internet Explorer\iexplore.exe" | Format-List
Path      : %PROGRAMFILES%\INTERNET EXPLORER\IEXPLORE.EXE 
Publisher : CN=WINDOWS MAIN BUILD LAB ACCOUNT\WINDOWS® INTERNET EXPLORER\IEXPLORE.EXE,10.0.8421.0 
Hash      : SHA256 0x5F374C2DD91A6F9E9E96F149EE221EC0454649F50E1AF6D3DAEFB849FB7C551C 
AppX      : False 


PS C:\> Get-AppLockerFileInformation -Path "C:\Program Files\Internet Explorer\iexplore.exe" | Format-List
Path      : %PROGRAMFILES%\INTERNET EXPLORER\IEXPLORE.EXE 
Publisher : CN=WINDOWS MAIN BUILD LAB ACCOUNT\WINDOWS® INTERNET EXPLORER\IEXPLORE.EXE,10.0.8421.0 
Hash      : SHA256 0x5F374C2DD91A6F9E9E96F149EE221EC0454649F50E1AF6D3DAEFB849FB7C551C 
AppX      : False 

EXAMPLE 3

This example outputs the file information for all the packaged applications installed on this machine for all users.


PS C:\> Get-AppXPackage -AllUsers | Get-AppLockerFileInformation
Path      : windows.immersivecontrolpanel_6.2.0.0_neutral_neutral_cw5n1h2txyewy.appx 
Publisher : CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, 
            C=US\windows.immersivecontrolpanel\APPX,6.2.0.0 
Hash      : 
AppX      : True 
 
Path      : windows.RemoteDesktop_1.0.0.0_neutral_neutral_cw5n1h2txyewy.appx 
Publisher : CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, 
            C=US\windows.RemoteDesktop\APPX,1.0.0.0 
Hash      : 
AppX      : True 
 
Path      : WinStore_1.0.0.0_neutral_neutral_cw5n1h2txyewy.appx 
Publisher : CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US\WinStore\APPX,1.0.0.0 
Hash      : 
AppX      : True 

EXAMPLE 4

This example outputs the file information for all the Audited events in the local event log. Audited events correspond to the Warning event in the AppLocker audit log.


PS C:\> Get-AppLockerFileInformation -EventLog -EventType Audited

EXAMPLE 5

This example displays statistics for all the Allowed events in the local event log. For each file in the event log, the cmdlet will sum the number of times the event type occurred.


PS C:\> Get-AppLockerFileInformation -EventLog -EventType Allowed -Statistics

EXAMPLE 6

This example creates a new AppLocker policy from the warning events in the local event log and sets the policy of a test Group Policy Object (GPO).


PS C:\> Get-AppLockerFileInformation -EventLog -EventType Audited | New-AppLockerPolicy -RuleType Publisher, Hash, Path -User Everyone -Optimize | Set-AppLockerPolicy -LDAP LDAP://TestGPO
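Example 6 pipes the generated policy straight into a GPO. The script below is an added example, not part of this reference, showing the same event-log-to-policy flow with a review step in between: the candidate policy is written to XML, tested against a directory, and only then merged into the local policy. The XML path and the test directory are assumptions.

```powershell
# Added example (not part of the cmdlet reference). Build a candidate policy
# from Audited (warning) events, review and test it, then merge it.
# $ReviewXml and the test directory are assumed paths for illustration.
$ReviewXml = 'C:\Temp\AppLocker-candidate.xml'

# Event log entries may lack some fields (see Detailed Description), so
# -IgnoreMissingFileInformation skips files that cannot support the requested
# rule types instead of failing. -Xml returns the policy as XML text so it can
# be saved and inspected before anything is applied.
Get-AppLockerFileInformation -EventLog -EventType Audited |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize `
        -IgnoreMissingFileInformation -Xml |
    Out-File -FilePath $ReviewXml -Encoding UTF8

# Dry run: evaluate the candidate policy against the binaries of an
# application folder and show anything it would not allow.
$TestFiles = (Get-ChildItem 'C:\Program Files\ExampleApp' -Recurse -Include *.exe, *.dll).FullName
Test-AppLockerPolicy -XmlPolicy $ReviewXml -Path $TestFiles -User Everyone |
    Where-Object { $_.PolicyDecision -ne 'Allowed' }

# Apply only after the XML has been reviewed. -Merge adds the new rules to the
# existing local policy rather than replacing it.
Set-AppLockerPolicy -XmlPolicy $ReviewXml -Merge
```

To evaluate events collected on another machine, pass an exported .evtx file to -LogPath, which accepts either a log name or a file path, and the rest of the flow is unchanged.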

© 2014 Microsoft