Get-AppLockerFileInformation

Gets the AppLocker file information from a list of files or an event log.
Get-AppLockerFileInformation [-Path*] <String[]> [<CommonParameters>]
Get-AppLockerFileInformation [-Directory*] <String> [-FileType <AppLockerFileType[]>] [-Recurse <Boolean>] [<CommonParameters>]
Get-AppLockerFileInformation -EventLog* <Boolean> [-LogPath <String>] [-EventType <AppLockerEventType[]>] [-Statistics <Boolean>] [<CommonParameters>]

The Get-AppLockerFileInformation cmdlet retrieves the AppLocker file information from a list of files or from an event log. File information that is retrieved can include publisher information, file hash information, and file path information. File information from an event log may not contain all of these fields. Files that are not signed do not have any publisher information.

Parameters
-Path <String[]>

  • This value is required
  • Accepts pipeline input ByValue

List of paths to the files from which the file information is retrieved. Supports regular expressions.

-Directory <String>

  • This value is required

Specifies the directory containing the files from which the file information is retrieved. To search all subfolders and files in the directory, include the Recurse parameter.

-FileType <AppLockerFileType[]>

  • Default value is Exe

Specifies the generic file type to search for. The file type options are: Exe, Script, WindowsInstaller, or Dll.

-Recurse <Boolean>

Searches all subfolders and files in the directory specified by the Directory parameter.

-EventLog <Boolean>

  • This value is required

Specifies that the file information is retrieved from an event log.

-LogPath <String>

  • Default value is Microsoft-Windows-AppLocker/EXE and DLL

Specifies the log name or file path of the event log where the AppLocker events are located. If this parameter is not specified, the local Microsoft-Windows-AppLocker/EXE and DLL channel is used by default.

-EventType <AppLockerEventType[]>

  • Default value is Allowed

Filters the AppLocker events by the event type. The event type options are: Allowed, Denied, or Audited. The event types correspond to the Informational, Error, and Warning level events in the AppLocker event logs.

-Statistics <Boolean>

Provides the number of times that a file is listed in the event log after applying the optional filters.

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, PipelineVariable, and OutVariable.

Outputs

FileInformation[]

Examples
  1.  
    C:\PS> Get-AppLockerFileInformation -Directory C:\Windows\System32 -Recurse -FileType Exe, Script
    
       Gets the file information for all of the executable files and scripts in the directory C:\Windows\System32.
  2.  
    C:\PS> Get-AppLockerFileInformation -Path "C:\Program Files\Microsoft Office\Winword.exe"
    
       Gets the file information for the Winword.exe file in the path C:\Program Files\Microsoft Office.
  3.  
    C:\PS> Get-AppLockerFileInformation -EventLog -LogPath "Microsoft-Windows-AppLocker/EXE and DLL" -EventType Audited
    
       Gets the file information for all of the audited events in the local Microsoft-Windows-AppLocker/EXE and DLL 
       AppLocker event log.
  4.  
    C:\PS> Get-AppLockerFileInformation -EventLog -LogPath "Microsoft-Windows-AppLocker/MSI and Script" -EventType Allowed -Statistics
    
       Gets the statistics for all of the allowed script events in the local Microsoft-Windows-AppLocker/MSI and Script 
       event log. The cmdlet provides the number of times that a script or Windows Installer file is listed in the event 
       log.
  5.  
    C:\PS> Get-AppLockerFileInformation -EventLog -LogPath "Microsoft-Windows-AppLocker/EXE and DLL" -EventType Audited | New-AppLockerPolicy -RuleType Publisher, Hash, Path -User Everyone | Set-AppLockerPolicy -LDAP "LDAP://DC13.Contoso.com/CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=Contoso,DC=com"
    
       Gets the file information from all of the audited events in the local Microsoft-Windows-AppLocker/EXE and DLL 
       event log, creates a new AppLocker policy for the files from the audited events, and then sets the AppLocker 
       policy for the specified Group Policy Object (GPO).
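
A review-first variant of example 5, added here and not part of the original reference: it inspects the audited events, lists the unsigned files, and writes the generated policy to an XML file for testing instead of piping it straight into a GPO. The paths in $reviewFile and $testDir are assumed, and the script assumes the returned file information objects expose Path and Publisher properties.

```powershell
# Added example. $log is the channel used on this page; $reviewFile and $testDir are assumed paths.
$log        = 'Microsoft-Windows-AppLocker/EXE and DLL'
$reviewFile = Join-Path $env:TEMP 'AppLocker-Audited-Review.xml'
$testDir    = 'C:\Program Files'

# 1. Files recorded as Audited (Warning-level events in the AppLocker log).
$audited = @(Get-AppLockerFileInformation -EventLog -LogPath $log -EventType Audited)
if ($audited.Count -eq 0) {
    Write-Warning "No audited events found in '$log'."
    return
}

# 2. How often each file is listed in the log, so rarely seen entries can be examined first.
Get-AppLockerFileInformation -EventLog -LogPath $log -EventType Audited -Statistics

# 3. Unsigned files have no publisher information, so no Publisher rule can be created for them.
$unsigned = @($audited | Where-Object { -not $_.Publisher })
Write-Host ("{0} audited files, {1} without publisher information:" -f $audited.Count, $unsigned.Count)
$unsigned | ForEach-Object { "  $($_.Path)" }

# 4. Build Publisher rules with Hash as the fallback (no Path rules) and save them
#    as XML for review. Nothing is applied to the local policy or to a GPO here.
$audited |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Xml |
    Set-Content -Path $reviewFile -Encoding Unicode

# 5. Report the executables under $testDir that the draft policy would not allow.
Get-ChildItem -Path $testDir -Filter *.exe -Recurse -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty FullName |
    Test-AppLockerPolicy -XmlPolicy $reviewFile -User Everyone -Filter Denied, DeniedByDefault
```

Once the XML has been reviewed, it can be applied with Set-AppLockerPolicy as in example 5.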
Related Links

Get-AppLockerPolicy
Set-AppLockerPolicy
New-AppLockerPolicy
Test-AppLockerPolicy