Test-AppLockerPolicy

Tests whether the input files are allowed to run for a given user based on the specified AppLocker policy.
Test-AppLockerPolicy [-PolicyObject*] <AppLockerPolicy> -Path* <String[]> [-User <String>] [-Filter <PolicyDecision[]>] [<CommonParameters>]
Test-AppLockerPolicy [-XMLPolicy*] <String> -Path* <String[]> [-User <String>] [-Filter <PolicyDecision[]>] [<CommonParameters>]

The Test-AppLockerPolicy cmdlet uses the specified AppLocker policy to test whether each file in a list is allowed to run on the local computer for a specific user. It evaluates the rules in the policy you pass in (from a policy object or an XML file); it does not check whether that policy is currently enforced on the computer.

Parameters
-PolicyObject <AppLockerPolicy>

  • This value is required
  • Accepts pipeline input ByValue

Specifies the policy object that contains the AppLocker policy. It can be obtained from Get-AppLockerPolicy or New-AppLockerPolicy.

-XMLPolicy <String>

  • This value is required

Specifies the path of the XML file that contains the AppLocker policy, for example a file exported with Get-AppLockerPolicy -Xml.

-Path <String[]>

  • This value is required
  • Accepts pipeline input ByValue

Specifies the list of file paths to test. Supports regular expressions.

-User <String>

  • Default value is Everyone

Defines the user or group to be used for testing the rules in the specified AppLocker policy. You must provide the value in one of the following formats:
  • DNS user name (domain\username)
  • User Principal Name (username@domain.com)
  • SAM user name (username)
  • Security identifier (S-1-5-21-3165297888-301567370-576410423-1103)

-Filter <PolicyDecision[]>

  • Default value is None (no filtering)

Filters the output by the policy decision for each input file. The policy decision options are: Allowed, Denied, DeniedByDefault, and AllowedByDefault. If you do not specify a filter, all policy decisions are displayed.

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer, PipelineVariable, and OutVariable.

Outputs

AppLockerPolicyDecision

Examples
  1.  
    C:\PS> Test-AppLockerPolicy -XMLPolicy C:\Policy.xml -Path C:\Windows\System32\calc.exe, C:\Windows\System32\notepad.exe -User Everyone
    
       Uses the AppLocker policy in C:\Policy.xml to test whether calc.exe and notepad.exe are allowed to run for users 
       who are members of the Everyone group. If you do not specify a user or group, the Everyone group is used by default.
  2.  
    C:\PS> Get-ChildItem C:\Windows\System32 -Filter *.exe -Recurse | Convert-Path | Test-AppLockerPolicy -XMLPolicy C:\Policy.xml -User S-1-5-21-3165297888-301567370-576410423-1103 -Filter DeniedByDefault
    
       Gets the list of all executable files under C:\Windows\System32, obtains the full path for each file using the 
       Convert-Path cmdlet, and then uses the AppLocker policy specified in C:\Policy.xml to test whether the user with 
       the specified SID is denied access to run the files by default. A policy decision of DeniedByDefault occurs when 
       there are rules in the rule collection, but no explicit allow or deny rule applies to the specified 
       file and user.
  3.  
    C:\PS> Get-AppLockerPolicy -Local | Test-AppLockerPolicy -Path C:\Windows\System32\*.exe -User domain\saradavis -Filter Denied | Format-List -Property FilePath > C:\DeniedFiles.txt
    
       Gets the local AppLocker policy, pipes it to the PolicyObject parameter, uses the policy to determine which executables in 
       C:\Windows\System32 Sara Davis is explicitly denied access to run, and then redirects the list of file paths to a text file.
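  4.  
     The following script is an added example and is not part of the original help page. It goes one step further than
     the examples above: instead of testing files under C:\Windows\System32, it tests the host's effective policy against
     files in user-writable locations, which is where an attacker would drop a payload, and reports which rule lets each
     file through. The account name and the directory list are placeholders you would replace for your environment.

```powershell
# Added example (not from the original page): audit the effective AppLocker policy
# against files in user-writable locations for one test user.
# Assumptions: $TestUser and $WritableRoots are placeholders for your environment.

$TestUser      = 'domain\saradavis'                                   # assumed placeholder account
$WritableRoots = 'C:\Users\Public', 'C:\Windows\Temp', $env:TEMP      # assumed sample locations

# The merged policy (local + GPO) is what the host actually evaluates, so test against it
# rather than against a single local or GPO policy.
$policy = Get-AppLockerPolicy -Effective

# Enforcement is set per rule collection. A collection in AuditOnly mode logs but does not
# block, so an "Allowed"/"Denied" decision here is only meaningful for Enabled collections.
[xml]$policyXml = $policy.ToXml()
$policyXml.AppLockerPolicy.RuleCollection |
    Select-Object Type, EnforcementMode |
    Format-Table -AutoSize

# File types AppLocker can govern that an attacker could write to these directories.
$candidates = Get-ChildItem -Path $WritableRoots -Recurse -File -ErrorAction SilentlyContinue `
        -Include *.exe, *.dll, *.ps1, *.bat, *.cmd, *.vbs, *.js, *.msi |
    Convert-Path

if ($candidates) {
    $decisions = Test-AppLockerPolicy -PolicyObject $policy -Path $candidates -User $TestUser

    # Anything Allowed or AllowedByDefault inside a writable directory deserves a look:
    # it usually means a broad path rule (often a default rule) reaches that location.
    $decisions |
        Where-Object { $_.PolicyDecision -in 'Allowed', 'AllowedByDefault' } |
        Group-Object MatchingRule |
        ForEach-Object {
            [pscustomobject]@{
                MatchingRule = $_.Name
                FileCount    = $_.Count
                Examples     = ($_.Group.FilePath | Select-Object -First 3) -join '; '
            }
        } |
        Format-Table -AutoSize -Wrap
}
```

     Run it in an elevated session on the host being audited. Because Test-AppLockerPolicy evaluates the rules
     without regard to enforcement mode, read the EnforcementMode table first; a collection showing AuditOnly or
     NotConfigured will not block the files listed below it regardless of the decision column.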
Additional Notes
 To test AppLocker rules for a nested group, you should specify a representative member of the nested group for 
 the User parameter. For example, a rule that allows the Everyone group to run calc.exe may not appear to apply 
 correctly when you specify the nested Finance group for the User parameter. Instead, you should specify a 
 representative member of the Finance group for the User parameter.
 Test-AppLockerPolicy evaluates only the rules in the policy you pass in. It does not tell you whether that policy 
 is enforced: each rule collection carries its own EnforcementMode (Enabled, AuditOnly, or NotConfigured), and 
 AppLocker enforces nothing unless the Application Identity (AppIDSvc) service is running. To see what a deployed 
 computer would actually decide, test against Get-AppLockerPolicy -Effective rather than a single local or GPO policy.
Related Links

Get-AppLockerPolicy
Set-AppLockerPolicy
New-AppLockerPolicy
Get-AppLockerFileInformation