Review AppLocker Events with Get-AppLockerFileInformation
Applies To: Windows 7, Windows Server 2008 R2
This topic describes the steps to list files for analysis that are either blocked or will be blocked by an AppLocker policy.
For both event subscriptions and local events, you can use the Get-AppLockerFileInformation Windows PowerShell cmdlet to determine which files have been blocked or would have been blocked (if the Audit only enforcement setting is applied) and how many times the event has occurred for each file.
Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.
Note
If the AppLocker logs are not on the local computer, you will need permission to view the logs. If the output is saved to a file, you will need permission to read that file.
To review AppLocker events with Get-AppLockerFileInformation
Open a Command Prompt window.
At the command prompt, type PowerShell, and then press ENTER.
Run the following command to review how many times a file would have been blocked from running if rules were enforced:
Get-AppLockerFileInformation –EventLog –Logname "Microsoft-Windows-AppLocker\EXE and DLL" –EventType Audited –Statistics
Note
For an event subscription, specify the path to the forwarded event log for the Logname parameter.
Run the following command to review how many times a file has been allowed to run or prevented from running:
Get-AppLockerFileInformation –EventLog –Logname "Microsoft-Windows-AppLocker\EXE and DLL" –EventType Allowed –Statistics