Get-AppLockerFileInformation
Gets the AppLocker file information from a list of files or an event log.
Syntax
Get-AppLockerFileInformation [-Path] <String[]> [<CommonParameters>]
Get-AppLockerFileInformation [-Directory] <String> [-FileType <AppLockerFileType[]>] [-Recurse <Boolean>] [<CommonParameters>]
Get-AppLockerFileInformation -EventLog <Boolean> [-LogPath <String>] [-EventType <AppLockerEventType[]>] [-Statistics <Boolean>] [<CommonParameters>]
Detailed Description
The Get-AppLockerFileInformation cmdlet retrieves the AppLocker file information from a list of files or from an event log. File information that is retrieved can include publisher information, file hash information, and file path information. File information from an event log may not contain all of these fields. Files that are not signed do not have any publisher information.
Parameters
-Path <String[]>
List of paths to the files from which the file information is retrieved. Supports regular expressions.
Attributes
Name | Value |
---|---|
Required? | true |
Accept wildcard characters? | false |
Accept Pipeline Input? | true (ByValue) |
Position? | 1 |
-Directory <String>
Specifies the directory containing the files from which the file information is retrieved. To search all subfolders and files in the directory, include the Recurse parameter.
Attributes
Name | Value |
---|---|
Required? | true |
Accept wildcard characters? | false |
Accept Pipeline Input? | false |
Position? | 1 |
-FileType <AppLockerFileType[]>
Specifies the generic file type to search for. The file type options are: Exe, Script, WindowsInstaller, or Dll.
Attributes
Name | Value |
---|---|
Required? | false |
Accept wildcard characters? | false |
Accept Pipeline Input? | false |
Position? | named |
-Recurse <Boolean>
Searches all subfolders and files in the directory specified by the Directory parameter.
Attributes
Name | Value |
---|---|
Required? | false |
Accept wildcard characters? | false |
Accept Pipeline Input? | false |
Position? | named |
-EventLog <Boolean>
Specifies that the file information is retrieved from an event log.
Attributes
Name | Value |
---|---|
Required? | true |
Accept wildcard characters? | false |
Accept Pipeline Input? | false |
Position? | named |
-LogPath <String>
Specifies the log name or file path of the event log where the AppLocker events are located. If this parameter is not specified, the local Microsoft-Windows-AppLocker/EXE and DLL channel is used by default.
Attributes
Name | Value |
---|---|
Required? | false |
Accept wildcard characters? | false |
Accept Pipeline Input? | false |
Position? | named |
-EventType <AppLockerEventType[]>
Filters the AppLocker events by the event type. The event type options are: Allowed, Denied, or Audited. The event types correspond to the Informational, Error, and Warning level events in the AppLocker event logs.
Attributes
Name | Value |
---|---|
Required? | false |
Accept wildcard characters? | false |
Accept Pipeline Input? | false |
Position? | named |
-Statistics <Boolean>
Provides the number of times that a file is listed in the event log after applying the optional filters.
Attributes
Name | Value |
---|---|
Required? | false |
Accept wildcard characters? | false |
Accept Pipeline Input? | false |
Position? | named |
<CommonParameters>
This cmdlet supports the common parameters: -Verbose, -Debug, -ErrorAction, -ErrorVariable, -OutBuffer, and -OutVariable. For more information, see About Common Parameters.
Input and Return Types
The input type is the type of the objects that you can pipe to the cmdlet. The return type is the type of the objects that the cmdlet emits.
Input Type | Return Type |
---|---|
. | FileInformation[]. |
Notes
Examples
EXAMPLE 1
C:\PS>Get-AppLockerFileInformation -Directory C:\Windows\System32\ -Recurse -FileType Exe, Script
Gets the file information for all of the executable files and scripts in the directory C:\Windows\System32.
EXAMPLE 2
C:\PS>Get-AppLockerFileInformation -Path "C:\Program Files\Microsoft Office\Winword.exe"
Gets the file information for the Winword.exe file in the path C:\Program Files\Microsoft Office\.
EXAMPLE 3
C:\PS>Get-AppLockerFileInformation -EventLog -LogPath "Microsoft-Windows-AppLocker/EXE and DLL" -EventType Audited
Gets the file information for all of the audited events in the local Microsoft-Windows-AppLocker/EXE and DLL AppLocker event log.
EXAMPLE 4
C:\PS>Get-AppLockerFileInformation -EventLog -LogPath "Microsoft-Windows-AppLocker/MSI and Script" -EventType Allowed -Statistics
Gets the statistics for all of the allowed script events in the local Microsoft-Windows-AppLocker/MSI and Script event log. The cmdlet provides the number of times that a script or Windows Installer file is listed in the event log.
EXAMPLE 5
C:\PS>Get-AppLockerFileInformation -EventLog -LogPath "Microsoft-Windows-AppLocker/EXE and DLL" -EventType Audited | New-AppLockerPolicy -RuleType Publisher, Hash, Path -User Everyone | Set-AppLockerPolicy -LDAP "LDAP://DC13.Contoso.com/CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=Contoso,DC=com"
Gets the file information from all of the audited events in the local Microsoft-Windows-AppLocker/EXE and DLL event log, creates a new AppLocker policy for the files from the audited events, and then sets the AppLocker policy for the specified Group Policy Object (GPO).
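The following script is an added example and not part of the reference page: it walks the audit-mode workflow the examples above sketch, separating unsigned files (which have no publisher information) from signed ones, counting repeat occurrences, and testing a draft policy before it is applied. It assumes AppLocker is running in audit mode with events in the local EXE and DLL log, and that the returned FileInformation objects expose Path and Publisher properties; the draft file path is a placeholder.

```powershell
# Added example, not from the reference page: triage AppLocker audit-mode events before turning them into rules.
# Assumes AppLocker is in audit mode and the local EXE and DLL log already contains events;
# the Path and Publisher properties on the returned FileInformation objects are assumed.
$logName = 'Microsoft-Windows-AppLocker/EXE and DLL'

# Audited events are the files that would have been blocked had the policy been enforced.
$audited = Get-AppLockerFileInformation -EventLog -LogPath $logName -EventType Audited

# Unsigned files carry no publisher information, so they can only be covered by hash or
# path rules and deserve closer review than signed ones.
$unsigned = $audited | Where-Object { -not $_.Publisher }
"{0} audited files, {1} of them unsigned" -f $audited.Count, $unsigned.Count

# Count how often each unsigned file appears in the log, most frequent first.
$unsigned |
    Group-Object -Property { "$($_.Path)" } |
    Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name |
    Format-Table -AutoSize

# Build a draft policy from the audited events (publisher rules where possible, hash rules
# otherwise), save it as XML, and test it against a known-good directory before merging it
# into the live policy with Set-AppLockerPolicy.
$draft = 'C:\AppLockerDraft.xml'   # placeholder output path
$audited |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Out-File -FilePath $draft -Encoding Unicode

# Any file in this directory that the draft would not allow shows up here for review.
Test-AppLockerPolicy -XmlPolicy $draft -Path (Get-ChildItem 'C:\Windows\System32\*.exe').FullName |
    Where-Object { $_.PolicyDecision -ne 'Allowed' }
```

Review the non-Allowed results and the top unsigned files before calling Set-AppLockerPolicy with the draft; enforcing a policy built only from audit events can otherwise block files that simply were not run during the audit window.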
See Also
Reference
Get-AppLockerPolicy
Set-AppLockerPolicy
New-AppLockerPolicy
Test-AppLockerPolicy