NAME
    Get-AppLockerFileInformation

SYNOPSIS
    Gets the AppLocker file information from a list of files or an event log.

SYNTAX
    Get-AppLockerFileInformation [-Path]

    Get-AppLockerFileInformation [-Directory]

    Get-AppLockerFileInformation -EventLog cs

DESCRIPTION
    The Get-AppLockerFileInformation cmdlet retrieves the AppLocker file information from a list of files or from an event log. File information that is retrieved can include publisher information, file hash information, and file path information. File information from an event log may not contain all of these fields. Files that are not signed do not have any publisher information.

PARAMETERS
    -Path
        List of paths to the files from which the file information is retrieved. Supports regular expressions.

        Required?                    true
        Position?                    1
        Default value
        Accept pipeline input?       true (ByValue)
        Accept wildcard characters?  false

    -Directory
        Specifies the directory containing the files from which the file information is retrieved. To search all subfolders and files in the directory, include the Recurse parameter.

        Required?                    true
        Position?                    1
        Default value
        Accept pipeline input?       false
        Accept wildcard characters?  false

    -FileType
        Specifies the generic file type to search for. The file type options are: Exe, Script, WindowsInstaller, or Dll.

        Required?                    false
        Position?                    named
        Default value                Exe, Script, WindowsInstaller, Dll
        Accept pipeline input?       false
        Accept wildcard characters?  false

    -Recurse
        Searches all subfolders and files in the directory specified by the Directory parameter.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?       false
        Accept wildcard characters?  false

    -EventLog
        Specifies that the file information is retrieved from an event log.

        Required?                    true
        Position?                    named
        Default value
        Accept pipeline input?       false
        Accept wildcard characters?  false

    -LogPath
        Specifies the log name or file path of the event log where the AppLocker events are located. If this parameter is not specified, the local Microsoft-Windows-AppLocker/EXE and DLL channel is used by default.

        Required?                    false
        Position?                    named
        Default value                Microsoft-Windows-AppLocker/EXE and DLL
        Accept pipeline input?       false
        Accept wildcard characters?  false

    -EventType
        Filters the AppLocker events by the event type. The event type options are: Allowed, Denied, or Audited. The event types correspond to the Informational, Error, and Warning level events in the AppLocker event logs.

        Required?                    false
        Position?                    named
        Default value                Allowed, Denied, Audited
        Accept pipeline input?       false
        Accept wildcard characters?  false

    -Statistics
        Provides the number of times that a file is listed in the event log after applying the optional filters.

        Required?                    false
        Position?                    named
        Default value
        Accept pipeline input?       false
        Accept wildcard characters?  false

    This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction, WarningVariable, OutBuffer and OutVariable. For more information, type, "get-help about_commonparameters".

INPUTS

OUTPUTS
    FileInformation[]

NOTES

    -------------------------- EXAMPLE 1 --------------------------

    C:\PS>Get-AppLockerFileInformation -Directory C:\Windows\System32\ -Recurse -FileType Exe, Script

    Gets the file information for all of the executable files and scripts in the directory C:\Windows\System32.

    -------------------------- EXAMPLE 2 --------------------------

    C:\PS>Get-AppLockerFileInformation -Path "C:\Program Files\Microsoft Office\Winword.exe"

    Gets the file information for the Winword.exe file in the path C:\Program Files\Microsoft Office\.

    -------------------------- EXAMPLE 3 --------------------------

    C:\PS>Get-AppLockerFileInformation -EventLog -LogPath "Microsoft-Windows-AppLocker/EXE and DLL" -EventType Audited

    Gets the file information for all of the audited events in the local Microsoft-Windows-AppLocker/EXE and DLL AppLocker event log.

    -------------------------- EXAMPLE 4 --------------------------

    C:\PS>Get-AppLockerFileInformation -EventLog -LogPath "Microsoft-Windows-AppLocker/MSI and Script" -EventType Allowed -Statistics

    Gets the statistics for all of the allowed script events in the local Microsoft-Windows-AppLocker/MSI and Script event log. The cmdlet provides the number of times that a script or Windows Installer file is listed in the event log.

    -------------------------- EXAMPLE 5 --------------------------

    C:\PS>Get-AppLockerFileInformation -EventLog -LogPath "Microsoft-Windows-AppLocker/EXE and DLL" -EventType Audited |
        New-AppLockerPolicy -RuleType Publisher, Hash, Path -User Everyone |
        Set-AppLockerPolicy -LDAP "LDAP://DC13.Contoso.com/CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=Contoso,DC=com"

    Gets the file information from all of the audited events in the local Microsoft-Windows-AppLocker/EXE and DLL event log, creates a new AppLocker policy for the files from the audited events, and then sets the AppLocker policy for the specified Group Policy Object (GPO).

RELATED LINKS
    Online version: http://go.microsoft.com/fwlink/?LinkID=144109
    Get-AppLockerPolicy
    Set-AppLockerPolicy
    New-AppLockerPolicy
    Test-AppLockerPolicy
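ADDED EXAMPLE (not part of the original help text)
    Example 5 pipes audited events straight into a GPO. The script below is an added illustration of the same pipeline split into reviewable stages: statistics, a signed/unsigned split, a policy written to XML, and a Test-AppLockerPolicy pass before anything is deployed. The paths in $OutDir and $TestDir and the output file names are assumptions, and the Publisher and Path property names are assumed from the cmdlet's FileInformation output.

```powershell
# Added example: staged review of audited AppLocker events before any GPO change.
# $OutDir and $TestDir are assumed paths; adjust them to your environment.
$OutDir  = 'C:\AppLockerReview'
$TestDir = 'C:\Program Files'
$Log     = 'Microsoft-Windows-AppLocker/EXE and DLL'

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. How often was each file audited? Saved as text for human review.
Get-AppLockerFileInformation -EventLog -LogPath $Log -EventType Audited -Statistics |
    Out-File (Join-Path $OutDir 'audited-statistics.txt')

# 2. Collect the file information once and stop if the log holds no audited events.
$info = @(Get-AppLockerFileInformation -EventLog -LogPath $Log -EventType Audited)
if ($info.Count -eq 0) {
    Write-Warning "No audited events found in '$Log'."
    return
}

# 3. Unsigned files carry no publisher information, so they can only be covered
#    by hash or path rules. List them separately; they deserve a closer look.
$unsigned = @($info | Where-Object { -not $_.Publisher })
$unsigned | ForEach-Object { "$($_.Path)" } |
    Out-File (Join-Path $OutDir 'unsigned-files.txt')
Write-Host ("{0} audited files, {1} without publisher information" -f $info.Count, $unsigned.Count)

# 4. Build the candidate policy as XML on disk instead of writing it to a GPO.
#    Publisher rules are used where possible, hash rules otherwise.
$policyFile = Join-Path $OutDir 'candidate-policy.xml'
$info | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Out-File $policyFile

# 5. Check what the candidate policy would still block under $TestDir.
Get-ChildItem $TestDir -Recurse -Filter *.exe -File -ErrorAction SilentlyContinue |
    Convert-Path |
    Test-AppLockerPolicy -XmlPolicy $policyFile -User Everyone -Filter Denied, DeniedByDefault |
    Export-Csv (Join-Path $OutDir 'would-be-denied.csv') -NoTypeInformation

# 6. Deploy only after the three review files have been checked, for example:
#    Set-AppLockerPolicy -XmlPolicy $policyFile -LDAP '<LDAP path of the target GPO>'
```

    An audited event records that a file ran, not that it should be allowed, so the unsigned-file list and the statistics are the inputs to the approval decision rather than a formality.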