PowerShell Cmdlet Help for Get-AppLockerFileInformation



NAME
Get-AppLockerFileInformation

SYNOPSIS
Gets the AppLocker file information from a list of files or an event log.

SYNTAX
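Get-AppLockerFileInformation [-Path] <List<String>> [<CommonParameters>]

Get-AppLockerFileInformation [-Directory] <String> [-FileType <List<AppLockerFileType>>] [-Recurse] [<CommonParameters>]

Get-AppLockerFileInformation -EventLog [-LogPath <String>] [-EventType <List<AppLockerEventType>>] [-Statistics] [<CommonParameters>]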


DESCRIPTION
The Get-AppLockerFileInformation cmdlet retrieves the AppLocker file information from a list of files or from an event log. File information that is retrieved can include publisher information, file hash information, and file path information. File information from an event log may not contain all of these fields. Files that are not signed do not have any publisher information.


PARAMETERS
-Path
List of paths to the files from which the file information is retrieved. Supports regular expressions.

Required? true
Position? 1
Default value
Accept pipeline input? true (ByValue)
Accept wildcard characters? false

-Directory
Specifies the directory containing the files from which the file information is retrieved. To search all subfolders and files in the directory, include the Recurse parameter.

Required? true
Position? 1
Default value
Accept pipeline input? false
Accept wildcard characters? false

-FileType
Specifies the generic file type to search for. The file type options are: Exe, Script, WindowsInstaller, or Dll.

Required? false
Position? named
Default value Exe, Script, WindowsInstaller, Dll
Accept pipeline input? false
Accept wildcard characters? false

-Recurse
Searches all subfolders and files in the directory specified by the Directory parameter.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-EventLog
Specifies that the file information is retrieved from an event log.

Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false

-LogPath
Specifies the log name or file path of the event log where the AppLocker events are located. If this parameter is not specified, the local Microsoft-Windows-AppLocker/EXE and DLL channel is used by default.

Required? false
Position? named
Default value Microsoft-Windows-AppLocker/EXE and DLL
Accept pipeline input? false
Accept wildcard characters? false

-EventType
Filters the AppLocker events by the event type. The event type options are: Allowed, Denied, or Audited. The event types correspond to the Informational, Error, and Warning level events in the AppLocker event logs.

Required? false
Position? named
Default value Allowed, Denied, Audited
Accept pipeline input? false
Accept wildcard characters? false

-Statistics
Provides the number of times that a file is listed in the event log after applying the optional filters.

Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false


This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer and OutVariable. For more information, type,
"get-help about_commonparameters".

INPUTS



OUTPUTS
FileInformation[]


NOTES





-------------------------- EXAMPLE 1 --------------------------

C:\PS>Get-AppLockerFileInformation -Directory C:\Windows\System32\ -Recurse -FileType Exe, Script


Gets the file information for all of the executable files and scripts in the directory C:\Windows\System32.





-------------------------- EXAMPLE 2 --------------------------

C:\PS>Get-AppLockerFileInformation -Path "C:\Program Files\Microsoft Office\Winword.exe"


Gets the file information for the Winword.exe file in the path C:\Program Files\Microsoft Office\.





-------------------------- EXAMPLE 3 --------------------------

C:\PS>Get-AppLockerFileInformation -EventLog -LogPath "Microsoft-Windows-AppLocker/EXE and DLL" -EventType Audited


Gets the file information for all of the audited events in the local Microsoft-Windows-AppLocker/EXE and DLL AppLocker event log.





-------------------------- EXAMPLE 4 --------------------------

C:\PS>Get-AppLockerFileInformation -EventLog -LogPath "Microsoft-Windows-AppLocker/MSI and Script" -EventType Allowed -Statistics


Gets the statistics for all of the allowed script events in the local Microsoft-Windows-AppLocker/MSI and Script event log. The cmdlet provides the number of times that a script or Windows Installer file is listed in the event log.





-------------------------- EXAMPLE 5 --------------------------

C:\PS>Get-AppLockerFileInformation -EventLog -LogPath "Microsoft-Windows-AppLocker/EXE and DLL" -EventType Audited | New-AppLockerPolicy -RuleType Publisher, Hash, Path -User Everyone | Set-AppLockerPolicy -LDAP "LDAP://DC13.Contoso.com/CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=Contoso,DC=com"


Gets the file information from all of the audited events in the local Microsoft-Windows-AppLocker/EXE and DLL event log, creates a new AppLocker policy for the files from the audited events, and then sets the AppLocker policy for the specified Group Policy Object (GPO).
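
A staged variant of Example 5, added here and not part of the original help text: it reviews the audited events and writes the candidate policy to an XML file for testing instead of piping it straight into a GPO. The output folder and file names are assumptions; the cmdlets and parameters belong to the AppLocker module.

```powershell
# Added example, not from the original help text.
# Assumed names: $OutDir and the file names created under it.
$OutDir    = Join-Path $env:TEMP 'AppLockerReview'
$log       = 'Microsoft-Windows-AppLocker/EXE and DLL'
$policyXml = Join-Path $OutDir 'candidate-policy.xml'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Occurrence count per audited file, saved for review.
Get-AppLockerFileInformation -EventLog -LogPath $log -EventType Audited -Statistics |
    Export-Csv -Path (Join-Path $OutDir 'audited-stats.csv') -NoTypeInformation

# 2. Full file information for the same events.
$files = @(Get-AppLockerFileInformation -EventLog -LogPath $log -EventType Audited)
if ($files.Count -eq 0) { Write-Warning "No audited events found in '$log'."; return }

# Unsigned files carry no publisher information, so only hash or path rules can cover them.
$unsigned = @($files | Where-Object { -not $_.Publisher })

# Assumption: logged paths use AppLocker variables such as %WINDIR% and %PROGRAMFILES%.
$outsideSystem = @($files | Where-Object {
    "$($_.Path)" -notmatch '^%(WINDIR|SYSTEM32|PROGRAMFILES)%'
})

'{0} audited files, {1} unsigned, {2} outside Windows and Program Files' -f `
    $files.Count, $unsigned.Count, $outsideSystem.Count
$outsideSystem | Select-Object Path, Publisher | Format-Table -AutoSize

# 3. Write the candidate policy to XML instead of a GPO. Filter $files first if the
#    review turned up entries that should not be allowed. Publisher and Hash only:
#    a Path rule generated from a file in a user-writable folder would allow
#    anything later placed at that path.
$files | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Set-Content -Path $policyXml

# 4. List files on disk that the candidate policy would still block.
Get-ChildItem -Path "$env:windir\System32\*.exe" |
    Test-AppLockerPolicy -XmlPolicy $policyXml -User Everyone -Filter Denied, DeniedByDefault

# 5. After review, apply the XML to the GPO. Without -Merge the policy already
#    in the GPO is overwritten.
# Set-AppLockerPolicy -XmlPolicy $policyXml -LDAP '<LDAP path of the GPO>' -Merge
```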






RELATED LINKS
Online version: http://go.microsoft.com/fwlink/?LinkID=144109
Get-AppLockerPolicy
Set-AppLockerPolicy
New-AppLockerPolicy
Test-AppLockerPolicy