powershellscripts.com

PowerShell Cmdlet Help for Test-AppLockerPolicy



NAME
Test-AppLockerPolicy

SYNOPSIS
Tests whether the input files are allowed to run for a given user based on the specified AppLocker policy.

SYNTAX
Test-AppLockerPolicy [-PolicyObject] <AppLockerPolicy> -Path <List<String>> [-User <String>] [-Filter <List<PolicyDecision>>] [<CommonParameters>]

Test-AppLockerPolicy [-XMLPolicy] <String> -Path <List<String>> [-User <String>] [-Filter <List<PolicyDecision>>] [<CommonParameters>]


DESCRIPTION
The Test-AppLockerPolicy cmdlet uses the specified AppLocker policy to test whether each file in a specified list is allowed to run on the local computer for a specific user. The policy is either a policy object (for example, the local or effective policy returned by Get-AppLockerPolicy) or an exported policy XML file.


PARAMETERS
-PolicyObject
Specifies the policy object that contains the AppLocker policy. It can be obtained from Get-AppLockerPolicy or
New-AppLockerPolicy.

Required? true
Position? 1
Default value
Accept pipeline input? true (ByValue)
Accept wildcard characters? false

-XMLPolicy
Specifies the path of the XML file that contains the AppLocker policy to test against.

Required? true
Position? 1
Default value
Accept pipeline input? false
Accept wildcard characters? false

-Path
Specifies the list of file paths to test. Wildcard patterns such as C:\Windows\System32\*.exe are accepted, as in Example 3.

Required? true
Position? named
Default value
Accept pipeline input? true (ByValue)
Accept wildcard characters? false

-User
Defines the user or group to be used for testing the rules in the specified AppLocker policy. You must provide
the value in one of the following formats:
DNS user name (domain\username)
User Principal Name (username@domain.com)
SAM user name (username)
Security identifier (S-1-5-21-3165297888-301567370-576410423-1103)

Required? false
Position? named
Default value Everyone
Accept pipeline input? false
Accept wildcard characters? false

-Filter
Filters the output by the policy decision for each input file. The policy decision options are: Allowed, Denied, DeniedByDefault, and AllowedByDefault. Allowed and Denied mean an explicit rule matched the file and user. DeniedByDefault means the rule collection for that file type contains rules but none of them matched; AllowedByDefault means the rule collection for that file type is empty, so AppLocker does not restrict that file type at all. By default, all policy decisions are displayed.

Required? false
Position? named
Default value Allowed, Denied, DeniedByDefault, AllowedByDefault
Accept pipeline input? false
Accept wildcard characters? false


This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer and OutVariable. For more information, type,
"get-help about_commonparameters".

INPUTS
AppLockerPolicy
You can pipe an AppLocker policy object, such as the output of Get-AppLockerPolicy, to the PolicyObject parameter.

System.String
You can pipe file paths to the Path parameter.

OUTPUTS
AppLockerPolicyDecision


NOTES


To test AppLocker rules for a nested group, you should specify a representative member of the nested group for the User parameter. For example, a rule that allows the Everyone group to run calc.exe may not appear to apply correctly when you specify the nested Finance group for the User parameter. Instead, you should specify a representative member of the Finance group for the User parameter.


-------------------------- EXAMPLE 1 --------------------------

C:\PS>Test-AppLockerPolicy -XMLPolicy C:\Policy.xml -Path C:\Windows\System32\calc.exe, C:\Windows\System32\notepad.exe -User Everyone


Uses the AppLocker policy in C:\Policy.xml to test whether calc.exe and notepad.exe are allowed to run for users who are members of the Everyone group. If you do not specify a user or group, the Everyone group is used by default.





-------------------------- EXAMPLE 2 --------------------------

C:\PS>Get-ChildItem C:\Windows\System32 -filter *.exe -recurse | Convert-Path | Test-AppLockerPolicy c:\Policy.xml -User S-1-5-21-3165297888-301567370-576410423-1103 -Filter DeniedByDefault


Gets the list of all executable files under C:\Windows\System32, obtains the full path for each file using the Convert-Path cmdlet, and then uses the AppLocker policy specified in C:\Policy.xml to test whether the user with the specified SID is denied access to run the files by default. A policy decision of DeniedByDefault occurs when there are rules in the rule collection, but no explicit allow or deny rule applies to the specified file and user.





-------------------------- EXAMPLE 3 --------------------------

C:\PS>Get-AppLockerPolicy -Local | Test-AppLockerPolicy -Path C:\Windows\System32\*.exe -User domain\saradavis -Filter Denied | Format-List -Property Path > C:\DeniedFiles.txt


Gets the local AppLocker policy, uses the policy to determine which executables in C:\Windows\System32 Sara Davis is explicitly denied access to run, and then redirects the list to a text file.
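The following is an added example, not part of the original help text, that combines Examples 2 and 3 with the nested-group advice in NOTES: it scans directories a standard user can write to, tests every Exe and Script file against either an exported policy XML or the effective policy, and reports, per principal, the count of each policy decision and the files the principal could actually run together with the rule that permits them. The function name Get-AppLockerExposure, its parameter names, the default directories and the domain\Finance and domain\saradavis principals are illustrative; the FilePath, PolicyDecision and MatchingRule property names are assumed to be those exposed by the AppLockerPolicyDecision objects the cmdlet returns.

```powershell
# Added example; not part of the original help page. Function name, parameters and
# sample principals are illustrative. Assumes the objects Test-AppLockerPolicy
# returns expose FilePath, PolicyDecision and MatchingRule.
function Get-AppLockerExposure {
    [CmdletBinding()]
    param(
        # Exported policy XML to test against (the -XMLPolicy parameter set). Omit it
        # to test the policy actually in effect on this computer (-PolicyObject set).
        [string]$XmlPolicy,

        # Principals to evaluate. As the NOTES say, pass a representative member
        # (domain\user or SID) alongside or instead of a nested group name.
        [string[]]$User = @('Everyone'),

        # Directories to scan. User-writable locations are the interesting ones:
        # nothing there should normally be allowed to run.
        [string[]]$Directory = @($env:TEMP, (Join-Path $env:USERPROFILE 'Downloads')),

        # File types covered by the Exe and Script rule collections.
        [string[]]$Include = @('*.exe', '*.com', '*.ps1', '*.bat', '*.cmd', '*.vbs', '*.js')
    )

    # -Path takes strings, so expand FileInfo objects to full paths, as Example 2
    # does with Convert-Path.
    $files = @(foreach ($dir in $Directory) {
        if (Test-Path -LiteralPath $dir) {
            Get-ChildItem -LiteralPath $dir -Recurse -File -Include $Include -ErrorAction SilentlyContinue |
                Select-Object -ExpandProperty FullName
        }
    })
    if ($files.Count -eq 0) {
        Write-Warning "No files matching $($Include -join ', ') under $($Directory -join ', ')"
        return
    }

    # Load the effective policy once when no XML file was given.
    $policy = if (-not $XmlPolicy) { Get-AppLockerPolicy -Effective }

    foreach ($principal in $User) {
        $decisions = @(if ($XmlPolicy) {
            Test-AppLockerPolicy -XMLPolicy $XmlPolicy -Path $files -User $principal
        } else {
            $policy | Test-AppLockerPolicy -Path $files -User $principal
        })

        [pscustomobject]@{
            User   = $principal
            Tested = $decisions.Count
            # One row per decision. DeniedByDefault is the healthy outcome for a
            # user-writable directory; AllowedByDefault means the rule collection
            # for that file type is empty, so AppLocker is not enforcing the type.
            Counts = $decisions | Group-Object PolicyDecision -NoElement | Select-Object Name, Count
            # Files this principal can run, with the rule that permits each one
            # (for a user-writable location, usually an over-broad path rule).
            Exposed = $decisions |
                Where-Object { $_.PolicyDecision -in 'Allowed', 'AllowedByDefault' } |
                Select-Object FilePath, PolicyDecision, MatchingRule
        }
    }
}

# Usage: test a nested group and a representative member of it side by side, so a
# rule the group only inherits through nesting is not misreported (see NOTES).
Get-AppLockerExposure -XmlPolicy C:\Policy.xml -User 'domain\Finance', 'domain\saradavis' |
    Format-List User, Tested, Counts, Exposed
```

The Where-Object step could be replaced by passing -Filter Allowed, AllowedByDefault to Test-AppLockerPolicy, as Examples 2 and 3 do, but a single unfiltered call is kept here so the same result set also feeds the per-decision counts. Run the function as the account whose view of the policy matters, or against an exported XML, because Get-AppLockerPolicy -Effective reports the policy merged on the machine where it runs.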






RELATED LINKS
Online version: http://go.microsoft.com/fwlink/?LinkID=144113
Get-AppLockerPolicy
Set-AppLockerPolicy
New-AppLockerPolicy
Get-AppLockerFileInformation