
Get-AppLockerFileInformation



This is the built-in help made by Microsoft for the command 'Get-AppLockerFileInformation', in PowerShell version 5 - as retrieved from Windows version 'Microsoft Windows Server 2012 R2 Standard' PowerShell help files on 2016-06-23.

For PowerShell version 3 and up, where you have Update-Help, this command was run just before creating the web pages from the help files.

SYNOPSIS

Gets the file information necessary to create AppLocker rules from a list of files or an event log.

SYNTAX


Get-AppLockerFileInformation [[-Path] [<List<String>>]] [-InformationAction {SilentlyContinue | Stop | Continue | Inquire | Ignore | Suspend}] [-InformationVariable [<System.String>]] [<CommonParameters>]

Get-AppLockerFileInformation [-FileType {Exe | Dll | WindowsInstaller | Script | Appx}] [-InformationAction {SilentlyContinue | Stop | Continue | Inquire | Ignore | Suspend}] [-InformationVariable [<System.String>]] [-Recurse] -Directory <String> [<CommonParameters>]

Get-AppLockerFileInformation [-EventType [<List<AppLockerEventType>>]] [-InformationAction {SilentlyContinue | Stop | Continue | Inquire | Ignore | Suspend}] [-InformationVariable [<System.String>]] [-LogPath [<String>]] [-Statistics] -EventLog [<CommonParameters>]

Get-AppLockerFileInformation [[-Packages] [<List<AppxPackage>>]] [-InformationAction {SilentlyContinue | Stop | Continue | Inquire | Ignore | Suspend}] [-InformationVariable [<System.String>]] [<CommonParameters>]




DESCRIPTION


The Get-AppLockerFileInformation cmdlet gets the AppLocker file information from a list of files or an event log. File information includes the publisher information, file hash, and file path.


The file information from an event log may not contain all of the publisher information, file hash, and file path fields. Files that are not signed will not have any publisher information.




RELATED LINKS

Online Version: http://go.microsoft.com/fwlink/?linkid=287248
Get-AppLockerPolicy
New-AppLockerPolicy
Set-AppLockerPolicy
Test-AppLockerPolicy
Get-AppxPackage

REMARKS


Examples


EXAMPLE 1

PS C:\>Get-AppLockerFileInformation -Directory C:\Windows\system32\ -Recurse -FileType exe, script



This example gets the file information for all the .exe files and scripts under %windir%\system32.






EXAMPLE 2

PS C:\>Get-AppLockerFileInformation -Path "C:\Program Files (x86)\Internet Explorer\iexplore.exe" | Format-List
Path : %PROGRAMFILES%\INTERNET EXPLORER\IEXPLORE.EXE
Publisher : CN=WINDOWS MAIN BUILD LAB ACCOUNT\WINDOWS® INTERNET EXPLORER\IEXPLORE.EXE,10.0.8421.0
Hash : SHA256 0x5F374C2DD91A6F9E9E96F149EE221EC0454649F50E1AF6D3DAEFB849FB7C551C
AppX : False


PS C:\>Get-AppLockerFileInformation -Path "C:\Program Files\Internet Explorer\iexplore.exe" | Format-List
Path : %PROGRAMFILES%\INTERNET EXPLORER\IEXPLORE.EXE
Publisher : CN=WINDOWS MAIN BUILD LAB ACCOUNT\WINDOWS® INTERNET EXPLORER\IEXPLORE.EXE,10.0.8421.0
Hash : SHA256 0x5F374C2DD91A6F9E9E96F149EE221EC0454649F50E1AF6D3DAEFB849FB7C551C
AppX : False



This example gets the file information for the file specified by the path.






EXAMPLE 3

PS C:\>Get-AppXPackage -AllUsers | Get-AppLockerFileInformation
Path : windows.immersivecontrolpanel_6.2.0.0_neutral_neutral_cw5n1h2txyewy.appx
Publisher : CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US\windows.immersivecontrolpanel\APPX,6.2.0.0
Hash :
AppX : True

Path : windows.RemoteDesktop_1.0.0.0_neutral_neutral_cw5n1h2txyewy.appx
Publisher : CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US\windows.RemoteDesktop\APPX,1.0.0.0
Hash :
AppX : True

Path : WinStore_1.0.0.0_neutral_neutral_cw5n1h2txyewy.appx
Publisher : CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US\WinStore\APPX,1.0.0.0
Hash :
AppX : True



This example outputs the file information for all the packaged applications installed on this machine for all users.






EXAMPLE 4

PS C:\>Get-AppLockerFileInformation -EventLog -EventType Audited



This example outputs the file information for all the Audited events in the local event log. Audited events correspond to the Warning event in the AppLocker audit log.






EXAMPLE 5

PS C:\>Get-AppLockerFileInformation -EventLog -EventType Allow -Statistics



This example displays statistics for all the Allowed events in the local event log. For each file in the event log, the cmdlet will sum the number of times the event type occurred.






EXAMPLE 6

PS C:\>Get-AppLockerFileInformation -EventLog -EventType Audited | New-AppLockerPolicy -RuleType Publisher, Hash, Path -User Everyone -Optimize | Set-AppLockerPolicy -LDAP LDAP://TestGPO



This example creates a new AppLocker policy from the warning events in the local event log and sets the policy of a test Group Policy Object (GPO).
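
The following is an added example, not part of the Microsoft help text: it splits the one-line pipeline of EXAMPLE 6 into stages so the audit-derived rules can be reviewed and tested before they reach a GPO. The draft file location and the System32 test set are assumptions chosen for illustration; LDAP://TestGPO is the value used in EXAMPLE 6.

```powershell
# Hypothetical location for the draft policy (assumption, not from the help text).
$draft = Join-Path $env:TEMP 'AppLocker-draft.xml'

# Stage 1: collect file information from the Audited (Warning) events
# in the local AppLocker event log.
$audited = @(Get-AppLockerFileInformation -EventLog -EventType Audited)
if ($audited.Count -eq 0) {
    Write-Warning 'No Audited events found; nothing to build a policy from.'
    return
}

# Stage 2: list the entries that have no publisher information.
# Unsigned files cannot get a publisher rule, so each of these would be
# allowed by hash only. Review this list before trusting any of them.
$unsigned = @($audited | Where-Object { -not $_.Publisher })
'{0} audited files, {1} without publisher information' -f $audited.Count, $unsigned.Count
$unsigned | Select-Object Path, Hash | Format-Table -AutoSize

# Stage 3: build the draft as XML instead of applying it directly.
# Rule types are tried in the order given: Publisher first, Hash as fallback.
# Path rules are left out here so that writable directories seen in the log
# do not become allow rules without a manual decision.
# -IgnoreMissingFileInformation skips event-log entries that lack the fields
# a rule needs (see DESCRIPTION above) instead of stopping on them.
$audited |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize `
        -IgnoreMissingFileInformation -Xml |
    Out-File -FilePath $draft

# Stage 4: test the draft against known-good files and show what it would block.
# C:\Windows\System32\*.exe is only a sample set; substitute the files that
# matter in your environment.
Get-ChildItem C:\Windows\System32\*.exe |
    Test-AppLockerPolicy -XmlPolicy $draft -User Everyone -Filter Denied, DeniedByDefault |
    Select-Object FilePath, PolicyDecision |
    Format-Table -AutoSize

# Stage 5 (run only after reviewing the XML and the test output):
# -Merge adds the rules to those already in the GPO; without it the
# GPO's existing AppLocker policy is replaced.
# Set-AppLockerPolicy -XmlPolicy $draft -LDAP 'LDAP://TestGPO' -Merge
```

A policy generated from audit events allows whatever ran during the audit window, so the Stage 2 list and the generated XML are the places to catch unwanted binaries before the rules are applied.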