This is the built-in help made by Microsoft for the command 'Get-AppLockerFileInformation', in PowerShell version 5 - as retrieved from
Windows version 'Microsoft Windows Server 2012 R2 Standard' PowerShell help files on 2016-06-23.
For PowerShell version 3 and up, where you have Update-Help, this command was run just before creating the web pages from the help files.
Gets the file information necessary to create AppLocker rules from a list of files or an event log.
Get-AppLockerFileInformation [[-Path] [<List<String>>]] [-InformationAction {SilentlyContinue | Stop | Continue | Inquire | Ignore | Suspend}] [-InformationVariable
[<System.String>]] [<CommonParameters>]
Get-AppLockerFileInformation [-FileType {Exe | Dll | WindowsInstaller | Script | Appx}] [-InformationAction {SilentlyContinue | Stop | Continue | Inquire | Ignore |
Suspend}] [-InformationVariable [<System.String>]] [-Recurse] -Directory <String> [<CommonParameters>]
Get-AppLockerFileInformation [-EventType [<List<AppLockerEventType>>]] [-InformationAction {SilentlyContinue | Stop | Continue | Inquire | Ignore | Suspend}]
[-InformationVariable [<System.String>]] [-LogPath [<String>]] [-Statistics] -EventLog [<CommonParameters>]
Get-AppLockerFileInformation [[-Packages] [<List<AppxPackage>>]] [-InformationAction {SilentlyContinue | Stop | Continue | Inquire | Ignore | Suspend}] [-InformationVariable
[<System.String>]] [<CommonParameters>]
The Get-AppLockerFileInformation cmdlet gets the AppLocker file information from a list of files or an event log. File information includes the publisher information, file
hash, and file path.
The file information from an event log may not contain all of the publisher information, file hash, and file path fields. Files that are not signed will not have any
publisher information.
<
Online Version: http://go.microsoft.com/fwlink/?linkid=287248
Get-AppLockerPolicy
New-AppLockerPolicy
Set-AppLockerPolicy
Test-AppLockerPolicy
Get-AppxPackage
<
EXAMPLE 1
PS C:\>Get-AppLockerFileInformation -Directory C:\Windows\system32\ -Recurse -FileType exe, script
This example gets the file information for all the .exe files and scripts under %windir%\system32.
EXAMPLE 2
PS C:\>Get-AppLockerFileInformation -Path "C:\Program Files (x86)\Internet Explorer\iexplore.exe" | Format-List
Path : %PROGRAMFILES%\INTERNET EXPLORER\IEXPLORE.EXE
Publisher : CN=WINDOWS MAIN BUILD LAB ACCOUNT\WINDOWS® INTERNET EXPLORER\IEXPLORE.EXE,10.0.8421.0
Hash : SHA256 0x5F374C2DD91A6F9E9E96F149EE221EC0454649F50E1AF6D3DAEFB849FB7C551C
AppX : False
PS C:\>Get-AppLockerFileInformation -Path "C:\Program Files\Internet Explorer\iexplore.exe" | Format-List
Path : %PROGRAMFILES%\INTERNET EXPLORER\IEXPLORE.EXE
Publisher : CN=WINDOWS MAIN BUILD LAB ACCOUNT\WINDOWS® INTERNET EXPLORER\IEXPLORE.EXE,10.0.8421.0
Hash : SHA256 0x5F374C2DD91A6F9E9E96F149EE221EC0454649F50E1AF6D3DAEFB849FB7C551C
AppX : False
This example gets the file information for the file specified by the path.
EXAMPLE 3
PS C:\>Get-AppXPackage –AllUsers | Get-AppLockerFileInformation
Path : windows.immersivecontrolpanel_6.2.0.0_neutral_neutral_cw5n1h2txyewy.appx
Publisher : CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington,
C=US\windows.immersivecontrolpanel\APPX,6.2.0.0
Hash :
AppX : True
Path : windows.RemoteDesktop_1.0.0.0_neutral_neutral_cw5n1h2txyewy.appx
Publisher : CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington,
C=US\windows.RemoteDesktop\APPX,1.0.0.0
Hash :
AppX : True
Path : WinStore_1.0.0.0_neutral_neutral_cw5n1h2txyewy.appx
Publisher : CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US\WinStore\APPX,1.0.0.0
Hash :
AppX : True
This example outputs the file information for all the packaged applications installed on this machine for all users.
EXAMPLE 4
PS C:\>Get-AppLockerFileInformation -EventLog -EventType Audited
This example outputs the file information for all the Audited events in the local event log. Audited events correspond to the Warning event in the AppLocker audit log.
EXAMPLE 5
PS C:\>Get-AppLockerFileInformation -EventLog -EventType Allow -Statistics
This example displays statistics for all the Allowed events in the local event log. For each file in the event log, the cmdlet will sum the number of times the event type
occurred.
EXAMPLE 6
PS C:\>Get-AppLockerFileInformation -EventLog -EventType Audited | New-AppLockerPolicy -RuleType Publisher, Hash, Path -User Everyone -Optimize | Set-AppLockerPolicy -LDAP
LDAP://TestGPO
This example creates a new AppLocker policy from the warning events in the local event log and sets the policy of a test Group Policy Object (GPO).