Condividi tramite


Get-AppLockerFileInformation

Get-AppLockerFileInformation

Gets the AppLocker file information from a list of files or an event log.

Syntax

Get-AppLockerFileInformation [-Path] <String[]> [<CommonParameters>]


Get-AppLockerFileInformation [-Directory] <String> [-FileType <AppLockerFileType[]>] [-Recurse <Boolean>] [<CommonParameters>]


Get-AppLockerFileInformation -EventLog <Boolean> [-LogPath <String>] [-EventType <AppLockerEventType[]>] [-Statistics <Boolean>] [<CommonParameters>]

Detailed Description

The Get-AppLockerFileInformation cmdlet retrieves the AppLocker file information from a list of files or from an event log. File information that is retrieved can include publisher information, file hash information, and file path information. File information from an event log may not contain all of these fields. Files that are not signed do not have any publisher information.

Parameters

-Path <String[]>

List of paths to the files from which the file information is retrieved. Supports regular expressions.

Attributes

Name Value

Required?

true

Accept wildcard characters?

false

Accept Pipeline Input?

true (ByValue)

Position?

1

-Directory <String>

Specifies the directory containing the files from which the file information is retrieved. To search all subfolders and files in the directory, include the Recurse parameter.

Attributes

Name Value

Required?

true

Accept wildcard characters?

false

Accept Pipeline Input?

false

Position?

1

-FileType <AppLockerFileType[]>

Specifies the generic file type to search for. The file type options are: Exe, Script, WindowsInstaller, or Dll.

Attributes

Name Value

Required?

false

Accept wildcard characters?

false

Accept Pipeline Input?

false

Position?

named

-Recurse <Boolean>

Searches all subfolders and files in the directory specified by the Directory parameter.

Attributes

Name Value

Required?

false

Accept wildcard characters?

false

Accept Pipeline Input?

false

Position?

named

-EventLog <Boolean>

Specifies that the file information is retrieved from an event log.

Attributes

Name Value

Required?

true

Accept wildcard characters?

false

Accept Pipeline Input?

false

Position?

named

-LogPath <String>

Specifies the log name or file path of the event log where the AppLocker events are located. If this parameter is not specified, the local Microsoft-Windows-AppLocker/EXE and DLL channel is used by default.

Attributes

Name Value

Required?

false

Accept wildcard characters?

false

Accept Pipeline Input?

false

Position?

named

-EventType <AppLockerEventType[]>

Filters the AppLocker events by the event type. The event type options are: Allowed, Denied, or Audited. The event types correspond to the Informational, Error, and Warning level events in the AppLocker event logs.

Attributes

Name Value

Required?

false

Accept wildcard characters?

false

Accept Pipeline Input?

false

Position?

named

-Statistics <Boolean>

Provides the number of times that a file is listed in the event log after applying the optional filters.

Attributes

Name Value

Required?

false

Accept wildcard characters?

false

Accept Pipeline Input?

false

Position?

named

-CommonParameter

This cmdlet supports the common parameters: -Verbose, -Debug, -ErrorAction, -ErrorVariable, -OutBuffer, and -OutVariable. For more information, see About Common Parameter

Input and Return Types

The input type is the type of the objects that you can pipe to the cmdlet. The return type is the type of the objects that the cmdlet emits.

Input Type

.

Return Type

FileInformation[].

Notes

Examples

EXAMPLE 1

C:\PS>Get-AppLockerFileInformation -Directory C:\Windows\System32\ -Recurse -FileType Exe, Script

Gets the file information for all of the executable files and scripts in the directory C:\Windows\System32.

EXAMPLE 2

C:\PS>Get-AppLockerFileInformation -Path "C:\Program Files\Microsoft Office\Winword.exe"

Gets the file information for the Winword.exe file in the path C:\Program Files\Microsoft Office\.

EXAMPLE 3

C:\PS>Get-AppLockerFileInformation -EventLog -LogPath "Microsoft-Windows-AppLocker/EXE and DLL" -EventType Audited

Gets the file information for all of the audited events in the local Microsoft-Windows-AppLocker/EXE and DLL AppLocker event log.

EXAMPLE 4

C:\PS>Get-AppLockerFileInformation -EventLog -LogPath "Microsoft-Windows-AppLocker/MSI and Script" -EventType Allowed -Statistics

Gets the statistics for all of the allowed script events in the local Microsoft-Windows-AppLocker/MSI and Script event log. The cmdlet provides the number of times that a script or Windows Installer file is listed in the event log.

EXAMPLE 5

C:\PS>Get-AppLockerFileInformation -EventLog -LogPath "Microsoft-Windows-AppLocker/EXE and DLL" -EventType Audited | New-AppLockerPolicy -RuleType Publisher, Hash, Path -User Everyone | Set-AppLockerPolicy -LDAP "LDAP://DC13.Contoso.com/CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=Contoso,DC=com"

Gets the file information from all of the audited events in the local Microsoft-Windows-AppLocker/EXE and DLL event log, creates a new AppLocker policy for the files from the audited events, and then sets the AppLocker policy for the specified Group Policy Object (GPO).

See Also

Reference

Get-AppLockerPolicy
Set-AppLockerPolicy
New-AppLockerPolicy
Test-AppLockerPolicy