"AaronLocker" moved to GitHub

"AaronLocker" is a robust, practical, and free PowerShell-based application whitelisting solution for Windows, built on Windows AppLocker. Earlier posts describing it are here and here.

Rather than continuing to attach zip files to blog posts, I have moved the "AaronLocker" materials, including scripts and documentation, to GitHub: https://github.com/Microsoft/AaronLocker. Among other things, this will make it easier to upload changes as I make them rather than building up a whole package first. I'll continue to post here to announce significant changes, but the materials now have a permanent home instead of whatever the latest blog post URL is.

Changes since the previous version include:

  • The generated rule set now includes an inoperative rule that contains the date and time the rule set was generated, to help differentiate policy versions and to associate an in-use policy with the policy rule file that has the same timestamp in its filename. You can retrieve this timestamp from the policy even after it has been imported into Group Policy.
  • Added Get-AaronLockerTimestamp.ps1 to retrieve the generated timestamp from local policy, effective policy, or a saved policy XML file.
  • Added DownloadAccesschk.ps1 to download the current version of AccessChk.exe from Sysinternals.
  • Improvements to the workbook produced by Generate-EventWorkbook.ps1 (three user-focused tabs).
  • Added -Objects switch to Get-AppLockerEvents.ps1 to output PSCustomObjects instead of CSV.
  • Scan-Directories.ps1 produces more data, recognizes additional “default” root directories.
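As an added illustration (not the project's own script; Get-AaronLockerTimestamp.ps1 on GitHub is the real one), here is how a timestamp carried in a rule's name can be pulled from a saved policy XML file or from the effective policy via the built-in Get-AppLockerPolicy cmdlet. The marker rule's wording, the yyyyMMdd-HHmm format and the sample policy are constructed assumptions, not AaronLocker's actual format.

```powershell
# Added example (not from the AaronLocker project): find a timestamp carried in an
# AppLocker rule's Name/Description, from a saved XML file or the effective policy.
# Rule wording and timestamp format are assumptions, not AaronLocker's actual format.
function Get-PolicyTimestampRule {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string]$PolicyXml,
        # Assumed format yyyyMMdd-HHmm; adjust to whatever the generator actually writes.
        [string]$Pattern = '\d{8}-\d{4}'
    )
    process {
        [xml]$doc = $PolicyXml
        foreach ($collection in $doc.AppLockerPolicy.RuleCollection) {
            foreach ($rule in $collection.ChildNodes) {
                $text = $rule.GetAttribute('Name') + ' ' + $rule.GetAttribute('Description')
                if ($text -match $Pattern) {
                    [pscustomobject]@{
                        Collection = $collection.GetAttribute('Type')
                        RuleName   = $rule.GetAttribute('Name')
                        Timestamp  = $Matches[0]
                    }
                }
            }
        }
    }
}

# Constructed sample policy: one real allow rule plus an inoperative marker rule
# (a deny rule on a path that never exists) carrying the generation timestamp.
$sample = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="00000000-0000-0000-0000-000000000001" Name="Windows folder"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="00000000-0000-0000-0000-000000000002" Name="Rule set generated 20180725-1430"
                  Description="Marker rule, never matches" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\__aaronlocker_marker__\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@

Get-PolicyTimestampRule -PolicyXml $sample
# On a live machine, read the effective (merged local + GPO) policy instead:
# Get-AppLockerPolicy -Effective -Xml | Get-PolicyTimestampRule
```

Comparing the returned Timestamp against the timestamp in the rule file's name tells you whether the policy a machine is actually enforcing is the one you think you deployed.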

AaronLocker.docx is also on GitHub and explains everything in detail.