
Powershell Commandlets

AppLocker Module

Compiled by Les Lewis

This information was taken directly from the Get-Help files within the AppLocker commandlets.

This is for informational use, placed into an easy to read format.

Page |1
Table of Contents
What is it used for?
Get-AppLockerFileInformation
    SYNOPSIS
    SYNTAX
    DESCRIPTION
    PARAMETERS
    INPUTS
    OUTPUTS
    RELATED LINKS
Get-AppLockerPolicy
    SYNOPSIS
    SYNTAX
    DESCRIPTION
    PARAMETERS
    INPUTS
    OUTPUTS
    RELATED LINKS
New-AppLockerPolicy
    SYNOPSIS
    SYNTAX
    DESCRIPTION
    PARAMETERS
    INPUTS
    OUTPUTS
    RELATED LINKS
Set-AppLockerPolicy
    SYNOPSIS
    SYNTAX
    DESCRIPTION
    PARAMETERS
    INPUTS
    OUTPUTS
    RELATED LINKS
Test-AppLockerPolicy
    SYNOPSIS
    SYNTAX
    DESCRIPTION
    PARAMETERS
    INPUTS
    OUTPUTS
    RELATED LINKS

What is it used for?
Exposes Windows Installer functionality to Windows PowerShell

Get-AppLockerFileInformation
SYNOPSIS
Gets the file information necessary to create AppLocker rules from
a list of files or an event log.

SYNTAX
Get-AppLockerFileInformation [[-Path] <List<String>>] [-InformationAction {SilentlyContinue | Stop | Continue | Inquire | Ignore | Suspend}] [-InformationVariable <System.String>] [<CommonParameters>]

Get-AppLockerFileInformation [-FileType {Exe | Dll | WindowsInstaller | Script | Appx}] [-InformationAction {SilentlyContinue | Stop | Continue | Inquire | Ignore | Suspend}] [-InformationVariable <System.String>] [-Recurse] -Directory <String> [<CommonParameters>]

Get-AppLockerFileInformation [-EventType <List<AppLockerEventType>>] [-InformationAction {SilentlyContinue | Stop | Continue | Inquire | Ignore | Suspend}] [-InformationVariable <System.String>] [-LogPath <String>] [-Statistics] -EventLog [<CommonParameters>]

Get-AppLockerFileInformation [[-Packages] <List<AppxPackage>>] [-InformationAction {SilentlyContinue | Stop | Continue | Inquire | Ignore | Suspend}] [-InformationVariable <System.String>] [<CommonParameters>]

DESCRIPTION
The Get-AppLockerFileInformation cmdlet gets the AppLocker file
information from a list of files or an event log. File information
includes the publisher information, file hash, and file path.

The file information from an event log may not contain all of the
publisher information, file hash, and file path fields. Files that
are not signed will not have any publisher information.

PARAMETERS
-Directory <String>
Specifies the directory that contains the files for which to get
the file information. If all subfolders and files in the specified
directory are to be searched, then include the Recurse parameter.

Required? true
Position? named
Default value none
Accept pipeline input? false
Accept wildcard characters? false

-EventLog <SwitchParameter>
Specifies that the file information is retrieved from the event
log.

Required? true
Position? named
Default value none
Accept pipeline input? false
Accept wildcard characters? false

-EventType [<List<AppLockerEventType>>]
Specifies the event type by which to filter the events. The
acceptable values for this parameter are: Allowed, Denied, or
Audited. The event types correspond to the Informational, Error,
and Warning level events in the AppLocker event logs.

Required? false
Position? named
Default value none
Accept pipeline input? false
Accept wildcard characters? false

-FileType [<List<AppLockerFileType>>]
Specifies the generic file type for which to search. All files
having the appropriate file name extension will be included.
The acceptable values for this parameter are: EXE, Script, MSI, and
DLL.

Required? false
Position? named
Default value none
Accept pipeline input? false
Accept wildcard characters? false

-InformationAction [<System.Management.Automation.ActionPreference>]
Specifies how this cmdlet responds to an information event. The
acceptable values for this parameter are:

-- SilentlyContinue
-- Stop
-- Continue
-- Inquire
-- Ignore
-- Suspend

Required? false
Position? named
Default value none
Accept pipeline input? false
Accept wildcard characters? false

-InformationVariable [<System.String>]
Specifies a variable in which to store an information event
message.

Required? false
Position? named
Default value none
Accept pipeline input? false
Accept wildcard characters? false

-LogPath [<String>]
Specifies the log name or file path of the event log where the
AppLocker events are located. By default, if this parameter is not
specified, the local Microsoft-Windows-AppLocker/EXE and DLL
channel is used.

Required? false
Position? named
Default value none
Accept pipeline input? false
Accept wildcard characters? false

-Packages [<List<AppxPackage>>]
Specifies a list of installed packaged applications, from which the
file information is retrieved.

Required? false
Position? 1
Default value none
Accept pipeline input? true (ByValue, ByPropertyName)
Accept wildcard characters? false

-Path [<List<String>>]
Specifies a list of paths to the files from which the file
information is retrieved. Supports regular expressions.

Required? false
Position? 1
Default value none
Accept pipeline input? true (ByValue, ByPropertyName)
Accept wildcard characters? false

-Recurse [<SwitchParameter>]
Specifies that all files and folders in the specified directory
will be searched.

Required? false
Position? named
Default value none
Accept pipeline input? false
Accept wildcard characters? false

-Statistics [<SwitchParameter>]
Specifies the statistics to retrieve on the files included in the
event log. Calculates a simple sum of the number of times a file is
included in the event log based on specified parameters.

Required? false
Position? named
Default value none
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information,
see about_CommonParameters
(http://go.microsoft.com/fwlink/?LinkID=113216).

INPUTS
None

OUTPUTS
Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.FileInformation

System.String

EXAMPLE 1

PS C:\>Get-AppLockerFileInformation -Directory C:\Windows\system32\ -Recurse -FileType exe, script

This example gets the file information for all the .exe files and
scripts under %windir%\system32.

EXAMPLE 2

PS C:\>Get-AppLockerFileInformation -Path "C:\Program Files (x86)\Internet Explorer\iexplore.exe" | Format-List

Path      : %PROGRAMFILES%\INTERNET EXPLORER\IEXPLORE.EXE
Publisher : CN=WINDOWS MAIN BUILD LAB ACCOUNT\WINDOWS® INTERNET EXPLORER\IEXPLORE.EXE,10.0.8421.0
Hash      : SHA256 0x5F374C2DD91A6F9E9E96F149EE221EC0454649F50E1AF6D3DAEFB849FB7C551C
AppX      : False

PS C:\>Get-AppLockerFileInformation -Path "C:\Program Files\Internet Explorer\iexplore.exe" | Format-List

Path      : %PROGRAMFILES%\INTERNET EXPLORER\IEXPLORE.EXE
Publisher : CN=WINDOWS MAIN BUILD LAB ACCOUNT\WINDOWS® INTERNET EXPLORER\IEXPLORE.EXE,10.0.8421.0
Hash      : SHA256 0x5F374C2DD91A6F9E9E96F149EE221EC0454649F50E1AF6D3DAEFB849FB7C551C
AppX      : False

This example gets the file information for the file specified by
the path.

EXAMPLE 3

PS C:\>Get-AppXPackage -AllUsers | Get-AppLockerFileInformation

Path      : windows.immersivecontrolpanel_6.2.0.0_neutral_neutral_cw5n1h2txyewy.appx
Publisher : CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US\windows.immersivecontrolpanel\APPX,6.2.0.0
Hash      :
AppX      : True

Path      : windows.RemoteDesktop_1.0.0.0_neutral_neutral_cw5n1h2txyewy.appx
Publisher : CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US\windows.RemoteDesktop\APPX,1.0.0.0
Hash      :
AppX      : True

Path      : WinStore_1.0.0.0_neutral_neutral_cw5n1h2txyewy.appx
Publisher : CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US\WinStore\APPX,1.0.0.0
Hash      :
AppX      : True

This example outputs the file information for all the packaged
applications installed on this machine for all users.

EXAMPLE 4

PS C:\>Get-AppLockerFileInformation -EventLog -EventType Audited

This example outputs the file information for all the Audited
events in the local event log. Audited events correspond to the
Warning event in the AppLocker audit log.

EXAMPLE 5

PS C:\>Get-AppLockerFileInformation -EventLog -EventType Allowed -Statistics

This example displays statistics for all the Allowed events in the
local event log. For each file in the event log, the cmdlet will
sum the number of times the event type occurred.

EXAMPLE 6

PS C:\>Get-AppLockerFileInformation -EventLog -EventType Audited | New-AppLockerPolicy -RuleType Publisher, Hash, Path -User Everyone -Optimize | Set-AppLockerPolicy -LDAP LDAP://TestGPO

This example creates a new AppLocker policy from the warning events
in the local event log and sets the policy of a test Group Policy
Object (GPO).
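The following script is an added example and not part of the Get-Help text: it triages the Audited events that Get-AppLockerFileInformation reads from the local AppLocker log, separating files that could be covered by publisher rules from unsigned files that would need hash rules. It assumes the AppLocker module is present, that the log already holds Audited (Warning) events from an audit-only policy, and that the Publisher property renders as the backslash-separated string shown in EXAMPLE 2; the CSV output path is constructed.

```powershell
# Added example, not part of the Get-Help text: triage Audited events so an
# operator can see which files could get publisher rules and which would need
# hash rules. Assumes the AppLocker module is present and the local log already
# holds Audited (Warning) events from an audit-only policy.
Import-Module AppLocker

$audited = @(Get-AppLockerFileInformation -EventLog -EventType Audited)

# Per the DESCRIPTION above, unsigned files carry no publisher information,
# so they can only be covered by hash or path rules.
$signed   = @($audited | Where-Object { $_.Publisher })
$unsigned = @($audited | Where-Object { -not $_.Publisher })

"{0} audited files: {1} signed, {2} unsigned" -f $audited.Count, $signed.Count, $unsigned.Count

# Group signed files by certificate subject: the part of the Publisher string
# before the first backslash (format shown in EXAMPLE 2). Treating Publisher
# as that display string is an assumption, not a documented API.
$signed |
    Group-Object { "$($_.Publisher)".Split('\')[0] } |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Unsigned files need a closer look before any rule is written for them; list
# each once with its hash so it can be checked against a known-good copy.
$unsigned |
    Sort-Object { "$($_.Path)" } -Unique |
    Select-Object Path, Hash |
    Format-Table -AutoSize -Wrap

# Keep the raw result for the change record (constructed output path).
$audited |
    Select-Object Path, Publisher, Hash, AppX |
    Export-Csv -Path "$env:TEMP\applocker-audited.csv" -NoTypeInformation
```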

RELATED LINKS
Online Version: http://go.microsoft.com/fwlink/?linkid=287248
Get-AppLockerPolicy
New-AppLockerPolicy
Set-AppLockerPolicy
Test-AppLockerPolicy
Get-AppxPackage

Get-AppLockerPolicy
SYNOPSIS
Gets the local, the effective, or a domain AppLocker policy.

SYNTAX
Get-AppLockerPolicy [-InformationAction {SilentlyContinue | Stop | Continue | Inquire | Ignore | Suspend}] [-InformationVariable <System.String>] [-Xml] -Local [<CommonParameters>]

Get-AppLockerPolicy [-InformationAction {SilentlyContinue | Stop | Continue | Inquire | Ignore | Suspend}] [-InformationVariable <System.String>] [-Xml] -Domain -Ldap <String> [<CommonParameters>]

Get-AppLockerPolicy [-InformationAction {SilentlyContinue | Stop | Continue | Inquire | Ignore | Suspend}] [-InformationVariable <System.String>] [-Xml] -Effective [<CommonParameters>]

DESCRIPTION
The Get-AppLockerPolicy cmdlet retrieves the AppLocker policy from
the local Group Policy Object (GPO), a specified Group Policy
Object (GPO), or the effective policy on the computer.

By default, the output is an AppLockerPolicy object. If the Xml
parameter is used, then the output will be the AppLocker policy as
an XML-formatted string.

PARAMETERS
-Domain <SwitchParameter>
Gets the AppLocker policy from the GPO specified by the path given
in the Ldap parameter.

Required? true
Position? named
Default value none
Accept pipeline input? false
Accept wildcard characters? false

-Effective <SwitchParameter>
Gets the effective AppLocker policy on the local computer. The
effective policy is the merge of the local AppLocker policy and any
applied AppLocker domain policies on the local computer.

Required? true
Position? named
Default value none
Accept pipeline input? false
Accept wildcard characters? false

-InformationAction [<System.Management.Automation.ActionPreference>]
Specifies how this cmdlet responds to an information event. The
acceptable values for this parameter are:

-- SilentlyContinue
-- Stop
-- Continue
-- Inquire
-- Ignore
-- Suspend

Required? false
Position? named
Default value none
Accept pipeline input? false
Accept wildcard characters? false

-InformationVariable [<System.String>]
Specifies a variable in which to store an information event
message.

Required? false
Position? named
Default value none
Accept pipeline input? false
Accept wildcard characters? false

-Ldap <String>
Specifies the LDAP path of the GPO and must specify a unique GPO.

Required? true
Position? named
Default value none
Accept pipeline input? false
Accept wildcard characters? false

-Local <SwitchParameter>
Gets the AppLocker policy from the local GPO.

Required? true
Position? named
Default value none
Accept pipeline input? false
Accept wildcard characters? false

-Xml [<SwitchParameter>]
Specifies that the AppLocker policy be output as an XML-formatted
string.

Required? false
Position? named
Default value none
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information,
see about_CommonParameters
(http://go.microsoft.com/fwlink/?LinkID=113216).

INPUTS
None

OUTPUTS
Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.AppLockerPolicy

AppLockerPolicy

System.String

EXAMPLE 1

PS C:\>Get-AppLockerPolicy -Local

Version RuleCollections RuleCollectionTypes
------- --------------- -------------------
1       {}              {}

This example gets the local AppLocker policy as an AppLockerPolicy
object.

EXAMPLE 2

PS C:\>Get-AppLockerPolicy -Domain -LDAP "LDAP://DC13.Contoso.com/CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=Contoso,DC=com"

This example gets the AppLocker policy of the unique GPO specified
by the LDAP path as an AppLockerPolicy object.

EXAMPLE 3

PS C:\>Get-AppLockerPolicy -Effective -Xml | Set-Content ('c:\temp\curr.xml')

This example gets the effective policy on the computer, and then
sends it in XML-format to the specified file on an existing path.

EXAMPLE 4

PS C:\>Get-AppLockerPolicy -Local | Test-AppLockerPolicy -Path C:\Windows\System32\*.exe -User Everyone

This example gets the local AppLocker policy on the computer, and
then tests the policy using the Test-AppLockerPolicy cmdlet to test
whether the .exe files in C:\Windows\System32 will be allowed to
run by the Everyone group.

RELATED LINKS
Online Version: http://go.microsoft.com/fwlink/?linkid=287249
Get-AppLockerFileInformation
New-AppLockerPolicy
Set-AppLockerPolicy
Test-AppLockerPolicy

New-AppLockerPolicy
SYNOPSIS
Creates a new AppLocker policy from a list of file information and
other rule creation options.

SYNTAX
New-AppLockerPolicy [-FileInformation] <List<FileInformation>> [-IgnoreMissingFileInformation] [-InformationAction {SilentlyContinue | Stop | Continue | Inquire | Ignore | Suspend}] [-InformationVariable <System.String>] [-Optimize] [-RuleNamePrefix <String>] [-RuleType <List<RuleType>>] [-ServiceEnforcement <System.String>] [-User <String>] [-Xml] [<CommonParameters>]

DESCRIPTION
The New-AppLockerPolicy cmdlet uses a list of file information to
automatically generate a list of rules for a given user or group.
Rules can be generated based on publisher, hash, or path
information.

Run the Get-AppLockerFileInformation cmdlet to create the list of
file information.

By default, the output is an AppLockerPolicy object. If the Xml
parameter is specified, the output will be the AppLocker policy as
an XML-formatted string.

PARAMETERS
-FileInformation <List<FileInformation>>
Specifies a file that can contain publisher, path, and hash
information. Some information may be missing, such as publisher
information for an unsigned file.

Required? true
Position? 1
Default value none
Accept pipeline input? true (ByValue, ByPropertyName)
Accept wildcard characters? false

-IgnoreMissingFileInformation [<SwitchParameter>]
Specifies that, if a rule cannot be created for a file because of
missing file information, then evaluation of the remaining file
information will continue and a warning log of the files skipped
will be generated.

Required? false
Position? named
Default value none
Accept pipeline input? false
Accept wildcard characters? false

-InformationAction [<System.Management.Automation.ActionPreference>]
Specifies how this cmdlet responds to an information event. The
acceptable values for this parameter are:

-- SilentlyContinue
-- Stop
-- Continue
-- Inquire
-- Ignore
-- Suspend

Required? false
Position? named
Default value none
Accept pipeline input? false
Accept wildcard characters? false

-InformationVariable [<System.String>]
Specifies a variable in which to store an information event
message.

Required? false
Position? named
Default value none
Accept pipeline input? false
Accept wildcard characters? false

-Optimize [<SwitchParameter>]
Specifies that similar rules will be grouped together.

Required? false
Position? named
Default value none
Accept pipeline input? false
Accept wildcard characters? false

-RuleNamePrefix [<String>]
Specifies a name to add as the prefix for each rule that is
created.

Required? false
Position? named
Default value none
Accept pipeline input? false
Accept wildcard characters? false

-RuleType [<List<RuleType>>]
Specifies the type of rules to create from the file information.
Publisher, path, or hash rules can be created from the file
information.

Multiple rule types may be specified so that there are backup rule
types if the necessary file information is not available.

For example, if Publisher, Hash is specified for this parameter,
then the hash rules are applied when publisher information is not
available.

Required? false
Position? named
Default value none
Accept pipeline input? false
Accept wildcard characters? false

-ServiceEnforcement [<System.String>]
Specifies whether the AppLocker policy for EXE and DLL rule
collections applies to non-interactive processes. The acceptable
values for this parameter are:

-- NotConfigured
-- Enabled
-- ServicesOnly

Required? false
Position? named
Default value none
Accept pipeline input? false
Accept wildcard characters? false

-User [<String>]
Specifies the user or group to which the rules are applied. The
acceptable values for this parameter are:

-- DNS user name (domain\username)
-- User Principal Name (username@domain.com)
-- SAM user name (username)
-- Security identifier (S-1-5-21-3165297888-301567370-576410423-1103)

Required? false
Position? named
Default value none
Accept pipeline input? false
Accept wildcard characters? false

-Xml [<SwitchParameter>]
Specifies that the output of the AppLocker policy be as an
XML-formatted string.

Required? false
Position? named
Default value none
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information,
see about_CommonParameters
(http://go.microsoft.com/fwlink/?LinkID=113216).

INPUTS
Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.FileInformation

OUTPUTS
Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.AppLockerPolicy

AppLockerPolicy

System.String

EXAMPLE 1

C:\PS>Get-ChildItem C:\Windows\System32\*.exe | Get-AppLockerFileInformation | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -RuleNamePrefix System32

Version RuleCollections                         RuleCollectionTypes
------- ---------------                         -------------------
1       {Microsoft.Security.ApplicationId.Po... {Exe}

This example creates an AppLocker policy that contains allow rules
for all of the executable files in C:\Windows\System32. The policy
contains publisher rules for those files with publisher information
and hash rules for those that do not. The rules are prefixed with
System32: and the rules apply to the Everyone group.

EXAMPLE 2

C:\PS>Get-ChildItem C:\Windows\System32\*.exe | Get-AppLockerFileInformation | New-AppLockerPolicy -RuleType Path -User Everyone -Optimize -XML

<AppLockerPolicy Version="1"><RuleCollection Type="Exe" EnforcementMode="NotConfigured"><FilePathRule Id="31B2F340-016D-11D2-945F-00C04FB984F9" Name="%SYSTEM32%\*" Description="" UserOrGroupSid="S-1-5-21-3165297888-301567370-576410423-13" Action="Allow"><Conditions><FilePathCondition Path="%SYSTEM32%\*" /></Conditions></FilePathRule></RuleCollection></AppLockerPolicy>

This example creates an XML-formatted AppLocker policy for all of
the executable files in C:\Windows\System32. The policy contains
only path rules, the rules are applied to the Everyone group, and
the Optimize parameter indicates that similar rules are grouped
together where possible.

EXAMPLE 3

C:\PS>Get-AppLockerFileInformation -EventLog -LogPath "Microsoft-Windows-AppLocker/EXE and DLL" -EventType Audited | New-AppLockerPolicy -RuleType Publisher,Hash -User domain\FinanceGroup -IgnoreMissingFileInformation | Set-AppLockerPolicy -LDAP "LDAP://DC13.TailspinToys.com/CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=WingTipToys,DC=com"

This example creates a new AppLocker policy from the audited events
in the local Microsoft-Windows-AppLocker/EXE and DLL event log. All
of the rules will be applied to the domain\FinanceGroup group.
Publisher rules are created when the publisher information is
available, and hash rules are created if the publisher information
is not available. If only path information is available for a file,
then the file is skipped because the IgnoreMissingFileInformation
parameter is specified, and the file is included in the warning
log. If the IgnoreMissingFileInformation parameter is not specified
when file information is missing, then the cmdlet exits because it
cannot create the specified rule type. After the new AppLocker
policy is created, the AppLocker policy of the specified Group
Policy Object (GPO) is set. The existing AppLocker policy in the
specified GPO will be overwritten.
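The following script is an added example and not part of the Get-Help text: it builds a policy for one application folder with Publisher rules first and Hash rules as the backup type, captures the files that -IgnoreMissingFileInformation skipped through the -WarningVariable common parameter, switches the generated collections to AuditOnly, and saves the XML for testing. The folder, group name and output path are constructed; the FilePublisherRule and FileHashRule element names and the AuditOnly enforcement value are assumptions not listed in the Get-Help text above.

```powershell
# Added example, not part of the Get-Help text: build a policy from one
# application folder, record what could not be covered, and save it as
# audit-only XML. Folder, group and output path are constructed placeholders.
Import-Module AppLocker

$source = 'C:\Program Files\Contoso App'        # constructed application folder
$outXml = "$env:TEMP\contoso-app-policy.xml"    # constructed output file

$info = Get-AppLockerFileInformation -Directory $source -Recurse -FileType Exe, Dll, Script

# Publisher first, Hash as the backup rule type (see -RuleType above).
# -IgnoreMissingFileInformation keeps the cmdlet running when a file has
# neither publisher nor hash information; those files are reported on the
# warning stream, which the common parameter -WarningVariable captures.
$xml = $info | New-AppLockerPolicy -RuleType Publisher, Hash `
    -User 'CONTOSO\AppUsers' -RuleNamePrefix 'ContosoApp' -Optimize `
    -IgnoreMissingFileInformation -Xml `
    -WarningVariable skipped -WarningAction SilentlyContinue

if ($skipped) {
    "Files skipped, no rule created:"
    $skipped | ForEach-Object { "  $($_.Message)" }
}

# Inspect the generated rules per collection. Element names follow the XML
# layout shown in EXAMPLE 2; FilePublisherRule and FileHashRule are assumed
# to be the element names for the other two rule types.
[xml]$doc = $xml
foreach ($rc in @($doc.AppLockerPolicy.RuleCollection | Where-Object { $_ })) {
    $byType = @($rc.ChildNodes | Group-Object LocalName | ForEach-Object { "$($_.Name)=$($_.Count)" })
    "{0,-18} {1,4} rules  {2}" -f $rc.Type, @($rc.ChildNodes).Count, ($byType -join ', ')

    # New-AppLockerPolicy emits EnforcementMode="NotConfigured" (EXAMPLE 2);
    # switch the collection to AuditOnly so the first rollout only logs
    # (assumed attribute value, not listed in the Get-Help text).
    $rc.EnforcementMode = 'AuditOnly'
}

$doc.Save($outXml)
"Audit-only policy written to $outXml; test it with Test-AppLockerPolicy before deploying."
```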

RELATED LINKS
Online Version: http://go.microsoft.com/fwlink/?linkid=287250
Get-AppLockerFileInformation
Get-AppLockerPolicy
Set-AppLockerPolicy
Test-AppLockerPolicy

Set-AppLockerPolicy
SYNOPSIS
Sets the AppLocker policy for the specified GPO.

SYNTAX
Set-AppLockerPolicy [-XmlPolicy] <String> [-InformationAction {SilentlyContinue | Stop | Continue | Inquire | Ignore | Suspend}] [-InformationVariable <System.String>] [-Ldap <String>] [-Merge] [<CommonParameters>]

Set-AppLockerPolicy [-PolicyObject] <AppLockerPolicy> [-InformationAction {SilentlyContinue | Stop | Continue | Inquire | Ignore | Suspend}] [-InformationVariable <System.String>] [-Ldap <String>] [-Merge] [<CommonParameters>]

DESCRIPTION
The Set-AppLockerPolicy cmdlet sets the specified GPO to contain
the specified AppLocker policy. If no Lightweight Directory Access
Protocol (LDAP) is specified, then the default is the local GPO.

The input values for the AppLocker policy can be an AppLockerPolicy
object or an XML-formatted file that contains the AppLocker policy.

PARAMETERS
-InformationAction [<System.Management.Automation.ActionPreference>]
Specifies how this cmdlet responds to an information event. The
acceptable values for this parameter are:

-- SilentlyContinue
-- Stop
-- Continue
-- Inquire
-- Ignore
-- Suspend

Required? false
Position? named
Default value none
Accept pipeline input? false
Accept wildcard characters? false

-InformationVariable [<System.String>]
Specifies a variable in which to store an information event
message.

Required? false
Position? named
Default value none
Accept pipeline input? false
Accept wildcard characters? false

-Ldap [<String>]
Specifies the LDAP path of the GPO. It must specify a unique GPO.
If this parameter is not specified, then the local AppLocker policy
is set.

Required? false
Position? named
Default value none
Accept pipeline input? false
Accept wildcard characters? false

-Merge [<SwitchParameter>]
Merges the rules in the specified AppLocker policy with the
AppLocker rules in the target GPO specified in the LDAP path. The
merging of policies will remove rules with duplicate rule IDs, and
the enforcement setting specified by the AppLocker policy in the
target GPO will be preserved. If the Merge parameter is not
specified, then the new policy will overwrite the existing policy.

Required? false
Position? named
Default value none
Accept pipeline input? false
Accept wildcard characters? false

-PolicyObject <AppLockerPolicy>
Specifies the AppLockerPolicy object that contains the AppLocker
policy. Can be obtained from the Get-AppLockerPolicy and the
New-AppLockerPolicy cmdlets.

Required? true
Position? 1
Default value none
Accept pipeline input? true (ByValue, ByPropertyName)
Accept wildcard characters? false

-XmlPolicy <String>
Specifies the path where the XML-formatted file that contains the
AppLocker policy is saved.

Required? true
Position? 1
Default value none
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information,
see about_CommonParameters
(http://go.microsoft.com/fwlink/?LinkID=113216).

INPUTS
Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.AppLockerPolicy

AppLockerPolicy

System.String

OUTPUTS
None

EXAMPLE 1

PS C:\> Set-AppLockerPolicy -XMLPolicy C:\Policy.xml

This example sets the local AppLocker policy to the policy
specified in C:\Policy.xml.

EXAMPLE 2

PS C:\> Set-AppLockerPolicy -XMLPolicy C:\Policy.xml -LDAP "LDAP://DC13.Contoso.com/CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=Contoso,DC=com"

This example sets the GPO specified in the LDAP path to contain the
AppLocker policy that is specified in C:\Policy.xml.

EXAMPLE 3

PS C:\> Get-AppLockerPolicy -Local | Set-AppLockerPolicy -LDAP "LDAP://DC13.Contoso.com/CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=Contoso,DC=com" -Merge

This example gets the local AppLocker policy, and then merges the
policy with the existing AppLocker policy in the GPO specified in
the LDAP path. For more information on how two policies are merged,
see the Merge parameter description.
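The following script is an added example and not part of the Get-Help text: it applies a policy file to a GPO with -Merge, keeps a dated XML backup of the GPO's current policy first (since without -Merge the existing policy is overwritten), and then compares rule counts per collection before and after. The LDAP path, GPO GUID and file names are constructed placeholders; the rule elements are counted using the XML layout shown in the New-AppLockerPolicy EXAMPLE 2 output.

```powershell
# Added example, not part of the Get-Help text: back up, merge, verify.
# LDAP path, GPO GUID and file names are constructed placeholders.
Import-Module AppLocker

$gpo    = 'LDAP://DC13.Contoso.com/CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=Contoso,DC=com'
$newXml = "$env:TEMP\contoso-app-policy.xml"
$backup = "$env:TEMP\applocker-backup-{0:yyyyMMdd-HHmm}.xml" -f (Get-Date)

# Count rules per collection in a policy XML string (element layout as in the
# New-AppLockerPolicy EXAMPLE 2 output: one child element per rule).
function Get-RuleCounts([string]$PolicyXml) {
    [xml]$doc = $PolicyXml
    $counts = @{}
    foreach ($rc in @($doc.AppLockerPolicy.RuleCollection | Where-Object { $_ })) {
        $counts[$rc.Type] = @($rc.ChildNodes).Count
    }
    return $counts
}

# 1. Back up the GPO's current policy before changing it.
$before = Get-AppLockerPolicy -Domain -Ldap $gpo -Xml
Set-Content -Path $backup -Value $before
"Backup written to $backup"

# 2. Merge instead of overwrite: rules with duplicate IDs are dropped and the
#    GPO's enforcement setting is kept (see the -Merge parameter above).
Set-AppLockerPolicy -XmlPolicy $newXml -Ldap $gpo -Merge

# 3. Verify that no rule collection lost rules in the process.
$after = Get-AppLockerPolicy -Domain -Ldap $gpo -Xml
$b = Get-RuleCounts $before
$a = Get-RuleCounts $after
foreach ($type in (@($a.Keys) + @($b.Keys) | Sort-Object -Unique)) {
    "{0,-18} before={1,4} after={2,4}" -f $type, [int]$b[$type], [int]$a[$type]
    if ([int]$a[$type] -lt [int]$b[$type]) {
        Write-Warning "Rule collection '$type' shrank; compare against $backup before going further."
    }
}
```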

RELATED LINKS
Online Version: http://go.microsoft.com/fwlink/?linkid=287251
Get-AppLockerFileInformation
Get-AppLockerPolicy
New-AppLockerPolicy
Test-AppLockerPolicy

Test-AppLockerPolicy
SYNOPSIS
Specifies the AppLocker policy to determine whether the input files
will be allowed to run for a given user.

SYNTAX
Test-AppLockerPolicy [-XmlPolicy] <String> [-Filter <List<PolicyDecision>>] [-InformationAction {SilentlyContinue | Stop | Continue | Inquire | Ignore | Suspend}] [-InformationVariable <System.String>] [-User <String>] -Path <List<String>> [<CommonParameters>]

Test-AppLockerPolicy [-XmlPolicy] <String> [-Filter <List<PolicyDecision>>] [-InformationAction {SilentlyContinue | Stop | Continue | Inquire | Ignore | Suspend}] [-InformationVariable <System.String>] [-User <String>] -Packages <List<AppxPackage>> [<CommonParameters>]

Test-AppLockerPolicy [-PolicyObject] <AppLockerPolicy> [-Filter <List<PolicyDecision>>] [-InformationAction {SilentlyContinue | Stop | Continue | Inquire | Ignore | Suspend}] [-InformationVariable <System.String>] [-User <String>] -Path <List<String>> [<CommonParameters>]

DESCRIPTION
The Test-AppLockerPolicy cmdlet specifies the AppLocker policy to
determine whether a list of files is allowed to run on the local
computer for a specified user.

To test AppLocker rules for a nested group, a representative member
of the nested group should be specified for the User parameter. For
example, a rule that allows the Everyone group to run calc.exe may
not appear to apply correctly when the nested Finance group for the
User parameter is specified. Instead, a representative member of
the Finance group should be specified for the User parameter.

PARAMETERS
-Filter [<List<PolicyDecision>>]
Specifies the policy decision by which to filter the output for
each input file. The acceptable values for this parameter are:
Allowed, Denied, DeniedByDefault, or AllowedByDefault.

Required? false
Position? named
Default value none
Accept pipeline input? false
Accept wildcard characters? false

-InformationAction [<System.Management.Automation.ActionPreference>]
Specifies how this cmdlet responds to an information event. The
acceptable values for this parameter are:

-- SilentlyContinue
-- Stop
-- Continue
-- Inquire
-- Ignore
-- Suspend

Required? false
Position? named
Default value none
Accept pipeline input? false
Accept wildcard characters? false

-InformationVariable [<System.String>]
Specifies a variable in which to store an information event
message.

Required? false
Position? named
Default value none
Accept pipeline input? false
Accept wildcard characters? false

-Packages <List<AppxPackage>>
Specifies a list of installed packaged applications, from which the
file information is retrieved.

Required? true
Position? named
Default value none
Accept pipeline input? true (ByValue, ByPropertyName)
Accept wildcard characters? false

-Path <List<String>>
Specifies the list of the file paths to test. Regular expressions
are supported.

Required? true
Position? named
Default value none
Accept pipeline input? true (ByValue, ByPropertyName)
Accept wildcard characters? false

-PolicyObject <AppLockerPolicy>
Specifies the AppLocker policy. Can be obtained from the
Get-AppLockerPolicy or the New-AppLockerPolicy cmdlet.

Required? true
Position? 1
Default value none
Accept pipeline input? true (ByValue, ByPropertyName)
Accept wildcard characters? false

-User [<String>]
Defines the user or group to be used for testing the rules in a
specified AppLocker policy. The acceptable values for this
parameter are:

-- DNS user name (domain\username)
-- User Principal Name (username@domain.com)
-- SAM user name (username)
-- Security identifier (S-1-5-21-3165297888-301567370-576410423-1103)

Required? false
Position? named
Default value none
Accept pipeline input? false
Accept wildcard characters? false

-XmlPolicy <String>
Specifies the file path and name of the XML-formatted file that
contains the AppLocker policy.

Required? true
Position? 1
Default value none
Accept pipeline input? false
Accept wildcard characters? false

<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information,
see about_CommonParameters
(http://go.microsoft.com/fwlink/?LinkID=113216).

INPUTS
Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.AppLo
ckerPolicy

AppLockerPolicy

OUTPUTS
Microsoft.Security.ApplicationId.PolicyManagement.AppLockerPolicyDe
cision

EXAMPLE 1

PS C:\>Test-AppLockerPolicy -XmlPolicy C:\Policy.xml -Path
c:\windows\system32\calc.exe, C:\windows\system32\notepad.exe -User
Everyone

This example reports if calc.exe and notepad.exe will be allowed to
run for Everyone under the policy specified by C:\Policy.xml.

EXAMPLE 2

PS C:\>Get-ChildItem C:\windows\system32\*.exe |
Test-AppLockerPolicy c:\Policy.xml -Filter DeniedByDefault

This example lists the executables under C:\Windows\System32 that
everyone will be denied by the policy specified by C:\Policy.xml
because there is no explicit rule for the file.

EXAMPLE 3

PS C:\>Get-AppLockerPolicy -Local | Test-AppLockerPolicy -Path
C:\Windows\System32\*.exe -User contoso\saradavis -Filter Denied |
Format-List -Property | Set-Content ('C:\temp\DeniedFiles.txt')

This example gets the local AppLocker policy, uses the policy to
determine which executables in C:\Windows\System32 that
contoso\saradavis is explicitly denied access to run, and then
redirects the list to a text file.

EXAMPLE 4

PS C:\>Get-AppxPackage -AllUsers | Test-AppLockerPolicy -XmlPolicy
.\SamplePolicy.xml

This example lists all the packages installed on this computer, for
all the users, and tests them against a saved policy.
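An added example that is not part of the Get-Help text: it audits every .exe under a folder against a saved policy for several representative users (one per nested group, as the Description advises) and summarizes the decisions, exporting the files that have no explicit rule. It assumes the policy is in C:\Policy.xml, that the user names are placeholders, and that the decision objects expose FilePath, PolicyDecision and MatchingRule properties.

```powershell
# Added example, not from the AppLocker Get-Help files.
# Assumed policy path, folder and placeholder users.
$Policy  = 'C:\Policy.xml'
$Folder  = 'C:\Program Files'
$Users   = 'contoso\saradavis', 'contoso\finance-rep'   # one member per nested group
$Report  = 'C:\temp\AppLockerGaps.csv'

# Collect full paths; -Path accepts a list of strings.
$Files = Get-ChildItem -Path $Folder -Recurse -Include *.exe -ErrorAction SilentlyContinue |
         Select-Object -ExpandProperty FullName
if (-not $Files) { Write-Warning "No executables found under $Folder"; return }

# Test the same file set for each representative user and tag each decision.
# (FilePath, PolicyDecision and MatchingRule property names are assumed.)
$Results = foreach ($u in $Users) {
    Test-AppLockerPolicy -XmlPolicy $Policy -Path $Files -User $u |
        Select-Object @{ n = 'User'; e = { $u } }, FilePath, PolicyDecision, MatchingRule
}

# Counts per user and decision: Allowed, Denied, DeniedByDefault, AllowedByDefault.
$Results | Group-Object User, PolicyDecision |
    Select-Object Name, Count | Sort-Object Name | Format-Table -AutoSize

# DeniedByDefault means no rule matched; these are the gaps to review
# before switching the policy from audit to enforce.
$Results | Where-Object { $_.PolicyDecision -eq 'DeniedByDefault' } |
    Export-Csv -Path $Report -NoTypeInformation
Write-Host "Unmatched files written to $Report"
```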

RELATED LINKS
Online Version: http://go.microsoft.com/fwlink/?linkid=287252
Get-AppLockerFileInformation
Get-AppLockerPolicy
New-AppLockerPolicy
Set-AppLockerPolicy
Get-AppxPackage
