Function Get-ApplockerBlocks {
Displays the executables and scripts that are blocked, or would be blocked, by AppLocker policies on a given computer.
Queries the AppLocker event logs for the events that record blocked or would-have-been-blocked applications, scripts, etc.
.PARAMETER ComputerName
The name of the computer whose applocker event logs you wish to query
The AppLocker event log you wish to query: EXEandDLL (default), MSIandSCRIPT, Packagedapp-Deployment or Packagedapp-Execution. Any other value falls back to the 'EXE and DLL' log.
Specifies whether you wish to see events from an 'Audit' (audit-only) policy, an 'Enforced' policy, or 'Both'. Default is 'Audit'; any other value is treated as 'Both'. Events are selected by level (Warning = would have been blocked, Error = blocked), matched on the level's display name, so on a non-English system the localized names may not match and nothing is returned.
.PARAMETER OnlyDisplayUniqueRules
Groups events by their Message property so that each distinct rule/message is shown once, rather than repeated for every matching event.
Get-ApplockerBlocks -ComputerName MyComputer
See which EXE's and DLL's would have been prevented had the applocker policy been enforced
Get-ApplockerBlocks -ComputerName MyComputer -LogType MSIandSCRIPT -Mode Enforced
See which MSI's and Scripts have been prevented from running via an enforced applocker policy
"MyComputer" | Get-ApplockerBlocks -LogType EXEandDLL -Mode Both
See which EXE's and DLL's have been blocked and which would have been blocked: returns both the enforced-mode (blocked) entries and the audit-mode (would have been blocked) entries, which is useful if audit mode was previously enabled in your policy.
Computer names can be piped to this function.
Author: OH
Twitter: @ozthe2
[string]$LogType = "EXEandDLL",
[string]$Mode = "Audit",
switch ($logtype) {
"MSIandSCRIPT" {$log = "Microsoft-Windows-AppLocker/MSI and Script"}
"Packagedapp-Deployment" {$log = "Microsoft-Windows-AppLocker/Packaged app-Deployment"}
"Packagedapp-Execution" {$log = "Microsoft-Windows-AppLocker/Packaged app-Execution"}
default {$log = "Microsoft-Windows-AppLocker/EXE and DLL"}
}#end switch
}#end begin
foreach ($Computer in $ComputerName) {
if ($OnlyDisplayUniqueRules) {
Switch ($Mode) {
"Audit" {Get-WinEvent -LogName $log -ComputerName $computer | where {$_.leveldisplayname -eq 'Warning'} | group message | select name}
"Enforced" {Get-WinEvent -LogName $log -ComputerName $computer | where {$_.leveldisplayname -eq 'Error'} | group message | select name}
default {Get-WinEvent -LogName $log -ComputerName $computer | where {$_.leveldisplayname -eq 'Warning' -or $_.leveldisplayname -eq 'Error'} | group message | select name}
}#end switch
} else {
Switch ($Mode) {
"Audit" {Get-WinEvent -LogName $log -ComputerName $computer | where {$_.leveldisplayname -eq 'Warning'}}
"Enforced" {Get-WinEvent -LogName $log -ComputerName $computer | where {$_.leveldisplayname -eq 'Error'}}
default {Get-WinEvent -LogName $log -ComputerName $computer | where {$_.leveldisplayname -eq 'Warning' -or $_.leveldisplayname -eq 'Error'}}
}#end switch
} # end foreach
}#end process