When you want to check whether apps have been blocked by AppLocker, you of course search Event Viewer under Microsoft > Windows > AppLocker. That can be done faster with PowerShell:
# Define the log name
$logName = "Microsoft-Windows-AppLocker/EXE and DLL"
# Get events with ID 8004 from the specified log
$events = Get-WinEvent -LogName $logName -FilterXPath "*[System[EventID=8004]]" -ErrorAction SilentlyContinue
if ($events) {
    Write-Host "Events with ID 8004 from $logName"
    foreach ($event in $events) {
        Write-Host "Event ID: $($event.Id)"
        Write-Host "Level: $($event.LevelDisplayName)"
        Write-Host "Time Created: $($event.TimeCreated)"
        Write-Host "Message: $($event.Message)"
        Write-Host "-----------"
    }
} else {
    Write-Host "No events with ID 8004 found in $logName."
}
If you are still testing and have AppLocker running in Audit mode, search for Event ID 8003 instead:
# Define the log name
$logName = "Microsoft-Windows-AppLocker/EXE and DLL"
# Get events with ID 8003 from the specified log
$events = Get-WinEvent -LogName $logName -FilterXPath "*[System[EventID=8003]]" -ErrorAction SilentlyContinue
if ($events) {
    Write-Host "Events with ID 8003 from $logName"
    foreach ($event in $events) {
        Write-Host "Event ID: $($event.Id)"
        Write-Host "Level: $($event.LevelDisplayName)"
        Write-Host "Time Created: $($event.TimeCreated)"
        Write-Host "Message: $($event.Message)"
        Write-Host "-----------"
    }
} else {
    Write-Host "No events with ID 8003 found in $logName."
}
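Printing the raw Message text gets unwieldy once a policy has been live for a while. The following is an added example, not code from the original post, that goes a step further: it pulls both 8003 (audit) and 8004 (blocked) events from the EXE/DLL and MSI/Script logs, extracts the file path, rule and user from the event XML, and summarises which files are hit most often. It assumes the second log name and the XML field names under UserData/RuleAndFileData (FilePath, RuleName, TargetUser, Fqbn) as AppLocker writes them; run it from an elevated prompt.

```powershell
# Summarise AppLocker audit (8003) and block (8004) events from the last N hours.
param(
    [int]$Hours = 24
)

# Log names assumed for this example; "EXE and DLL" is the one used above.
$logs = @(
    "Microsoft-Windows-AppLocker/EXE and DLL",
    "Microsoft-Windows-AppLocker/MSI and Script"
)

$filter = @{
    LogName   = $logs
    Id        = 8003, 8004   # 8003 = would have been blocked (audit), 8004 = blocked
    StartTime = (Get-Date).AddHours(-$Hours)
}

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Host "No AppLocker 8003/8004 events in the last $Hours hours."
    return
}

$rows = foreach ($e in $events) {
    # The useful fields live under UserData/RuleAndFileData in the event XML
    # (field names assumed here). TargetUser is a SID, not a display name.
    $data = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Mode      = if ($e.Id -eq 8004) { "Blocked" } else { "Audit" }
        Log       = $e.LogName
        FilePath  = $data.FilePath
        Rule      = $data.RuleName
        User      = $data.TargetUser
        Publisher = $data.Fqbn
    }
}

# Per-file summary: how often each path was hit, in which mode, and by whom.
$rows |
    Group-Object FilePath, Mode |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'FilePath'; e = { $_.Group[0].FilePath } },
        @{ n = 'Mode';     e = { $_.Group[0].Mode } },
        @{ n = 'Users';    e = { ($_.Group.User | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize

# Full detail, newest first, for drilling into a specific hit.
$rows | Sort-Object Time -Descending | Format-Table Time, Mode, FilePath, Rule, User -AutoSize
```

Paths that show up repeatedly in Audit mode are the candidates for an allow rule before you switch the policy to Enforce.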