
Apps blocked by AppLocker

When you want to check whether apps are being blocked by AppLocker, you naturally go through Event Viewer under Microsoft > Windows > AppLocker. It is faster with PowerShell, querying the "EXE and DLL" log for event ID 8004 (the "was blocked" event):

# Define the log name
$logName = "Microsoft-Windows-AppLocker/EXE and DLL"

# Get events with ID 8004 from the specified log
$events = Get-WinEvent -LogName $logName -FilterXPath "*[System[EventID=8004]]" -ErrorAction SilentlyContinue

if ($events) {
    Write-Host "Events with ID 8004 from $logName"
    foreach ($event in $events) {
        Write-Host "Event ID: $($event.Id)"
        Write-Host "Level: $($event.LevelDisplayName)"
        Write-Host "Time Created: $($event.TimeCreated)"
        Write-Host "Message: $($event.Message)"
        Write-Host "-----------"
    }
} else {
    Write-Host "No events with ID 8004 found in $logName."
}

If you are still testing and have AppLocker running in audit mode, no 8004 events are written; search for event ID 8003 ("would have been blocked") instead:

# Define the log name
$logName = "Microsoft-Windows-AppLocker/EXE and DLL"

# Get events with ID 8003 from the specified log
$events = Get-WinEvent -LogName $logName -FilterXPath "*[System[EventID=8003]]" -ErrorAction SilentlyContinue

if ($events) {
    Write-Host "Events with ID 8003 from $logName"
    foreach ($event in $events) {
        Write-Host "Event ID: $($event.Id)"
        Write-Host "Level: $($event.LevelDisplayName)"
        Write-Host "Time Created: $($event.TimeCreated)"
        Write-Host "Message: $($event.Message)"
        Write-Host "-----------"
    }
} else {
    Write-Host "No events with ID 8003 found in $logName."
}
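The two snippets above only differ in the event ID and print the raw message text. As an added example (not code from the original post), the function below combines both cases and goes a bit further: it also covers the "MSI and Script" log (audit 8006, blocked 8007), uses a FilterHashtable instead of XPath, and returns objects with the file path, rule name and user pulled from the event's UserData XML, so you can sort and group the results. The function name Get-AppLockerDecision, the MSI/Script event IDs and the UserData field names (FilePath, RuleName, TargetUser, FileHash, Fqbn) are my assumptions based on the AppLocker event schema; check them on your own machine with ($event.ToXml()) before relying on them.

```powershell
# Added example, not part of the original post.
# Assumptions: log names, event IDs and the UserData/RuleAndFileData field names
# follow the AppLocker event schema; verify with (Get-WinEvent ...)[0].ToXml().

function Get-AppLockerDecision {
    [CmdletBinding()]
    param(
        # -Audit returns "would have been blocked" events (8003/8006),
        # otherwise the real block events (8004/8007) are returned
        [switch]$Audit,
        # Maximum number of events per log; 0 means no limit
        [int]$MaxEvents = 200
    )

    # Log name -> @(audit ID, block ID)
    $logs = [ordered]@{
        'Microsoft-Windows-AppLocker/EXE and DLL'    = @(8003, 8004)
        'Microsoft-Windows-AppLocker/MSI and Script' = @(8006, 8007)
    }

    foreach ($logName in $logs.Keys) {
        $ids = $logs[$logName]
        $id  = if ($Audit) { $ids[0] } else { $ids[1] }

        $params = @{
            FilterHashtable = @{ LogName = $logName; Id = $id }
            ErrorAction     = 'SilentlyContinue'   # log may be absent or empty
        }
        if ($MaxEvents -gt 0) { $params['MaxEvents'] = $MaxEvents }

        foreach ($event in (Get-WinEvent @params)) {
            # The interesting fields live in UserData/RuleAndFileData, not in the message text
            $data = ([xml]$event.ToXml()).Event.UserData.RuleAndFileData

            # TargetUser is a SID; translate it to an account name when possible
            $user = $data.TargetUser
            try {
                $sid  = New-Object System.Security.Principal.SecurityIdentifier $user
                $user = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { }

            [pscustomobject]@{
                TimeCreated = $event.TimeCreated
                Log         = $logName.Split('/')[-1]
                EventId     = $event.Id
                Decision    = if ($Audit) { 'AuditOnly' } else { 'Blocked' }
                FilePath    = $data.FilePath
                Rule        = $data.RuleName
                User        = $user
                FileHash    = $data.FileHash
                Publisher   = $data.Fqbn
            }
        }
    }
}

# Which binaries are actually being blocked, and how often?
Get-AppLockerDecision |
    Group-Object FilePath | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Still testing in audit mode: what would have been blocked, for whom, by which rule?
Get-AppLockerDecision -Audit |
    Format-Table TimeCreated, Log, FilePath, Rule, User -AutoSize
```

Grouping on FilePath is usually the quickest way to see whether a block is a single user running something odd or a line-of-business application that the policy forgot; the Publisher (Fqbn) and FileHash columns give you exactly what you need to write the allow rule. Note that nothing is written to these logs unless the Application Identity service is running, so an empty result is not proof that nothing was blocked.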