# AppLocker - Walkthrough

# Get-AppLockerFileInformation

# Get-App<wbr>Locker<wbr>File<wbr>Information</wbr></wbr></wbr>

<div class="display-flex-tablet justify-content-space-between-tablet" id="bkmrk-reference-feedback">- Reference

<div class="margin-block-xxs display-none-print" id="bkmrk-feedback"></div></div><div class="metadata" id="bkmrk-module%3A-applocker"><dl class="attributeList"><dt>Module:</dt><dd>[AppLocker](https://learn.microsoft.com/en-us/powershell/module/applocker/?view=windowsserver2025-ps)</dd></dl></div>Gets the file information necessary to create AppLocker rules from a list of files or an event log.

## Syntax

<div class="codeHeader" id="bkmrk-powershellcopy"><span class="language">PowerShell</span><div class="successful-copy-alert position-absolute right-0 top-0 left-0 bottom-0 display-flex align-items-center justify-content-center has-text-success-invert has-background-success is-transparent">  
</div></div>```
Get-AppLockerFileInformation
   [[-Path] <System.Collections.Generic.List`1[System.String]>]
   [<CommonParameters>]
```

<div class="codeHeader" id="bkmrk-powershellcopy-1"><span class="language">PowerShell</span><div class="successful-copy-alert position-absolute right-0 top-0 left-0 bottom-0 display-flex align-items-center justify-content-center has-text-success-invert has-background-success is-transparent">  
</div></div>```
Get-AppLockerFileInformation
   [[-Packages] <System.Collections.Generic.List`1[Microsoft.Windows.Appx.PackageManager.Commands.AppxPackage]>]
   [<CommonParameters>]
```

<div class="codeHeader" id="bkmrk-powershellcopy-2"><span class="language">PowerShell</span><div class="successful-copy-alert position-absolute right-0 top-0 left-0 bottom-0 display-flex align-items-center justify-content-center has-text-success-invert has-background-success is-transparent">  
</div></div>```
Get-AppLockerFileInformation
   -Directory <String>
   [-FileType <System.Collections.Generic.List`1[Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.AppLockerFileType]>]
   [-Recurse]
   [<CommonParameters>]
```

<div class="codeHeader" id="bkmrk-powershellcopy-3"><span class="language">PowerShell</span><div class="successful-copy-alert position-absolute right-0 top-0 left-0 bottom-0 display-flex align-items-center justify-content-center has-text-success-invert has-background-success is-transparent">  
</div></div>```
Get-AppLockerFileInformation
   [-EventLog]
   [-LogPath <String>]
   [-EventType <System.Collections.Generic.List`1[Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.AppLockerEventType]>]
   [-Statistics]
   [<CommonParameters>]
```

## Description

The **Get-AppLockerFileInformation** cmdlet gets the AppLocker file information from a list of files or an event log. File information includes the publisher information, file hash, and file path.

The file information from an event log may not contain all of the publisher information, file hash, and file path fields. Files that are not signed will not have any publisher information.

## Examples

### Example 1: Get file information for .exe files and scripts

<div id="bkmrk-powershellcopy-4"><div class="codeHeader" id="bkmrk-powershellcopy-5"><span class="language">PowerShell</span><div class="successful-copy-alert position-absolute right-0 top-0 left-0 bottom-0 display-flex align-items-center justify-content-center has-text-success-invert has-background-success is-transparent">  
</div></div></div>```
PS C:\> Get-AppLockerFileInformation -Directory C:\Windows\system32\ -Recurse -FileType exe, script
```

This example gets the file information for all the .exe files and scripts under %windir%\\system32.

### Example 2: Get file information for a file

<div id="bkmrk-powershellcopy-6"><div class="codeHeader" id="bkmrk-powershellcopy-7"><span class="language">PowerShell</span><div class="successful-copy-alert position-absolute right-0 top-0 left-0 bottom-0 display-flex align-items-center justify-content-center has-text-success-invert has-background-success is-transparent">  
</div></div></div>```
PS C:\> Get-AppLockerFileInformation -Path "C:\Program Files (x86)\Internet Explorer\iexplore.exe" | Format-List
Path      : %PROGRAMFILES%\INTERNET EXPLORER\IEXPLORE.EXE
Publisher : CN=WINDOWS MAIN BUILD LAB ACCOUNT\WINDOWS® INTERNET EXPLORER\IEXPLORE.EXE,10.0.8421.0
Hash      : SHA256 0x5F374C2DD91A6F9E9E96F149EE221EC0454649F50E1AF6D3DAEFB849FB7C551C
AppX      : False


PS C:\> Get-AppLockerFileInformation -Path "C:\Program Files\Internet Explorer\iexplore.exe" | Format-List
Path      : %PROGRAMFILES%\INTERNET EXPLORER\IEXPLORE.EXE
Publisher : CN=WINDOWS MAIN BUILD LAB ACCOUNT\WINDOWS® INTERNET EXPLORER\IEXPLORE.EXE,10.0.8421.0
Hash      : SHA256 0x5F374C2DD91A6F9E9E96F149EE221EC0454649F50E1AF6D3DAEFB849FB7C551C
AppX      : False
```

This example gets the file information for the file specified by the path.

### Example 3: Get file information for all packaged applications for all users

<div id="bkmrk-powershellcopy-8"><div class="codeHeader" id="bkmrk-powershellcopy-9"><span class="language">PowerShell</span><div class="successful-copy-alert position-absolute right-0 top-0 left-0 bottom-0 display-flex align-items-center justify-content-center has-text-success-invert has-background-success is-transparent">  
</div></div></div>```
PS C:\> Get-AppXPackage -AllUsers | Get-AppLockerFileInformation
Path      : windows.immersivecontrolpanel_6.2.0.0_neutral_neutral_cw5n1h2txyewy.appx
Publisher : CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington,
            C=US\windows.immersivecontrolpanel\APPX,6.2.0.0
Hash      :
AppX      : True

Path      : windows.RemoteDesktop_1.0.0.0_neutral_neutral_cw5n1h2txyewy.appx
Publisher : CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington,
            C=US\windows.RemoteDesktop\APPX,1.0.0.0
Hash      :
AppX      : True

Path      : WinStore_1.0.0.0_neutral_neutral_cw5n1h2txyewy.appx
Publisher : CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US\WinStore\APPX,1.0.0.0
Hash      :
AppX      : True
```

This example outputs the file information for all the packaged applications installed on this computer for all users.

### Example 4: Get file information for Audited events

<div id="bkmrk-powershellcopy-10"><div class="codeHeader" id="bkmrk-powershellcopy-11"><span class="language">PowerShell</span><div class="successful-copy-alert position-absolute right-0 top-0 left-0 bottom-0 display-flex align-items-center justify-content-center has-text-success-invert has-background-success is-transparent">  
</div></div></div>```
PS C:\> Get-AppLockerFileInformation -EventLog -EventType Audited
```

This example outputs the file information for all the Audited events in the local event log. Audited events correspond to the Warning event in the AppLocker audit log.

### Example 5: Get statistics for Allowed events

<div id="bkmrk-powershellcopy-12"><div class="codeHeader" id="bkmrk-powershellcopy-13"><span class="language">PowerShell</span><div class="successful-copy-alert position-absolute right-0 top-0 left-0 bottom-0 display-flex align-items-center justify-content-center has-text-success-invert has-background-success is-transparent">  
</div></div></div>```
PS C:\> Get-AppLockerFileInformation -EventLog -EventType Allow -Statistics
```

This example displays statistics for all the Allowed events in the local event log. For each file in the event log, the cmdlet will sum the number of times the event type occurred.

### Example 6: Create an AppLocker policy

<div id="bkmrk-powershellcopy-14"><div class="codeHeader" id="bkmrk-powershellcopy-15"><span class="language">PowerShell</span><div class="successful-copy-alert position-absolute right-0 top-0 left-0 bottom-0 display-flex align-items-center justify-content-center has-text-success-invert has-background-success is-transparent">  
</div></div></div>```
PS C:\> Get-AppLockerFileInformation -EventLog -EventType Audited | New-AppLockerPolicy -RuleType Publisher, Hash, Path -User Everyone -Optimize | Set-AppLockerPolicy -LDAP LDAP://TestGPO
```

This example creates a new AppLocker policy from the warning events in the local event log and sets the policy of a test Group Policy Object (GPO).

## Parameters

### -Directory

Specifies the directory that contains the files for which to get the file information. If all subfolders and files in the specified directory are to be searched, then include the *Recurse* parameter

<div class="parameterInfo" id="bkmrk-expand-table-type%3A-s"><div class="buttons buttons-right margin-bottom-none margin-top-sm"></div><div class="has-inner-focus"><table class="table stack table-sm margin-top-none"><tbody><tr><td>Type:</td><td><span class="no-loc xref">String</span></td></tr><tr><td>Position:</td><td>Named</td></tr><tr><td>Default value:</td><td>None</td></tr><tr><td>Required:</td><td>True</td></tr><tr><td>Accept pipeline input:</td><td>False</td></tr><tr><td>Accept wildcard characters:</td><td>False</td></tr></tbody></table>

</div></div>### -EventLog

Specifies that the file information is retrieved from the event log.

<div class="parameterInfo" id="bkmrk-expand-table-type%3A-s-1"><div class="buttons buttons-right margin-bottom-none margin-top-sm"></div><div class="has-inner-focus"><table class="table stack table-sm margin-top-none"><tbody><tr><td>Type:</td><td><span class="no-loc xref">SwitchParameter</span></td></tr><tr><td>Position:</td><td>Named</td></tr><tr><td>Default value:</td><td>None</td></tr><tr><td>Required:</td><td>True</td></tr><tr><td>Accept pipeline input:</td><td>False</td></tr><tr><td>Accept wildcard characters:</td><td>False</td></tr></tbody></table>

</div></div>### -EventType

Specifies the event type by which to filter the events. The acceptable values for this parameter are: Allowed, Denied, or Audited. The event types correspond to the Informational, Error, and Warning level events in the AppLocker event logs.

<div class="parameterInfo" id="bkmrk-expand-table-type%3A-l"><div class="buttons buttons-right margin-bottom-none margin-top-sm"></div><div class="has-inner-focus"><table class="table stack table-sm margin-top-none"><tbody><tr><td>Type:</td><td>[List&lt;T&gt;](https://learn.microsoft.com/en-us/dotnet/api/system.collections.generic.list-1)\[<span class="no-loc xref">Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.AppLockerEventType</span>\]</td></tr><tr><td>Accepted values:</td><td>Allowed, Denied, Audited</td></tr><tr><td>Position:</td><td>Named</td></tr><tr><td>Default value:</td><td>None</td></tr><tr><td>Required:</td><td>False</td></tr><tr><td>Accept pipeline input:</td><td>False</td></tr><tr><td>Accept wildcard characters:</td><td>False</td></tr></tbody></table>

</div></div>### -FileType

Specifies the generic file type for which to search. All files having the appropriate file name extension will be included. The acceptable values for this parameter are:

<div class="parameterInfo" id="bkmrk-exe-dll-windowsinsta">- Exe
- Dll
- WindowsInstaller
- Script
- Appx.

<div class="buttons buttons-right margin-bottom-none margin-top-sm"></div><div class="has-inner-focus"><table class="table stack table-sm margin-top-none"><tbody><tr><td>Type:</td><td>[List&lt;T&gt;](https://learn.microsoft.com/en-us/dotnet/api/system.collections.generic.list-1)\[<span class="no-loc xref">Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.AppLockerFileType</span>\]</td></tr><tr><td>Accepted values:</td><td>Exe, Dll, WindowsInstaller, Script, Appx</td></tr><tr><td>Position:</td><td>Named</td></tr><tr><td>Default value:</td><td>None</td></tr><tr><td>Required:</td><td>False</td></tr><tr><td>Accept pipeline input:</td><td>False</td></tr><tr><td>Accept wildcard characters:</td><td>False</td></tr></tbody></table>

</div></div>### -LogPath

Specifies the log name or file path of the event log where the AppLocker events are located. By default, if this parameter is not specified, the local Microsoft-Windows-AppLocker/EXE and DLL channel is used.

<div class="parameterInfo" id="bkmrk-expand-table-type%3A-s-2"><div class="buttons buttons-right margin-bottom-none margin-top-sm"></div><div class="has-inner-focus"><table class="table stack table-sm margin-top-none"><tbody><tr><td>Type:</td><td><span class="no-loc xref">String</span></td></tr><tr><td>Position:</td><td>Named</td></tr><tr><td>Default value:</td><td>None</td></tr><tr><td>Required:</td><td>False</td></tr><tr><td>Accept pipeline input:</td><td>False</td></tr><tr><td>Accept wildcard characters:</td><td>False</td></tr></tbody></table>

</div></div>### -Packages

Specifies a list of installed packaged applications, from which the file information is retrieved.

<div class="parameterInfo" id="bkmrk-expand-table-type%3A-l-1"><div class="buttons buttons-right margin-bottom-none margin-top-sm"></div><div class="has-inner-focus"><table class="table stack table-sm margin-top-none"><tbody><tr><td>Type:</td><td>[List&lt;T&gt;](https://learn.microsoft.com/en-us/dotnet/api/system.collections.generic.list-1)\[<span class="no-loc xref">Microsoft.Windows.Appx.PackageManager.Commands.AppxPackage</span>\]</td></tr><tr><td>Position:</td><td>0</td></tr><tr><td>Default value:</td><td>None</td></tr><tr><td>Required:</td><td>False</td></tr><tr><td>Accept pipeline input:</td><td>True</td></tr><tr><td>Accept wildcard characters:</td><td>False</td></tr></tbody></table>

</div></div>### -Path

Specifies a list of paths to the files from which the file information is retrieved. Supports regular expressions.

<div class="parameterInfo" id="bkmrk-expand-table-type%3A-l-2"><div class="buttons buttons-right margin-bottom-none margin-top-sm"></div><div class="has-inner-focus"><table class="table stack table-sm margin-top-none"><tbody><tr><td>Type:</td><td>[List&lt;T&gt;](https://learn.microsoft.com/en-us/dotnet/api/system.collections.generic.list-1)\[[String](https://learn.microsoft.com/en-us/dotnet/api/system.string)\]</td></tr><tr><td>Position:</td><td>0</td></tr><tr><td>Default value:</td><td>None</td></tr><tr><td>Required:</td><td>False</td></tr><tr><td>Accept pipeline input:</td><td>True</td></tr><tr><td>Accept wildcard characters:</td><td>False</td></tr></tbody></table>

</div></div>### -Recurse

Specifies that all files and folders in the specified directory will be searched.

<div class="parameterInfo" id="bkmrk-expand-table-type%3A-s-3"><div class="buttons buttons-right margin-bottom-none margin-top-sm"></div><div class="has-inner-focus"><table class="table stack table-sm margin-top-none"><tbody><tr><td>Type:</td><td><span class="no-loc xref">SwitchParameter</span></td></tr><tr><td>Position:</td><td>Named</td></tr><tr><td>Default value:</td><td>None</td></tr><tr><td>Required:</td><td>False</td></tr><tr><td>Accept pipeline input:</td><td>False</td></tr><tr><td>Accept wildcard characters:</td><td>False</td></tr></tbody></table>

</div></div>### -Statistics

Specifies the statistics to retrieve on the files included in the event log. Calculates a simple sum of the number of times a file is included in the event log based on specified parameters.

<div class="parameterInfo" id="bkmrk-expand-table-type%3A-s-4"><div class="buttons buttons-right margin-bottom-none margin-top-sm"></div><div class="has-inner-focus"><table class="table stack table-sm margin-top-none"><tbody><tr><td>Type:</td><td><span class="no-loc xref">SwitchParameter</span></td></tr><tr><td>Position:</td><td>Named</td></tr><tr><td>Default value:</td><td>None</td></tr><tr><td>Required:</td><td>False</td></tr><tr><td>Accept pipeline input:</td><td>False</td></tr><tr><td>Accept wildcard characters:</td><td>False</td></tr></tbody></table>

</div></div>## Inputs

**<span class="no-loc xref">None</span>**

## Outputs

**<span class="no-loc xref">Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.FileInformation</span>**

**[String](https://learn.microsoft.com/en-us/dotnet/api/system.string)**

## Related Links

- [Get-AppLockerPolicy](https://learn.microsoft.com/en-us/powershell/module/applocker/get-applockerpolicy?view=windowsserver2025-ps)
- [New-AppLockerPolicy](https://learn.microsoft.com/en-us/powershell/module/applocker/new-applockerpolicy?view=windowsserver2025-ps)
- [Set-AppLockerPolicy](https://learn.microsoft.com/en-us/powershell/module/applocker/set-applockerpolicy?view=windowsserver2025-ps)
- [Test-AppLockerPolicy](https://learn.microsoft.com/en-us/powershell/module/applocker/test-applockerpolicy?view=windowsserver2025-ps)