AppLocker is a feature of the Enterprise editions of Windows 7 and Windows 8 (and Windows 7 Ultimate). It lets an organization stop unapproved software from running at all. It works by whitelisting, or allowing, a specific set of trusted executables (and, with the matching rule collections turned on, scripts, installers and DLLs) and denying everything else. Since most commodity malware arrives as an executable nobody approved, a well-maintained whitelist stops it cold. It is seriously that powerful! Once set up, AppLocker is easy to manage. However, when an untrusted executable is run, you still have to search the event log on that machine to gather the AppLocker errors.
To get a picture of how ugly that event log is, here is a screenshot:
Now imagine opening up the event log for multiple machines! Not fun at all! To help aggregate these logs, we are going to use PowerShell!
The Magic
First, let’s take a look at our script:
$Computers = Read-Host "What is the computer"
$Computers = Get-QADComputer *$Computers*   # Quest ActiveRoles cmdlet: wildcard match on the computer name
$Errors = @()
foreach ($Computer in $Computers) {
    $Errors += Get-WinEvent -LogName "Microsoft-Windows-AppLocker/*" -ComputerName $Computer.Name |
        Where-Object LevelDisplayName -EQ "Error" |
        Select-Object MachineName, TimeCreated, Message, @{N = "UserID"; E = {
            $sid = $_.UserId   # SID of the account that tried to run the file (may be empty on some events)
            if ($sid) {
                try   { (New-Object System.Security.Principal.SecurityIdentifier $sid.Value).Translate([System.Security.Principal.NTAccount]).Value }
                catch { $sid.Value }   # unresolvable SID (deleted or foreign account): keep the raw SID instead of aborting
            }
        }}
}
$Errors | Out-GridView
Storing the AppLocker Errors
We start by prompting for a computer name and storing it in the $Computers variable. Next, we overwrite that variable with the result of Get-QADComputer (one of the Quest ActiveRoles cmdlets), wrapping the input in wildcards so that a partial name like GAMCN returns every computer whose name contains it.
Next, we run a foreach to cycle through each computer in $Computers. For each one, Get-WinEvent reads every AppLocker log on that machine and Where-Object keeps only the entries whose level is Error. (In audit-only mode AppLocker records "would have been blocked" events as warnings, not errors, so they are not picked up by this filter.) The event's UserId property holds the object SID of the user who tried to run the file, so a calculated property turns that SID into a standard DOMAIN\user name with New-Object (plus Translate). The translation happens inside the calculated property so that every event gets its own user, and a SID that can no longer be resolved (for example a deleted account) is kept as-is rather than stopping the run.
Finally, each batch of translated errors is appended to the $Errors variable, and Out-GridView shows the whole set in one sortable, filterable window. Here is a screenshot of our final result:
Special thanks to:
- Chris Martin for submitting the initial script that gathered the AppLocker Errors.
- Subsun for showing me how to change outputted objects
- TechNet for showing me how to translate those SIDs.
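As an added example (my own code, not the post's script or Chris Martin's), here is the same idea taken a step further. Instead of pulling every AppLocker event across the wire and dropping most of it with Where-Object, it asks the event log only for the block event IDs (8004 for EXE/DLL, 8007 for MSI/script, plus the audit-mode 8003/8006 when requested), parses the event XML for the file path and the rule that made the decision, and keeps a SID that can no longer be resolved instead of aborting. The function names are mine; Get-ADComputer from the ActiveDirectory module is assumed in place of the Quest Get-QADComputer cmdlet; and the sample event at the bottom is constructed, not captured from a real host, so the parser can be exercised offline.

```powershell
# Added example, not the original post's script. Event IDs 8004 (EXE/DLL blocked) and 8007
# (MSI/script blocked) are enforce mode; 8003/8006 are the audit-mode "would have been blocked" events.
# Assumption: the ActiveDirectory module (Get-ADComputer) stands in for Quest's Get-QADComputer.

function Convert-AppLockerSid {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    if (-not $Sid) { return $null }
    try   { $Sid.Translate([System.Security.Principal.NTAccount]).Value }   # DOMAIN\user
    catch { $Sid.Value }   # deleted or foreign account: keep the raw SID rather than losing the row
}

function ConvertFrom-AppLockerEvent {
    # Extracts what a reviewer actually needs (which file, which rule, which user) from the
    # UserData/RuleAndFileData section of the event XML. Accepts a live EventLogRecord or raw XML text.
    param([Parameter(ValueFromPipeline)]$Event)
    process {
        $xml  = if ($Event -is [string]) { [xml]$Event } else { [xml]$Event.ToXml() }
        $sys  = $xml.Event.System
        $data = $xml.Event.UserData.RuleAndFileData
        $id   = [int]$sys.EventID
        $mode = if ($id -in (8003, 8006)) { 'Audit' } else { 'Enforce' }
        $sid  = if ($Event -is [string]) { [System.Security.Principal.SecurityIdentifier]$sys.Security.UserID } else { $Event.UserId }
        [pscustomobject]@{
            MachineName = $sys.Computer
            TimeCreated = [datetime]$sys.TimeCreated.SystemTime
            EventId     = $id
            Mode        = $mode
            User        = Convert-AppLockerSid $sid
            FilePath    = $data.FilePath
            FileHash    = $data.FileHash
            Rule        = $data.RuleName
            Policy      = $data.PolicyName
        }
    }
}

function Get-AppLockerBlock {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [switch]$IncludeAudit,
        [datetime]$StartTime = (Get-Date).AddDays(-7)
    )
    $ids = @(8004, 8007)
    if ($IncludeAudit) { $ids += 8003, 8006 }
    # Filtering on log name and event ID in the query is far cheaper than fetching every
    # AppLocker event from each host and discarding most of it afterwards.
    $filter = @{
        LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL', 'Microsoft-Windows-AppLocker/MSI and Script'
        Id        = $ids
        StartTime = $StartTime
    }
    foreach ($computer in $ComputerName) {
        # A host with no matching events makes Get-WinEvent raise a non-terminating error;
        # silence it so one quiet machine does not clutter the output for the rest.
        Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ConvertFrom-AppLockerEvent
    }
}

# Constructed sample event (not captured from a real machine) so the parser can be tried offline.
# The SID is made up, so Convert-AppLockerSid falls back to the raw SID string.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-AppLocker" />
    <EventID>8004</EventID>
    <TimeCreated SystemTime="2014-06-01T13:05:22.000Z" />
    <Channel>Microsoft-Windows-AppLocker/EXE and DLL</Channel>
    <Computer>GAMCN01.example.local</Computer>
    <Security UserID="S-1-5-21-1111111111-2222222222-3333333333-1001" />
  </System>
  <UserData>
    <RuleAndFileData xmlns="http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0">
      <PolicyName>EXE</PolicyName>
      <RuleName>Deny Downloads folder</RuleName>
      <FilePath>%OSDRIVE%\USERS\JDOE\DOWNLOADS\TOOL.EXE</FilePath>
      <FileHash>0x0000000000000000000000000000000000000000000000000000000000000000</FileHash>
    </RuleAndFileData>
  </UserData>
</Event>
'@
ConvertFrom-AppLockerEvent $sample | Format-List

# Live use, matching the post's "every computer whose name contains GAMCN":
# $names = (Get-ADComputer -Filter 'Name -like "*GAMCN*"').Name
# Get-AppLockerBlock -ComputerName $names -IncludeAudit | Out-GridView
```

Remote collection still needs the Remote Event Log Management firewall rule open on each target and an account that can read its logs; the -IncludeAudit switch is what lets you review an audit-only rollout before switching to enforcement, since those "would have been blocked" events are warnings rather than errors and a LevelDisplayName filter on "Error" never sees them.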
I have been scouring forums, blog posts, recommendations and I came across this script with great hope. Unfortunately, I receive the following error:
New-Object : A constructor was not found. Cannot find an appropriate constructor for type System.Security.Principal.SecurityIdentifier.
At line:7 char:7
+ $id= (New-Object System.Security.Principal.SecurityIdentifier $id.UserId).Transl …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (:) [New-Object], PSArgumentException
+ FullyQualifiedErrorId : CannotFindAppropriateCtor,Microsoft.PowerShell.Commands.NewObjectCommand
Any assistance would be wonderful. I am not sure what is throwing the error.
Thank you in advance.
What version of PowerShell are you using? Make sure you are using version 3 or higher.
I am currently running PowerShell version 4 on a Windows 8.1 Enterprise workstation. Are there any known issues with this particular script in Windows 8.1?
Thank you!
See if this modified version will run:
$Computers = Read-Host "What is the computer"
$Computers = Get-QADComputer *$Computers*
$Errors = @()
foreach ($Computer in $Computers) {
    $Errors += Get-WinEvent -LogName "Microsoft-Windows-AppLocker/*" -ComputerName $Computer.Name | Where-Object LevelDisplayName -EQ "Error" | Select-Object MachineName, TimeCreated, Message
}
$Errors | Out-GridView
Thank you, Joseph.
Your scripting skills will save me during a massive rollout of AppLocker.
Thank you again.
No problem! 🙂
A buddy of mine wrote the original script.