I ran AppLocker in audit mode for a few days on a small number of computers. So all that activity is collecting in the "Microsoft-Windows-AppLocker/EXE and DLL" audit log. It creates an event every time an application starts indicating if it was allowed, blocked, or would have been blocked. That last event type is 8003 and that’s the one I care about.





The Powershell command to view this log entry is this:

get-winevent -logname "Microsoft-Windows-AppLocker/EXE and DLL"

Where-Object $_ . id -eq 8003 } | id

ft message









This will tell me every application that would have failed. I can either make a new rule or ignore it knowing that it would be blocked in the future. I can combine this with powershell remoting to check the event log on every computer I manage.





Get-QADComputer | % { Invoke-Command $_ . Name –AsJob –ScriptBlock { Name

$ErrorActionPreference = "SilentlyContinue"

get-winevent -logname "Microsoft-Windows-AppLocker/EXE and DLL" |

? { $_ . id -eq 8003 } | id

Format-Table message

}}





I use the QuestAD tools to get every computer in the domain and request the log event 8003 from the correct event log. The other stuff just cleans up the output. Give it 60 seconds to finish or timeout (for computers that are not powered up). Then run these commands for the results. I use the QuestAD tools to get every computer in the domain and request the log event 8003 from the correct event log. The other stuff just cleans up the output. Give it 60 seconds to finish or timeout (for computers that are not powered up). Then run these commands for the results.





Get-Job | ? { $_ . State -eq "Failed" -or $_ . HasMoreData -eq $false } | Remove-Job StateHasMoreData

Get-Job | Receive-Job -Keep





This will filter out results we don’t care about and then output all the logs on all the other systems. If you have pages of data, you can process them one computer at a time. This walks the results from the top down. This will filter out results we don’t care about and then output all the logs on all the other systems. If you have pages of data, you can process them one computer at a time. This walks the results from the top down.





Get-Job | ? { $_ . HasMoreData -eq $true }) [ 0 ] | Receive-Job HasMoreData})





When it outputs the results, it will reset the HasMoreData flag from that Job. So if you see some output and you want to know what job it was from, run Get-Job. In the middle of the list, you will see the the HasMoreData flip from false to true. The bottom one with a false value is the last computer you pulled output from. This can be very handy when setting up rules. When it outputs the results, it will reset the HasMoreData flag from that Job. So if you see some output and you want to know what job it was from, run Get-Job. In the middle of the list, you will see the the HasMoreData flip from false to true. The bottom one with a false value is the last computer you pulled output from. This can be very handy when setting up rules.





If you have the admin share open to administrators, you can open explorer to \\computername\c$ and find files on it. You can also use that remote admin share in the wizard to add new rules.





I saw Google Chrome show up on a computer in a user’s profile on a remote computer. I was able to point the AppLocker rule wizard to \\computername\c$\users\john\appdata\.... and it added the needed rules. I was able to add 4-5 needed applications. I also saw some spyware on a few computers that I was able to clean up.





Now that we added some new rules, I wanted to clear the logs so they are cleaner next time. Here is the command to do that.





Wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"



