I ran AppLocker in audit mode for a few days on a small number of computers. All of that activity collects in the "Microsoft-Windows-AppLocker/EXE and DLL" audit log. It creates an event every time an application starts, indicating whether it was allowed, blocked, or would have been blocked. That last event type is 8003, and that's the one I care about.
The PowerShell command to view these log entries is:

Get-WinEvent -LogName "Microsoft-Windows-AppLocker/EXE and DLL" | Where-Object {$_.Id -eq 8003} | Format-Table Message
This will tell me every application that would have failed. I can either make a new rule or ignore it, knowing that it would be blocked in the future. I can combine this with PowerShell remoting to check the event log on every computer I manage.
Get-QADComputer | %{
    Invoke-Command $_.Name -AsJob -ScriptBlock {
        # A log with no matching events raises an error; silence it so the job still completes
        $ErrorActionPreference = "SilentlyContinue"
        Get-WinEvent -LogName "Microsoft-Windows-AppLocker/EXE and DLL" |
            ?{$_.Id -eq 8003} |
            Format-Table Message
    }
}

# Remove jobs that failed (unreachable computers) or that have no output left
Get-Job | ?{$_.State -eq "Failed" -or $_.HasMoreData -eq $false} | Remove-Job
# Show the output of every remaining job without consuming it
Get-Job | Receive-Job -Keep
# Or consume the output of the first job that still has data
(Get-Job | ?{ $_.HasMoreData -eq $true })[0] | Receive-Job
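The same collection done without jobs, as an added example that is not from the original post: a single Invoke-Command fans out to all computers, the remote script pulls the file path, hash and user out of each 8003 event's XML, and the results are summarised per application so each one can be turned into a rule or deliberately ignored. The function name and the computer names are assumptions.

```powershell
# Added example, not the original post's code. Summarise AppLocker 8003
# ("would have been blocked") events across computers by file path.
function Get-AppLockerAuditSummary {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,   # names are assumed
        [datetime] $Since = (Get-Date).AddDays(-7)
    )

    $remote = {
        param($Since)
        $filter = @{
            LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
            Id        = 8003          # audit-mode "would have been blocked"
            StartTime = $Since
        }
        # SilentlyContinue: a log with no matching events raises an error
        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object {
                # The event body carries the path, hash and launching user's SID
                $d = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
                [pscustomobject]@{
                    Computer = $env:COMPUTERNAME
                    Time     = $_.TimeCreated
                    FilePath = $d.FilePath      # e.g. %OSDRIVE%\USERS\...\CHROME.EXE
                    FileHash = $d.FileHash
                    User     = $d.TargetUser
                }
            }
    }

    # Fan out to all computers at once; unreachable hosts only yield an error record
    $events = Invoke-Command -ComputerName $ComputerName -ScriptBlock $remote `
        -ArgumentList $Since -ErrorAction SilentlyContinue

    # One row per distinct path: how often, on which machines, by how many users
    $events | Group-Object FilePath | ForEach-Object {
        [pscustomobject]@{
            FilePath  = $_.Name
            Hits      = $_.Count
            Computers = ($_.Group.Computer | Sort-Object -Unique) -join ', '
            Users     = ($_.Group.User | Sort-Object -Unique).Count
            LastSeen  = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    } | Sort-Object Hits -Descending
}

# Usage with constructed computer names:
Get-AppLockerAuditSummary -ComputerName 'PC01','PC02' | Format-Table -AutoSize
```

A path seen on many machines by many users is a candidate for a publisher or path rule; a path seen once in one user's profile is worth inspecting first.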
If the admin share is open to administrators, you can open Explorer to \\computername\c$ and browse the files on that computer. You can also point the rule wizard at that remote admin share when adding new rules.
I saw Google Chrome show up on a computer in a user's profile on a remote computer. I was able to point the AppLocker rule wizard to \\computername\c$\users\john\appdata\.... and it added the needed rules. I was able to add 4-5 needed applications. I also saw some spyware on a few computers that I was able to clean up.
Now that we have added some new rules, I wanted to clear the logs so they are cleaner next time. Here is the command to do that:

wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"