Powershell Function to query AppLocker event Logs

This post is for my reference although if you stumble upon it and find it useful then cool!

I have configured AppLocker to run in ‘Audit’ mode and wanted a quick method of seeing what would be blocked without having to log on to individual computers and checking the event logs.

That way I can pro-actively monitor computers and build the white-list rules before I turn AppLocker on to ‘Enforce’ mode.

I’ve seen there are a number of AppLocker cmdlets that I’ll be exploring later, but for now, here’s my solution on GitHub.


  1. I tried the script running as follows:
    .\Get-ApplockerBlocks -computerName PCName -logType ExeandDll -Mode ‘Audit Only’ and it runs and returns nothing, including any error messages. I can look into the event log on the computer and there are warning events about several programs. So do you know what might be happening? This would be so sweet a program if I could get it to work correctly. Thanks.

    • Hi, This script works fine on 2000 PC’s where I used to work. I no longer work there and we’re not currently using applocker at my new place but I have had another look at the code and I can’t see any issues. You could try changing the filter so it’s not filtering on ExeAndDll – are you sure there are entries in the exe and dll event log? Also try changing audit mode to Both.

      • Ok, I tried it like you suggested: .\Get-ApplockerBlocks -computerName PCName -Mode ‘Both’ and got the same result. I looked over the script and it looks like it should work. I can retrieve events if I run the Command you have in your script manually:
        Get-WinEvent -LogName “Microsoft-Windows-AppLocker/MSI and Script” -ComputerName PCName | where {$_.leveldisplayname -eq ‘Warning’} | group-object -property message | select name

        So it seems that the script should work.

  2. I have just configured auditing mode for applocker at my new work place and I’m pleased to say the powershell code works just fine..happy days! 🙂

Leave a Reply