Inspecting AppLocker Policy

While doing incident response, if AppLocker is deployed but a host still got infected by a malicious executable, it is useful to know exactly which AppLocker policy is in effect on that host.

PowerShell is the right tool for this. The following cmdlet dumps the currently applied AppLocker policy to an XML file. It does so by reading the registry, so no special permissions (e.g. administrator rights) are needed.

The resulting XML file contains all the rules and their conditions, which makes them easy to audit. The source code follows.
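The post's own script is not reproduced on this page. What follows is an added PowerShell example, not the author's code, that does the same job two ways: through the built-in `Get-AppLockerPolicy -Effective -Xml` cmdlet, and through a direct read of `HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2`, the hive that holds the effective policy and is readable by standard users. It then flattens the rules into one row per rule and checks whether the policy is actually being enforced. The function names, the output path, and the numeric `EnforcementMode` mapping (0 = NotConfigured, 1 = Enabled, 2 = AuditOnly) are this example's own assumptions.

```powershell
# Added example (not the post's own code): collect and summarize the effective
# AppLocker policy during incident response. Function names, output path and the
# EnforcementMode DWORD mapping below are assumptions of this example.

$OutFile = Join-Path $env:TEMP 'applocker-effective.xml'

# Route 1: the built-in cmdlet (AppLocker module, ships with Windows).
# -Effective merges local and domain (GPO) policy; -Xml returns XML text.
function Get-EffectivePolicyXml {
    Get-AppLockerPolicy -Effective -Xml
}

# Route 2: read the registry directly, for hosts where the AppLocker module is
# unavailable. Under SrpV2 each rule collection (Exe, Dll, Msi, Script, Appx) is a
# subkey holding an EnforcementMode DWORD and one subkey per rule (named by the
# rule GUID) whose "Value" property is that rule's XML fragment.
function Get-PolicyXmlFromRegistry {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SrpV2'
    if (-not (Test-Path -Path $base)) { throw "No AppLocker policy present under $base" }

    # Assumed mapping of the EnforcementMode DWORD to the schema's attribute values.
    $modeNames = @{ 0 = 'NotConfigured'; 1 = 'Enabled'; 2 = 'AuditOnly' }
    $sb = [System.Text.StringBuilder]::new()
    [void]$sb.AppendLine('<AppLockerPolicy Version="1">')
    foreach ($coll in Get-ChildItem -Path $base) {
        $props = Get-ItemProperty -Path $coll.PSPath
        $mode = 'NotConfigured'
        if ($null -ne $props.EnforcementMode) {
            $mode = $modeNames[[int]$props.EnforcementMode]
            if (-not $mode) { $mode = "Unknown($($props.EnforcementMode))" }
        }
        [void]$sb.AppendLine("  <RuleCollection Type=`"$($coll.PSChildName)`" EnforcementMode=`"$mode`">")
        foreach ($rule in Get-ChildItem -Path $coll.PSPath) {
            $ruleXml = (Get-ItemProperty -Path $rule.PSPath).Value
            if ($ruleXml) { [void]$sb.AppendLine("    $ruleXml") }
        }
        [void]$sb.AppendLine('  </RuleCollection>')
    }
    [void]$sb.AppendLine('</AppLockerPolicy>')
    $sb.ToString()
}

# Flatten the policy into one object per rule so the investigator can eyeball it
# or export it. Each rule is a FilePathRule, FilePublisherRule or FileHashRule
# carrying Action, UserOrGroupSid and a Conditions child.
function Get-AppLockerRuleSummary([string]$PolicyXml) {
    $doc = [xml]$PolicyXml
    foreach ($coll in $doc.AppLockerPolicy.RuleCollection) {
        foreach ($rule in $coll.ChildNodes) {
            $cond = $rule.Conditions.FirstChild
            $detail = switch ($rule.LocalName) {
                'FilePathRule'      { $cond.GetAttribute('Path') }
                'FilePublisherRule' { "$($cond.GetAttribute('PublisherName')) / $($cond.GetAttribute('ProductName')) / $($cond.GetAttribute('BinaryName'))" }
                'FileHashRule'      { ($cond.FileHash | ForEach-Object { $_.GetAttribute('SourceFileName') }) -join ', ' }
                default             { $rule.OuterXml }
            }
            [pscustomobject]@{
                Collection  = $coll.GetAttribute('Type')
                Enforcement = $coll.GetAttribute('EnforcementMode')
                RuleType    = $rule.LocalName
                Action      = $rule.GetAttribute('Action')
                Sid         = $rule.GetAttribute('UserOrGroupSid')
                Name        = $rule.GetAttribute('Name')
                Condition   = $detail
            }
        }
    }
}

# Caveat: a policy sitting in the registry blocks nothing unless the Application
# Identity service (AppIDSvc) is running and the collection is in "Enabled" mode;
# "AuditOnly" only logs to the Microsoft-Windows-AppLocker event channels.
function Get-AppLockerServiceState {
    $svc = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
    if ($svc) { $svc.Status } else { 'NotInstalled' }
}

# Usage: prefer the cmdlet, fall back to the registry read, save, summarize.
$policyXml = $null
try   { $policyXml = Get-EffectivePolicyXml }
catch { $policyXml = Get-PolicyXmlFromRegistry }
$policyXml | Out-File -FilePath $OutFile -Encoding utf8
Write-Host "Effective policy written to $OutFile (AppIDSvc: $(Get-AppLockerServiceState))"
Get-AppLockerRuleSummary -PolicyXml $policyXml | Format-Table -AutoSize
```

When reading the summary, look first at the `Enforcement` column and the service state: an `AuditOnly` collection or a stopped AppIDSvc explains an "infected despite AppLocker" host without any rule being wrong, whereas an `Enabled` collection with a broad `FilePathRule` (for example a user-writable directory under an allow rule) points at the rule set itself.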

Hope it’s useful :D