
Updated AppLocker Dump Script

I have created a new version of this script so that it is better aligned with the conventions I use for other PowerShell scripts.

I have also created the PowaScripts project, where I will publish PowerShell scripts that I use and that might be of public interest. Here is an example of how to invoke the cmdlet.

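# Writes the AppLocker rules and conditions of this host to policy.xml (see the example output below).
# Note: "Dump" is not an approved PowerShell verb; Export-AppLockerPolicy-style naming would satisfy
# Get-Verb, but the cmdlet name is kept here as published.
Dump-AppLocker -ResultFile policy.xml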

As with the previous version, the resulting XML file contains all the rules and their conditions, which makes it easy to audit the AppLocker policy. Note that the output lists the rule collections (Appx, Dll, Exe, Msi, Script) and their rules only; it does not record the enforcement mode (Audit only vs. Enforce rules) of each collection, so that still has to be checked separately before treating a Deny rule as actually blocking anything. Here is an example result file.

 1<?xml version="1.0" encoding="utf-8"?>
 2<AppLocker Date="2016-09-23T21:50:33.1246017Z" Host="test01.domain.local">
 3  <Group Name="Appx" />
 4  <Group Name="Dll">
 5    <FilePathRule Id="3737732c-99b7-41d4-9037-9cddfb0de0d0" Name="(Default Rule) All DLLs located in the Program Files folder" Description="Allows members of the Everyone group to load DLLs that are located in the Program Files folder." UserOrGroupSid="S-1-1-0" Action="Allow">
 6      <Conditions>
 7        <FilePathCondition Path="%PROGRAMFILES%\*" />
 8      </Conditions>
 9    </FilePathRule>
10    <FilePathRule Id="ac881f52-1a4c-4f81-9fdc-02179022f08b" Name="(My Rule) All files located in the Windows Temporary folder" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
11      <Conditions>
12        <FilePathCondition Path="%WINDIR%\Temp\*" />
13      </Conditions>
14    </FilePathRule>
15    <FilePathRule Id="bac4b0bf-6f1b-40e8-8627-8545fa89c8b6" Name="(Default Rule) Microsoft Windows DLLs" Description="Allows members of the Everyone group to load DLLs located in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow">
16      <Conditions>
17        <FilePathCondition Path="%WINDIR%\*" />
18      </Conditions>
19    </FilePathRule>
20    <FilePathRule Id="c1a9b922-713f-4a8f-af01-32ff907cd1fd" Name="(My Rule) All files located in the Windows Tasks folder" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
21      <Conditions>
22        <FilePathCondition Path="%WINDIR%\Tasks\*" />
23      </Conditions>
24    </FilePathRule>
25    <FilePathRule Id="fe64f59f-6fca-45e5-a731-0f6715327c38" Name="(Default Rule) All DLLs" Description="Allows members of the local Administrators group to load all DLLs." UserOrGroupSid="S-1-5-32-544" Action="Allow">
26      <Conditions>
27        <FilePathCondition Path="*" />
28      </Conditions>
29    </FilePathRule>
30  </Group>
31  <Group Name="Exe">
32    <FilePathRule Id="744af0ed-87d1-4bf4-98a1-8ad4d2823bd3" Name="(My Rule) All files located in the Windows Temporary folder" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
33      <Conditions>
34        <FilePathCondition Path="%WINDIR%\Temp\*" />
35      </Conditions>
36    </FilePathRule>
37    <FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="(Default Rule) All files located in the Program Files folder" Description="Allows members of the Everyone group to run applications that are located in the Program Files folder." UserOrGroupSid="S-1-1-0" Action="Allow">
38      <Conditions>
39        <FilePathCondition Path="%PROGRAMFILES%\*" />
40      </Conditions>
41    </FilePathRule>
42    <FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="(Default Rule) All files located in the Windows folder" Description="Allows members of the Everyone group to run applications that are located in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow">
43      <Conditions>
44        <FilePathCondition Path="%WINDIR%\*" />
45      </Conditions>
46    </FilePathRule>
47    <FilePathRule Id="d9efc88e-0b2a-41f1-b12b-ca24cf942aaf" Name="(My Rule) All files located in the Windows Tasks folder" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
48      <Conditions>
49        <FilePathCondition Path="%WINDIR%\Tasks\*" />
50      </Conditions>
51    </FilePathRule>
52    <FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="(Default Rule) All files" Description="Allows members of the local Administrators group to run all applications." UserOrGroupSid="S-1-5-32-544" Action="Allow">
53      <Conditions>
54        <FilePathCondition Path="*" />
55      </Conditions>
56    </FilePathRule>
57  </Group>
58  <Group Name="Msi">
59    <FilePathRule Id="5b290184-345a-4453-b184-45305f6d9a54" Name="(Default Rule) All Windows Installer files in %systemdrive%\Windows\Installer" Description="Allows members of the Everyone group to run all Windows Installer files located in %systemdrive%\Windows\Installer." UserOrGroupSid="S-1-1-0" Action="Allow">
60      <Conditions>
61        <FilePathCondition Path="%WINDIR%\Installer\*" />
62      </Conditions>
63    </FilePathRule>
64    <FilePathRule Id="64ad46ff-0d71-4fa0-a30b-3f3d30c5433d" Name="(Default Rule) All Windows Installer files" Description="Allows members of the local Administrators group to run all Windows Installer files." UserOrGroupSid="S-1-5-32-544" Action="Allow">
65      <Conditions>
66      <FilePathCondition Path="*.*" />
67      </Conditions>
68    </FilePathRule>
69  </Group>
70  <Group Name="Script">
71    <FilePathRule Id="06dce67b-934c-454f-a263-2515c8796a5d" Name="(Default Rule) All scripts located in the Program Files folder" Description="Allows members of the Everyone group to run scripts that are located in the Program Files folder." UserOrGroupSid="S-1-1-0" Action="Allow">
72      <Conditions>
73        <FilePathCondition Path="%PROGRAMFILES%\*" />
74      </Conditions>
75    </FilePathRule>
76    <FilePathRule Id="3f4760f4-bd8a-47fa-a86e-e2f0222b5e79" Name="(My Rule) All files located in the Windows Tasks folder" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
77      <Conditions>
78        <FilePathCondition Path="%WINDIR%\Tasks\*" />
79      </Conditions>
80    </FilePathRule>
81    <FilePathRule Id="9428c672-5fc3-47f4-808a-a0011f36dd2c" Name="(Default Rule) All scripts located in the Windows folder" Description="Allows members of the Everyone group to run scripts that are located in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow">
82      <Conditions>
83        <FilePathCondition Path="%WINDIR%\*" />
84      </Conditions>
85    </FilePathRule>
86    <FilePathRule Id="b8467b04-066e-40af-8f48-4545e1037e4a" Name="(My Rule) All files located in the Windows Temporary folder" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
87      <Conditions>
88        <FilePathCondition Path="%WINDIR%\Temp\*" />
89      </Conditions>
90    </FilePathRule>
91    <FilePathRule Id="ed97d0cb-15ff-430f-b82c-8d7832957725" Name="(Default Rule) All scripts" Description="Allows members of the local Administrators group to run all scripts." UserOrGroupSid="S-1-5-32-544" Action="Allow">
92      <Conditions>
93        <FilePathCondition Path="*" />
94      </Conditions>
95    </FilePathRule>
96  </Group>
97</AppLocker>

Hope it is useful :)