Applies To: Windows 7, Windows Server 2008 R2

This topic for the IT professional describes how to use Windows PowerShell to test an AppLocker policy for allowed applications in Windows Server 2008 R2 and Windows 7.

The Test-AppLockerPolicy cmdlet uses the specified AppLocker policy to test whether a specified list of files are allowed to run on the local computer for a specific user.


Test-AppLockerPolicy [-PolicyObject] <AppLockerPolicy> [-Path <String[]>] [-User <String>] [-Filter <PolicyDecision[]>] [<CommonParameters>]

Test-AppLockerPolicy [-XMLPolicy] <String> [-Path <String>] [-User <String>] [-Filter <FilterType>] [<CommonParameters>]


Parameter Description

PolicyObject <AppLockerPolicy>

Specifies the policy object that contains the AppLocker policy. It can be obtained from the Get-AppLockerPolicy or New-AppLockerPolicy cmdlet.

XMLPolicy <String>

The XML file path that contains the AppLocker policy.

Path <String[]>

Specifies the list of file paths to test. Supports regular expressions.

User <String>

Defines the user or group that the rules are applied to. You must provide one of the following property values:

  • DNS user name (domain\username)

  • User principal name (username@domain.com)

  • Security identifier (S-1-5-21-3165297888-301567370-576410423-1103)

  • SAM user name (username)

Filter <PolicyDecision[]>

Filters the output by the policy decision for each input file. The policy decision options include: All, Allowed, Denied, DeniedByDefault, and AllowedByDefault. By default, all policy decisions are displayed.


To test AppLocker rules for a nested group, you should specify a representative member of the nested group for the User parameter. For example, a rule that allows the Everyone group to run calc.exe may not appear to apply correctly when you specify the nested Finance group for the User parameter. Instead, you should specify a representative member of the Finance group for the User parameter.


Uses the AppLocker policy in C:\Policy.xml to test whether calc.exe and notepad.exe are allowed to run for users who are members of the Everyone group. If you do not specify a group, the Everyone group is used by default.

C:\PS>Test-AppLockerPolicy -XMLPolicy c:\Policy.xml -Path c:\Windows\System32\calc.exe, c:\Windows\System32\notepad.exe -User Everyone

Gets the list of executable files under C:\Windows\System32, obtains the full path for each file by using the Convert-Path cmdlet, and then uses the AppLocker policy specified in C:\Policy.xml to test whether the user with the specified security identifier (SID) is denied access to run the files by default. A policy decision of DeniedByDefault occurs when there are rules in the rule collection but there are no explicit allow or deny rules that apply to the specified file and user.

C:\PS>Get-ChildItem c:\Windows\System32\ -filter *.exe -recurse Convert-Path | Test-AppLockerPolicy c:\Policy.xml –User S-1-5-21-3165297888-301567370-576410423-1103 -Filter DeniedByDefault

Gets the local AppLocker policy, uses the policy to determine which executable files in C:\Windows\System32 that Sara Davis is explicitly denied access to run, and then redirects the list to a text file.

C:\PS>Get-AppLockerPolicy -Local | Test-AppLockerPolicy -Path C:\Windows\System32\*.exe –User domain\saradavis -Filter Denied | Format-List –Property Path > C:\DeniedFiles.txt