cmdlet will return a hash code it labels as "SHA256". But you will find
that a hash code it returns differs from one returned by the
cmdlet for executable, e.g., .exe files.
PS C:\Users\Lily\documents> Get-AppLockerFileInformation bookcollectorsetup16311.exe | Format-List Path : %OSDRIVE%\USERS\LISA\DOCUMENTS\BOOKCOLLECTORSETUP16311.EXE Publisher : O=BITZ & PIXELZ BV, L=AMSTERDAM, S=NOORD-HOLLAND, C=NL\BOOK COLLECTOR\,0.0.0.0 Hash : SHA256 0xC9C0B33CC19DFFC150486BC2B652CDEE1874486908A5533A4F886D7C559140E8 AppX : False PS C:\Users\Lily\documents> Get-FileHash bookcollectorsetup16311.exe | Format-List Algorithm : SHA256 Hash : EF10F80A45F3D97F24DDEFBB10C119782FB1D862053ECC896CF80124535F594F Path : C:\Users\Lily\documents\bookcollectorsetup16311.exe PS C:\Users\Lily\documents>
You will find that the SHA-256 hash returned by Get-FileHash is the one returned by other tools that calculate SHA-256 hashes for files and that it matches the hash you will see calculated by VirusTotal, if you upload a file to that service for antivirus analysis.
So why is there a difference between the value produced by the
Get-AppLockerFileInformation cmdlet and the
cmdlet and other utilities. Microsoft implements a
signing mechanism known as Authenticode - see
Everything you need to know
about Authenticode Code Signing. It is because the
Get-AppLockerFileInformation cmdlet is calculating an
Authenticode hash that the SHA256 value it displays differs from that produced
Get-FileHash and other utilities that determine a SHA256
hash for files. According to Microsoft's article
Use AppLocker and Software Restriction Policies in the Same Domain:
AppLocker computes the hash value itself. Internally it uses the SHA2 Authenticode hash for Portable Executables (Exe and Dll) and Windows Installers and a SHA2 flat file hash for the rest.
If you use both cmdlets on a non-executable file, though, you should see the same SHA256 code listed. E.g.:
PS C:\Users\Lily\documents> Get-FileHash Disk_Mgmt.html | Format-List Algorithm : SHA256 Hash : C51AED2E7AC5B068CD735D83E345D533D3DB02EF38AB9F90C0A16206994F1969 Path : C:\Users\Lily\documents\Disk_Mgmt.html PS C:\Users\Lily\documents> Get-AppLockerFileInformation Disk_Mgmt.html | Format-List Path : %OSDRIVE%\USERS\LISA\DOCUMENTS\DISK_MGMT.HTML Publisher : Hash : SHA256 0xC51AED2E7AC5B068CD735D83E345D533D3DB02EF38AB9F90C0A16206994F1969 AppX : False PS C:\Users\Lily\documents>