Get-AppLockerFileInformation versus Get-FileHash hash codes

AppLocker is a policy-based security component of Microsoft Windows introduced in Windows 7 Professional, Enterprise and Ultimate editions and Windows Server 2008 R2. It enables or disables execution of software based on rules such as location, properties and digital signature, so it can be used to restrict that software that can be run on a Microsoft Windows system. Executable file restrictions can be based on a hash value, publisher certificate, etc. Further details on AppLocker can be found at An approach for managing Microsoft AppLocker policies.

The Get-AppLockerFileInformation PowerShell cmdlet will return a hash code it labels as "SHA256". But you will find that a hash code it returns differs from one returned by the Get-FileHash cmdlet for executable, e.g., .exe files. 

PS C:\Users\Lily\documents> Get-AppLockerFileInformation bookcollectorsetup16311.exe | Format-List


Path      : %OSDRIVE%\USERS\LISA\DOCUMENTS\BOOKCOLLECTORSETUP16311.EXE
Publisher : O=BITZ & PIXELZ BV, L=AMSTERDAM, S=NOORD-HOLLAND, C=NL\BOOK COLLECTOR\,0.0.0.0
Hash      : SHA256 0xC9C0B33CC19DFFC150486BC2B652CDEE1874486908A5533A4F886D7C559140E8
AppX      : False



PS C:\Users\Lily\documents> Get-FileHash bookcollectorsetup16311.exe | Format-List


Algorithm : SHA256
Hash      : EF10F80A45F3D97F24DDEFBB10C119782FB1D862053ECC896CF80124535F594F
Path      : C:\Users\Lily\documents\bookcollectorsetup16311.exe



PS C:\Users\Lily\documents>

You will find that the SHA-256 hash returned by Get-FileHash is the one returned by other tools that calculate SHA-256 hashes for files and that it matches the hash you will see calculated by VirusTotal, if you upload a file to that service for antivirus analysis.

So why is there a difference between the value produced by the Get-AppLockerFileInformation cmdlet and the Get-FileHash cmdlet and other utilities. Microsoft implements a code signing mechanism known as Authenticode - see Everything you need to know about Authenticode Code Signing. It is because the Get-AppLockerFileInformation cmdlet is calculating an Authenticode hash that the SHA256 value it displays differs from that produced by Get-FileHash and other utilities that determine a SHA256 hash for files. According to Microsoft's article Use AppLocker and Software Restriction Policies in the Same Domain:

AppLocker computes the hash value itself. Internally it uses the SHA2 Authenticode hash for Portable Executables (Exe and Dll) and Windows Installers and a SHA2 flat file hash for the rest.

If you use both cmdlets on a non-executable file, though, you should see the same SHA256 code listed. E.g.:

PS C:\Users\Lily\documents> Get-FileHash Disk_Mgmt.html | Format-List


Algorithm : SHA256
Hash      : C51AED2E7AC5B068CD735D83E345D533D3DB02EF38AB9F90C0A16206994F1969
Path      : C:\Users\Lily\documents\Disk_Mgmt.html



PS C:\Users\Lily\documents> Get-AppLockerFileInformation Disk_Mgmt.html | Format-List


Path      : %OSDRIVE%\USERS\LISA\DOCUMENTS\DISK_MGMT.HTML
Publisher :
Hash      : SHA256 0xC51AED2E7AC5B068CD735D83E345D533D3DB02EF38AB9F90C0A16206994F1969
AppX      : False



PS C:\Users\Lily\documents>

References:

  1. Why are the SHA256 hashes used by AppLocker different to other generators?
    Posted: February 25, 2015
    SuperUser
  2. Get-AppLockerFileInformation
    Microsoft TechNet
  3. An approach for managing Microsoft AppLocker policies
    By: Peter Hinchley
    Date: June 13, 2016
    Peter Hinchley
  4. Everything you need to know about Authenticode Code Signing
    By: EricLaw
    Date: March 22, 2011
    Microsoft Developer Nework (MSDN) Blogs
  5. Use AppLocker and Software Restriction Policies in the Same Domain
    Updated: September 12, 2013
    Microsoft TechNet

 

TechRabbit ad 300x250 newegg.com

Justdeals Daily Electronics Deals1x1 px