Administration Guide

PowerShell Examples for Custom Audit Fields

This page collects ready-to-use PowerShell samples for Windows custom audit fields. Copy a sample into the Script box when Filling method is set to Script, then replace the placeholder values with data from your environment.

Note: Each script should return a value that matches the field's Type. Use Table for multi-value output and Logical for true/false checks.

Before you start

  1. Create the custom audit field.
  2. Set Device type to the Windows device type you want to audit.
  3. Choose a Type that matches the script output.
  4. Set Filling method to Script.
  5. Paste one of the samples below into the Script box and test it in a controlled environment.

PowerShell script samples

Collecting system information

Use this pattern when you want to collect a set of values from Windows hardware or system classes. In the example below, AlloyScan can store the returned property list in a Table field.

$Result = Get-WmiObject Win32_PortConnector | Select-Object InternalReferenceDesignator

This sample:

  • queries the Win32_PortConnector WMI class;
  • keeps only the InternalReferenceDesignator property;
  • returns a collection of values, so Table is the most suitable field type.

Capturing Registry keys

Use this pattern when you need a logical yes/no result from the registry.

[bool] (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SrpV2' -Name 'EnforcementMode' -ErrorAction SilentlyContinue)

This sample:

  • checks whether the AppLocker EnforcementMode value is present under the SrpV2 policy key (the cast tests that the value exists, not what it is set to);
  • returns $true or $false;
  • fits a Logical field type.
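
The sample above reports only that the value exists. The following added example (not part of the original guide and not vendor code) reads the value's data instead. It assumes AppLocker stores EnforcementMode as a DWORD in per-collection subkeys of SrpV2 (Exe, Dll, Script, Msi, Appx) with 0 meaning audit only and 1 meaning enforce; the function names are hypothetical, and the layout should be confirmed on a reference machine before use.

```powershell
# Added example, not vendor code.
# Assumption: policy lives under SrpV2\<Collection> with a DWORD EnforcementMode
# (0 = audit only, 1 = enforce). Verify on a reference machine first.
function Get-AppLockerMode {
    param(
        [string]$Root = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SrpV2',
        [string[]]$Collection = @('Exe', 'Dll', 'Script', 'Msi', 'Appx')
    )
    foreach ($name in $Collection) {
        $key     = Join-Path -Path $Root -ChildPath $name
        $present = Test-Path -Path $key
        $mode    = $null
        if ($present) {
            $prop = Get-ItemProperty -Path $key -Name 'EnforcementMode' -ErrorAction SilentlyContinue
            if ($null -ne $prop) { $mode = [int]$prop.EnforcementMode }
        }
        # One row per rule collection; suitable for a Table field.
        [pscustomobject]@{
            Collection      = $name
            KeyPresent      = $present
            EnforcementMode = $mode   # $null means the value is absent
        }
    }
}

function Test-AppLockerEnforced {
    param([string[]]$Required = @('Exe'))
    $modes = Get-AppLockerMode -Collection $Required
    # True only when every required collection is explicitly set to 1.
    # A missing key, a missing value and audit-only (0) all yield $false.
    -not ($modes | Where-Object { $_.EnforcementMode -ne 1 })
}

# Logical field: emit a single boolean.
Test-AppLockerEnforced -Required 'Exe'
```

For a Table field, replace the last line with a call to Get-AppLockerMode to return one row per rule collection.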

Checking file presence

Use this pattern when the script should report whether a file exists on the system.

[bool] (Test-Path -Path 'C:\ProgramData\MyApp\license.lic')

This sample:

  • verifies whether the file is present;
  • returns $true or $false;
  • also fits a Logical field type.