The Test-FileCatalog command compares the content of the catalog file to the filesystem. Hashes are recalculated for each file.
If none of the content has changed, Test-FileCatalog will return Valid:
PS> Test-FileCatalog -Path C:\Temp\ACL -CatalogFilePath C:\Temp\Security\example.cat
Valid
If a file has been added, removed, or changed, the Test-FileCatalog command will return ValidationFailed.
At this point, the Detailed parameter can be used to see which file changed.
The Detailed parameter does not change the amount of work Test-FileCatalog must do. If the detailed result is likely to be needed, it is better to use the Detailed parameter from the start. This saves the CPU cycles and I/O operations required to list the content of a directory and generate the hashes a second time.
The command does not provide a summary of changes; instead, it returns all files and hashes from the catalog and all files and hashes from the path being tested:
PS> Set-Content C:\Temp\ACL\33.txt -Value 'New content'
PS> $params = @{
>>     Path = 'C:\Temp\ACL'
>>     CatalogFilePath = 'C:\Temp\Security\example.cat'
>>     Detailed = $true
>> }
PS> Test-FileCatalog @params
Status : ValidationFailed
HashAlgorithm : SHA1
CatalogItems : {[11.txt, 3B88969F774811E6A5D634832BE099EDA42B5E72], ...}
PathItems : {[11.txt, 3B88969F774811E6A5D634832BE099EDA42B5E72], ...}
Signature : System.Management.Automation.Signature
These values can be used to find changes. First, assign the result of the command to a variable:
$params = @{
    Path = 'C:\Temp\ACL'
    CatalogFilePath = 'C:\Temp\Security\example.cat'
    Detailed = $true
}
$result = Test-FileCatalog @params
Once done, files that have been added can be listed with the following code:
$result.PathItems.Keys | Where-Object { -not $result.CatalogItems.ContainsKey($_) }
Files that have been removed are listed with the following code:
$result.CatalogItems.Keys | Where-Object { -not $result.PathItems.ContainsKey($_) }
Files that have been modified are listed with the following code:
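# The ContainsKey check excludes added files, which have no catalog hash to compare against
$result.PathItems.Keys | Where-Object { $result.CatalogItems.ContainsKey($_) -and $result.CatalogItems[$_] -ne $result.PathItems[$_] }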
As the file catalog only stores hashes, the command is unable to describe exactly what has changed about a file, only that something has.
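The three comparisons above can be combined into a single change report. The following is an added example, not code from the original text: the function name Get-FileCatalogChange is hypothetical, and the sample file names and hash values are constructed so that the code runs without a catalog file.

```powershell
# Hypothetical helper: turns a detailed Test-FileCatalog result into one
# object per added, removed, or modified file.
function Get-FileCatalogChange {
    [CmdletBinding()]
    param (
        # Any object exposing CatalogItems and PathItems (file name -> hash).
        [Parameter(Mandatory, ValueFromPipeline)]
        [PSObject]$Result
    )

    process {
        $catalog = $Result.CatalogItems
        $path = $Result.PathItems

        foreach ($name in $path.Keys) {
            if (-not $catalog.ContainsKey($name)) {
                # Present on disk, absent from the catalog.
                [PSCustomObject]@{ Change = 'Added'; Name = $name; CatalogHash = $null; PathHash = $path[$name] }
            } elseif ($catalog[$name] -ne $path[$name]) {
                # Present in both, but the recalculated hash differs.
                [PSCustomObject]@{ Change = 'Modified'; Name = $name; CatalogHash = $catalog[$name]; PathHash = $path[$name] }
            }
        }
        foreach ($name in $catalog.Keys) {
            if (-not $path.ContainsKey($name)) {
                # Recorded in the catalog, no longer on disk.
                [PSCustomObject]@{ Change = 'Removed'; Name = $name; CatalogHash = $catalog[$name]; PathHash = $null }
            }
        }
    }
}

# Constructed sample standing in for the output of Test-FileCatalog -Detailed.
# The names and hash values are placeholders, not real SHA1 hashes.
$catalogItems = [System.Collections.Generic.Dictionary[string,string]]::new()
$catalogItems['same.txt'] = 'HASH-A'
$catalogItems['edited.txt'] = 'HASH-B'
$catalogItems['deleted.txt'] = 'HASH-C'
$pathItems = [System.Collections.Generic.Dictionary[string,string]]::new()
$pathItems['same.txt'] = 'HASH-A'
$pathItems['edited.txt'] = 'HASH-X'
$pathItems['new.txt'] = 'HASH-D'
$sample = [PSCustomObject]@{ CatalogItems = $catalogItems; PathItems = $pathItems }

# Reports new.txt as Added, edited.txt as Modified, deleted.txt as Removed.
$sample | Get-FileCatalogChange | Sort-Object Change, Name | Format-Table
```

With a real catalog, the $result variable assigned earlier can be piped to the function in place of $sample.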