The Test-FileCatalog command compares the content of the catalog file to the filesystem. Hashes are re-calculated for each file.
If none of the content has changed, Test-FileCatalog will return Valid:
PS> Test-FileCatalog -Path C:\Temp\ACL -CatalogFilePath C:\Temp\Security\example.cat
Valid
If a file is added, removed, or changed, the Test-FileCatalog command will return ValidationFailed.
At this point, the Detailed parameter can be used to see which file changed.
The Detailed parameter does not change the amount of work Test-FileCatalog must do. If the result is to be used, it might be better to use the Detailed parameter right away. This saves the CPU cycles and IO operations required to list the content of a directory and generate the hashes a second time.
The command does not provide a summary of changes; instead, it returns all files and hashes from the catalog and all files and hashes from the path being tested:
PS> Set-Content C:\Temp\ACL\33.txt -Value 'New content'
Test-FileCatalog -Path C:\Temp\ACL -CatalogFilePath C:\Temp\Security\example.cat -Detailed
Status : ValidationFailed
HashAlgorithm : SHA1
CatalogItems : {[11.txt, 3B88969F774811E6A5D634832BE099EDA42B5E72], [111.txt, 3B88969F774811E6A5D634832BE099EDA42B5E72], [22.txt,
3B88969F774811E6A5D634832BE099EDA42B5E72], [222.txt, 3B88969F774811E6A5D634832BE099EDA42B5E72]...}
PathItems : {[11.txt, 3B88969F774811E6A5D634832BE099EDA42B5E72], [111.txt, 3B88969F774811E6A5D634832BE099EDA42B5E72], [22.txt,
3B88969F774811E6A5D634832BE099EDA42B5E72], [222.txt, 3B88969F774811E6A5D634832BE099EDA42B5E72]...}
Signature : System.Management.Automation.Signature
These values can be used to find changes. First, assign the result of the command to a variable:
$result = Test-FileCatalog -Path C:\Temp\ACL -CatalogFilePath C:\Temp\Security\example.cat -Detailed
Once done, files that have been added can be listed with the following code:
$result.PathItems.Keys | Where-Object { -not $result.CatalogItems.ContainsKey($_) }
Files that have been removed are listed with the following code:
$result.CatalogItems.Keys | Where-Object { -not $result.PathItems.ContainsKey($_) }
Files that have been modified are listed with the following code:
$result.PathItems.Keys | Where-Object { $result.CatalogItems.ContainsKey($_) -and $result.CatalogItems[$_] -ne $result.PathItems[$_] }
As the file catalog only stores hashes, the command is unable to describe exactly what has changed about a file, only that something has.
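The three queries above can be combined into a single pass that labels each changed file. The following is an added example, not code from the original text: the function name Get-FileCatalogChange is hypothetical, and the sample result is constructed (with placeholder hash values) so that the block runs without a catalog file.

```powershell
function Get-FileCatalogChange {
    # Hypothetical helper, not a built-in cmdlet. Accepts any object exposing
    # CatalogItems and PathItems dictionaries (relative file name -> hash),
    # such as the output of Test-FileCatalog -Detailed.
    param (
        [Parameter(Mandatory, ValueFromPipeline)]
        $CatalogValidation
    )
    process {
        $catalog = $CatalogValidation.CatalogItems
        $path    = $CatalogValidation.PathItems
        # Visit every file name seen on either side exactly once.
        $names = @($catalog.Keys) + @($path.Keys) | Sort-Object -Unique
        foreach ($name in $names) {
            if     (-not $catalog.ContainsKey($name)) { $change = 'Added' }
            elseif (-not $path.ContainsKey($name))    { $change = 'Removed' }
            elseif ($catalog[$name] -ne $path[$name]) { $change = 'Modified' }
            else   { continue }  # hash matches the catalog, nothing to report
            [PSCustomObject]@{
                File        = $name
                Change      = $change
                # Only index a dictionary when the key is known to exist.
                CatalogHash = if ($catalog.ContainsKey($name)) { $catalog[$name] }
                PathHash    = if ($path.ContainsKey($name)) { $path[$name] }
            }
        }
    }
}

# Constructed sample standing in for: Test-FileCatalog ... -Detailed
# The hash strings are placeholders, not real SHA1 values.
$catalogItems = [System.Collections.Generic.Dictionary[string,string]]::new()
$pathItems    = [System.Collections.Generic.Dictionary[string,string]]::new()
$catalogItems['11.txt'] = 'HASH-A'; $pathItems['11.txt'] = 'HASH-A'  # unchanged
$catalogItems['22.txt'] = 'HASH-B'                                   # removed
$catalogItems['33.txt'] = 'HASH-C'; $pathItems['33.txt'] = 'HASH-D'  # modified
$pathItems['44.txt']    = 'HASH-E'                                   # added

$result = [PSCustomObject]@{
    Status       = 'ValidationFailed'
    CatalogItems = $catalogItems
    PathItems    = $pathItems
}
$result | Get-FileCatalogChange | Format-Table -AutoSize
```

With a real catalog, pipe the output of Test-FileCatalog -Detailed to the function in place of the constructed $result.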