PowerShell Logging Features


Nowadays, PowerShell is very popular among security-oriented folks, in red teams and blue teams alike. Indeed, its Win32 API, WMI, registry and C# support is appreciated by red teams, especially since common anti-virus software is poor at handling PowerShell.

As a blue team member, recent PowerShell releases give you some built-in security features, manageable through GPO under: Computer Configuration, Policies, Administrative Templates, Windows Components, Windows PowerShell.

In PowerShell 2 and older, you can only manage the PowerShell Execution Policy:


This isn’t really a security measure.

In PowerShell 3, or with KB2819745, you have a few more options:


Now you can turn on module logging, and specify a source path for Update-Help if you have systems that are not connected to the Internet.

In PowerShell 4 with KB3000850, you have even more options:


To check whether this KB is present on your system:

Get-HotFix -Id KB3000850

Thanks to that KB, you can now enable PowerShell transcription computer-wide, and log to the Event Log every cmdlet that runs on your systems.

Note: this can be pretty verbose. For example, counting the pipeline execution events (ID 800) written during the last hour:


# Number of event ID 800 entries in the classic "Windows PowerShell" log during the last hour (timediff is in milliseconds)
(Get-WinEvent -FilterXPath "*[System[EventID=800 and TimeCreated[timediff(@SystemTime) <= 3600000]]]" -LogName 'Windows PowerShell').Count


And transcription (logging of every PowerShell session):


You may want to centralize events and transcripts on a secured computer for forensic analysis in case of a breach.
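To audit whether the GPO settings described above actually reached a host, here is an added helper (example code written for this post, not the author's own) that reads the PowerShell policy keys under HKLM and counts the related events from the last hour. The function names are this example's own; it assumes the policies are applied through the registry locations that the Windows PowerShell GPOs use, and that the Microsoft-Windows-PowerShell/Operational log exists (PowerShell 3 and later).

```powershell
# Root of the registry values written by the "Windows PowerShell" GPO settings
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Get-PolicyValue {
    param([string]$SubKey, [string]$Name)
    # Returns $null when the GPO was never applied (key or value absent)
    $key = if ($SubKey) { "$PolicyRoot\$SubKey" } else { $PolicyRoot }
    if (-not (Test-Path $key)) { return $null }
    (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).$Name
}

function Get-RecentEventCount {
    param([string]$LogName, [int]$EventId, [int]$WindowMs = 3600000)
    # Same XPath filter as in the post; timediff() works in milliseconds
    $xpath = "*[System[EventID=$EventId and TimeCreated[timediff(@SystemTime) <= $WindowMs]]]"
    # Get-WinEvent raises an error when nothing matches; treat that as zero
    @(Get-WinEvent -LogName $LogName -FilterXPath $xpath -ErrorAction SilentlyContinue).Count
}

function Get-PowerShellLoggingState {
    [PSCustomObject]@{
        # PowerShell 2 and later: execution policy (not a security measure, as noted above)
        ExecutionPolicy       = Get-PolicyValue '' 'ExecutionPolicy'
        # PowerShell 3 / KB2819745: module logging and Update-Help source path
        ModuleLogging         = (Get-PolicyValue 'ModuleLogging' 'EnableModuleLogging') -eq 1
        UpdateHelpSourcePath  = Get-PolicyValue 'UpdatableHelp' 'DefaultSourcePath'
        # PowerShell 4 / KB3000850: script block logging and transcription
        ScriptBlockLogging    = (Get-PolicyValue 'ScriptBlockLogging' 'EnableScriptBlockLogging') -eq 1
        Transcription         = (Get-PolicyValue 'Transcription' 'EnableTranscripting') -eq 1
        TranscriptDirectory   = Get-PolicyValue 'Transcription' 'OutputDirectory'
        # Event volume over the last hour, to judge how verbose each setting is here
        PipelineEvents800     = Get-RecentEventCount 'Windows PowerShell' 800
        ModuleEvents4103      = Get-RecentEventCount 'Microsoft-Windows-PowerShell/Operational' 4103
        ScriptBlockEvents4104 = Get-RecentEventCount 'Microsoft-Windows-PowerShell/Operational' 4104
    }
}

# Run from an elevated prompt so the policy keys and logs are readable
Get-PowerShellLoggingState | Format-List
```

A $false or empty value for a setting you expect to be enabled means the GPO has not been applied on that host, which is worth checking before relying on the central event collection for forensics.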
