Logging

Enable Logging in Registry

Setting these values directly in the registry may be useful when logging is enabled through a deployment or logon script.

  • Enable ScriptBlock Logging

    • HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging

      • EnableScriptBlockLogging = 1

  • Enable Module Logging

    • HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging

      • EnableModuleLogging = 1

    • HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames

      • * = *

  • Transcription

    • HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\Transcription\

      • EnableInvocationHeader = 1

      • EnableTranscripting = 1

      • OutputDirectory = <path_to_directory>
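
The settings listed above, applied and then read back from a deployment or logon script. This is an added example, not part of the original page; the parameter names `OutputDirectory` and `PolicyRoot` and the value types (DWORD for the flags, string for `*` and `OutputDirectory`) are assumptions of the example, and the keys and values are the ones listed above.

```powershell
# Added example (not from the original page). Run elevated: it writes under HKLM.
param(
    # Transcript destination; the page leaves this as <path_to_directory>.
    [Parameter(Mandatory)] [string] $OutputDirectory,
    # Policy root exactly as listed on this page.
    [string] $PolicyRoot = 'HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell'
)

$DWord  = [Microsoft.Win32.RegistryValueKind]::DWord
$String = [Microsoft.Win32.RegistryValueKind]::String

# One row per setting in the list above: subkey, value name, data, type.
$settings = @(
    @{ Key = 'ScriptBlockLogging';        Name = 'EnableScriptBlockLogging'; Data = 1;                Kind = $DWord  }
    @{ Key = 'ModuleLogging';             Name = 'EnableModuleLogging';      Data = 1;                Kind = $DWord  }
    @{ Key = 'ModuleLogging\ModuleNames'; Name = '*';                        Data = '*';              Kind = $String }
    @{ Key = 'Transcription';             Name = 'EnableInvocationHeader';   Data = 1;                Kind = $DWord  }
    @{ Key = 'Transcription';             Name = 'EnableTranscripting';      Data = 1;                Kind = $DWord  }
    @{ Key = 'Transcription';             Name = 'OutputDirectory';          Data = $OutputDirectory; Kind = $String }
)

foreach ($s in $settings) {
    # Registry.SetValue creates any missing subkey and takes the value name
    # literally, so the '*' value under ModuleNames is written as-is.
    [Microsoft.Win32.Registry]::SetValue("$PolicyRoot\$($s.Key)", $s.Name, $s.Data, $s.Kind)
}

# Read every value back so a failed or partial write is reported, not assumed.
$failed = foreach ($s in $settings) {
    $actual = [Microsoft.Win32.Registry]::GetValue("$PolicyRoot\$($s.Key)", $s.Name, $null)
    if ("$actual" -ne "$($s.Data)") {
        "$($s.Key)\$($s.Name): expected '$($s.Data)', found '$actual'"
    }
}

if ($failed) {
    $failed | Write-Warning
    exit 1
}
Write-Output "PowerShell logging policy values set under $PolicyRoot"
```

The non-zero exit code on a mismatch lets the deployment tool flag hosts where logging was not actually enabled.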

The PowerShell Operational Log may be found here:

%SystemRoot%\system32\winevt\logs\Microsoft-Windows-PowerShell%4Operational.evtx

Find ScriptBlock Logging Events in Event Logger

Applications and Services Logs > Microsoft > Windows > PowerShell > Operational > Event ID 4104 Scriptblock
