{
	"id": "b6c019d7-eb96-4701-98df-7475520501f9",
	"created_at": "2026-04-06T00:15:20.095463Z",
	"updated_at": "2026-04-10T03:20:27.255922Z",
	"deleted_at": null,
	"sha1_hash": "6ddb1dafaba927d0e574aaa015487fb8e8cc65f8",
	"title": "about_Logging_Windows - PowerShell",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 67142,
	"plain_text": "about_Logging_Windows - PowerShell\r\nBy sdwheeler\r\nArchived: 2026-04-05 21:49:28 UTC\r\nPowerShell logs internal operations from the engine, providers, and cmdlets to the Windows event log.\r\nPowerShell logs details about PowerShell operations, such as starting and stopping the engine and providers, and\r\nexecuting PowerShell commands.\r\nFor information about logging in Windows PowerShell 5.1, see about_Logging.\r\nPowerShell supports configuring two categories of logging:\r\nModule logging - Record the pipeline execution events for members of specified modules. Module logging\r\nmust be enabled for both the session and specific modules. For more information about configuring this\r\nlogging, see about_PowerShell_Config.\r\nIf module logging is enabled through configuration, you can enable and disable logging for specific\r\nmodules in a session by setting the value of the LogPipelineExecutionDetails property of the module.\r\nFor example, to enable module logging for the PSReadLine module:\r\n$psrl = Get-Module PSReadLine\r\n$psrl.LogPipelineExecutionDetails = $true\r\nGet-Module PSReadLine | Select-Object Name, LogPipelineExecutionDetails\r\nName LogPipelineExecutionDetails\r\n---- ---------------------------\r\nPSReadLine True\r\nScript block logging - Record the processing of commands, scriptblocks, functions, and scripts whether\r\ninvoked interactively, or through automation.\r\nWhen you enable Script Block Logging, PowerShell records the content of all scriptblocks that it\r\nprocesses. Once enabled, any new PowerShell session logs this information. For more information, see\r\nEnabling scriptblock Logging.\r\nUnlike Linux or macOS, Windows requires the event provider to be registered before events can be written to the\r\nevent log. 
To enable the PowerShell event provider, run the following command from an elevated PowerShell prompt.\r\n$PSHOME\\RegisterManifest.ps1\r\nhttps://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7\r\nPage 1 of 4\r\nPowerShell logs can be viewed using the Windows Event Viewer. The event log is located in the Application and Services Logs group and is named PowerShellCore. The associated ETW provider GUID is {f90714a8-5509-434a-bf6d-b1624c8a19a2}.\r\nWhen Script Block Logging is enabled, PowerShell logs the following events to the PowerShellCore/Operational log:\r\nField    Value\r\nEventId  4104 / 0x1008\r\nChannel  Operational\r\nLevel    Verbose\r\nOpcode   Create\r\nTask     CommandStart\r\nKeyword  Runspace\r\nRegistering the event provider places a lock on the binary library used to decode events. To update this library, the provider must be unregistered to release this lock. To unregister the PowerShell provider, run the following command from an elevated PowerShell prompt.\r\n$PSHOME\\RegisterManifest.ps1 -Unregister\r\nAfter updating PowerShell, run $PSHOME\\RegisterManifest.ps1 again to register the updated event provider.\r\nWhen you enable Script Block Logging, PowerShell records the content of all script blocks that it processes. 
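The following is an added example, not code from the original page, showing how a defender consumes these 4104 events: it checks that the PowerShellCore/Operational log exists (the provider must be registered), reads the 4104 records, reassembles script blocks that PowerShell split across several events, and flags the reassembled text against a few heuristics. The property layout of a 4104 record (MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path), the function names, the heuristic patterns and the sample records are assumptions constructed for this example.

```powershell
# Added example (not from the original page): reassemble 4104 script block events
# from PowerShellCore/Operational and flag ones worth a closer look.
# Assumed 4104 property order: [0] MessageNumber, [1] MessageTotal,
# [2] ScriptBlockText, [3] ScriptBlockId, [4] Path.

function Get-ScriptBlockLogRecord {
    param([string]$LogName = 'PowerShellCore/Operational', [int]$MaxEvents = 500)
    # The log only exists once the provider has been registered.
    if (-not (Get-WinEvent -ListLog $LogName -ErrorAction SilentlyContinue)) {
        throw ('Log {0} not found; run {1}\\RegisterManifest.ps1 from an elevated prompt.' -f $LogName, $PSHOME)
    }
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 4104 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                TimeCreated     = $_.TimeCreated
                MessageNumber   = [int]$_.Properties[0].Value
                MessageTotal    = [int]$_.Properties[1].Value
                ScriptBlockText = [string]$_.Properties[2].Value
                ScriptBlockId   = [string]$_.Properties[3].Value
                Path            = [string]$_.Properties[4].Value
            }
        }
}

# Large script blocks are logged as several 4104 events sharing one ScriptBlockId;
# put the pieces back in MessageNumber order and note whether all pieces arrived.
function Join-ScriptBlockRecord {
    param([Parameter(ValueFromPipeline)] $Record)
    begin { $groups = @{} }
    process {
        if (-not $groups.ContainsKey($Record.ScriptBlockId)) {
            $groups[$Record.ScriptBlockId] = [System.Collections.Generic.List[object]]::new()
        }
        $groups[$Record.ScriptBlockId].Add($Record)
    }
    end {
        foreach ($id in $groups.Keys) {
            $parts = @($groups[$id] | Sort-Object MessageNumber)
            [pscustomobject]@{
                ScriptBlockId = $id
                Complete      = ($parts.Count -eq $parts[0].MessageTotal)
                Path          = $parts[0].Path
                Text          = -join $parts.ScriptBlockText
            }
        }
    }
}

# Constructed heuristics for illustration only; tune them to your environment.
function Test-SuspiciousScriptBlock {
    param([string]$Text)
    $patterns = @('FromBase64String', 'Invoke-Expression', 'IEX ', 'DownloadString',
                  'Net.WebClient', '-EncodedCommand', '-enc ')
    $hits = @($patterns | Where-Object { $Text -match [regex]::Escape($_) })
    [pscustomobject]@{ Suspicious = ($hits.Count -gt 0); Matched = $hits }
}

# Constructed sample: one script block split into two out-of-order events plus a benign one.
$sample = @(
    [pscustomobject]@{ MessageNumber = 2; MessageTotal = 2; ScriptBlockId = 'a1'; ScriptBlockText = 'Invoke-Expression $x'; Path = '' }
    [pscustomobject]@{ MessageNumber = 1; MessageTotal = 2; ScriptBlockId = 'a1'; ScriptBlockText = '$x = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($b)); '; Path = '' }
    [pscustomobject]@{ MessageNumber = 1; MessageTotal = 1; ScriptBlockId = 'b2'; ScriptBlockText = 'Get-Process | Sort-Object CPU'; Path = 'C:\\tools\\top.ps1' }
)
$sample | Join-ScriptBlockRecord | ForEach-Object {
    $t = Test-SuspiciousScriptBlock $_.Text
    [pscustomobject]@{ Id = $_.ScriptBlockId; Complete = $_.Complete; Suspicious = $t.Suspicious
                       Matched = ($t.Matched -join ','); Text = $_.Text }
} | Format-Table -Wrap

# Against a live host (elevated, Script Block Logging enabled, provider registered):
# Get-ScriptBlockLogRecord | Join-ScriptBlockRecord |
#     Where-Object { (Test-SuspiciousScriptBlock $_.Text).Suspicious }
```

The reassembly step matters in practice: an attacker's decoder and the payload it feeds often land in different 4104 events, so a pattern that would fire on the whole block can miss every fragment taken on its own. The Complete flag tells you when a fragment is still missing, which is common when -MaxEvents cuts a multi-part block in half.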
Once enabled, any new PowerShell session logs this information.\r\nNote\r\nIt's recommended to enable Protected Event Logging, as described below, when using Script Block Logging for anything other than diagnostic purposes.\r\nScript Block Logging can be enabled via Group Policy or a registry setting.\r\nTo enable Script Block Logging through Group Policy, enable the Turn on PowerShell Script Block Logging feature in Group Policy through Administrative Templates -\u003e PowerShell Core.\r\nTo enable it through the registry instead, define and run the following function. It writes the same policy value that Group Policy sets, and must be run from an elevated prompt because it writes under HKLM:\r\nfunction Enable-PSScriptBlockLogging {\r\n    $basePath = @(\r\n        'HKLM:\\Software\\Policies\\Microsoft'\r\n        'PowerShellCore\\ScriptBlockLogging'\r\n    ) -join '\\'\r\n    if (-not (Test-Path $basePath)) {\r\n        $null = New-Item $basePath -Force\r\n    }\r\n    # Group Policy stores this value as a REG_DWORD of 1.\r\n    Set-ItemProperty $basePath -Name EnableScriptBlockLogging -Value 1 -Type DWord\r\n}\r\nEnable-PSScriptBlockLogging\r\nYou can also set the ScriptBlockLogging option in the powershell.config.json file that controls how PowerShell behaves. For more information, see about_PowerShell_Config.\r\nIncreasing the level of logging on a system increases the possibility that logged content may contain sensitive data. For example, with script logging enabled, credentials or other sensitive data used by a script can be written to the event log. When a machine that has logged sensitive data is compromised, the logs can provide an attacker with information needed to extend their reach.\r\nTo protect this information, Windows 10 introduces Protected Event Logging. Protected Event Logging lets participating applications encrypt sensitive data written to the event log. Later, you can decrypt and process these logs on a more secure and centralized log collector.\r\nEvent log content is protected using the IETF Cryptographic Message Syntax (CMS) standard. CMS uses public key cryptography. 
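As an added example that is not part of the original page, the script below walks through the CMS round trip Protected Event Logging relies on: it creates a test certificate, checks it against the two requirements the policy imposes on the certificate (the Document Encryption enhanced key usage 1.3.6.1.4.1.311.80.1 and a Data Encipherment or Key Encipherment key usage), encrypts a string with nothing but the exported public certificate, and decrypts it with the private key using the same Unprotect-CmsMessage cmdlet that decrypts protected log entries. The certificate subject, file name, secret string and function name are constructed for the example; the registry path in the trailing comment is given from memory of the PowerShell source and is marked to be confirmed.

```powershell
# Added example (not from the original page): build a certificate that meets the
# Protected Event Logging requirements, check it, and round-trip a message through
# the CMS cmdlets PowerShell uses for the log. Windows only (New-SelfSignedCertificate).
using namespace System.Security.Cryptography.X509Certificates

$DocumentEncryptionEku = '1.3.6.1.4.1.311.80.1'

# Checks the two requirements stated by the policy: the Document Encryption EKU
# and a Data Encipherment or Key Encipherment key usage.
function Test-ProtectedEventLoggingCertificate {
    param([Parameter(Mandatory)] [X509Certificate2] $Certificate)
    $eku = $Certificate.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
    $hasEku = [bool]($eku.EnhancedKeyUsages | Where-Object Value -eq $DocumentEncryptionEku)
    $ku = $Certificate.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] }
    $flags = if ($ku) { $ku.KeyUsages } else { [X509KeyUsageFlags]::None }
    $hasKu = [bool]($flags -band ([X509KeyUsageFlags]::DataEncipherment -bor [X509KeyUsageFlags]::KeyEncipherment))
    [pscustomobject]@{
        Thumbprint               = $Certificate.Thumbprint
        HasDocumentEncryptionEku = $hasEku
        HasEnciphermentKeyUsage  = $hasKu
        Usable                   = ($hasEku -and $hasKu)
    }
}

# Test key pair in the current user's store. In production the pair is generated
# at the collector and only the public certificate is deployed to logging hosts.
$cert = New-SelfSignedCertificate -Subject 'CN=PEL example' -Type DocumentEncryptionCert -KeyUsage KeyEncipherment, DataEncipherment -CertStoreLocation 'Cert:\\CurrentUser\\My' -NotAfter (Get-Date).AddDays(30)
Test-ProtectedEventLoggingCertificate $cert | Format-List

# Export only the public certificate (DER, no private key): this is what goes to
# the logging hosts and what the policy setting points at.
$publicCer = Join-Path ([IO.Path]::GetTempPath()) 'pel-example.cer'
Export-Certificate -Cert $cert -FilePath $publicCer | Out-Null

# A logging host needs nothing but the public certificate to encrypt...
$secret = 'ConvertTo-SecureString Winter2026! -AsPlainText -Force'
$cms = Protect-CmsMessage -To $publicCer -Content $secret
(Get-CmsMessage -Content $cms).Recipients | Format-List   # names the recipient, reveals no content

# ...and only a holder of the private key (here, the same machine) can decrypt.
$plain = Unprotect-CmsMessage -Content $cms
if ($plain -ne $secret) { throw 'CMS round trip failed' }

# On the collector, with the private key installed, protected 4104 entries decrypt
# the same way:
#   Get-WinEvent PowerShellCore/Operational | Where-Object Id -eq 4104 | Unprotect-CmsMessage

# Values the Group Policy setting writes (path recalled from the PowerShell source;
# confirm against the ADMX in your environment before relying on it):
#   HKLM:\\Software\\Policies\\Microsoft\\Windows\\EventLog\\ProtectedEventLogging
#     EnableProtectedEventLogging = 1 (REG_DWORD)
#     EncryptionCertificate       = <thumbprint, subject, path, or base-64 certificate>

# Clean up the test material.
Remove-Item $publicCer
Get-ChildItem 'Cert:\\CurrentUser\\My' | Where-Object Thumbprint -eq $cert.Thumbprint | Remove-Item
```

Run the certificate check against whatever you intend to deploy before turning the policy on: a certificate that lacks the Document Encryption EKU is silently unusable for CMS, and a host configured with one cannot protect anything, which is worse than noticing at rollout. Keep the private key off every logging host; the only place it should exist is where Unprotect-CmsMessage runs.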
The keys used to encrypt content and decrypt content are kept separate. The public key can be shared widely and isn't sensitive data. Any content encrypted with this public key can only be decrypted by the private key. For more information about public key cryptography, see Wikipedia - Public Key Cryptography.\r\nTo enable a Protected Event Logging policy, deploy a public key to all machines that have event log data to protect. The corresponding private key is used to post-process the event logs at a more secure location such as a central event log collector or SIEM aggregator. You can set up SIEM in Azure. For more information, see Generic SIEM integration.\r\nTo enable Protected Event Logging, enable the Enable Protected Event Logging feature in Group Policy through Administrative Templates -\u003e Windows Components -\u003e Event Logging. This setting requires an encryption certificate, which you can provide in one of several forms:\r\nThe content of a base-64 encoded X.509 certificate (for example, as offered by the Export option in Certificate Manager).\r\nThe thumbprint of a certificate that can be found in the Local Machine certificate store (can be deployed by PKI infrastructure).\r\nThe full path to a certificate (can be local, or a remote share).\r\nThe path to a directory containing a certificate or certificates (can be local, or a remote share).\r\nThe subject name of a certificate that can be found in the Local Machine certificate store (can be deployed by PKI infrastructure).\r\nThe resulting certificate must have Document Encryption as an enhanced key usage (1.3.6.1.4.1.311.80.1), and either the Data Encipherment or the Key Encipherment key usage enabled.\r\nWarning\r\nThe private key shouldn't be deployed to the machines logging events. 
It should be kept in a secure location where you decrypt the messages.\r\nThe following script retrieves and decrypts events, assuming that you have the private key. It reads the PowerShellCore/Operational log described above; Microsoft-Windows-PowerShell/Operational is the log written by Windows PowerShell 5.1 (see about_Logging), so query that name instead when decrypting events collected from a 5.1 host.\r\nGet-WinEvent PowerShellCore/Operational |\r\n    Where-Object Id -EQ 4104 | Unprotect-CmsMessage\r\nSee also\r\nabout_Logging_Non-Windows\r\nPowerShell the Blue Team\r\nGeneric SIEM integration\r\nSource: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7"
	],
	"report_names": [
		"about_logging_windows?view=powershell-7"
	],
	"threat_actors": [],
	"ts_created_at": 1775434520,
	"ts_updated_at": 1775791227,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6ddb1dafaba927d0e574aaa015487fb8e8cc65f8.pdf",
		"text": "https://archive.orkl.eu/6ddb1dafaba927d0e574aaa015487fb8e8cc65f8.txt",
		"img": "https://archive.orkl.eu/6ddb1dafaba927d0e574aaa015487fb8e8cc65f8.jpg"
	}
}