Enable and configure Module, Script Block, and Transcription logging in Windows PowerShell

This post will show you how to enable and configure module, script block, and transcription logging in Windows PowerShell. Module logging allows you to specify the PowerShell modules that you want to log. Script block stores PowerShell commands that are run without the output, while transcription logging records the PowerShell commands that are run along with the full result of the command.

Windows PowerShell 5.0 and above introduce new logging features which we’ll be using here. As we’re using Windows Server 2016 in this example, this is available by default. You can manually download WMF 5.0 to install in Windows Server 2008 R2 or Windows 7 SP1 and above which will give you PowerShell 5.0 if you need it in an older operating system.


This post is part of our Microsoft 70-744 Securing Windows Server 2016 exam study guide series. For more related posts and information check out our full 70-744 study guide.


Configure Module, Script Block, and Transcription PowerShell Logging

To begin open up Group Policy Management, this can be done either through Server Manager > Tools > Group Policy Management, or by running ‘gpmc.msc’ in PowerShell or Command Prompt. At this point you can either create a new policy, or edit an existing policy. In this example we’ll create a new GPO called “PowerShell Logging”.

PowerShell Logging GPO

Edit the policy, and browse to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows PowerShell. From within here, either double click or right click then select properties on the policy that you wish to edit. There are a few different policies here that we’ll now discuss.

PowerShell Group Policy Settings

Turn on Module Logging

This policy will allow us to log PowerShell cmdlets that come from a specific module that we specify. By enabling this policy setting, pipeline execution events will be stored in the Windows PowerShell log in event viewer.

Module Logging

To specify the PowerShell modules that we want to enable logging for we click the “Show…” button, which opens up the interface below. From this window we simply specify the name of the PowerShell module or modules that we wish to log for. In this example we want to log any PowerShell cmdlet provided by the SmbShare module that is run.

PowerShell Modules

If you are not sure of the module name that you need, you can run the ‘Get-Module -ListAvailable’ PowerShell cmdlet, which will print out a list of all available module names. Under the ExportedCommands column we can see the cmdlets that are included as part of the module. You can pipe the output into ‘Format-List’ to view all of it.

Get-Module List PowerShell Modules

We simply apply this policy to the site, domain, or organizational unit (OU) and then perform a system reboot as this is a computer policy and will not otherwise apply. Once booted up, we then run a PowerShell cmdlet from the SmbShare module. We’ll use Get-SmbShare in this example.

Get-SmbShare PowerShell cmdlet

Now if we view Applications and Services Logs > Windows PowerShell in event viewer we should see that this cmdlet is logged. Note that the output is not logged, we’ll cover this later.

Logged PowerShell Command

PowerShell cmdlets from modules other than SmbShare will not be logged in this manner. To test this I ran some others such as ‘Get-WindowsFeature’ however it did not display in the log.

Turn on PowerShell Script Block Logging

Enabling the script block logging PowerShell policy will store all PowerShell script input into the Microsoft-Windows-PowerShell/Operational event log. This will log various code blocks as PowerShell runs them including commands and scripts. This policy also does not log the output of the PowerShell that was run.

We can optionally select the check box to also log script block invocation start / stop events, which we have done here. Note that this may generate a large number of logs.

Script Block Logging

I’ve now created test.ps1 on the desktop which simply runs ‘Get-WindowsFeature’. After running this script and checking the Application and Services Logs > Microsoft > Windows > PowerShell > Operational event log, we can see that this activity was logged.

Logged Script Block

Turn on PowerShell Transcription

Enabling this policy will log both input and the resulting output of PowerShell into a text file. We need to specify a folder to store the logs to, in this example I’ve selected the test folder on the administrator users desktop.

PowerShell Transcription

After enabling the policy and running ‘Get-SmbShare’ in PowerShell we can view the folder specified. There’s a PowerShell transcript text file which we can open to view the logs. We can see the PowerShell cmdlet that was run as well as the output have been logged.

PowerShell Transcript Log

There’s also plenty of other useful information here, such as the version of PowerShell in use, the user that ran it, when it was run, the machine it was run on, and the process ID just to name a few examples.

Summary

We have shown you how to use group policy to enable and configure module, script block, and transcription logging in Windows PowerShell. These different policies allow us to log different components of PowerShell which is made possible thanks to the new features available in PowerShell 5.0 and above.


This post is part of our Microsoft 70-744 Securing Windows Server 2016 exam study guide series. For more related posts and information check out our full 70-744 study guide.

Leave a Comment

NOTE - You can use these HTML tags and attributes:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>