Script block logging helps you see what PowerShell scripts are running on your system. It records the code blocks executed, so you can track and troubleshoot script activity.
Script block logging in PowerShell
Introduction
You want to monitor scripts running on a server for security reasons.
You need to audit PowerShell commands executed by users.
You want to troubleshoot why a script behaves unexpectedly by seeing what code actually ran.
You are managing multiple machines and want centralized logging of PowerShell activity.
You want to detect malicious or unauthorized PowerShell usage.
Syntax
PowerShell
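if (-not (Test-Path 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging')) { New-Item -Path 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -Force | Out-Null }  # create the policy key if it is missing
Set-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -Name 'EnableScriptBlockLogging' -Value 1
This command enables script block logging by setting the EnableScriptBlockLogging registry value to 1. The policy key does not exist by default, so it is created first if it is missing; Set-ItemProperty fails when the key is absent.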
You need administrator rights to run this command.
Examples
Enables script block logging on the local machine.
PowerShell
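if (-not (Test-Path 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging')) { New-Item -Path 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -Force | Out-Null }  # create the policy key if it is missing
Set-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -Name 'EnableScriptBlockLogging' -Value 1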
Checks if script block logging is enabled.
PowerShell
Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -Name 'EnableScriptBlockLogging'
Disables script block logging by removing the EnableScriptBlockLogging registry value.
PowerShell
Remove-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -Name 'EnableScriptBlockLogging'
Sample Program
This script enables script block logging and then confirms it is enabled by reading the registry key.
PowerShell
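if (-not (Test-Path 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging')) { New-Item -Path 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -Force | Out-Null }  # create the policy key if it is missing
Set-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -Name 'EnableScriptBlockLogging' -Value 1
Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -Name 'EnableScriptBlockLogging' | Select-Object EnableScriptBlockLogging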
Important Notes
Script block logging records the full content of PowerShell scripts run on the system.
Logs are stored in the Windows Event Log under 'Microsoft-Windows-PowerShell/Operational'.
Enabling script block logging may slightly impact system performance due to extra logging.
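The notes above say where the logs land; the following added example (not part of the original page) reads them back for review. Script block events are recorded with event ID 4104, and a long script is split across several events, so the example groups fragments by ScriptBlockId and rejoins them in order. The function name Get-LoggedScriptBlock and its MaxEvents parameter are hypothetical names chosen for this example.

```powershell
# Added example: read script block logging events (ID 4104) and rebuild
# scripts that were split across several events.
$logName = 'Microsoft-Windows-PowerShell/Operational'

function Get-LoggedScriptBlock {
    param(
        [int]$MaxEvents = 500   # assumption: how many recent events to scan
    )

    $events = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 4104 } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    # Turn each event's named EventData fields into one fragment object.
    $parts = foreach ($e in $events) {
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }
        [pscustomobject]@{
            TimeCreated   = $e.TimeCreated
            UserId        = $e.UserId          # SID of the account that ran the code
            ScriptBlockId = $data['ScriptBlockId']
            MessageNumber = [int]$data['MessageNumber']
            MessageTotal  = [int]$data['MessageTotal']
            Path          = $data['Path']      # empty for interactively typed code
            Text          = $data['ScriptBlockText']
        }
    }

    # Group fragments by ScriptBlockId and join them in MessageNumber order.
    $parts | Group-Object ScriptBlockId | ForEach-Object {
        $ordered = @($_.Group | Sort-Object MessageNumber)
        [pscustomobject]@{
            TimeCreated   = $ordered[0].TimeCreated
            UserId        = $ordered[0].UserId
            ScriptBlockId = $_.Name
            Path          = $ordered[0].Path
            # False when a fragment is missing (e.g. rolled out of the log).
            Complete      = ($ordered.Count -eq $ordered[0].MessageTotal)
            ScriptText    = ($ordered.Text -join '')
        }
    } | Sort-Object TimeCreated
}

Get-LoggedScriptBlock | Format-List TimeCreated, UserId, Path, Complete, ScriptText
```

A script block reported with Complete set to False should be treated as partial evidence, since the joined text is missing at least one fragment.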
Summary
Script block logging helps track PowerShell script execution for security and troubleshooting.
It is enabled by setting the EnableScriptBlockLogging registry value with PowerShell commands.
Logs appear in the Windows Event Log for review.