Bird
Raised Fist0
PowerShellscripting~5 mins

Script block logging in PowerShell - Cheat Sheet & Quick Revision

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Recall & Review
beginner
What is Script Block Logging in PowerShell?
Script Block Logging records the full content of all PowerShell script blocks that run on a system. It helps track what commands and scripts are executed for security and troubleshooting.
Click to reveal answer
intermediate
How do you enable Script Block Logging using Group Policy?
Go to Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell, then enable 'Turn on PowerShell Script Block Logging'.
Click to reveal answer
beginner
Which Windows Event Log channel stores Script Block Logging events?
Script Block Logging events are stored in the 'Microsoft-Windows-PowerShell/Operational' event log channel.
Click to reveal answer
intermediate
What is the benefit of Script Block Logging for security teams?
It helps detect malicious scripts by capturing the exact code run, even if scripts are obfuscated or run from memory, improving threat detection.
Click to reveal answer
intermediate
Can Script Block Logging impact system performance?
Yes, enabling Script Block Logging can add overhead because it records detailed script content, so it should be used thoughtfully in production environments.
Click to reveal answer
Where are PowerShell Script Block Logging events stored?
ASecurity log
BMicrosoft-Windows-PowerShell/Operational log
CSystem log
DApplication log
What does Script Block Logging capture?
AOnly error messages from scripts
BNetwork traffic details
CUser login events
DFull content of executed PowerShell script blocks
How can you enable Script Block Logging on a Windows machine?
AEnable it via Group Policy under Windows PowerShell settings
BInstall a third-party tool
CRun a PowerShell command to disable logging
DIt is enabled by default
What is a potential downside of enabling Script Block Logging?
ADisables PowerShell entirely
BLoss of script execution data
CIncreased system resource usage
DPrevents script execution
Why is Script Block Logging useful for security monitoring?
AIt captures exact script code, helping detect malicious activity
BIt blocks all scripts automatically
CIt encrypts all PowerShell scripts
DIt disables PowerShell remoting
Explain what Script Block Logging is and how it helps in monitoring PowerShell activity.
Think about what details you want to see when a script runs.
You got /3 concepts.
    Describe the steps to enable Script Block Logging on a Windows system using Group Policy.
    Focus on the path inside Group Policy and the specific setting name.
    You got /3 concepts.

      Practice

      (1/5)
      1. What is the main purpose of PowerShell script block logging?
      easy
      A. To automatically fix errors in scripts
      B. To speed up script execution by caching commands
      C. To record executed PowerShell commands for security and troubleshooting
      D. To encrypt PowerShell scripts for protection

      Solution

      1. Step 1: Understand script block logging purpose

        Script block logging records the commands run in PowerShell scripts to help track activity.

      2. Step 2: Compare options to purpose

        Only "To record executed PowerShell commands for security and troubleshooting" matches the purpose of recording commands for security and troubleshooting.

      3. Final Answer:

        To record executed PowerShell commands for security and troubleshooting -> Option C

      4. Quick Check:

        Script block logging = record commands [OK]
      Hint: Remember: logging means recording actions, not speeding or fixing [OK]
      Common Mistakes:
      • Confusing logging with script optimization
      • Thinking it encrypts scripts
      • Assuming it auto-fixes errors
      2. Which PowerShell command correctly enables script block logging by setting the registry key?
      easy
      A. Set-ExecutionPolicy -Scope LocalMachine -ExecutionPolicy ScriptBlockLogging
      B. Enable-ScriptBlockLogging -Value 1
      C. New-Item -Path 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell' -Name 'ScriptBlockLogging' -Value 1
      D. Set-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -Name 'EnableScriptBlockLogging' -Value 1

      Solution

      1. Step 1: Identify correct registry path and property

        The registry path for script block logging is under HKLM\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging with property EnableScriptBlockLogging.

      2. Step 2: Match command syntax

        Set-ItemProperty sets a registry value correctly. Set-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -Name 'EnableScriptBlockLogging' -Value 1 uses correct path, property, and value 1 to enable logging.

      3. Final Answer:

        Set-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -Name 'EnableScriptBlockLogging' -Value 1 -> Option D

      4. Quick Check:

        Set-ItemProperty + correct path = enable logging [OK]
      Hint: Use Set-ItemProperty with full registry path to enable logging [OK]
      Common Mistakes:
      • Using non-existent cmdlets like Enable-ScriptBlockLogging
      • Incorrect registry paths
      • Confusing execution policy with logging
      3. Given the registry key is set to enable script block logging, what event log source will you check to see logged script blocks?
      medium
      A. Windows PowerShell
      B. Application
      C. Security
      D. System

      Solution

      1. Step 1: Identify where PowerShell logs script block events

        PowerShell script block logging events appear in the Windows PowerShell event log under Applications and Services Logs.

      2. Step 2: Match event log source

        The correct source is 'Windows PowerShell', not general logs like Application, Security, or System.

      3. Final Answer:

        Windows PowerShell -> Option A

      4. Quick Check:

        Script block logs appear in Windows PowerShell log [OK]
      Hint: Check 'Windows PowerShell' log for script block events [OK]
      Common Mistakes:
      • Looking in Application or System logs
      • Confusing Security log with script block logging
      • Not knowing event log sources
      4. You enabled script block logging but no events appear in the Windows PowerShell log. What is a likely cause?
      medium
      A. The registry key was set under the wrong registry hive
      B. PowerShell script execution is disabled
      C. The event log service is stopped
      D. The script block logging feature is only for PowerShell 5.0 and above

      Solution

      1. Step 1: Check registry hive correctness

        Script block logging requires setting the key under HKLM (local machine). Setting it under HKCU or wrong hive causes no logging.

      2. Step 2: Evaluate other options

        PowerShell execution policy does not block logging; event log service stopping would affect all logs; script block logging works in PowerShell 5.0+ but question assumes correct version.

      3. Final Answer:

        The registry key was set under the wrong registry hive -> Option A

      4. Quick Check:

        Wrong registry hive = no logs [OK]
      Hint: Always set registry keys under HKLM for script block logging [OK]
      Common Mistakes:
      • Setting keys under HKCU instead of HKLM
      • Assuming execution policy blocks logging
      • Ignoring event log service status
      5. You want to enable script block logging only for scripts running under a specific user account without affecting others. Which approach is best?
      hard
      A. Set the EnableScriptBlockLogging registry key under HKLM for all users
      B. Modify the PowerShell profile script to log commands manually
      C. Use Group Policy to enable script block logging for all users
      D. Set the EnableScriptBlockLogging registry key under HKCU for that user

      Solution

      1. Step 1: Understand scope of script block logging

        Built-in script block logging is a machine-wide feature configured under HKLM or Group Policy, affecting all users.

      2. Step 2: Identify per-user alternative

        HKCU does not enable script block logging (as it requires HKLM). Modifying the user's PowerShell profile to manually log commands (e.g., Start-Transcript) achieves per-user logging without affecting others.

      3. Final Answer:

        Modify the PowerShell profile script to log commands manually -> Option B

      4. Quick Check:

        Per-user logging = profile script [OK]
      Hint: Use PowerShell profile for per-user command logging [OK]
      Common Mistakes:
      • Using HKLM or Group Policy which affects all users
      • Setting HKCU key (does not enable built-in logging)
      • Assuming built-in logging supports per-user config