In this post, I will cover the different types available and the methods available to enable PowerShell logging. I will also provide examples and additional tips for effective PowerShell logging.
Table of Contents
- What is PowerShell Logging?
- Custom Logging Function
- Why Have PowerShell Logging Enabled?
- Enabling Transcript Logging in a Script Session
- Enabling PowerShell Logging System Wide via Group Policy
- Enabling PowerShell Logging System Wide via the Registry
- Where are PowerShell Logs Saved?
- Increasing the PowerShell Log Size
- Best Practices for PowerShell Logging
- Conclusion
What is PowerShell Logging?
As the name suggests, PowerShell logging records PowerShell commands and scripts executed on a computer. This provides visibility into what actions are being performed, which is crucial for security, auditing, and troubleshooting.
There are four main types of built-in PowerShell logging you can enable, and each has a specific use case. You can also write your own custom logging function; a basic example function is given below.
Script Block Logging
Script Block Logging captures the content of all script blocks processed by the PowerShell engine, including dynamically generated code. This is especially useful for detecting obfuscated or malicious scripts.
Crucially, this is enabled at the computer level, meaning you get an event log entry for every PowerShell script executed on the computer, which is critical for detecting any suspicious activity.
Transcript Logging
Transcript Logging records all input and output of a PowerShell session, similar to a command-line session log. This is helpful for auditing and troubleshooting the executing script.
Transcript logging can be enabled in two ways:
- In a script, using the Start-Transcript and Stop-Transcript commands
- System wide via Group Policy or the registry. In this configuration the result is similar to having script block logging enabled, the difference being that the script output is saved to the filesystem rather than the Windows Event Log.
Module Logging
Module Logging logs pipeline execution details as PowerShell modules are loaded and used. You can specify which modules to log for more targeted monitoring.
As with Script Block logging, this one is enabled at the computer level. It is recommended to only log the activity for select modules, not all.
Engine Logging
Logs any stop or start event for the PowerShell engine.
Custom Logging Function
If the inbuilt logging doesn’t suit your needs, you can of course write a function for your own use case.
Example Function:
function Write-Log {
    param (
        [string]$Message,
        [string]$LogFile = "C:\Logs\log.txt"
    )
    # Make sure the log directory exists; Add-Content creates the file but not the folder
    $logDir = Split-Path -Path $LogFile -Parent
    if ($logDir -and -not (Test-Path -Path $logDir)) {
        New-Item -Path $logDir -ItemType Directory -Force | Out-Null
    }
    # Prefix each entry with a timestamp so it can be correlated with other logs
    $timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
    $entry = "$timestamp - $Message"
    # Append the entry to the log file
    Add-Content -Path $LogFile -Value $entry
}
Usage Example:
Write-Log -Message "This is a log entry." -LogFile "C:\Logs\mylog.txt"
Output Example:
2026-02-16 14:23:45 - This is a log entry.
2026-02-16 14:24:10 - Another message to log.
2026-02-16 14:25:01 - Error: File not found.
Why Have PowerShell Logging Enabled?
The main reasons are:
Security
PowerShell is a powerful tool often used by attackers after gaining access to a system for reconnaissance, lateral movement, and persistence. Enabling logging helps you:
- Detect suspicious or unauthorized activity
- Investigate incidents and understand the scope of an attack
- Potentially reverse or mitigate malicious actions
Script block logging is highly recommended for security.
Troubleshooting and Accountability
Having a log of executed scripts and commands can help you:
- Identify the root cause of issues
- Track changes made by users or administrators
- Resolve problems when no one admits to making a change
Enabling Transcript Logging in a Script Session
In your script you can start and stop transcript logging for a certain section (or sections), or for the whole script.
When you start the transcript, you define the output log file.
Example:
Start-Transcript -Path "C:\Logs\PowerShellTranscript.txt"
# ...run your commands...
Stop-Transcript
Enabling PowerShell Logging System Wide via Group Policy
To enable PowerShell logging using Group Policy:
1. Open the Group Policy Management Console (GPMC).
2. Create a new Group Policy Object or edit an existing one.
3. Navigate to Computer Configuration => Administrative Templates => Windows Components => Windows PowerShell.
4. Here, you will find settings for:
- Turn on PowerShell Script Block Logging
- Turn on PowerShell Module Logging
- Turn on PowerShell Transcription
5. Enable the desired settings and specify any additional options, such as which modules to log or where to save transcripts.
6. Apply the policy to the relevant Organizational Units (OUs).
These settings will be applied to all computers within the scope of the GPO after a Group Policy update.
Enabling PowerShell Logging System Wide via the Registry
If you do not have access to Group Policy, you can enable logging directly via the Windows Registry:
1. Open regedit.exe as an administrator.
2. Navigate to the following keys:
For Script Block Logging:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
- Set EnableScriptBlockLogging to 1 (DWORD)
For Module Logging:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging
- Set EnableModuleLogging to 1 (DWORD)
For Transcription:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription
- Set EnableTranscripting to 1 (DWORD)
- Optionally, set OutputDirectory to specify where transcripts are saved.
After making these changes, restart PowerShell or reboot the system for the settings to take effect.
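The registry steps above as a script, an added example that is not part of the original post. It assumes an elevated session, the value names and key paths listed above, the standard ModuleNames subkey for selecting which modules Module Logging covers, and an example transcript directory of C:\Logs\PowerShellTranscripts; it then reads the values back so the configuration can be verified.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell session.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Set-PolicyValue {
    param([string]$Key, [string]$Name, $Value, [string]$Type = 'DWord')
    # Policy keys do not exist until a policy has been set, so create them on demand
    if (-not (Test-Path -Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# Script Block Logging: every script block the engine compiles is written to the event log
Set-PolicyValue -Key "$base\ScriptBlockLogging" -Name 'EnableScriptBlockLogging' -Value 1

# Module Logging: log pipeline execution for the modules listed under ModuleNames.
# '*' covers all modules; replace it with specific module names to narrow the scope,
# as the post recommends.
Set-PolicyValue -Key "$base\ModuleLogging" -Name 'EnableModuleLogging' -Value 1
Set-PolicyValue -Key "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*' -Type 'String'

# Transcription: write session transcripts to a chosen directory (assumed path)
$transcriptDir = 'C:\Logs\PowerShellTranscripts'
Set-PolicyValue -Key "$base\Transcription" -Name 'EnableTranscripting' -Value 1
Set-PolicyValue -Key "$base\Transcription" -Name 'OutputDirectory' -Value $transcriptDir -Type 'String'

# Read the values back so the change can be verified here or audited on other hosts
function Get-PowerShellLoggingPolicy {
    $sbl = Get-ItemProperty -Path "$base\ScriptBlockLogging" -ErrorAction SilentlyContinue
    $mod = Get-ItemProperty -Path "$base\ModuleLogging"      -ErrorAction SilentlyContinue
    $trn = Get-ItemProperty -Path "$base\Transcription"      -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        ScriptBlockLogging = $sbl.EnableScriptBlockLogging
        ModuleLogging      = $mod.EnableModuleLogging
        Transcription      = $trn.EnableTranscripting
        TranscriptDir      = $trn.OutputDirectory
    }
}
Get-PowerShellLoggingPolicy
```

Transcripts contain every command and its output, so restrict the transcript directory so that ordinary users cannot read or delete other users' transcripts.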
Where are PowerShell Logs Saved?
PowerShell logs are saved in different locations depending on the type of logging:
- Script Block and Module Logging: Events are written to the Windows Event Log under **Applications and Services Logs => Windows PowerShell**. Event IDs of significance:
- 4103 = Module Logging - Pipeline Execution
- 4104 = Script Block Logging - Code Execution
- 4105 = Script Block Logging - Start
- 4106 = Script Block Logging - Stop
- 40961 = PowerShell Console Starting
- 40962 = PowerShell Console Ready
- 53504 = PowerShell Remote Session
- Transcript Logging: Transcripts are saved as text files in the directory specified in Group Policy, the registry, or by the Start-Transcript command. By default, they are saved in the user’s Documents folder unless otherwise configured.
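Reading the 4104 events back is where the value of Script Block Logging shows up. The function below is an added example, not from the original post: it queries the Microsoft-Windows-PowerShell/Operational log, where 4104 events are written, and reassembles script blocks that the engine split across several events. It assumes the 4104 event property order MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path.

```powershell
# Added example (not from the original post): reassemble logged script blocks from 4104 events.
function Get-LoggedScriptBlock {
    param(
        [int]$MaxEvents = 2000,   # how many raw 4104 events to read (newest first)
        [string]$Pattern          # optional regex applied to the reassembled text
    )
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    if (-not $events) { return }

    # All parts of one script block share a ScriptBlockId; join them in MessageNumber order
    $blocks = $events | Group-Object { $_.Properties[3].Value } | ForEach-Object {
        $parts = @($_.Group | Sort-Object { [int]$_.Properties[0].Value })
        $first = $parts[0]
        [PSCustomObject]@{
            Time          = $first.TimeCreated
            # Warning level means the engine itself flagged the block as suspicious
            Level         = $first.LevelDisplayName
            ScriptBlockId = $_.Name
            Parts         = "$($parts.Count)/$($first.Properties[1].Value)"
            Path          = $first.Properties[4].Value   # empty for interactive or in-memory code
            Text          = ($parts | ForEach-Object { $_.Properties[2].Value }) -join ''
        }
    }
    $blocks |
        Where-Object { -not $Pattern -or $_.Text -match $Pattern } |
        Sort-Object -Property Time -Descending
}

# Usage: the ten most recent blocks that did not come from a script file on disk
Get-LoggedScriptBlock -MaxEvents 500 |
    Where-Object { -not $_.Path } |
    Select-Object -First 10 Time, Level, Parts, Text
```

A Parts value such as 2/3 means one part was already overwritten, which is the symptom the next section's log size increase is meant to avoid.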
Increasing the PowerShell Log Size
By default, the Windows Event Log has a maximum size limit. To ensure you do not lose valuable PowerShell logs, increase the log size:
1. Open Event Viewer.
2. Navigate to Applications and Services Logs > Windows PowerShell.
3. Right-click the log and select Properties.
4. Increase the Maximum log size (KB) as needed.
5. Choose whether to overwrite events as needed or archive the log when full.
This helps retain more historical data for investigations.
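The Event Viewer steps above can be scripted for many hosts. This is an added example, not from the original post; it assumes a 256 MB floor, Circular (overwrite as needed) retention, an elevated session, and covers both the Windows PowerShell log and the Microsoft-Windows-PowerShell/Operational log.

```powershell
# Added example (not from the original post): raise the PowerShell event log size to a floor.
function Set-PowerShellLogSize {
    param(
        [string[]]$LogName = @('Windows PowerShell', 'Microsoft-Windows-PowerShell/Operational'),
        [long]$MinimumBytes = 256MB,
        # Circular = overwrite events as needed; AutoBackup = archive the log when full
        [System.Diagnostics.Eventing.Reader.EventLogMode]$LogMode = 'Circular'
    )
    foreach ($name in $LogName) {
        $log = Get-WinEvent -ListLog $name -ErrorAction Stop
        $changed = $false
        # Only grow the log; never shrink a log that an administrator already enlarged
        if ($log.MaximumSizeInBytes -lt $MinimumBytes) {
            $log.MaximumSizeInBytes = $MinimumBytes
            $changed = $true
        }
        if ($log.LogMode -ne $LogMode) {
            $log.LogMode = $LogMode
            $changed = $true
        }
        if ($changed) { $log.SaveChanges() }   # requires an elevated session
        [PSCustomObject]@{
            Log       = $name
            MaximumMB = [math]::Round($log.MaximumSizeInBytes / 1MB)
            LogMode   = $log.LogMode
            Changed   = $changed
        }
    }
}
Set-PowerShellLogSize
```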
Best Practices for PowerShell Logging
- Regularly review your PowerShell logs for suspicious activity, or ingest them into a SIEM tool, ideally one backed by a managed solution or some form of automated detection of suspicious PowerShell activity.
- Test your logging configuration to ensure it is capturing the necessary information.
Conclusion
Enabling PowerShell logging is a critical step in securing your Windows environment and improving your ability to troubleshoot issues. By leveraging Group Policy or the registry, you can ensure comprehensive logging across your systems. Regularly review and maintain your logs to maximize their value for security and operational purposes.