Sometimes it’s the last place that admins look… Logs 🙂 Something goes wrong, and you don’t know why. Logs tell a lot! (When I deploy some Endpoint Manager packages and suddenly they don’t work, I put in some logging and discover why things don’t work) This blog post shows you a few ways to enable logging and how to read back all PowerShell actions on a device.
Out-File
This is the easiest way to capture your output in a script is by piping it to a file, for example:
Get-Service | Out-File c:\temp\services.txt -Append
This outputs your services and their state (Running/Stopped) to a services.txt file. I used the -Append parameter not to overwrite it if it already exists and appends the output of the command to it. You can use Out-File in your script to get a state of something when running the script or the values of a variable, for example:
$somevariable | Out-File c:\temp\variable.txt -Append
More information about Out-File here
Start-Transcript / Stop-Transcript.
This is very powerful and will log everything in your script to your specific file location. You enable it at the point, mainly the start, of your script by:
Start-Transcript -Path c:\temp\log.txt -Append
At the end of the script, or where you want the logging to stop, you can stop the logging by:
Stop-Transcript
This will result in a log that looks like this (I did a simple get-service and a query for the W32Time service state):
********************** Windows PowerShell transcript start Start time: 20220731120627 Username: 2D85AC64-98E1-4\WDAGUtilityAccount RunAs User: 2D85AC64-98E1-4\WDAGUtilityAccount Configuration Name: Machine: 2D85AC64-98E1-4 (Microsoft Windows NT 10.0.22621.0) Host Application: C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe Process ID: 4276 PSVersion: 5.1.22621.169 PSEdition: Desktop PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.22621.169 BuildVersion: 10.0.22621.169 CLRVersion: 4.0.30319.42000 WSManStackVersion: 3.0 PSRemotingProtocolVersion: 2.3 SerializationVersion: 1.1.0.1 ********************** Transcript started, output file is c:\temp\log.txt PS C:\Users\WDAGUtilityAccount> Get-Service | Where-Object Name -eq W32Time Status Name DisplayName ------ ---- ----------- Running W32Time Windows Time PS C:\Users\WDAGUtilityAccount> Stop-Transcript ********************** Windows PowerShell transcript end End time: 20220731120648 **********************
More information about Start/Stop-Transcript is here and here
PowerShell logging to the Windows Eventlog
You can also write log events to the Windows Eventlog. This is a nice way of making it accessible and having to possibility to have it stored in a central logging facility like Splunk, for example, if that’s configured in your environment.
Note: This works in PowerShell 5.1 but not in 7.x
You can write an event to the Windows Eventlog like this:
Write-EventLog -LogName Application -EventID 4625 -EntryType Warning -Source ‘EventSystem’ -Message ‘Maintenance has started’
This will write an event in the System log that will look like this:
There are strict rules about what Category you can use and what Eventlog you can use it in, do test this 🙂 More information about Write-Eventlog is here
Read PowerShell logging from the Windows Eventlog
You can enable logging for modules, script blocks, and transcription for all commands. There are two ways to do this.
Group Policy
In Computer Configuration / Administrative Templates / Windows Components / Windows PowerShell branch, you can configure these settings:
Turn on Module Logging
If you enable this policy setting, pipeline execution events for members of the specified modules are recorded in the Windows PowerShell logs in Event Viewer. Enabling this policy for a module is equivalent to setting the LogPipelineExecutionDetails property to True.
Turn on PowerShell Script Block Logging
If you enable the Script Block Invocation Logging, PowerShell additionally logs events when invoking a command, script block, function, or script
starts or stops. Enabling Invocation Logging generates a high volume of event logs.
Turn on PowerShell Transcription
If you enable this policy setting, Windows PowerShell will enable transcription for Windows PowerShell, the Windows PowerShell ISE, and any other applications that leverage the Windows PowerShell engine. By default, Windows PowerShell will record transcript output to each user’s My Documents directory, with a file name that includes ‘PowerShell_transcript’, along with the computer name and time started. Enabling this policy is equivalent to calling the Start-Transcript cmdlet on each Windows PowerShell session.
Registry
You can also use Registry to enable logging and perhaps monitor these keys with Proactive Remediation from Endpoint Manager and change them back if changed by someone 🙂 The source where I got these from here
Module Logging
This policy setting allows you to turn on logging for Windows PowerShell modules.
If you enable this policy setting, pipeline execution events for members of the specified modules are recorded in the Windows PowerShell logs in Event Viewer. Enabling this policy for a module is equivalent to setting the LogPipelineExecutionDetails property to True.
If you disable this policy setting, logging of execution events is disabled for all Windows PowerShell modules. Disabling this policy for a module is equivalent to setting the LogPipelineExecutionDetails property to False.
If this policy setting is not configured, the LogPipelineExecutionDetails property of a module or snap-in determines whether the execution events of a module or snap-in are logged. The LogPipelineExecutionDetails property of all modules and snap-ins is default set to False.
To add modules and snap-ins to the policy setting list, click Show and then type the module names in the list. The modules and snap-ins in the list must be installed on the computer.
Note: This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting.
Keys are:
| Registry Hive | HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER |
| Registry Path | Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging |
| Value Name | EnableModuleLogging |
| Value Type | REG_DWORD |
| Enabled Value | 1 |
| Disabled Value | 0 |
and
| Registry Hive | HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER |
| Registry Path | Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames |
| Value Name | {number} |
| Value Type | REG_SZ |
| Default Value |
To turn on logging for the Windows PowerShell core modules, type the following module names in the list:
| Registry Hive | HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER |
| Registry Path | Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames |
| Value Name | {number} |
| Value Type | REG_SZ |
| Default Value |
To turn on logging for the Windows PowerShell core modules, type the following module names in the list:
Microsoft.PowerShell.*
Microsoft.WSMan.Management
or just * for every module.
Script Block Logging
This policy setting enables logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event log. If you enable this policy setting,
Windows PowerShell will log the processing of commands, script blocks, functions, and scripts – whether invoked interactively or through automation.
If you disable this policy setting, logging of PowerShell script input is disabled.
If you enable the Script Block Invocation Logging, PowerShell additionally logs events when invoking a command, script block, function, or script
starts or stops. Enabling Invocation Logging generates a high volume of event logs.
Note: This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting.
Keys are:
| Registry Hive | HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER |
| Registry Path | Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging |
| Value Name | EnableScriptBlockLogging |
| Value Type | REG_DWORD |
| Enabled Value | 1 |
| Disabled Value | 0 |
and
| Registry Hive | HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER |
| Registry Path | Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging |
| Value Name | EnableScriptBlockInvocationLogging |
| Value Type | REG_DWORD |
| Default Value | 0 |
| True Value | 1 |
| False Value | 0 |
PowerShell Transcription
This policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts.
If you enable this policy setting, Windows PowerShell will enable transcription for Windows PowerShell, the Windows PowerShell ISE, and any other
applications that leverage the Windows PowerShell engine. By default, Windows PowerShell will record transcript output to each user’s My Documents
directory, with a file name that includes ‘PowerShell_transcript’, along with the computer name and time started. Enabling this policy is equivalent
to calling the Start-Transcript cmdlet on each Windows PowerShell session.
If you disable this policy setting, transcripting of PowerShell-based applications is disabled by default, although transcripting can still be enabled
through the Start-Transcript cmdlet.
If you use the OutputDirectory setting to enable transcript logging to a shared location, be sure to limit access to that directory to prevent users
from viewing the transcripts of other users or computers.
Note: This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting.
Keys are:
| Registry Hive | HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER |
| Registry Path | Software\Policies\Microsoft\Windows\PowerShell\Transcription |
| Value Name | EnableTranscripting |
| Value Type | REG_DWORD |
| Enabled Value | 1 |
| Disabled Value | 0 |
and for the output directory
Transcript output directory
| Registry Hive | HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER |
| Registry Path | Software\Policies\Microsoft\Windows\PowerShell\Transcription |
| Value Name | OutputDirectory |
| Value Type | REG_SZ |
| Default Value |
Include invocation headers:
| Registry Hive | HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER |
| Registry Path | Software\Policies\Microsoft\Windows\PowerShell\Transcription |
| Value Name | EnableInvocationHeader |
| Value Type | REG_DWORD |
| Default Value | 0 |
| True Value | 1 |
| False Value | 0 |