PowerShell and logging

Sometimes it’s the last place that admins look… Logs 🙂 Something goes wrong and you don’t know why, logs tell a lot! (When I deploy some Endpoint Manager packages and suddenly they don’t work, I put in some logging and discover why things don’t work) This blog post shows you a few ways to enable logging and how to read back all PowerShell actions on a device.

Out-File

This is the easiest way to capture your output in a script is by piping it to a file, for example:

Get-Service | Out-File c:\temp\services.txt -Append

This outputs your services and their state (Running/Stopped) to a services.txt file, I used the -Append parameter to not overwrite it if it already exists and appends the output of the command to it. You can use Out-File in your script to get a state of something when running the script or the values of a variable, for example:

$somevariable | Out-File c:\temp\variable.txt -Append

More information about Out-File here

Start-Transcript / Stop-Transcript.

This is very powerful and will log everything that happens in your script to a file location you specify. You enable it at the point, mostly the start, of your script by:

Start-Transcript -Path c:\temp\log.txt -Append

At the end of the script, or where you want the logging to stop, you can stop the logging by:

Stop-Transcript

This will result in a log that looks like this (I did a simple get-service and a query for the W32Time service state):

**********************
Windows PowerShell transcript start
Start time: 20220731120627
Username: 2D85AC64-98E1-4\WDAGUtilityAccount
RunAs User: 2D85AC64-98E1-4\WDAGUtilityAccount
Configuration Name: 
Machine: 2D85AC64-98E1-4 (Microsoft Windows NT 10.0.22621.0)
Host Application: C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe
Process ID: 4276
PSVersion: 5.1.22621.169
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.22621.169
BuildVersion: 10.0.22621.169
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
Transcript started, output file is c:\temp\log.txt
PS C:\Users\WDAGUtilityAccount> Get-Service | Where-Object Name -eq W32Time

Status   Name               DisplayName
------   ----               -----------
Running  W32Time            Windows Time


PS C:\Users\WDAGUtilityAccount> Stop-Transcript
**********************
Windows PowerShell transcript end
End time: 20220731120648
**********************

More information about Start/Stop-Transcript here and here

PowerShell logging to the Windows Eventlog

You can also write log events to the Windows Eventlog, this is a nice way of making it accessible and having to possibility to have it stored to a central logging facility like Splunk for example if that’s configured in your environment.

Note: This works in PowerShell 5.1 but not in 7.x

You can write an event to the Windows Eventlog like this:

Write-EventLog -LogName Application -EventID 4625 -EntryType Warning -Source ‘EventSystem’ -Message ‘Maintenance has started’

This will write an event in the System log that will look like this:

There are strict rules about what Category you can use and what Eventlog you can use it in, do test this 🙂 More information about Write-Eventlog is here

Read PowerShell logging from the Windows Eventlog

You can enable logging for modules and script blocks but also enable transcription for all commands, there are two ways for doing this.

Group Policy

In Computer Configuration / Administrative Templates / Windows Components / Windows PowerShell branch you can configure these settings:

Turn on Module Logging
If you enable this policy setting, pipeline execution events for members of the specified modules are recorded in the Windows PowerShell log in Event Viewer. Enabling this policy setting for a module is equivalent to setting the LogPipelineExecutionDetails property of the module to True.

Turn on PowerShell Script Block Logging

If you enable the Script Block Invocation Logging, PowerShell additionally logs events when invoking a command, script block, function, or script
starts or stops. Enabling Invocation Logging generates a high volume of event logs.

Turn on PowerShell Transcription

If you enable this policy setting, Windows PowerShell will enable transcription for Windows PowerShell, the Windows PowerShell ISE, and any other applications that leverage the Windows PowerShell engine. By default, Windows PowerShell will record transcript output to each user’s My Documents directory, with a file name that includes ‘PowerShell_transcript’, along with the computer name and time started. Enabling this policy is equivalent to calling the Start-Transcript cmdlet on each Windows PowerShell session.

Registry

You can also use Registry to enable logging and perhaps monitor these keys with Proactive Remediation from Endpoint Manager and change them back if changed by someone 🙂 The source where I got these from here

Module Logging

This policy setting allows you to turn on logging for Windows PowerShell modules.

If you enable this policy setting, pipeline execution events for members of the specified modules are recorded in the Windows PowerShell log in Event Viewer. Enabling this policy setting for a module is equivalent to setting the LogPipelineExecutionDetails property of the module to True.

If you disable this policy setting, logging of execution events is disabled for all Windows PowerShell modules. Disabling this policy setting for a module is equivalent to setting the LogPipelineExecutionDetails property of the module to False.

If this policy setting is not configured, the LogPipelineExecutionDetails property of a module or snap-in determines whether the execution events of a module or snap-in are logged. By default, the LogPipelineExecutionDetails property of all modules and snap-ins is set to False.

To add modules and snap-ins to the policy setting list, click Show, and then type the module names in the list. The modules and snap-ins in the list must be installed on the computer.

Note: This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting.

Keys are:

Registry HiveHKEY_LOCAL_MACHINE or HKEY_CURRENT_USER
Registry PathSoftware\Policies\Microsoft\Windows\PowerShell\ModuleLogging
Value NameEnableModuleLogging
Value TypeREG_DWORD
Enabled Value1
Disabled Value0

and

Registry HiveHKEY_LOCAL_MACHINE or HKEY_CURRENT_USER
Registry PathSoftware\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames
Value Name{number}
Value TypeREG_SZ
Default Value

To turn on logging for the Windows PowerShell core modules, type the following module names in the list:

Registry HiveHKEY_LOCAL_MACHINE or HKEY_CURRENT_USER
Registry PathSoftware\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames
Value Name{number}
Value TypeREG_SZ
Default Value

To turn on logging for the Windows PowerShell core modules, type the following module names in the list:
Microsoft.PowerShell.*
Microsoft.WSMan.Management
or just * for every module.

Script Block Logging

This policy setting enables logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event log. If you enable this policy setting,
Windows PowerShell will log the processing of commands, script blocks, functions, and scripts – whether invoked interactively or through automation.

If you disable this policy setting, logging of PowerShell script input is disabled.

If you enable the Script Block Invocation Logging, PowerShell additionally logs events when invoking a command, script block, function, or script
starts or stops. Enabling Invocation Logging generates a high volume of event logs.

Note: This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting.

Keys are:

Registry HiveHKEY_LOCAL_MACHINE or HKEY_CURRENT_USER
Registry PathSoftware\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
Value NameEnableScriptBlockLogging
Value TypeREG_DWORD
Enabled Value1
Disabled Value0

and

Registry HiveHKEY_LOCAL_MACHINE or HKEY_CURRENT_USER
Registry PathSoftware\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
Value NameEnableScriptBlockInvocationLogging
Value TypeREG_DWORD
Default Value0
True Value1
False Value0

PowerShell Transcription

This policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts.

If you enable this policy setting, Windows PowerShell will enable transcription for Windows PowerShell, the Windows PowerShell ISE, and any other
applications that leverage the Windows PowerShell engine. By default, Windows PowerShell will record transcript output to each user’s My Documents
directory, with a file name that includes ‘PowerShell_transcript’, along with the computer name and time started. Enabling this policy is equivalent
to calling the Start-Transcript cmdlet on each Windows PowerShell session.

If you disable this policy setting, transcripting of PowerShell-based applications is disabled by default, although transcripting can still be enabled
through the Start-Transcript cmdlet.

If you use the OutputDirectory setting to enable transcript logging to a shared location, be sure to limit access to that directory to prevent users
from viewing the transcripts of other users or computers.

Note: This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting.

Keys are:

Registry HiveHKEY_LOCAL_MACHINE or HKEY_CURRENT_USER
Registry PathSoftware\Policies\Microsoft\Windows\PowerShell\Transcription
Value NameEnableTranscripting
Value TypeREG_DWORD
Enabled Value1
Disabled Value0

and for the output directory

Transcript output directory

Registry HiveHKEY_LOCAL_MACHINE or HKEY_CURRENT_USER
Registry PathSoftware\Policies\Microsoft\Windows\PowerShell\Transcription
Value NameOutputDirectory
Value TypeREG_SZ
Default Value

 Include invocation headers:

Registry HiveHKEY_LOCAL_MACHINE or HKEY_CURRENT_USER
Registry PathSoftware\Policies\Microsoft\Windows\PowerShell\Transcription
Value NameEnableInvocationHeader
Value TypeREG_DWORD
Default Value0
True Value1
False Value0

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.