About PowerShell Core 6.0 logging

I’ve seen in this interview that group policy templates (ADMX files) should ship soon and allow corporate admins to control PowerShell Core ScriptBlockLogging, Transcripts, ... all the security stuff the blue team .

Procmon reveals which registry path pwsh.exe looks for:

It turns out that the policy path for PowerShell Core 6.0 differs from Windows PowerShell 5.x:
Microsoft\Windows\PowerShell is replaced by Microsoft\PowerShellCore.

Using some google fu, I came across this pull request, which has an interesting discussion and a sample powershell.config.json file. We also learn that:

On Windows, we first query GPO from registry, if the required policy is not defined, then we query policies from the configuration file.
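The lookup order quoted above (GPO first, configuration file second) is easy to reproduce from the blue team side. The script below is an added example, not code from the original post or from the PowerShell project: it checks the PowerShell Core policy key, falls back to powershell.config.json in $PSHOME, and reports which source decided the ScriptBlockLogging setting. The registry value name EnableScriptBlockLogging and the "ScriptBlockLogging" / "EnableScriptBlockLogging" keys in the JSON file are assumptions about the schema of that build; adjust them if your copy of the sample config differs.

```powershell
# Added example (not from the original post or the PowerShell project): reproduce the
# documented lookup order for the ScriptBlockLogging policy on a PowerShell Core host.
# Assumptions: a DWORD named EnableScriptBlockLogging under the ScriptBlockLogging subkey,
# and a "ScriptBlockLogging" object in powershell.config.json holding a boolean
# "EnableScriptBlockLogging" property.

function Get-PSCoreScriptBlockLoggingPolicy {
    [CmdletBinding()]
    param(
        # $PSHOME is where pwsh.exe keeps its powershell.config.json
        [string]$ConfigPath = (Join-Path $PSHOME 'powershell.config.json')
    )

    # 1. GPO wins: PowerShell Core reads Policies\Microsoft\PowerShellCore, not the
    #    Policies\Microsoft\Windows\PowerShell key that Windows PowerShell 5.x uses.
    $gpoKeys = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\PowerShellCore\ScriptBlockLogging',
        'HKCU:\SOFTWARE\Policies\Microsoft\PowerShellCore\ScriptBlockLogging'
    )
    foreach ($key in $gpoKeys) {
        $item = Get-ItemProperty -Path $key -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{
                Source  = "GPO ($key)"
                Enabled = [bool]$item.EnableScriptBlockLogging
            }
        }
    }

    # 2. No GPO value defined: fall back to the configuration file.
    if (Test-Path $ConfigPath) {
        $config  = Get-Content -Path $ConfigPath -Raw | ConvertFrom-Json
        $section = $config.ScriptBlockLogging
        if ($null -ne $section -and $null -ne $section.EnableScriptBlockLogging) {
            return [pscustomobject]@{
                Source  = "Config ($ConfigPath)"
                Enabled = [bool]$section.EnableScriptBlockLogging
            }
        }
    }

    # 3. Neither source defines the policy: nothing is enforced by policy.
    [pscustomobject]@{ Source = 'Not defined'; Enabled = $false }
}

# For comparison, the same value at the Windows PowerShell 5.x policy path.
function Get-WindowsPowerShellScriptBlockLoggingPolicy {
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $item = Get-ItemProperty -Path $key -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Source  = $key
        Enabled = ($null -ne $item) -and [bool]$item.EnableScriptBlockLogging
    }
}

Get-PSCoreScriptBlockLoggingPolicy
Get-WindowsPowerShellScriptBlockLoggingPolicy
```

Run it from pwsh.exe so that $PSHOME points at the PowerShell Core install; run from powershell.exe it would read the wrong directory. A host where both functions return Enabled = $true is the one you want, since a policy that only covers Microsoft\Windows\PowerShell leaves pwsh.exe unlogged.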

Another very useful link is the help file about_Logging.md, where you can read that:

Windows requires the event provider to be registered before logged events can appear in the event log. For PowerShell, this is accomplished by running the RegisterManifest.ps1 from an elevated PowerShell prompt.

When you have ScriptBlockLogging enabled by GPO and have registered the ETW provider, the related events appear in this location:

Get-WinEvent -ListProvider "PowerShellCore"
Get-WinEvent -LogName 'PowerShellCore/Operational' -MaxEvents 1
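Putting the two steps above together (register the manifest if the provider is missing, then read the log), here is an added example that is not part of the original post or the PowerShell project. It assumes RegisterManifest.ps1 sits in $PSHOME as in the 6.0 install, that script block logging in PowerShellCore/Operational uses event ID 4104, and that the event properties follow the Windows PowerShell layout (MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path).

```powershell
# Added example (not from the original post): make sure the PowerShellCore ETW provider is
# registered, then pull script block events from PowerShellCore/Operational.
# Assumptions: RegisterManifest.ps1 lives in $PSHOME, script block logging uses event
# ID 4104, and ScriptBlockText is the third event property (same layout as Windows PowerShell).

function Confirm-PowerShellCoreProvider {
    $provider = Get-WinEvent -ListProvider 'PowerShellCore' -ErrorAction SilentlyContinue
    if ($provider) { return $true }

    # Registering the manifest changes event log configuration, so it needs an elevated prompt.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    if (-not $isAdmin) {
        Write-Warning 'PowerShellCore provider is not registered; rerun elevated to register it.'
        return $false
    }

    & (Join-Path $PSHOME 'RegisterManifest.ps1')
    return [bool](Get-WinEvent -ListProvider 'PowerShellCore' -ErrorAction SilentlyContinue)
}

function Get-PSCoreScriptBlockEvents {
    param(
        [int]$MaxEvents = 50,
        [datetime]$Since = (Get-Date).AddHours(-24)
    )

    Get-WinEvent -FilterHashtable @{
        LogName   = 'PowerShellCore/Operational'
        Id        = 4104
        StartTime = $Since
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time          = $_.TimeCreated
            # Property layout assumed: MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path
            ScriptBlockId = $_.Properties[3].Value
            Path          = $_.Properties[4].Value
            ScriptBlock   = $_.Properties[2].Value
        }
    }
}

if (Confirm-PowerShellCoreProvider) {
    Get-PSCoreScriptBlockEvents -MaxEvents 5 | Format-List
}
```

Long script blocks are split across several 4104 events; MessageNumber and MessageTotal (the first two properties) tell you how to reassemble them, and ScriptBlockId is the same across the fragments of one block.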

Lastly, let’s look at how different the transcript header is:

PowerShell Core has its own learning curve 🙂

