enable script block logging
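# PowerShell module that is available from the PowerShell Gallery to enable script block logging,
# all you need is a PowerShell 5.x console with Administrator privileges, and this code.
# These are three separate commands (the original had them run together on one line, which
# makes PowerShell treat the second and third as positional arguments of Install-Module).
# Install-Module itself is fine at CurrentUser scope; Enable-SBL writes machine policy and needs
# the elevated console.
Install-Module -Name scriptblocklogginganalyzer -Scope CurrentUser
Set-SBLLogSize -MaxSizeMB 1000
Enable-SBL
# Once script block logging is active, you can dump the log and examine the logged script
# Get-SBLEvent | Out-GridView
#
# There are ways to harden the script block log, and make sure only Administrators can read this log.
# Run this to change access permissions to Administrators only
#requires -RunAsAdministrator
$Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\winevt\Channels\Microsoft-Windows-PowerShell/Operational"
# get the default access permission for the standard security log...
# wevtutil prints a 'channelAccess: <SDDL>' line; the SDDL is the last space-separated token.
$sddlSecurity = ((wevtutil gl security) -like 'channelAccess*').Split(' ')[-1]
# Never apply an empty ACL string: that would leave the channel in an undefined state.
if ([string]::IsNullOrWhiteSpace($sddlSecurity))
{
    throw 'Could not read the channelAccess SDDL of the Security log; not changing the PowerShell channel ACL.'
}
# get the current permissions
$sddlPowerShell = (Get-ItemProperty -Path $Path).ChannelAccess
# make a backup of the current permissions (an existing backup is kept, not overwritten)
New-ItemProperty -Path $Path -Name ChannelAccessBackup -Value $sddlPowerShell -ErrorAction Ignore
# apply the hardened permissions
Set-ItemProperty -Path $Path -Name ChannelAccess -Value $sddlSecurity
# restart service to take effect
Restart-Service -Name EventLog -Force
Write-Host "### Now, when a regular user tries to read the script block logging log, no information is returned.###"
#
Write-Host "Viewing just the message which shows scripts"
# Filter on the event id first and then cap the count; the original applied -MaxEvents 4 before
# Where-Object, so it only looked at the 4 newest events of any id and often showed nothing.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 4 |
    Select-Object -ExpandProperty Message
#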
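# Enable Module Logging using Windows Registry
# This function checks for the correct registry path and creates it
# if it does not exist, then enables it.
# Arguments: none
# Side effects: creates/sets the EnableModuleLogging value under the policy key below (needs an
#               elevated console, since it writes HKLM).
# Returns: nothing
function Enable-PSModuleLogging
{
    # Registry path
    # NOTE(review): WOW6432Node is the policy view used by 32-bit hosts on 64-bit Windows; 64-bit
    # PowerShell reads HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging instead.
    # Confirm which hosts must be covered and set both paths if needed.
    $basePath = 'HKLM:\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
    # Create the key if it does not exist
    if (-not (Test-Path -Path $basePath))
    {
        $null = New-Item -Path $basePath -Force
    }
    # These can be enabled (1) or disabled (0) by changing the value.
    # -Type DWord makes Set-ItemProperty create the value as REG_DWORD when it is missing. The
    # original only created the DWORD on the "key did not exist" branch, so a pre-existing key
    # (e.g. one created by Enable-AllModuleLogging's -Force) would have received a REG_SZ "1".
    Set-ItemProperty -Path $basePath -Name 'EnableModuleLogging' -Value 1 -Type DWord
}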
#
# Turn module logging on, then show what it produced so far.
Enable-PSModuleLogging
# To view these PSModule log entries with PowerShell: Information entries with instance id 800
# in the classic 'Windows PowerShell' event log.
Get-EventLog -LogName 'Windows PowerShell' -EntryType Information -InstanceId 800
#
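# To log all the modules, for all the users, all the time
# This function creates another key value to enable logging
# for all modules
# Arguments: none
# Side effects: creates the ModuleNames policy key and a '*' = '*' value in it (needs an
#               elevated console, since it writes HKLM).
# Returns: nothing
Function Enable-AllModuleLogging
{
    # Registry Path
    # In the original the assignment was swallowed into the comment line, so $basePath was never
    # set and Test-Path was called with a null path; the assignment now stands on its own line.
    $basePath = 'HKLM:\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames'
    # Create the key if it does not exist (-Force also creates the parent ModuleLogging key)
    if (-not (Test-Path -Path $basePath))
    {
        $null = New-Item -Path $basePath -Force
    }
    # Set the key value to log all modules: a value named '*' whose data is '*'
    Set-ItemProperty -Path $basePath -Name "*" -Value "*"
}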
# Apply the all-modules policy defined above.
Enable-AllModuleLogging