How to Monitor PowerShell Commands and Logs in Windows

Complete Guide to PowerShell Monitoring, History, and Security Logging

PowerShell is one of the most powerful administration tools in Windows. It is widely used by system administrators, developers, and security professionals for automation and management tasks.

However, because of its powerful scripting capabilities, PowerShell is also commonly abused in malware attacks and unauthorized system activity.

This guide explains how to:

  • Check running PowerShell commands
  • View PowerShell history
  • Monitor PowerShell logs
  • Enable advanced logging
  • Record full PowerShell sessions
  • Detect suspicious PowerShell activity

1. Check Currently Running PowerShell Commands

To see whether PowerShell processes are currently running:

# pwsh is the PowerShell 7 executable; -ErrorAction keeps Get-Process quiet when one of the two is not running
Get-Process powershell, pwsh -ErrorAction SilentlyContinue

To view the actual command line used by each PowerShell process:

# Get-WmiObject exists only in Windows PowerShell; Get-CimInstance works in both Windows PowerShell and PowerShell 7
Get-CimInstance Win32_Process -Filter "Name LIKE 'powershell%' OR Name = 'pwsh.exe'" |
    Select-Object ProcessId, ParentProcessId, CommandLine

Why This Is Useful

This command helps identify:

  • Active PowerShell sessions
  • Background scripts
  • Suspicious encoded commands
  • Automation tasks
  • Malware activity using PowerShell
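The following is an added example, not code from the original guide. It turns the one-line process query above into a small report: it lists every running PowerShell process, attaches the parent process name, decodes any -EncodedCommand payload so an analyst can read it, and marks the signs this guide calls out (encoded command, hidden window, script run from a Temp folder, PowerShell started by an Office application). It assumes CIM access and an elevated session, since a standard user only sees their own processes.

```powershell
# Added example: inventory live PowerShell processes for review.
# Assumes Windows PowerShell 5.1 or PowerShell 7; run elevated to see other users' processes.
function Get-PowerShellProcessReport {
    $all = Get-CimInstance Win32_Process
    $byId = @{}
    foreach ($p in $all) { $byId[[int]$p.ProcessId] = $p }

    foreach ($proc in $all | Where-Object { $_.Name -in 'powershell.exe', 'pwsh.exe', 'powershell_ise.exe' }) {
        $parent  = $byId[[int]$proc.ParentProcessId]
        $cmd     = [string]$proc.CommandLine
        $decoded = $null

        # -EncodedCommand (also written -enc, -ec or -e) carries a Base64 string of UTF-16LE script text.
        if ($cmd -match '(?i)-e(nc|c|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})') {
            try {
                $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[2]))
            } catch {
                $decoded = '<argument is not valid Base64>'
            }
        }

        $flags = @()
        if ($decoded) { $flags += 'EncodedCommand' }
        if ($cmd -match '(?i)-w(indowstyle)?\s+hidden') { $flags += 'HiddenWindow' }
        if ($cmd -match '(?i)\\Temp\\') { $flags += 'TempPath' }
        if ($parent -and $parent.Name -match '(?i)^(winword|excel|powerpnt|outlook)\.exe$') { $flags += 'OfficeParent' }

        $parentLabel = '<unknown>'
        if ($parent) { $parentLabel = "$($parent.Name) ($($parent.ProcessId))" }

        [pscustomobject]@{
            ProcessId   = $proc.ProcessId
            Parent      = $parentLabel
            Started     = $proc.CreationDate
            CommandLine = $cmd
            Decoded     = $decoded
            Flags       = ($flags -join ',')
        }
    }
}

Get-PowerShellProcessReport | Format-List
```

Everything in the Flags column is a prompt for a closer look, not a verdict: administrators legitimately run hidden, encoded PowerShell from scheduled tasks and management agents, so compare the parent process and command line against what is expected on that host.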

2. Check PowerShell Command History

View Current Session History

Get-History

This shows commands executed during the current PowerShell session.


View Saved History from Previous Sessions

Get-Content (Get-PSReadLineOption).HistorySavePath

PSReadLine records only what is typed at an interactive console prompt. Commands run from a script file, through -Command, or through -EncodedCommand never appear in this file, the file carries no per-command timestamps, and the user who owns it can edit or delete it. Treat it as supporting evidence, not as an audit log.

Why This Matters

This allows you to:

  • Review previously executed commands
  • Audit user activity
  • Recover accidentally forgotten commands
  • Investigate suspicious actions
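As an added example (not part of the original guide), the script below collects the saved PSReadLine history of every local user profile rather than only the current user, tags each command with its owner and the file's last-write time, and then applies the suspicious-command patterns from later in this guide. It assumes the default PSReadLine history location under each profile and an elevated session able to read other users' AppData folders.

```powershell
# Added example: gather saved PSReadLine history across all local user profiles.
# Assumes the default history path; ProfileRoot is a parameter so it can be pointed at an
# offline image (for example a mounted disk) as well as the live system.
function Get-AllUsersPSHistory {
    param([string]$ProfileRoot = "$env:SystemDrive\Users")

    $relative = 'AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine'
    foreach ($userDir in Get-ChildItem -Path $ProfileRoot -Directory -ErrorAction SilentlyContinue) {
        $dir = Join-Path $userDir.FullName $relative
        if (-not (Test-Path $dir)) { continue }

        # ConsoleHost_history.txt is the default file; other hosts write <HostName>_history.txt.
        foreach ($file in Get-ChildItem -Path $dir -Filter '*_history.txt' -File) {
            $lineNo = 0
            foreach ($line in Get-Content -Path $file.FullName -ErrorAction SilentlyContinue) {
                $lineNo++
                if ([string]::IsNullOrWhiteSpace($line)) { continue }
                [pscustomobject]@{
                    User        = $userDir.Name
                    HistoryFile = $file.Name
                    LastWrite   = $file.LastWriteTime   # only timestamp available; the file has none per command
                    Line        = $lineNo
                    Command     = $line
                }
            }
        }
    }
}

# Review everything, then narrow to the patterns this guide lists as commonly abused.
$history = Get-AllUsersPSHistory
$history | Measure-Object | Select-Object -ExpandProperty Count
$history |
    Where-Object { $_.Command -match '(?i)Invoke-Expression|\biex\b|DownloadString|-EncodedCommand|-enc\b' } |
    Format-Table User, LastWrite, Line, Command -AutoSize
```

Because the history file belongs to the user, an absent or suspiciously short file on an account that is used interactively every day is itself worth noting when compared with the Event Viewer logs described in the next section.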

3. Check PowerShell Event Logs (Most Important)

Windows stores PowerShell activity inside Event Viewer logs.

To view PowerShell operational logs:

Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" | Select-Object -First 20

Important PowerShell Event IDs

Event ID | Description
---------|-------------------------------------------------------
4104     | Full command or script content (Script Block Logging)
4103     | Module execution details (Module Logging)
400      | PowerShell engine start
403      | PowerShell engine stop

Note: 4104 and 4103 are written to Microsoft-Windows-PowerShell/Operational. Events 400 and 403 are written to the classic "Windows PowerShell" log (Get-WinEvent -LogName "Windows PowerShell"), so a query against the Operational log alone will not return them.

Filter Only Script Block Logs

# Filtering with -FilterHashtable lets the event log do the work instead of piping every event through Where-Object
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }

Why Event ID 4104 Is Important

Event ID 4104 records:

  • Full PowerShell commands
  • Script contents
  • The decoded text of encoded commands (the script block is logged after decoding)
  • Obfuscated command activity

This is one of the best ways to audit PowerShell usage.


4. Enable PowerShell Logging

By default, detailed PowerShell logging is not enabled. PowerShell 5.0 and later still writes 4104 events at the Warning level for script blocks that match its built-in suspicious-content heuristics even when the policy is off, but complete coverage of every script block requires enabling Script Block Logging.

Enable Script Block Logging

# Create the policy key first (it is absent until the GPO has been applied); run from an elevated PowerShell
New-Item -Path "HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" `
-Name "EnableScriptBlockLogging" -Value 1

What This Does

After enabling Script Block Logging:

  • PowerShell records detailed script activity
  • Commands become visible in Event Viewer
  • Security monitoring becomes much easier

5. Record Full PowerShell Sessions

PowerShell can record complete interactive sessions using transcripts.

Start Recording

Start-Transcript -Path "C:\logs\ps-log.txt"

Stop Recording

Stop-Transcript

What Gets Recorded

Transcripts capture:

  • Commands entered
  • Command output
  • Errors
  • Console activity

This works like a complete session recording. Start-Transcript covers only the session in which it was called, and the user can end it with Stop-Transcript, so for fleet-wide recording use the "Turn on PowerShell Transcription" policy, which transcribes every session into a directory you choose.
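The block below is an added example, not the guide's own code, covering sections 4 and 5 together: it writes the same registry values that the Group Policy settings for Script Block Logging, Module Logging and Transcription write, then reads them back so the result can be verified. The transcript directory is an assumption; point it at a location whose ACL prevents users from deleting their own transcripts and that your log collector picks up. Run it from an elevated PowerShell; the settings apply to new sessions, not the one that set them.

```powershell
# Added example: enable the three PowerShell audit policies via the registry and verify them.
# Assumed values: $transcriptDir. Key paths are those written by the corresponding Group Policy settings.
$policyRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$transcriptDir = 'C:\PSTranscripts'   # assumption: choose an ACL-protected, collected location

function Set-PolicyValue {
    param([string]$SubKey, [string]$Name, $Value, [string]$Type = 'DWord')
    $key = Join-Path $policyRoot $SubKey
    # The policy keys do not exist until a GPO has created them, and Set-ItemProperty cannot create keys.
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

function Enable-PowerShellAuditLogging {
    # Script Block Logging -> Event ID 4104 in Microsoft-Windows-PowerShell/Operational
    Set-PolicyValue -SubKey 'ScriptBlockLogging' -Name 'EnableScriptBlockLogging' -Value 1

    # Module Logging -> Event ID 4103; a ModuleNames entry of '*' covers every module (high volume)
    Set-PolicyValue -SubKey 'ModuleLogging' -Name 'EnableModuleLogging' -Value 1
    Set-PolicyValue -SubKey 'ModuleLogging\ModuleNames' -Name '*' -Value '*' -Type 'String'

    # Transcription for every session, not only those that call Start-Transcript
    if (-not (Test-Path $transcriptDir)) { New-Item -Path $transcriptDir -ItemType Directory | Out-Null }
    Set-PolicyValue -SubKey 'Transcription' -Name 'EnableTranscripting'    -Value 1
    Set-PolicyValue -SubKey 'Transcription' -Name 'EnableInvocationHeader' -Value 1
    Set-PolicyValue -SubKey 'Transcription' -Name 'OutputDirectory'        -Value $transcriptDir -Type 'String'
}

function Get-PowerShellAuditLoggingState {
    $checks = @(
        @{ SubKey = 'ScriptBlockLogging'; Name = 'EnableScriptBlockLogging' }
        @{ SubKey = 'ModuleLogging';      Name = 'EnableModuleLogging' }
        @{ SubKey = 'Transcription';      Name = 'EnableTranscripting' }
        @{ SubKey = 'Transcription';      Name = 'OutputDirectory' }
    )
    foreach ($entry in $checks) {
        $key = Join-Path $policyRoot $entry.SubKey
        $val = (Get-ItemProperty -Path $key -Name $entry.Name -ErrorAction SilentlyContinue).($entry.Name)
        [pscustomobject]@{ Setting = "$($entry.SubKey)\$($entry.Name)"; Value = $val }
    }
}

Enable-PowerShellAuditLogging
Get-PowerShellAuditLoggingState | Format-Table -AutoSize
```

In a domain these values should come from Group Policy rather than a script, since a GPO re-applies them if a local administrator turns them off; the verification function is still useful for confirming that the policy actually reached a given host.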


6. Identify Suspicious PowerShell Commands

When monitoring PowerShell activity, pay attention to suspicious patterns.

Commonly Abused Commands

Invoke-Expression (IEX)

Invoke-Expression

Used to execute dynamically generated code.


DownloadString

(New-Object Net.WebClient).DownloadString()

Often used to download remote scripts.


Encoded Commands

powershell -EncodedCommand

Attackers frequently use Base64-encoded commands to hide malicious activity.


7. Common Signs of Malicious PowerShell Activity

Watch for:

  • Hidden PowerShell windows
  • Encoded commands
  • Remote downloads
  • Unexpected scheduled tasks
  • PowerShell spawned by Office apps
  • Scripts running from Temp folders
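As an added example that is not part of the original guide, the script below joins section 3 with sections 6 and 7: it reads Event ID 4104 from the Operational log, reassembles script blocks that PowerShell split across several events (long scripts arrive as numbered fragments sharing one ScriptBlockId), and scores each block against the patterns listed above. The pattern list, weights and threshold are assumptions to be tuned for the environment; the property positions used to read the event are those of the 4104 event template.

```powershell
# Added example: reassemble 4104 script blocks and score them against this guide's suspicious patterns.
# Assumes read access to the Operational log (Event Log Readers group or local admin).
function Get-ScriptBlockEvents {
    param([int]$Hours = 24)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    # 4104 properties: [0]=MessageNumber [1]=MessageTotal [2]=ScriptBlockText [3]=ScriptBlockId [4]=Path
    $events | Group-Object { $_.Properties[3].Value } | ForEach-Object {
        $parts = $_.Group | Sort-Object { [int]$_.Properties[0].Value }
        $first = $parts[0]
        [pscustomobject]@{
            Time          = $first.TimeCreated
            ScriptBlockId = $_.Name
            Level         = $first.LevelDisplayName   # 'Warning' means PowerShell's own heuristics flagged it
            Path          = $first.Properties[4].Value
            Fragments     = "$($parts.Count)/$($first.Properties[1].Value)"
            Text          = ($parts | ForEach-Object { $_.Properties[2].Value }) -join ''
        }
    }
}

# Each pattern corresponds to a sign called out in this guide; the weights are an assumption.
$SuspiciousPatterns = @(
    [pscustomobject]@{ Name = 'Invoke-Expression'; Weight = 2; Regex = '(?i)\bInvoke-Expression\b|\biex\b' }
    [pscustomobject]@{ Name = 'RemoteDownload';    Weight = 2; Regex = '(?i)DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b' }
    [pscustomobject]@{ Name = 'EncodedCommand';    Weight = 3; Regex = '(?i)-e(nc|c|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}|FromBase64String' }
    [pscustomobject]@{ Name = 'HiddenWindow';      Weight = 2; Regex = '(?i)-w(indowstyle)?\s+hidden' }
    [pscustomobject]@{ Name = 'TempPath';          Weight = 1; Regex = '(?i)\\Temp\\|\$env:TEMP' }
    [pscustomobject]@{ Name = 'ScheduledTask';     Weight = 1; Regex = '(?i)schtasks|Register-ScheduledTask' }
)

function Find-SuspiciousScriptBlocks {
    param([int]$Hours = 24, [int]$MinScore = 2)
    foreach ($block in Get-ScriptBlockEvents -Hours $Hours) {
        $hits  = @($SuspiciousPatterns | Where-Object { $block.Text -match $_.Regex })
        $score = 0
        foreach ($h in $hits) { $score += $h.Weight }
        if ($block.Level -eq 'Warning') { $score += 2 }
        if ($score -ge $MinScore) {
            $block |
                Add-Member -NotePropertyName Score      -NotePropertyValue $score -PassThru |
                Add-Member -NotePropertyName Indicators -NotePropertyValue (($hits | ForEach-Object Name) -join ',') -PassThru
        }
    }
}

Find-SuspiciousScriptBlocks -Hours 24 |
    Sort-Object Score -Descending |
    Format-List Time, Score, Indicators, Path, Text
```

An empty Path means the block was typed or passed on the command line rather than loaded from a .ps1 file, which is common for both interactive administration and encoded one-liners, so read it together with the Text and the Level. For continuous monitoring, forward the Operational log to a SIEM and run the same reassembly there instead of on each host.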

8. Best Security Practices

Recommended Steps

  • Enable PowerShell logging
  • Keep Windows Defender updated
  • Use antivirus with behavior monitoring
  • Restrict PowerShell for standard users
  • Monitor Event Viewer regularly
  • Disable unnecessary PowerShell remoting

9. Where to View Logs in Event Viewer

Open:

Event Viewer → Applications and Services Logs → Microsoft → Windows → PowerShell → Operational

This is the primary location for PowerShell activity logs.


Final Thoughts

PowerShell is an essential Windows administration tool, but it is also heavily targeted by attackers. Learning how to monitor PowerShell activity helps improve both troubleshooting and system security.

Using:

  • command history,
  • Event Viewer logs,
  • script block logging,
  • and transcripts

provides a powerful way to audit and monitor PowerShell usage on Windows systems.
