killchain-compendium/post exploitation/docs/windows/powershell_logs.md

# Powershell Logs

## Powershell User History

```sh
cd $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
```

## Transcript Logs

* Enable via
```sh
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\Transcription /v EnableTranscripting /t REG_DWORD /d 0x1 /f
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\Transcription /v OutputDirectory /t REG_SZ /d C:/ /f
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\Transcription /v EnableInvocationHeader /t REG_DWORD /d 0x1 /f
```

## Usage

```sh
Get-EventLog -List
```
some more docker 2021-12-09 01:50:04 +01:00			`# Powershell Logs`

added powershell user history 2022-10-27 23:11:38 +02:00			`## Powershell User History`

			```sh
			`cd $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt`
			```

some more docker 2021-12-09 01:50:04 +01:00			`## Transcript Logs`

			`* Enable via`
			```sh
			`reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\Transcription /v EnableTranscripting /t REG_DWORD /d 0x1 /f`
			`reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\Transcription /v OutputDirectory /t REG_SZ /d C:/ /f`
			`reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\Transcription /v EnableInvocationHeader /t REG_DWORD /d 0x1 /f`
			```
bump 2022-02-07 23:37:05 +01:00
			`## Usage`

			```sh
			`Get-EventLog -List`
			```