PSEventLogging.ps1 enables or disables PowerShell script block logging and transcription, both of which are off by default on Windows.
This configures PowerShell event logging.
Must be executed with administrative rights.
cmd /c powershell -executionpolicy bypass -File <PathToThisFile>   (Bypass only affects this process; execution policy is not a security boundary, the admin check below is.)
This configures PowerShell event logging. This script must be run as administrator.
Specify this switch to enable PowerShell event logging on the host. Enabled by default.
Specify this switch to disable PowerShell event logging on the host.
If this switch is not specified, PowerShell event logging is enabled on the host.
Last Edit: 2020-11-11
Version 1.0 - Initial Release of PSEventLogging
.\PSEventLogging.ps1 -Enable
Enables PowerShell event logging
$PSCommandPath -Disable
Disables PowerShell event logging
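# Script parameters. Both are optional switches; -Enable is the documented
# default and is accepted for readability only, because the main function
# tests $Disable alone, so -Disable wins if both are given.
param (
    [Parameter (Mandatory=$false, HelpMessage="PowerShell event logging will be enabled. Default option.")]
    [switch]$Enable,
    [Parameter (Mandatory=$false, HelpMessage="PowerShell event logging will be disabled.")]
    [switch]$Disable
)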
# Validate that the script is run as admin
function Validate-AdminAccess {
    <#
    .SYNOPSIS
    Returns $true when the current process token holds the built-in
    Administrators role; otherwise prints an error and returns $false.
    .NOTES
    Under UAC, an administrator running a non-elevated session gets $false
    here, which is the desired outcome: the HKLM policy keys written by this
    script require an elevated token.
    #>
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator

    if ($principal.IsInRole($adminRole)) {
        return $true
    }

    Write-Host -ForegroundColor Red -BackgroundColor Black "[-] This script must be executed as an administrator."
    return $false
}
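# Enables the PowerShell event logging
function Enable-PSEventLogging {
    <#
    .SYNOPSIS
    Turns on PowerShell script block logging (event 4104 in
    Microsoft-Windows-PowerShell/Operational) and session transcription by
    writing the machine policy registry keys that Group Policy also uses.
    .PARAMETER OutputDirectory
    Directory that receives transcript files. Defaults to "" which keeps the
    original behaviour (PowerShell's per-user default location). Transcripts
    in a user-writable directory can be edited or deleted by the user being
    recorded; for tamper resistance point this at a location those users can
    write to but not read or modify (e.g. a write-only share).
    .OUTPUTS
    None; progress is reported with Write-Host only.
    #>
    param (
        [Parameter(Mandatory=$false)]
        [string]$OutputDirectory = ""
    )

    Write-Host -ForegroundColor Yellow -BackgroundColor Black "[*] Enabling PowerShell detailed event logging..."

    $ScriptBlockPath      = 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $ScriptTranscriptPath = 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\Transcription'

    foreach ($keyPath in @($ScriptBlockPath, $ScriptTranscriptPath)) {
        if (-not (Test-Path $keyPath)) {
            $null = New-Item $keyPath -Force
        }
    }

    # Group Policy stores these flags as REG_DWORD. Writing the same type
    # (instead of the string "1") means no consumer has to coerce a REG_SZ
    # into an integer to honour the setting.
    Set-ItemProperty $ScriptBlockPath      -Name EnableScriptBlockLogging -Type DWord  -Value 1
    Set-ItemProperty $ScriptTranscriptPath -Name EnableTranscripting      -Type DWord  -Value 1
    Set-ItemProperty $ScriptTranscriptPath -Name EnableInvocationHeader   -Type DWord  -Value 1
    Set-ItemProperty $ScriptTranscriptPath -Name OutputDirectory          -Type String -Value $OutputDirectory

    # Read back the critical flag so a silent registry failure is reported
    # rather than assumed to have worked.
    $applied = (Get-ItemProperty -Path $ScriptBlockPath -Name EnableScriptBlockLogging).EnableScriptBlockLogging
    if ($applied -ne 1) {
        Write-Host -ForegroundColor Red -BackgroundColor Black "[-] EnableScriptBlockLogging could not be verified; check the registry manually"
        return
    }

    Write-Host -ForegroundColor Green -BackgroundColor Black "[+] PowerShell logging was enabled"
}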
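# Disables the PowerShell event logging
function Disable-PSEventLogging {
    <#
    .SYNOPSIS
    Turns off script block logging and transcription by explicitly writing 0
    to the machine policy keys (the keys are created if missing so the
    "disabled" state is recorded rather than merely absent).
    .NOTES
    Turning off PowerShell logging is a classic defense-evasion step. Run
    this only with a documented reason, and expect monitoring to alert on
    changes under HKLM\Software\Policies\Microsoft\Windows\PowerShell.
    .OUTPUTS
    None; callers use `return Disable-PSEventLogging`, so nothing but the
    Write-Host status lines must be emitted here.
    #>
    Write-Host -ForegroundColor Yellow -BackgroundColor Black "[*] Disabling PowerShell detailed event logging..."

    $ScriptBlockPath      = 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $ScriptTranscriptPath = 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\Transcription'

    foreach ($keyPath in @($ScriptBlockPath, $ScriptTranscriptPath)) {
        if (-not (Test-Path $keyPath)) {
            $null = New-Item $keyPath -Force
        }
    }

    # REG_DWORD to match what Group Policy writes for these flags.
    Set-ItemProperty $ScriptBlockPath      -Name EnableScriptBlockLogging -Type DWord  -Value 0
    Set-ItemProperty $ScriptTranscriptPath -Name EnableTranscripting      -Type DWord  -Value 0
    Set-ItemProperty $ScriptTranscriptPath -Name EnableInvocationHeader   -Type DWord  -Value 0
    Set-ItemProperty $ScriptTranscriptPath -Name OutputDirectory          -Type String -Value ""

    # Deliberately no bare Test-Path here: its boolean would leak into the
    # pipeline and become part of the function's return value.
    Write-Host -ForegroundColor Red -BackgroundColor Black "[-] PowerShell logging was disabled"
}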
# Main function
function PSEventLogging {
    <#
    .SYNOPSIS
    Entry point: refuses to continue without administrative rights, then
    disables logging when the script-scope $Disable switch is set and
    enables it otherwise (-Enable is the default and is never consulted).
    .OUTPUTS
    $null when the admin check fails; otherwise whatever the selected
    Enable/Disable function emits.
    #>
    $isAdmin = Validate-AdminAccess
    if (-not $isAdmin) {
        return $null
    }

    if ($Disable) {
        return Disable-PSEventLogging
    }

    return Enable-PSEventLogging
}