If you're like me, you've probably got a ton of PowerShell scripts and modules you use on a daily basis. These scripts perform a number of different actions. Remembering what syntax a script used to invoke that one command or, if you're unlucky, figuring out exactly what a script ran to take down that production server is nearly impossible.
You could implement some kind of logging framework that writes various commands to a text file, but it'd be easier just to record all of those commands. PowerShell transcripts make this recording possible.
A PowerShell transcript is a simple text file that contains a history of all commands and their output. Think of a transcript as a command history like the one you get with the Get-History command. However, instead of seeing only the commands that ran, you also see the output of those commands. Transcripts are an awesome way to record all activity performed via scripts, modules, or typed by a user in the console itself. Once a transcript starts, it records everything.
To create a transcript, you'll use the Start-Transcript command. This command comes in the box with any installation of PowerShell v2 and later. Running Start-Transcript is super simple. If you want to accept the default location of the text file it records to, you don't need any parameters.
You can see above I've typed this directly into the console, and it's created a text file for me. Since the path is long, I'll assign it to a variable and then check out what the text file has in it already.
By default, it will display some header information, and after that, you'll see all commands run and their output. You'll also notice below that it will even capture the output of .exe commands. It records anything executed inside the PowerShell session.
Once the transcript starts, it stays that way until one of two actions occurs: either executing Stop-Transcript or closing the session. Transcripts do not persist across sessions.
All this time I've been manually starting and stopping the transcript, but it doesn't have to be that way. We can call Start-Transcript and Stop-Transcript at any time in the console, in a script, or in a module as well. For example, when creating a script, maybe you just want to save that script's output. In that case, just put a Start-Transcript invocation at the top of the script and a Stop-Transcript invocation at the bottom.
Start-Transcript
'do stuff here in the script'
Stop-Transcript
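With Stop-Transcript only on the last line, a terminating error earlier in the script leaves the transcript running in the session. The wrapper below is an added example, not code from the original post; the function name Invoke-WithTranscript and the folder C:\Logs\Transcripts are hypothetical. It writes one transcript per run and always closes it.

```powershell
# Added example: Invoke-WithTranscript and C:\Logs\Transcripts are hypothetical names.
function Invoke-WithTranscript {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [scriptblock] $ScriptBlock,
        [string] $LogDirectory = 'C:\Logs\Transcripts',   # assumed location
        [string] $Name = 'script'
    )

    # Create the log directory on first use.
    if (-not (Test-Path -LiteralPath $LogDirectory)) {
        New-Item -ItemType Directory -Path $LogDirectory -Force | Out-Null
    }

    # One file per run: name, computer, and a sortable timestamp.
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $path  = Join-Path $LogDirectory "$Name-$env:COMPUTERNAME-$stamp.txt"

    # Start outside the try block: if starting fails, there is nothing to stop.
    Start-Transcript -Path $path -ErrorAction Stop | Out-Null
    try {
        & $ScriptBlock
    }
    finally {
        # Runs whether the script block succeeds or throws a terminating error.
        Stop-Transcript | Out-Null
    }
}

# Usage: everything inside the script block lands in its own transcript file.
Invoke-WithTranscript -Name 'inventory' -ScriptBlock {
    Get-Service -Name Spooler
    ipconfig.exe /all      # output of native .exe commands is captured too
}
```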
Also, if you'd like to ensure recording all commands you executed, you can include Start-Transcript in your PowerShell user profile at $profile. Include a Start-Transcript reference at the top of your profile to ensure capturing all activity regardless of whether you close your session or not. However, know that each new session will then create another transcript. To get around this, you can append to an existing transcript by using the Path and Append parameters.
Start-Transcript -Path C:\ExistingTranscript.txt -Append
Transcripts are a great way to go back and figure out what commands produced what output. However, they are not a good way to build a serious auditing product. Transcripts are raw output sent to the host. They have no structure and are thus extremely hard to parse. Trust me; I've tried. If you're looking for a serious auditing solution, I suggest looking into something more like scriptblock logging.
Great post and good information, thanks!!