# EventID 4104: PowerShell Script Block Logging

This event is logged to the `Microsoft-Windows-PowerShell/Operational` channel whenever a script is run through PowerShell.

{% hint style="warning" %}
This event will only be logged if PowerShell Script Block Logging is configured and enabled. This is a GPO setting that can be found under `Administrative Templates → Windows Components → Windows PowerShell`.
{% endhint %}

## Analysis Value

{% content-ref url="../../../artifacts-by-activity/execution/evidence-of-execution" %}
[evidence-of-execution](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/evidence-of-execution)
{% endcontent-ref %}

{% content-ref url="../../../artifacts-by-activity/execution/parent-and-child-information" %}
[parent-and-child-information](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/parent-and-child-information)
{% endcontent-ref %}

{% content-ref url="../../../artifacts-by-activity/execution/first-executed" %}
[first-executed](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/first-executed)
{% endcontent-ref %}

{% content-ref url="../../../artifacts-by-activity/file-activity/file-path" %}
[file-path](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/file-activity/file-path)
{% endcontent-ref %}

{% content-ref url="../../../artifacts-by-activity/account-activity/security-identifier" %}
[security-identifier](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity/security-identifier)
{% endcontent-ref %}

## Operating System Availability

| Major Version | Support | Major Version | Support |
| ------------- | ------- | ------------- | ------- |
| Windows 11    | ✅       | Server 2019   | ✅       |
| Windows 10    | ✅       | Server 2016   | ✅       |
| Windows 8     | ✅       | Server 2012   | ✅       |
| Windows 7     | ✅       | Server 2008   | ✅       |
| Windows Vista | ❌       | Server 2003   | ❌       |
| Windows XP    | ❌       |               |         |

## Artifact Location(s)

* `%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx`

## Artifact Interpretation

| Field                        | Interpretation                                                                                                                                                                                                              | Reference                                                                                                                                          |
| ---------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------- |
| `System/Level`               | This field may indicate a suspicious script. If its value is `Warning`, the script was flagged as suspicious based on its contents.                                                                                         |                                                                                                                                                    |
| `EventData/ScriptBlockId`    | This field uniquely identifies a script across multiple `4104` events. Large scripts may be split across multiple events; to reconstruct the full script, concatenate all the events sharing this unique ID, in order.     |                                                                                                                                                    |
| `EventData/Path`             | This field indicates the full path to the executed script, if available.                                                                                                                                                    | [file-path](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/file-activity/file-path "mention")                                   |
| `System/Execution/ProcessID` | This field indicates the parent Process ID (PID) that executed the script.                                                                                                                                                  | [parent-and-child-information](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/parent-and-child-information "mention") |
| `System/Security/UserID`     | This field contains the SID of the user that executed the script.                                                                                                                                                           | [security-identifier](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity/security-identifier "mention")            |

{% hint style="info" %}
This event is only logged the first time that a script is executed.
{% endhint %}

{% hint style="info" %}
This event does not capture the resultant output of an executed script the way module logging does.
{% endhint %}

## Example

```xml
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-PowerShell" Guid="{a0c1853b-5c40-4b15-8766-3cf1c58f985a}" />
    <EventID>4104</EventID>
    <Version>1</Version>
    <Level>5</Level>
    <Task>2</Task>
    <Opcode>15</Opcode>
    <Keywords>0x0</Keywords>
    <TimeCreated SystemTime="2023-11-06T20:24:01.8911267Z" />
    <EventRecordID>194</EventRecordID>
    <Correlation ActivityID="{7af08a74-10ed-0003-e08b-f07aed10da01}" />
    <Execution ProcessID="4328" ThreadID="4600" />
    <Channel>Microsoft-Windows-PowerShell/Operational</Channel>
    <Computer>DESKTOP-TUMSOE7</Computer>
    <Security UserID="S-1-5-21-1392459375-2353216063-1350843065-1001" />
  </System>
  <EventData>
    <Data Name="MessageNumber">1</Data>
    <Data Name="MessageTotal">1</Data>
    <Data Name="ScriptBlockText">Invoke-WebRequest -Uri "https://example.com" -OutFile "C:\Temp\test.exe"</Data>
    <Data Name="ScriptBlockId">808e4d85-977e-4418-9218-59dd2aa1b0ef</Data>
    <Data Name="Path" />
  </EventData>
</Event>
```

This example was produced on Windows 10, Version 10.0.19044, Build 19044.
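As an added example (not part of the original page), the following Python reassembles script blocks from `4104` events exported as XML, following the field interpretation above: fragments sharing a `ScriptBlockId` are joined in `MessageNumber` order, a block is marked complete only when every part up to `MessageTotal` is present, and `Level` 3 (Warning) is flagged as suspicious. The sample events, GUIDs, PIDs and paths are constructed for the example.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Constructed sample (not from a real host): one script block split across two
# 4104 events (MessageTotal=2) that PowerShell logged at Level 3 (Warning), plus a
# separate single-message block at Level 5 (Verbose). Fragments arrive out of order.
SAMPLE_XML = r"""<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><EventID>4104</EventID><Level>3</Level><Execution ProcessID="4328"/>
 <Security UserID="S-1-5-21-1392459375-2353216063-1350843065-1001"/></System><EventData>
 <Data Name="MessageNumber">2</Data><Data Name="MessageTotal">2</Data>
 <Data Name="ScriptBlockText"> -OutFile "C:\Temp\test.exe"</Data>
 <Data Name="ScriptBlockId">11111111-1111-1111-1111-111111111111</Data><Data Name="Path"/></EventData></Event>
<Event><System><EventID>4104</EventID><Level>5</Level><Execution ProcessID="7012"/>
 <Security UserID="S-1-5-21-1392459375-2353216063-1350843065-1001"/></System><EventData>
 <Data Name="MessageNumber">1</Data><Data Name="MessageTotal">1</Data>
 <Data Name="ScriptBlockText">Get-ChildItem C:\Users</Data>
 <Data Name="ScriptBlockId">22222222-2222-2222-2222-222222222222</Data><Data Name="Path">C:\Scripts\list.ps1</Data></EventData></Event>
<Event><System><EventID>4104</EventID><Level>3</Level><Execution ProcessID="4328"/>
 <Security UserID="S-1-5-21-1392459375-2353216063-1350843065-1001"/></System><EventData>
 <Data Name="MessageNumber">1</Data><Data Name="MessageTotal">2</Data>
 <Data Name="ScriptBlockText">Invoke-WebRequest -Uri "https://example.com"</Data>
 <Data Name="ScriptBlockId">11111111-1111-1111-1111-111111111111</Data><Data Name="Path"/></EventData></Event>
</Events>"""


def reassemble_script_blocks(xml_text):
    """Group 4104 events by ScriptBlockId and join their fragments in MessageNumber order."""
    blocks = defaultdict(lambda: {"parts": {}, "total": 0})
    for ev in ET.fromstring(xml_text).iter(NS + "Event"):
        sysel = ev.find(NS + "System")
        if sysel.findtext(NS + "EventID") != "4104":
            continue  # other PowerShell/Operational events share the channel
        data = {d.get("Name"): (d.text or "") for d in ev.find(NS + "EventData")}
        b = blocks[data["ScriptBlockId"]]
        b["parts"][int(data["MessageNumber"])] = data["ScriptBlockText"]
        b["total"] = int(data["MessageTotal"])
        b["level"] = int(sysel.findtext(NS + "Level"))
        b["suspicious"] = b["level"] == 3  # Level 3 = Warning: flagged by PowerShell
        b["pid"] = int(sysel.find(NS + "Execution").get("ProcessID"))
        b["sid"] = sysel.find(NS + "Security").get("UserID")
        b["path"] = data.get("Path") or None  # empty <Data Name="Path"/> means no file
    out = {}
    for sbid, b in blocks.items():
        parts = b.pop("parts")
        # Only fully reconstructed when every MessageNumber 1..MessageTotal was seen.
        b["complete"] = set(parts) == set(range(1, b.pop("total") + 1))
        b["text"] = "".join(parts[n] for n in sorted(parts))
        out[sbid] = b
    return out
```

Run against an export of `Microsoft-Windows-PowerShell%4Operational.evtx` wrapped in a root element; incomplete blocks (missing fragments) are reported with `complete` set to `False` rather than silently joined.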
