# EventID 4104: PowerShell Script Block Logging

This event is logged to the `Microsoft-Windows-PowerShell/Operational` channel whenever a script is run through PowerShell.

{% hint style="warning" %}
This event will only be logged if PowerShell Script Block Logging is configured and enabled. This is a GPO setting that can be found under `Administrative Templates → Windows Components → Windows PowerShell`.
{% endhint %}

## Analysis Value

{% content-ref url="/pages/vnDLfD9RBoVh5UOGGhiw" %}
[Evidence of Execution](/windows-forensics/artifacts-by-activity/execution/evidence-of-execution.md)
{% endcontent-ref %}

{% content-ref url="/pages/qnouj5GLuiwXN3ZPDBUb" %}
[Parent and Child Information](/windows-forensics/artifacts-by-activity/execution/parent-and-child-information.md)
{% endcontent-ref %}

{% content-ref url="/pages/NwFJ38aWYFJ7FKQuKQMQ" %}
[First Executed](/windows-forensics/artifacts-by-activity/execution/first-executed.md)
{% endcontent-ref %}

{% content-ref url="/pages/V3cDcDJogcr4slquHEzB" %}
[File Path](/windows-forensics/artifacts-by-activity/file-activity/file-path.md)
{% endcontent-ref %}

{% content-ref url="/pages/LRJZQZsAd12i4mDfGwuK" %}
[Security Identifier](/windows-forensics/artifacts-by-activity/account-activity/security-identifier.md)
{% endcontent-ref %}

## Operating System Availability

| Major Version | Support | Major Version | Support |
| ------------- | ------- | ------------- | ------- |
| Windows 11    | ✅       | Server 2019   | ✅       |
| Windows 10    | ✅       | Server 2016   | ✅       |
| Windows 8     | ✅       | Server 2012   | ✅       |
| Windows 7     | ✅       | Server 2008   | ✅       |
| Windows Vista | ❌       | Server 2003   | ❌       |
| Windows XP    | ❌       |               |         |

## Artifact Location(s)

* `%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx`

## Artifact Interpretation

| Field                        | Interpretation                                                                                                                                                                                                              | Reference                                                                                                          |
| ---------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------ |
| `System/Level`               | This field may indicate a suspicious script. If its value is `Warning` this indicates the script was flagged as suspicious based on its contents.                                                                           |                                                                                                                    |
| `EventData/ScriptBlockId`    | This field is used to uniquely identify a script across multiple `4104` events. Large scripts may be split across multiple events, to reconstruct the full script, concatenate all the events with this unique ID together. |                                                                                                                    |
| `EventData/Path`             | This field indicates the full path to the executed script, if available.                                                                                                                                                    | [File Path](/windows-forensics/artifacts-by-activity/file-activity/file-path.md)                                   |
| `System/Execution/ProcessID` | This field indicates the parent Process ID (PID) that executed the script.                                                                                                                                                  | [Parent and Child Information](/windows-forensics/artifacts-by-activity/execution/parent-and-child-information.md) |
| `System/Security/UserID`     | This field contains the SID of the user that executed the script.                                                                                                                                                           | [Security Identifier](/windows-forensics/artifacts-by-activity/account-activity/security-identifier.md)            |

{% hint style="info" %}
This event is only logged the first time that a script is executed.
{% endhint %}

{% hint style="info" %}
This event will not capture the resultant output of an executed script as module logging does.
{% endhint %}

## Example

```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
  <Provider Name="Microsoft-Windows-PowerShell" Guid="{a0c1853b-5c40-4b15-8766-3cf1c58f985a}" /> 
  <EventID>4104</EventID> 
  <Version>1</Version> 
  <Level>5</Level> 
  <Task>2</Task> 
  <Opcode>15</Opcode> 
  <Keywords>0x0</Keywords> 
  <TimeCreated SystemTime="2023-11-06T20:24:01.8911267Z" /> 
  <EventRecordID>194</EventRecordID> 
  <Correlation ActivityID="{7af08a74-10ed-0003-e08b-f07aed10da01}" /> 
  <Execution ProcessID="4328" ThreadID="4600" /> 
  <Channel>Microsoft-Windows-PowerShell/Operational</Channel> 
  <Computer>DESKTOP-TUMSOE7</Computer> 
  <Security UserID="S-1-5-21-1392459375-2353216063-1350843065-1001" /> 
  </System>
- <EventData>
  <Data Name="MessageNumber">1</Data> 
  <Data Name="MessageTotal">1</Data> 
  <Data Name="ScriptBlockText">Invoke-WebRequest -Uri "https://example.com" -OutFile "C:\Temp\test.exe"</Data> 
  <Data Name="ScriptBlockId">808e4d85-977e-4418-9218-59dd2aa1b0ef</Data> 
  <Data Name="Path" /> 
  </EventData>
  </Event>
```

This example was produced on Windows 10, Version 10.0.19044 Build 19044


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-powershell/evtx-4104-script-block-logging.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.