EventID 4104: PowerShell Script Block Logging
This event is logged to the Microsoft-Windows-PowerShell/Operational
channel whenever a script is run through PowerShell.
This event will only be logged if PowerShell Script Block Logging is configured and enabled. This is a GPO setting that can be found under Administrative Templates → Windows Components → Windows PowerShell
.
Analysis Value
pageEvidence of ExecutionpageParent and Child InformationpageFirst ExecutedpageFile PathpageSecurity IdentifierOperating System Availability
Major Version | Support | Major Version | Support |
---|---|---|---|
Windows 11 | ✅ | Server 2019 | ✅ |
Windows 10 | ✅ | Server 2016 | ✅ |
Windows 8 | ✅ | Server 2012 | ✅ |
Windows 7 | ✅ | Server 2008 | ✅ |
Windows Vista | ❌ | Server 2003 | ❌ |
Windows XP | ❌ |
Artifact Location(s)
%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx
Artifact Interpretation
Field | Interpretation | Reference |
---|---|---|
| This field may indicate a suspicious script. If its value is | |
| This field is used to uniquely identify a script across multiple | |
| This field indicates the full path to the executed script, if available. | |
| This field indicates the parent Process ID (PID) that executed the script. | |
| This field contains the SID of the user that executed the script. |
This event is only logged the first time that a script is executed.
This event will not capture the resultant output of an executed script as module logging does.
Example
This example was produced on Windows 10, Version 10.0.19044 Build 19044
Last updated