EventID 4104: PowerShell Script Block Logging
Last updated
Last updated
This event is logged to the Microsoft-Windows-PowerShell/Operational channel whenever a script is run through PowerShell.
This event will only be logged if PowerShell Script Block Logging is configured and enabled. This is a GPO setting that can be found under Administrative Templates → Windows Components → Windows PowerShell.
| Major Version | Support | Major Version | Support |
|---|---|---|---|
%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx
This event is only logged the first time that a script is executed.
This event will not capture the resultant output of an executed script as module logging does.
This example was produced on Windows 10, Version 10.0.19044 Build 19044
| Field | Interpretation | Reference |
|---|---|---|
System/Level
This field may indicate a suspicious script. If its value is Warning this indicates the script was flagged as suspicious based on its contents.
EventData/ScriptBlockId
This field is used to uniquely identify a script across multiple 4104 events. Large scripts may be split across multiple events, to reconstruct the full script, concatenate all the events with this unique ID together.
EventData/Path
This field indicates the full path to the executed script, if available.
System/Execution/ProcessID
This field indicates the parent Process ID (PID) that executed the script.
System/Security/UserID
This field contains the SID of the user that executed the script.
Windows 11
✅
Server 2019
✅
Windows 10
✅
Server 2016
✅
Windows 8
✅
Server 2012
✅
Windows 7
✅
Server 2008
✅
Windows Vista
❌
Server 2003
❌
Windows XP
❌