EventID 4104: PowerShell Script Block Logging

This event is logged to the Microsoft-Windows-PowerShell/Operational channel whenever a script is run through PowerShell.

This event will only be logged if PowerShell Script Block Logging is configured and enabled. This is a GPO setting that can be found under Administrative Templates → Windows Components → Windows PowerShell.

Analysis Value

  • Evidence of Execution
  • Parent and Child Information
  • First Executed
  • File Path
  • Security Identifier

Operating System Availability

Major Version    Support    Major Version    Support
Windows 11                  Server 2019
Windows 10                  Server 2016
Windows 8                   Server 2012
Windows 7                   Server 2008
Windows Vista               Server 2003
Windows XP

Artifact Location(s)

  • %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx

Artifact Interpretation

Field / Interpretation

System/Level

This field may indicate a suspicious script. If its value is Warning, the script was flagged as suspicious based on its contents.

EventData/ScriptBlockId

This field uniquely identifies a script across multiple 4104 events. Large scripts may be split across multiple events; to reconstruct the full script, concatenate all events that carry the same ScriptBlockId.

EventData/Path

This field indicates the full path to the executed script, if available.

System/Execution/ProcessID

This field indicates the parent Process ID (PID) that executed the script.

System/Security/UserID

This field contains the SID of the user that executed the script.

This event is only logged the first time that a script is executed.

This event does not capture the output produced by an executed script, as module logging does.
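The ScriptBlockId reconstruction described above, written out as an added example (not code from the original page): it parses 4104 events in the Event XML layout shown in the Example section, groups fragments by ScriptBlockId, orders them by MessageNumber, reports any fragment numbers that are missing, and marks a block as suspicious when any fragment was logged at the Warning level. The sample events and the SID S-1-5-21-0-1001 inside them are constructed for this example.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LEVEL_WARNING = 3  # System/Level 3 = Warning: the engine flagged the block as suspicious

def parse_4104(xml_text):
    """Pull the fields described above out of one 4104 event rendered as Event XML."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "level": int(system.findtext("e:Level", namespaces=NS)),
        "pid": system.find("e:Execution", NS).get("ProcessID"),
        "sid": system.find("e:Security", NS).get("UserID"),
        "script_block_id": data["ScriptBlockId"],
        "number": int(data.get("MessageNumber", "1")),
        "total": int(data.get("MessageTotal", "1")),
        "text": data.get("ScriptBlockText", ""),
    }

def reassemble(events):
    """Group parsed events by ScriptBlockId, order fragments by MessageNumber, concatenate."""
    by_id = defaultdict(list)
    for ev in events:
        by_id[ev["script_block_id"]].append(ev)
    result = {}
    for sbid, frags in by_id.items():
        frags.sort(key=lambda f: f["number"])
        seen, expected = {f["number"] for f in frags}, set(range(1, frags[0]["total"] + 1))
        result[sbid] = {
            "script": "".join(f["text"] for f in frags),
            "missing": sorted(expected - seen),  # non-empty: fragments lost or not yet collected
            "suspicious": any(f["level"] == LEVEL_WARNING for f in frags),
        }
    return result

def _sample_event(level, sbid, number, total, text):
    """Constructed sample in the page's Event XML layout (not a real capture)."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4104</EventID><Level>{level}</Level>'
            '<Execution ProcessID="4328" ThreadID="4600"/><Security UserID="S-1-5-21-0-1001"/>'
            f'</System><EventData><Data Name="MessageNumber">{number}</Data>'
            f'<Data Name="MessageTotal">{total}</Data><Data Name="ScriptBlockText">{text}</Data>'
            f'<Data Name="ScriptBlockId">{sbid}</Data><Data Name="Path"/></EventData></Event>')

SAMPLE_EVENTS = [  # one single-fragment block, plus a two-fragment block logged out of order
    _sample_event(5, "808e4d85-977e-4418-9218-59dd2aa1b0ef", 1, 1, "Get-Process"),
    _sample_event(3, "11111111-2222-3333-4444-555555555555", 2, 2, "; Write-Output 'part two'"),
    _sample_event(5, "11111111-2222-3333-4444-555555555555", 1, 2, "Write-Output 'part one'"),
]
```

Feed parse_4104 the XML of each 4104 event (for example as exported from Event Viewer) and pass the results to reassemble; a non-empty "missing" list means the script cannot be trusted to be complete.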

Example

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-PowerShell" Guid="{a0c1853b-5c40-4b15-8766-3cf1c58f985a}" />
    <EventID>4104</EventID>
    <Version>1</Version>
    <Level>5</Level>
    <Task>2</Task>
    <Opcode>15</Opcode>
    <Keywords>0x0</Keywords>
    <TimeCreated SystemTime="2023-11-06T20:24:01.8911267Z" />
    <EventRecordID>194</EventRecordID>
    <Correlation ActivityID="{7af08a74-10ed-0003-e08b-f07aed10da01}" />
    <Execution ProcessID="4328" ThreadID="4600" />
    <Channel>Microsoft-Windows-PowerShell/Operational</Channel>
    <Computer>DESKTOP-TUMSOE7</Computer>
    <Security UserID="S-1-5-21-1392459375-2353216063-1350843065-1001" />
  </System>
  <EventData>
    <Data Name="MessageNumber">1</Data>
    <Data Name="MessageTotal">1</Data>
    <Data Name="ScriptBlockText">Invoke-WebRequest -Uri "https://example.com" -OutFile "C:\Temp\test.exe"</Data>
    <Data Name="ScriptBlockId">808e4d85-977e-4418-9218-59dd2aa1b0ef</Data>
    <Data Name="Path" />
  </EventData>
</Event>

This example was produced on Windows 10, Version 10.0.19044 Build 19044
