EventID 4104: PowerShell Script Block Logging

This event is logged to the Microsoft-Windows-PowerShell/Operational channel whenever a script is run through PowerShell.

This event will only be logged if PowerShell Script Block Logging is configured and enabled. This is a GPO setting that can be found under Administrative Templates → Windows Components → Windows PowerShell.

Analysis Value

  • Evidence of Execution
  • Parent and Child Information
  • First Executed
  • File Path
  • Security Identifier

Operating System Availability

Major Version     Support     Major Version     Support
Windows 11                    Server 2019
Windows 10                    Server 2016
Windows 8                     Server 2012
Windows 7                     Server 2008
Windows Vista                 Server 2003
Windows XP

Artifact Location(s)

  • %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx

Artifact Interpretation

Field                         Interpretation

System/Level
    This field may indicate a suspicious script. If its value is Warning, the script was flagged as suspicious based on its contents.

EventData/ScriptBlockId
    This field uniquely identifies a script across multiple 4104 events. Large scripts may be split across multiple events; to reconstruct the full script, concatenate all events carrying the same ScriptBlockId, in MessageNumber order.

EventData/Path
    This field indicates the full path to the executed script, if available.

System/Execution/ProcessID
    This field indicates the Process ID (PID) of the parent process that executed the script.

System/Security/UserID
    This field contains the SID of the user that executed the script.

This event is only logged the first time that a script is executed.

This event does not capture the output of an executed script, unlike module logging, which does.

Example

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-PowerShell" Guid="{a0c1853b-5c40-4b15-8766-3cf1c58f985a}" />
    <EventID>4104</EventID>
    <Version>1</Version>
    <Level>5</Level>
    <Task>2</Task>
    <Opcode>15</Opcode>
    <Keywords>0x0</Keywords>
    <TimeCreated SystemTime="2023-11-06T20:24:01.8911267Z" />
    <EventRecordID>194</EventRecordID>
    <Correlation ActivityID="{7af08a74-10ed-0003-e08b-f07aed10da01}" />
    <Execution ProcessID="4328" ThreadID="4600" />
    <Channel>Microsoft-Windows-PowerShell/Operational</Channel>
    <Computer>DESKTOP-TUMSOE7</Computer>
    <Security UserID="S-1-5-21-1392459375-2353216063-1350843065-1001" />
  </System>
  <EventData>
    <Data Name="MessageNumber">1</Data>
    <Data Name="MessageTotal">1</Data>
    <Data Name="ScriptBlockText">Invoke-WebRequest -Uri "https://example.com" -OutFile "C:\Temp\test.exe"</Data>
    <Data Name="ScriptBlockId">808e4d85-977e-4418-9218-59dd2aa1b0ef</Data>
    <Data Name="Path" />
  </EventData>
</Event>

This example was produced on Windows 10, Version 10.0.19044, Build 19044.
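The reconstruction described under Artifact Interpretation, as an added example that is not part of the original page: it parses 4104 events exported as XML, groups the chunks of each script by ScriptBlockId, joins them in MessageNumber order, and carries the Level, ProcessID, UserID and Path alongside the text. The three events are constructed for this example (the SID and first ScriptBlockId are taken from the page's sample; the second ScriptBlockId and the script text are made up).

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LEVEL_NAMES = {1: "Critical", 2: "Error", 3: "Warning", 4: "Information", 5: "Verbose"}

# Constructed sample: two events are the halves of one script block (same ScriptBlockId,
# MessageNumber 2 and 1 of 2, deliberately out of order); the third is a separate block
# that the engine flagged as suspicious (Level 3 = Warning) and that has no Path.
EVENT_TMPL = ('<Event xmlns="{ns}"><System><EventID>4104</EventID><Level>{level}</Level>'
              '<Execution ProcessID="{pid}" ThreadID="1"/><Security UserID="{sid}"/></System>'
              '<EventData><Data Name="MessageNumber">{num}</Data><Data Name="MessageTotal">{tot}</Data>'
              '<Data Name="ScriptBlockText">{text}</Data><Data Name="ScriptBlockId">{sbid}</Data>'
              '<Data Name="Path">{path}</Data></EventData></Event>')
SID = "S-1-5-21-1392459375-2353216063-1350843065-1001"   # SID from the page's example
BIG, SUS = "808e4d85-977e-4418-9218-59dd2aa1b0ef", "0c3ad2d4-2e9c-4e4b-9ebc-1f1c0a7e0001"
SAMPLE = "<Events>" + "".join(EVENT_TMPL.format(ns=NS["e"], sid=SID, **e) for e in [
    dict(level=5, pid=4328, num=2, tot=2, text="Get-Date | Out-File C:\\Temp\\ts.txt", sbid=BIG, path="C:\\Temp\\big.ps1"),
    dict(level=5, pid=4328, num=1, tot=2, text="Write-Output 'start'; ", sbid=BIG, path="C:\\Temp\\big.ps1"),
    dict(level=3, pid=5120, num=1, tot=1, text="Invoke-WebRequest -Uri 'https://example.com' -OutFile 'C:\\Temp\\test.exe'", sbid=SUS, path=""),
]) + "</Events>"

def reconstruct_script_blocks(xml_text):
    """Group 4104 events by ScriptBlockId and join their chunks in MessageNumber order.
    Returns {ScriptBlockId: {"text", "level", "pid", "sid", "path", "complete"}}."""
    chunks, meta = defaultdict(dict), {}          # ScriptBlockId -> {MessageNumber: text}
    for ev in ET.fromstring(xml_text).iter("{%s}Event" % NS["e"]):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4104":
            continue
        data = {d.get("Name"): (d.text or "") for d in ev.iterfind("e:EventData/e:Data", NS)}
        sbid = data["ScriptBlockId"]
        chunks[sbid][int(data["MessageNumber"])] = data["ScriptBlockText"]
        level = int(ev.findtext("e:System/e:Level", namespaces=NS))
        meta[sbid] = {
            "level": LEVEL_NAMES.get(level, str(level)),   # Warning marks a flagged script
            "pid": int(ev.find("e:System/e:Execution", NS).get("ProcessID")),
            "sid": ev.find("e:System/e:Security", NS).get("UserID"),
            "path": data.get("Path") or None,              # empty Path element -> None
            "total": int(data["MessageTotal"]),
        }
    result = {}
    for sbid, parts in chunks.items():
        m = meta[sbid]
        m["text"] = "".join(parts[n] for n in sorted(parts))   # order by MessageNumber
        m["complete"] = len(parts) == m.pop("total")           # all chunks present?
        result[sbid] = m
    return result
```

An incomplete block (fewer chunks than MessageTotal) is reported with complete set to False so a partially exported log is not mistaken for the full script.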
