EventID 4104: PowerShell Script Block Logging
This event is logged to the Microsoft-Windows-PowerShell/Operational
channel whenever a script is run through PowerShell.
This event is only logged if PowerShell Script Block Logging is configured and enabled. This is a GPO setting found under Administrative Templates → Windows Components → Windows PowerShell.
Analysis Value
Evidence of Execution
Parent and Child Information
First Executed
File Path
Security Identifier
Operating System Availability
Windows 11 ✅    Server 2019 ✅
Windows 10 ✅    Server 2016 ✅
Windows 8 ✅     Server 2012 ✅
Windows 7 ✅     Server 2008 ✅
Windows Vista ❌  Server 2003 ❌
Windows XP ❌
Artifact Location(s)
%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx
Artifact Interpretation
System/Level
This field may indicate a suspicious script: if its value is Warning, the script was flagged as suspicious based on its contents.
EventData/ScriptBlockId
This field uniquely identifies a script across multiple 4104 events. Large scripts may be split across several events; to reconstruct the full script, concatenate all events that share this ID, in MessageNumber order.
System/Execution/ProcessID
This field indicates the parent Process ID (PID) that executed the script.
System/Security/UserID
This field contains the SID of the user that executed the script.
Example
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-PowerShell" Guid="{a0c1853b-5c40-4b15-8766-3cf1c58f985a}" />
    <EventID>4104</EventID>
    <Version>1</Version>
    <Level>5</Level>
    <Task>2</Task>
    <Opcode>15</Opcode>
    <Keywords>0x0</Keywords>
    <TimeCreated SystemTime="2023-11-06T20:24:01.8911267Z" />
    <EventRecordID>194</EventRecordID>
    <Correlation ActivityID="{7af08a74-10ed-0003-e08b-f07aed10da01}" />
    <Execution ProcessID="4328" ThreadID="4600" />
    <Channel>Microsoft-Windows-PowerShell/Operational</Channel>
    <Computer>DESKTOP-TUMSOE7</Computer>
    <Security UserID="S-1-5-21-1392459375-2353216063-1350843065-1001" />
  </System>
  <EventData>
    <Data Name="MessageNumber">1</Data>
    <Data Name="MessageTotal">1</Data>
    <Data Name="ScriptBlockText">Invoke-WebRequest -Uri "https://example.com" -OutFile "C:\Temp\test.exe"</Data>
    <Data Name="ScriptBlockId">808e4d85-977e-4418-9218-59dd2aa1b0ef</Data>
    <Data Name="Path" />
  </EventData>
</Event>
This example was produced on Windows 10, Version 10.0.19044 Build 19044
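The reconstruction described under ScriptBlockId, worked through as an added example (not code from the original page): it parses 4104 events in the XML layout shown above, groups fragments by ScriptBlockId, orders them by MessageNumber, checks against MessageTotal that no fragment is missing, and flags blocks whose System/Level is 3 (the numeric value Windows uses for Warning). The sample events are constructed, and the helper and field names are this example's own.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LEVEL_WARNING = 3  # System/Level numeric value for "Warning" (flagged script block)

# Constructed sample events (not real captures): one script split across two
# events (MessageTotal=2) and one single-fragment script logged at Warning level.
def make_event(level, pid, num, total, block_id, text):
    return f"""<Event xmlns="{NS['e']}"><System><EventID>4104</EventID><Level>{level}</Level>
<Execution ProcessID="{pid}" ThreadID="1"/><Security UserID="S-1-5-21-1-2-3-1001"/></System>
<EventData><Data Name="MessageNumber">{num}</Data><Data Name="MessageTotal">{total}</Data>
<Data Name="ScriptBlockText">{text}</Data><Data Name="ScriptBlockId">{block_id}</Data>
<Data Name="Path"/></EventData></Event>"""

SAMPLE_EVENTS = [
    make_event(5, "4328", 2, 2, "aaaa-0001", "Write-Output $x"),   # arrives out of order
    make_event(5, "4328", 1, 2, "aaaa-0001", "$x = 1; "),
    make_event(3, "5120", 1, 1, "bbbb-0002",
               "Invoke-WebRequest -Uri https://example.com -OutFile C:\\Temp\\test.exe"),
]

def parse_4104(xml_text):
    """Extract the fields this artifact page describes from one 4104 event."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    return {
        "level": int(root.findtext("e:System/e:Level", namespaces=NS)),
        "pid": root.find("e:System/e:Execution", NS).get("ProcessID"),
        "sid": root.find("e:System/e:Security", NS).get("UserID"),
        "num": int(data["MessageNumber"]), "total": int(data["MessageTotal"]),
        "text": data["ScriptBlockText"], "block_id": data["ScriptBlockId"],
    }

def reassemble(events_xml):
    """Group fragments by ScriptBlockId, sort by MessageNumber, concatenate if complete."""
    frags = defaultdict(list)
    for ev in map(parse_4104, events_xml):
        frags[ev["block_id"]].append(ev)
    out = {}
    for block_id, parts in frags.items():
        parts.sort(key=lambda p: p["num"])
        expected = list(range(1, parts[0]["total"] + 1))
        complete = [p["num"] for p in parts] == expected  # no fragment missing or duplicated
        out[block_id] = {
            "script": "".join(p["text"] for p in parts) if complete else None,
            "complete": complete,
            "suspicious": any(p["level"] == LEVEL_WARNING for p in parts),
            "pid": parts[0]["pid"], "sid": parts[0]["sid"],
        }
    return out
```

In practice the input list would come from the .evtx file listed under Artifact Location(s), exported to XML; an incomplete block (script is None) means fragments were lost to log rollover or filtering.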