Options to monitor any instance of PowerShell

  • Question

  • I am looking for an option, native or 3rd party, to monitor any instance of PowerShell on a workstation.

    Plenty of information for using PowerShell to monitor, but not much for monitoring PowerShell itself.

    Thursday, August 23, 2018 1:09 PM

All replies

  • If you want to log every PowerShell cmdlet executed on a machine, use Transcription Logging. You can enable it using a Group Policy Object.

    References:
    https://docs.microsoft.com/en-us/powershell/wmf/5.0/audit_script
    https://sid-500.com/2017/11/07/powershell-enabling-transcription-logging-by-using-group-policy/


    • Proposed as answer by jrv Thursday, August 23, 2018 1:33 PM
    Thursday, August 23, 2018 1:32 PM
  • Good article John linked, but note the comment about alternate credentials in PowerShell scripts also being logged.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Thursday, August 23, 2018 1:43 PM
  • Thank you John. Unfortunately, the computer is running Windows 7, which doesn't seem to support PowerShell transcription.

    Do you know of any 3rd party programs that could take care of that?

    Thursday, August 23, 2018 8:54 PM
  • Thank you John. Unfortunately, the computer is running Windows 7, which doesn't seem to support PowerShell transcription.

    Do you know of any 3rd party programs that could take care of that?


    I believe this is a feature of PowerShell V5, which is not shipped with Windows 7 by default, but you can install it. PowerShell transcription should work for Windows 7.
    • Edited by John Seerden Thursday, August 23, 2018 9:14 PM Typo
    Thursday, August 23, 2018 9:14 PM
  • WMF 5.1 is the latest and is here.

    \_(ツ)_/

    Thursday, August 23, 2018 9:16 PM
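
The setup discussed in this thread, as an added example that is not part of any reply: a local script that first checks for Windows PowerShell 5.0 or later (the Windows 7 issue raised above) and then writes the registry values that the "Turn on PowerShell Transcription" policy sets. The `C:\PSTranscripts` directory and the function names are assumptions chosen for illustration.

```powershell
# Added example, not from the thread. Run elevated in Windows PowerShell.
# Syntax is kept PowerShell 2.0 compatible so the version check also runs
# on a stock Windows 7 machine before WMF 5.x is installed.
param(
    # Assumption: placeholder transcript location. Transcripts can contain
    # credentials typed into scripts, so restrict who can read this directory.
    [string]$OutputDirectory = 'C:\PSTranscripts'
)

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'

function Test-TranscriptionSupported {
    param([version]$Version = $PSVersionTable.PSVersion)
    # Policy-based transcription arrived with Windows PowerShell 5.0.
    return ($Version.Major -ge 5)
}

function Set-TranscriptionPolicy {
    param([Parameter(Mandatory = $true)][string]$Directory)

    if (-not (Test-Path -LiteralPath $Directory)) {
        New-Item -ItemType Directory -Path $Directory | Out-Null
    }
    if (-not (Test-Path -LiteralPath $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    # -Force overwrites existing values so the script can be re-run safely.
    New-ItemProperty -Path $PolicyKey -Name EnableTranscripting `
        -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $PolicyKey -Name EnableInvocationHeader `
        -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $PolicyKey -Name OutputDirectory `
        -PropertyType String -Value $Directory -Force | Out-Null
}

if (-not (Test-TranscriptionSupported)) {
    Write-Warning ("PowerShell {0} found; install WMF 5.x before enabling transcription." -f $PSVersionTable.PSVersion)
    return
}

Set-TranscriptionPolicy -Directory $OutputDirectory

# Read the values back to confirm what new PowerShell sessions will pick up.
Get-ItemProperty -Path $PolicyKey |
    Select-Object EnableTranscripting, EnableInvocationHeader, OutputDirectory
```

Only sessions started after the values are written produce transcripts; a Group Policy Object configured as in the first reply writes the same key.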