SID-500


PowerShell Security: Enabling Transcription Logging by using Group Policy

In one of my previous posts, “PowerShell: Documenting your work with Start-Transcript”, I described how to configure PowerShell transcription manually with the Start-Transcript command. In this article I show how to use Group Policy to configure transcription logging for all PowerShell users.

Turn on PowerShell Transcription

Open cmd or PowerShell and type gpedit.msc. This will open the Group Policy Editor.

gpedit.msc

Navigate to Computer Configuration – Administrative Templates – Windows Components – Windows PowerShell and double-click “Turn on PowerShell Transcription”. Click on Enable and enter your preferred Output Directory. You can also activate “Include invocation headers”. I will explain this later.


Click OK twice. To make sure that your settings are applied, run

gpupdate /force

Testing the functionality

Open Windows PowerShell. Enter some commands and then review your output directory. You should see one or more files.


The Invocation Headers

If you activate invocation headers, each command is recorded with a command start time.

The first screenshot shows transcription logging without invocation headers activated:

[Screenshot: transcript without invocation headers]

The second one shows logging with invocation headers activated:

[Screenshot: transcript with invocation headers]
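To check the result from PowerShell rather than by eye, the following added example (not part of the original post) reads the registry values that the “Turn on PowerShell Transcription” setting writes and, if an output directory is configured, lists the newest transcripts and any Allow entries on that directory for Everyone, Authenticated Users and BUILTIN\Users. The function name Get-TranscriptionPolicy is hypothetical.

```powershell
# Added example: verify the "Turn on PowerShell Transcription" policy on this computer.
# Registry key written by the Computer Configuration policy setting.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'

function Get-TranscriptionPolicy {   # hypothetical helper name
    param([string]$Path = $policyKey)
    # Returns $null if the key does not exist (policy never applied).
    $v = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Enabled           = ($null -ne $v) -and ($v.EnableTranscripting -eq 1)
        OutputDirectory   = if ($v) { $v.OutputDirectory } else { $null }
        InvocationHeaders = ($null -ne $v) -and ($v.EnableInvocationHeader -eq 1)
    }
}

$policy = Get-TranscriptionPolicy
$policy | Format-List

if (-not $policy.Enabled) {
    Write-Warning 'Transcription policy is not applied. Run gpupdate /force and check the policy setting.'
}
elseif ([string]::IsNullOrWhiteSpace($policy.OutputDirectory)) {
    # With no directory configured, transcripts go to each user's Documents folder.
    Write-Output 'No output directory set; transcripts are written to each user''s Documents folder.'
}
elseif (-not (Test-Path -LiteralPath $policy.OutputDirectory)) {
    Write-Warning "Output directory '$($policy.OutputDirectory)' does not exist or is not reachable."
}
else {
    # Newest transcript files; -Recurse also covers any subfolders below the output directory.
    Get-ChildItem -LiteralPath $policy.OutputDirectory -Recurse -File -Filter 'PowerShell_transcript*.txt' |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 5 FullName, LastWriteTime, Length |
        Format-Table -AutoSize

    # Transcripts record everything typed, including secrets, so review who may read them.
    # Well-known SIDs are used because group names are localized.
    $broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'   # Everyone, Authenticated Users, BUILTIN\Users
    $acl = Get-Acl -LiteralPath $policy.OutputDirectory
    $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $broadSids -contains $_.IdentityReference.Value } |
        Select-Object IdentityReference, FileSystemRights, IsInherited |
        Format-Table -AutoSize
}
```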

See also

Another way to configure transcription is to include the command Start-Transcript in your PowerShell profile, which I described here: How to create PowerShell Profiles.

See also my English article about Start-Transcript PowerShell: Documenting your work with Start-Transcript or if you prefer German see my article PowerShell: Sitzung aufzeichnen mit start-transcript.


2 Comments

  1. Max E. says:

    Are you aware CIS policy actually recommends and checks that PS transcripting is disabled in their compliance template? As if someone passes creds, etc. in a PS script, it’s recorded and easily viewable.

    Thoughts?

    PN


  2. pewa2303 says:

    Thank you for your comment. This is new to me.


GET-AUTHOR

My name is Patrick Grünauer. Microsoft MVP. I am from Austria. On sid-500 I write about Windows, Cisco and IT-Security in English and German. Have fun while reading!
