Powershell History

A lot of information can be gathered from the series of commands that were executed on a system. By default, Windows PowerShell keeps only limited history; however, enterprises enable additional logging so that systems can be analysed for threats. There are 2 types of logging mechanisms - PowerShell Transcription and PowerShell Script Block Logging.

Transcription - The information is stored in transcript files, which are often kept in the user's home directory or in a centralized directory for all users.

Script Block Logging - Records commands and blocks of script code as events while they execute. This is the more detailed form of logging, because the code itself is also recorded.

Here are some of the commands that can be used to gather information on past commands:

Get-History

Though the session history can be cleared using the 'Clear-History' command, the commands recorded by 'PSReadLine' are not erased. They can be retrieved using the following command:

# The storage path of the PSReadLine history file can be retrieved with:
(Get-PSReadlineOption).HistorySavePath

The file can be read using the 'type' command (an alias for Get-Content).
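The following PowerShell function is an added example, not code from the original page. It gathers the three sources of past-command evidence described above in one report: the in-session history, the persistent PSReadLine history file, and the transcription and script block logging configuration with the events and transcript files they produce. The policy registry keys (Transcription / ScriptBlockLogging under HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell) and event ID 4104 in the Microsoft-Windows-PowerShell/Operational log are standard Windows values that the page itself does not mention; the function name Get-PSHistoryArtifacts is my own. Run it in an elevated session so the policy keys and the event log are readable.

```powershell
# Added example (not part of the original page): collect PowerShell command
# history artifacts from a Windows host. Registry key names and event ID 4104
# are standard Windows values, not taken from the page.
function Get-PSHistoryArtifacts {
    [CmdletBinding()]
    param(
        # Number of script block (4104) events to pull from the Operational log
        [int]$MaxEvents = 50
    )

    $report = [ordered]@{}

    # 1. In-memory history of this session (this is what Clear-History wipes)
    $report.SessionHistory = Get-History | Select-Object Id, CommandLine, StartExecutionTime

    # 2. PSReadLine persistent history file (survives Clear-History)
    try {
        $histPath = (Get-PSReadLineOption).HistorySavePath
    } catch {
        # PSReadLine is not loaded in this session (e.g. non-interactive host)
        $histPath = $null
    }
    $report.PSReadLinePath = $histPath
    if ($histPath -and (Test-Path $histPath)) {
        # Same as 'type' on the file; Get-Content is the cmdlet behind that alias
        $report.PSReadLineHistory = Get-Content -Path $histPath
    }

    # 3. Transcription policy: where transcripts land if the enterprise enabled it
    $txKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
    if (Test-Path $txKey) {
        $tx = Get-ItemProperty -Path $txKey
        $report.TranscriptionEnabled = [bool]$tx.EnableTranscripting
        $report.TranscriptDirectory  = $tx.OutputDirectory
    } else {
        $report.TranscriptionEnabled = $false
    }
    # Without a central OutputDirectory, transcripts are written under the
    # user's Documents folder; search it for the standard transcript file names
    $docs = [Environment]::GetFolderPath('MyDocuments')
    $report.TranscriptFiles = Get-ChildItem -Path $docs -Filter 'PowerShell_transcript.*.txt' `
        -Recurse -ErrorAction SilentlyContinue | Select-Object FullName, LastWriteTime

    # 4. Script block logging policy and the 4104 events it produces
    $sblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $sblEnabled = $false
    if (Test-Path $sblKey) {
        $sblEnabled = [bool](Get-ItemProperty -Path $sblKey).EnableScriptBlockLogging
    }
    $report.ScriptBlockLoggingEnabled = $sblEnabled
    $report.ScriptBlockEvents = Get-WinEvent -FilterHashtable @{
            LogName = 'Microsoft-Windows-PowerShell/Operational'
            Id      = 4104
        } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time       = $_.TimeCreated
                # Property index 2 of a 4104 event holds the logged script text
                ScriptText = $_.Properties[2].Value
            }
        }

    [pscustomobject]$report
}

# Usage: build the report, then inspect the pieces you need
$artifacts = Get-PSHistoryArtifacts -MaxEvents 20
$artifacts | Select-Object PSReadLinePath, TranscriptionEnabled, TranscriptDirectory, ScriptBlockLoggingEnabled
$artifacts.PSReadLineHistory | Select-Object -Last 20
```

The PSReadLine file is the most reliable source on an unmanaged host, since it is written regardless of policy, while transcripts and 4104 events only exist where the corresponding policy keys are set; checking the keys first tells you which of the other two sources are worth collecting. Each source can be absent without the function failing, so it is safe to run as a first triage step.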
