| Server IP : 134.29.175.74 / Your IP : 216.73.216.160 Web Server : nginx/1.10.2 System : Windows NT CST-WEBSERVER 10.0 build 19045 (Windows 10) i586 User : Administrator ( 0) PHP Version : 7.1.0 Disable Function : NONE MySQL : OFF | cURL : ON | WGET : OFF | Perl : OFF | Python : OFF | Sudo : OFF | Pkexec : OFF Directory : /Windows/System32/WindowsPowerShell/v1.0/en-US/ |
Upload File : |
ABOUT EVENTLOGS
Short Description
Windows PowerShell creates a Windows event log that is named "Windows
PowerShell" to record Windows PowerShell events. You can view this log in
Event Viewer or by using cmdlets that get events, such as the Get-EventLog
cmdlet. By default, Windows PowerShell engine and provider events are
recorded in the event log, but you can use the event log preference
variables to customize the event log. For example, you can add events about
Windows PowerShell commands.
Long Description
The Windows PowerShell event log records details of Windows PowerShell
operations, such as starting and stopping the program engine and starting
and stopping the Windows PowerShell providers. You can also log details
about Windows PowerShell commands.
The Windows PowerShell event log is in the Application and Services Logs
group. The Windows PowerShell log is a classic event log that does not use
the Windows Eventing technology. To view the log, use the cmdlets designed
for classic event logs, such as Get-EventLog.
Viewing the Windows PowerShell Event Log
You can view the Windows PowerShell event log in Event Viewer or by using
the Get-EventLog and Get-WmiObject cmdlets. To view the contents of the
Windows PowerShell log, type:
Get-EventLog -LogName "Windows PowerShell"
To examine the events and their properties, use the Sort-Object cmdlet, the
Group-Object cmdlet, and the cmdlets that contain the Format verb (the
Format cmdlets).
For example, to view the events in the log grouped by the event ID, type:
Get-EventLog "Windows PowerShell" | Format-Table -GroupBy EventID
Or, type:
Get-EventLog "Windows PowerShell" |
Sort-Object EventID |
Group-Object EventID
To view all the classic event logs, type:
Get-EventLog -List
You can also use the Get-WmiObject cmdlet to use the event-related Windows
Management Instrumentation (WMI) classes to examine the event log. For
example, to view all the properties of the event log file, type:
Get-WmiObject Win32_NTEventlogFile |
where LogFileName -EQ "Windows PowerShell" |
Format-List -Property *
To find the Win32 event-related WMI classes, type:
Get-WmiObject -List | where Name -Like "win32*event*"
For more information, type "Get-Help Get-EventLog" and "Get-Help
Get-WmiObject".
Selecting Events for the Windows PowerShell Event Log
You can use the event log preference variables to determine which events
are recorded in the Windows PowerShell event log.
There are six event log preference variables; two variables for each of the
three logging components: the engine (the Windows PowerShell program), the
providers, and the commands. The LifeCycleEvent variables log normal
starting and stopping events. The Health variables log error events.
The following table lists the event log preference variables.
Variable Description
---------------------------- -------------------------------------------------
$LogEngineLifeCycleEvent Logs the start and stop of PowerShell
$LogEngineHealthEvent Logs PowerShell program errors
$LogProviderLifeCycleEvent Logs the start and stop of PowerShell providers
$LogProviderHealthEvent Logs PowerShell provider errors
$LogCommandLifeCycleEvent Logs the starting and completion of commands
$LogCommandHealthEvent Logs command errors
(For information about Windows PowerShell providers, see about_Providers.)
By default, only the following event types are enabled:
- $LogEngineLifeCycleEvent
- $LogEngineHealthEvent
- $LogProviderLifeCycleEvent
- $LogProviderHealthEvent
To enable an event type, set the preference variable for that event type to
$true. For example, to enable command life-cycle events, type:
$LogCommandLifeCycleEvent
Or, type:
$LogCommandLifeCycleEvent = $true
To disable an event type, set the preference variable for that event type
to $false. For example, to disable command life-cycle events, type:
$LogProviderLifeCycleEvent = $false
You can disable any event, except for the events that indicate that the
Windows PowerShell engine and the core providers are started. These events
are generated before the Windows PowerShell profiles are run and before the
host program is ready to accept commands.
The variable settings apply only for the current Windows PowerShell
session. To apply them to all Windows PowerShell sessions, add them to your
Windows PowerShell profile.
Logging Module Events
Beginning in Windows PowerShell 3.0, you can record execution events for
the cmdlets and functions in Windows PowerShell modules and snap-ins by
setting the LogPipelineExecutionDetails property of modules and snap-ins to
TRUE. In Windows PowerShell 2.0, this feature is available only for
snap-ins.
When the LogPipelineExecutionDetails property value is TRUE ($true),
Windows PowerShell writes cmdlet and function execution events in the
session to the Windows PowerShell log in Event Viewer. The setting is
effective only in the current session.
To enable logging of execution events of cmdlets and functions in a module,
use the following command sequence.
Import-Module <ModuleName>
$m = Get-Module <ModuleName>
$m.LogPipelineExecutionDetails = $true
To enable logging of execution events of cmdlets in a snap-in, use the
following command sequence.
$m = Get-PSSnapin <SnapInName> [-Registered]
$m.LogPipelineExecutionDetails = $True
To disable logging, use the same command sequence to set the property value
to FALSE ($false).
You can also use the "Turn on Module Logging" Group Policy setting to
enable and disable module and snap-in logging. The policy value includes a
list of module and snap-in names. Wildcards are supported.
When "Turn on Module Logging" is set for a module, the value of the
LogPipelineExecutionDetails property of the module is TRUE in all sessions
and it cannot be changed.
The Turn On Module Logging group policy setting is located in the following
Group Policy paths:
Computer Configuration\
Administrative Templates\
Windows Components\
Windows PowerShell
User Configuration\
Administrative Templates\
Windows Components\
Windows PowerShell
The User Configuration policy takes precedence over the Computer
Configuration policy, and both policies take preference over the value of
the LogPipelineExecutionDetails property of modules and snap-ins.
For more information about this Group Policy setting, see
about_Group_Policy_Settings.
Security and Auditing
The Windows PowerShell event log is designed to indicate activity and to
provide operational details for troubleshooting.
However, like most Windows-based application event logs, the Windows
PowerShell event log is not designed to be secure. It should not be used to
audit security or to record confidential or proprietary information.
Event logs are designed to be read and understood by users. Users can read
from and write to the log. A malicious user could read an event log on a
local or remote computer, record false data, and then prevent the logging
of their activities.
Notes
Authors of module authors can add logging features to their modules. For
more information, see Writing a Windows PowerShell Module.
See Also
Get-EventLog
Get-WmiObject
about_Group_Policy_Settings
about_Preference_Variables