Register of the commands Powershell
(PowerShell logs)
PowerShell commands issued by a script, an application, or a user can be recorded in the Working Log and Access Logs:
To enable logging on machines, some keys must be created in the Windows Registry (Regedit) under:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\
Create the PowerShell key and, immediately below it, two additional keys:
-
Module-Logging
-
ModuleNames
Inside Module-Logging, create a DWORD value named EnableModuleLogging and set it to 1.
Inside ModuleNames, create a String value with the following label and value:
Microsoft.PowerShell.*
These keys must be generated by GPO, so as to "spread" them across all machines.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging] "EnableModuleL-ogging"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging\Modu leNames]
"Microsoft.PowerShell.*"="Microsoft.PowerShell.*"
​
If the NinjaOne software is present on your network, it may generate several million log entries, resulting in a significant increase in the database size.
In this case, the use of PowerShell logs is not recommended, as it may negatively affect the application's performance.