Hello, today I want to show you how to use the group policy to configure the registry transcription to audit the use of PowerShell on servers.

Requirements: This tutorial assumes that the target system already has WMF 5.x installed or upgraded.

The group policy setting to enable and configure Windows PowerShell logging capabilities can be found in the following GPO folder.

Computer Configuration\Policies\Administrative Templates\Windows Components\Windows PowerShell

https://www.jorgebernhardt.com/wp-content/uploads/2018/11/ComputerPowershellGPO

In this post I am going to focus on the following policy:

  • Turn on PowerShell Transcription

This policy setting allows you to capture the input and output of Windows PowerShell commands in text-based transcripts.

TurnOnPowershellTranscript.GPO

If you enable this policy setting, Windows PowerShell will enable transcription of Windows PowerShell, Windows PowerShell ISE, and any other application that uses the Windows PowerShell engine. By default, Windows PowerShell will log the output of transcripts in each user’s My Documents directory with a file name that includes “PowerShell_transcript” along with the computer name, random characters to avoid possible overwrites or duplications, and the start time.

Transcription Output Directory: You can specify an alternative location for the transcript files. The best practice says that you should store it in a shared directory with write-only permissions on a remote server.

Include invocation headers: If you want to have a time stamp for each command that is executed through PowerShell.

https://www.jorgebernhardt.com/wp-content/uploads/2018/11/TurnOnPowershellTranscript.File

In the following screenshot, you can see the contents of a transcription file.

If you want to know more about Audit PowerShell Usage using Transcription, check out this link: https://docs.microsoft.com/en-us/powershell/wmf/5.0/audit_overview