Share via

EventID for the GPO

Glenn Maxwell 11,416 Reputation points
2024-05-28T15:51:47.9+00:00

I have enabled the GPO (Turn on PowerShell Transcription):

Computer Configuration-Administrative Templates-Windows Components-Windows PowerShell.

Turn on PowerShell Transcription: Enabled. Should I see any other Event ID besides 4103 in Event Viewer with this GPO?

transcript

Windows Server 2019
Windows Server 2019
A Microsoft server operating system that supports enterprise-level management updated to data storage.
3,753 questions
Windows Server 2016
Windows Server 2016
A Microsoft server operating system that supports enterprise-level management updated to data storage.
2,508 questions
Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
13,094 questions
Windows Server PowerShell
Windows Server PowerShell
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.PowerShell: A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
5,526 questions
PowerShell
PowerShell
A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
2,526 questions
Accepted answer
  1. Daisy Zhou 24,046 Reputation points Microsoft Vendor
    2024-05-29T12:21:58.3566667+00:00

    Hello Glenn Maxwell,

    Thank you for posting in Q&A forum.

    From the following article, I can see:

    Turn on Module Logging will log event ID 800 under Applications and Services Logs > Windows PowerShell in event viewer.

    Turn on PowerShell Script Block Logging will log event ID 4104 under

    Application and Services Logs > Microsoft > Windows > PowerShell > Operational event log

    Turn on PowerShell Transcription

    Enabling this policy will log both input and the resulting output of PowerShell into a text file. We need to specify a folder to store the logs to.

    For more information, please read link below.
    https://www.rootusers.com/enable-and-configure-module-script-block-and-transcription-logging-in-windows-powershell/

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    0 comments

2 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Glenn Maxwell 11,416 Reputation points
    2024-05-29T08:26:58.9+00:00

    with this gpo enabled what event ids will we see?

    0 comments
  2. Glenn Maxwell 11,416 Reputation points
    2024-05-29T16:17:52.2433333+00:00

    As per this article, Event ID 4103 – Module logging, should i consider 800 or 4103

    https://www.iblue.team/incident-response-1/logging-powershell-activities

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.