Hardening PowerShell Script Block Logging Log

by Aug 17, 2018

When you enable ScriptBlockLogging, PowerShell logs all PowerShell code that is executed on your machine. Even if it is disabled, any security-relevant code is still logged. That’s awesome. However, the log can be read by any user, so anyone could browse through the logged code like this:

Get-WinEvent -FilterHashtable @{ ProviderName="Microsoft-Windows-PowerShell"= 4104 } 

To harden security and limit the access to the log file, you have two choices:

  • You can set up encrypted logging by installing a digital certificate. This way, the logged data would be protected even from fellow Administrators. However, setting up and managing these certificates is not trivial.
  • You can harden the access security to the PowerShell operational log, and use the same access that is used for the classic Security log. This way, only local Administrators can read the log. This is the approach we are taking in this tip today:
#requires -RunAsAdministrator 
# this is where the  PowerShell operational log stores its settings 
$Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\winevt\Channels\Microsoft-Windows-PowerShell/Operational"
# get the default  SDDL security definition for the classic security log 
$sddlSecurity = ((wevtutil gl security) -like 'channelAccess*').Split(' ')[-1]
# get the current  SDDL security for the PowerShell log 
$sddlPowerShell = (Get-ItemProperty -Path $Path).ChannelAccess
# store the current  SDDL security (just in case you want to restore it later) 
$existsBackup = Test-Path -Path $Path
if (!$existsBackup)
    Set-ItemProperty -Path $Path -Name ChannelAccessBackup -Value $sddlPowerShell
# set the hardened  security to the PowerShell operational log 
Set-ItemProperty -Path $Path -Name ChannelAccess -Value $sddlSecurity
# restart the service  to take effect 
Restart-Service -Name EventLog -Force 

Once you run the script, reading the PowerShell operational log is limited to local Administrators.

Twitter This Tip! ReTweet this Tip!