By default, script block logging data is open to anyone, not just Administrators. When script block logging is enabled, any user can access the log and read its content. The easiest way would probably be to download tools and use a one-liner:
Install-Module -Name scriptblocklogginganalyzer -Scope CurrentUser Get-SBLEvent | Out-GridView
There are ways to harden the script block log, and make sure only Administrators can read this log. Run this to change access permissions to Administrators only:
#requires -RunAsAdministrator $Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\winevt\Channels\Microsoft-Windows-PowerShell/Operational" # get the default access permission for the standard security log... $sddlSecurity = ((wevtutil gl security) -like 'channelAccess*').Split(' ')[-1] # get the current permissions $sddlPowerShell = (Get-ItemProperty -Path $Path).ChannelAccess # make a backup of the current permissions New-ItemProperty -Path $Path -Name ChannelAccessBackup -Value $sddlPowerShell -ErrorAction Ignore # apply the hardened permissions Set-ItemProperty -Path $Path -Name ChannelAccess -Value $sddlSecurity # restart service to take effect Restart-Service -Name EventLog -Force
Now, when a regular user tries to read the script block logging log, no information is returned.
