Understanding Script Block Logging (Part 4)

by Jun 27, 2018

This is part 4 of our mini-series covering PowerShell script block logging. By now, you know how to read logged PowerShell code, and how to turn on verbose mode. With verbose mode turned on, any PowerShell code that executes on your machine is logged, so this may produce a lot of data. In order to not overwrite older log entries, you should enlarge the log file. Here is how:

function Set-SBLLogSize
{
  <#
      .SYNOPSIS
      Sets a new size for the script block logging log.
      Administrator privileges required.

      .DESCRIPTION
      By default, the script block log has a maximum size of 15MB
      which may be too small to capture and log PowerShell activity
      over a given period of time. With this command,
      you can assign more memory to the log.

      .PARAMETER MaxSizeMB
      New log size in Megabyte

      .EXAMPLE
      Set-SBLLogSize -MaxSizeMB 100
      Sets the maximum log size to 100MB.
      Administrator privileges required.
  #>

  param
  (
    [Parameter(Mandatory)]
    [ValidateRange(15,3000)]
    [int]
    $MaxSizeMB
  )

  $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-PowerShell/Operational"
  try
  {
    $ErrorActionPreference = 'Stop'
    Set-ItemProperty -Path $Path -Name MaxSize -Value ($MaxSizeMB * 1MB)
  }
  catch
  {
    Write-Warning "Administrator privileges required. Run this command from an elevated PowerShell."
  }
}

To assign 100MB to the log file instead of the default 15MB, run this (with Administrator privileges):

 PS> Set-SBLLogSize -MaxSizeMB 100 
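To confirm the new size and judge whether it is large enough, the following added example (not part of the original tip) compares the registry value written above with the limit the event log service reports, and estimates how many days of activity the log can hold at the current logging rate. The function name Get-SBLLogStatus and its output property names are hypothetical.

```powershell
function Get-SBLLogStatus
{
  # Hypothetical helper (added example): reports how full the script block
  # log is and how far back the retained events reach.
  $LogName = 'Microsoft-Windows-PowerShell/Operational'
  # Same registry key that Set-SBLLogSize writes to
  $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-PowerShell/Operational"

  # Limit and usage as reported by the event log service
  $log = Get-WinEvent -ListLog $LogName -ErrorAction Stop

  # Limit as stored in the registry (stays $null if the value cannot be read)
  $regMax = (Get-ItemProperty -Path $Path -Name MaxSize -ErrorAction SilentlyContinue).MaxSize

  # Oldest and newest retained events mark the window that can still be reviewed
  $oldest = Get-WinEvent -LogName $LogName -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
  $newest = Get-WinEvent -LogName $LogName -MaxEvents 1 -ErrorAction SilentlyContinue

  $days = $null
  $mbPerDay = $null
  $capacityDays = $null
  if ($oldest -and $newest)
  {
    $days = ($newest.TimeCreated - $oldest.TimeCreated).TotalDays
    if ($days -gt 0 -and $log.FileSize -gt 0)
    {
      # Average growth so far, and how many days the configured limit covers
      $mbPerDay = ($log.FileSize / 1MB) / $days
      $capacityDays = ($log.MaximumSizeInBytes / 1MB) / $mbPerDay
    }
  }

  [PSCustomObject]@{
    LogMode           = $log.LogMode
    ServiceMaxMB      = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
    RegistryMaxMB     = if ($null -ne $regMax) { [math]::Round($regMax / 1MB, 1) }
    LimitsMatch       = ($null -ne $regMax) -and ($regMax -eq $log.MaximumSizeInBytes)
    UsedMB            = [math]::Round($log.FileSize / 1MB, 1)
    RecordCount       = $log.RecordCount
    OldestEvent       = $oldest.TimeCreated
    RetainedDays      = if ($null -ne $days) { [math]::Round($days, 1) }
    AvgMBPerDay       = if ($null -ne $mbPerDay) { [math]::Round($mbPerDay, 2) }
    EstimatedCapacity = if ($null -ne $capacityDays) { '{0:N0} days' -f $capacityDays }
  }
}
```

If LimitsMatch is False after running Set-SBLLogSize, the event log service is still reporting a different limit than the one stored in the registry. An EstimatedCapacity shorter than your investigation window means the log is still too small for verbose mode.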
