MicrosoftDocs · Taojunshen · Jul 25, 2023 · Jul 25, 2023 · Jul 25, 2023 · Jul 25, 2023
@@ -1,7 +1,7 @@
 ---
 description: PowerShell logs internal operations from the engine, providers, and cmdlets.
 Locale: en-US
-ms.date: 12/14/2018
+ms.date: 07/25/2023
 online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_logging?view=powershell-5.1&WT.mc_id=ps-gethelp
 schema: 2.0.0
 title: about Logging
@@ -10,8 +10,8 @@ title: about Logging
 # about_Logging
 
 ## Short description
-
-PowerShell logs internal operations from the engine, providers, and cmdlets.
+PowerShell logs internal operations from the engine, providers, and cmdlets to
+the Windows event log.
 
 ## Long description
 
@@ -22,27 +22,27 @@ stopping the engine and providers, and executing PowerShell commands.
 > Windows PowerShell versions 3.0, 4.0, 5.0, and 5.1 include **EventLog**
 > cmdlets for the Windows event logs. In those versions, to display the list of
 > **EventLog** cmdlets type: `Get-Command -Noun EventLog`. For more
-> information, see the cmdlet documentation and [about_EventLogs](about_Eventlogs.md) for your
-> version of Windows PowerShell.
+> information, see the cmdlet documentation and
+> [about_EventLogs](about_Eventlogs.md) for your version of Windows PowerShell.
 
 ## Viewing the PowerShell event log entries on Windows
 
 PowerShell logs can be viewed using the Windows Event Viewer. The event log is
-located in the Application and Services Logs group and is named
-`Microsoft-Windows-PowerShell`. The associated ETW provider `GUID` is
+located in the **Application and Services Logs** group and is named
+**Microsoft-Windows-PowerShell**. The associated ETW provider `GUID` is
 `{A0C1853B-5C40-4B15-8766-3CF1C58F985A}`.
 
 When Script Block Logging is enabled, PowerShell logs the following events to
-the `Microsoft-Windows-PowerShell/Operational` log:
+the **Microsoft-Windows-PowerShell/Operational** log:
 
-|Field| Value|
-|-|-|
-|EventId|`4104` / `0x1008`|
-|Channel|`Operational`|
-|Level|`Verbose`|
-|Opcode|`Create`|
-|Task|`CommandStart`|
-|Keyword|`Runspace`|
+|  Field  |       Value       |
+| ------- | ----------------- |
+| EventId | `4104` / `0x1008` |
+| Channel | `Operational`     |
+| Level   | `Verbose`         |
+| Opcode  | `Create`          |
+| Task    | `CommandStart`    |
+| Keyword | `Runspace`        |
 
 ## Enabling Script Block Logging
 
@@ -58,22 +58,22 @@ Script Block Logging can be enabled via Group Policy or a registry setting.
 
 ### Using Group Policy
 
-To enable automatic transcription, enable the `Turn on PowerShell Script Block
-Logging` feature in Group Policy through `Administrative Templates -> Windows
-Components -> Windows PowerShell`.
+To enable automatic transcription, enable the **Turn on PowerShell Script Block
+Logging** feature in Group Policy through **Administrative Templates** ->
+**Windows Components** -> **Windows PowerShell**.
 
 ### Using the Registry
 
 Run the following function:
 
 ```powershell
-function Enable-PSScriptBlockLogging
-{
-    $basePath = 'HKLM:\Software\Policies\Microsoft\Windows' +
-      '\PowerShell\ScriptBlockLogging'
+function Enable-PSScriptBlockLogging {
+    $basePath = @(
+        'HKLM:\Software\Policies\Microsoft\Windows'
+        'PowerShell\ScriptBlockLogging'
+    ) -join '\'
 
-    if(-not (Test-Path $basePath))
-    {
+    if (-not (Test-Path $basePath)) {
         $null = New-Item $basePath -Force
     }
 
@@ -101,13 +101,13 @@ content and decrypt content are kept separate.
 The public key can be shared widely and isn't sensitive data. Any content
 encrypted with this public key can only be decrypted by the private key. For
 more information about Public Key Cryptography, see
-[Wikipedia - Public Key Cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography).
+[Wikipedia - Public Key Cryptography][04].
 
 To enable a Protected Event Logging policy, deploy a public key to all machines
 that have event log data to protect. The corresponding private key is used to
 post-process the event logs at a more secure location such as a central event
-log collector, or [SIEM][SIEM] aggregator. You can set up SIEM in Azure. For more
-information, see [Generic SIEM integration](/cloud-app-security/siem).
+log collector, or [SIEM][05] aggregator. You can set up SIEM in Azure. For more
+information, see [Generic SIEM integration][01].
 
 ### Enabling Protected Event Logging via Group Policy
 
@@ -127,27 +127,31 @@ can provide in one of several forms:
   certificate store (can be deployed by PKI infrastructure).
 
 The resulting certificate must have `Document Encryption` as an enhanced key
-usage (`1.3.6.1.4.1.311.80.1`), and either `Data Encipherment` or `Key
-Encipherment` key usages enabled.
+usage (`1.3.6.1.4.1.311.80.1`), and either `Data Encipherment` or
+`Key Encipherment` key usages enabled.
 
 > [!WARNING]
 > The private key shouldn't be deployed to the machines logging events. It
 > should be kept in a secure location where you decrypt the messages.
 
 ### Decrypting Protected Event Logging messages
 
-The following script will retrieve and decrypt, assuming that you have the
+The following script retrieves and decrypts events, assuming that you have the
 private key:
 
 ```powershell
 Get-WinEvent Microsoft-Windows-PowerShell/Operational |
-  Where-Object Id -eq 4104 | Unprotect-CmsMessage
+    Where-Object Id -eq 4104 |
+    Unprotect-CmsMessage
 ```
 
 ## See also
 
-- [Generic SIEM integration](/cloud-app-security/siem)
-- [PowerShell the Blue Team](https://devblogs.microsoft.com/powershell/powershell-the-blue-team/)
+- [PowerShell the Blue Team][03]
+- [Generic SIEM integration][01]
 
 <!-- link references -->
-[SIEM]: https://wikipedia.org/wiki/Security_information_and_event_management
+[01]: /cloud-app-security/siem
+[03]: https://devblogs.microsoft.com/powershell/powershell-the-blue-team/
+[04]: https://en.wikipedia.org/wiki/Public-key_cryptography
+[05]: https://wikipedia.org/wiki/Security_information_and_event_management
@@ -1,7 +1,7 @@
 ---
 description: PowerShell logs internal operations from the engine, providers, and cmdlets to the Windows event log.
 Locale: en-US
-ms.date: 10/07/2022
+ms.date: 07/25/2023
 online version: https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7.2&WT.mc_id=ps-gethelp
 schema: 2.0.0
 title: about Logging Windows
@@ -18,13 +18,6 @@ the Windows event log.
 PowerShell logs details about PowerShell operations, such as starting and
 stopping the engine and providers, and executing PowerShell commands.
 
-> [!NOTE]
-> Windows PowerShell versions 3.0, 4.0, 5.0, and 5.1 include **EventLog**
-> cmdlets for the Windows event logs. In those versions, to display the list of
-> **EventLog** cmdlets type: `Get-Command -Noun EventLog`. For more
-> information, see the cmdlet documentation and about_EventLogs for your
-> version of Windows PowerShell.
-
 ## Registering the PowerShell event provider on Windows
 
 Unlike Linux or macOS, Windows requires the event provider to be registered
@@ -38,12 +31,12 @@ $PSHOME\RegisterManifest.ps1
 ## Viewing the PowerShell event log entries on Windows
 
 PowerShell logs can be viewed using the Windows Event Viewer. The event log is
-located in the Application and Services Logs group and is named
-`PowerShellCore`. The associated ETW provider `GUID` is
+located in the **Application and Services Logs** group and is named
+**PowerShellCore**. The associated ETW provider GUID is
 `{f90714a8-5509-434a-bf6d-b1624c8a19a2}`.
 
 When Script Block Logging is enabled, PowerShell logs the following events to
-the `PowerShellCore/Operational` log:
+the **PowerShellCore/Operational** log:
 
 |  Field  |       Value       |
 | ------- | ----------------- |
@@ -84,22 +77,22 @@ Script Block Logging can be enabled via Group Policy or a registry setting.
 
 ### Using Group Policy
 
-To enable automatic transcription, enable the `Turn on PowerShell Script Block
-Logging` feature in Group Policy through `Administrative Templates -> Windows
-Components -> Windows PowerShell`.
+To enable automatic transcription, enable the **Turn on PowerShell Script Block
+Logging** feature in Group Policy through **Administrative Templates** ->
+**PowerShell Core**.
 
 ### Using the Registry
 
 Run the following function:
 
 ```powershell
-function Enable-PSScriptBlockLogging
-{
-    $basePath = 'HKLM:\Software\Policies\Microsoft\Windows' +
-      '\PowerShell\ScriptBlockLogging'
+function Enable-PSScriptBlockLogging {
+    $basePath = @(
+        'HKLM:\Software\Policies\Microsoft'
+        'PowerShellCore\ScriptBlockLogging'
+    ) -join '\'
 
-    if(-not (Test-Path $basePath))
-    {
+    if (-not (Test-Path $basePath)) {
         $null = New-Item $basePath -Force
     }
 
@@ -127,13 +120,13 @@ content and decrypt content are kept separate.
 The public key can be shared widely and isn't sensitive data. Any content
 encrypted with this public key can only be decrypted by the private key. For
 more information about Public Key Cryptography, see
-[Wikipedia - Public Key Cryptography][01].
+[Wikipedia - Public Key Cryptography][04].
 
 To enable a Protected Event Logging policy, deploy a public key to all machines
 that have event log data to protect. The corresponding private key is used to
 post-process the event logs at a more secure location such as a central event
-log collector, or [SIEM][02] aggregator. You can set up SIEM in Azure. For more
-information, see [Generic SIEM integration][03].
+log collector, or [SIEM][05] aggregator. You can set up SIEM in Azure. For more
+information, see [Generic SIEM integration][01].
 
 ### Enabling Protected Event Logging via Group Policy
 
@@ -153,33 +146,33 @@ can provide in one of several forms:
   certificate store (can be deployed by PKI infrastructure).
 
 The resulting certificate must have `Document Encryption` as an enhanced key
-usage (`1.3.6.1.4.1.311.80.1`), and either `Data Encipherment` or `Key
-Encipherment` key usages enabled.
+usage (`1.3.6.1.4.1.311.80.1`), and either `Data Encipherment` or
+`Key Encipherment` key usages enabled.
 
 > [!WARNING]
 > The private key shouldn't be deployed to the machines logging events. It
 > should be kept in a secure location where you decrypt the messages.
 
 ### Decrypting Protected Event Logging messages
 
-The following script will retrieve and decrypt, assuming that you have the
+The following script retrieves and decrypts events, assuming that you have the
 private key:
 
 ```powershell
 Get-WinEvent Microsoft-Windows-PowerShell/Operational |
-  Where-Object Id -eq 4104 | Unprotect-CmsMessage
+    Where-Object Id -eq 4104 |
+    Unprotect-CmsMessage
 ```
 
 ## See also
 
-- [about_Logging_Non-Windows][04]
-- [PowerShell the Blue Team][05]
-- [Generic SIEM integration][03]
-
-<!-- added link references -->
-[01]: https://en.wikipedia.org/wiki/Public-key_cryptography
-[02]: https://wikipedia.org/wiki/Security_information_and_event_management
-[03]: /cloud-app-security/siem
-[04]: about_Logging_Non-Windows.md
-[05]: https://devblogs.microsoft.com/powershell/powershell-the-blue-team/
-[06]: /cloud-app-security/siem
+- [about_Logging_Non-Windows][02]
+- [PowerShell the Blue Team][03]
+- [Generic SIEM integration][01]
+
+<!-- link references -->
+[01]: /cloud-app-security/siem
+[02]: about_Logging_Non-Windows.md
+[03]: https://devblogs.microsoft.com/powershell/powershell-the-blue-team/
+[04]: https://en.wikipedia.org/wiki/Public-key_cryptography
+[05]: https://wikipedia.org/wiki/Security_information_and_event_management