PowerShell has one of the most powerful logging systems of any shell on any operating system. And almost nobody has Script Block Logging turned on, much less knows it exists.
Many people who do enable script block logging only enable the basic version. There’s a deeper layer that catches stuff the basic one misses. It’s been there since PowerShell 5. It’s one registry key away. And it might be the single highest-value security setting you can flip in your environment today.
In this 3rd Free Upskill Challenge from our PowerShell series by MS MVP, Andrew Pla, you’ll learn what script block logging actually does, how to enable both the basic and deep versions, and how to read what it captures. You don’t need a SIEM. You don’t need fancy tooling. All you need is Event Viewer, a PowerShell window, and about 20 minutes.
Once you understand this, you’ll have real visibility into what’s running on your machines. That’s the foundation for everything else in PowerShell security.
Price = FREE!
Goals for UC – PowerShell: Script Block Logging
By the end of this UC, you should be able to:
- Explain what it does and why it matters – What Event ID 4104 captures and why defenders care about it.
- Distinguish between basic and deep script block logging – What EnableScriptBlockInvocationLogging adds and when you’d want it.
- Enable script block logging via registry and Group Policy – Both paths, including the PowerShell 7 gotcha most guides skip.
- Read and interpret script block log events – Find Event ID 4104 in Event Viewer and understand what the fields mean.
- Recognize suspicious patterns in the logs – Know what to look for when something shady shows up.
What’s an Upskill Challenge (UC)?
A UC is a CTF-style, bite-sized lesson from the JHT Team, our courseware developers as well as “friends” of JHT. They are meant to be short and to the point. UCs focus on a single tool or concept and are helpful in quickly providing useful skills that might be prerequisites for other types of educational content on the platform.
A UC should be 10 – 30 minutes of student time and have no VMs. There are quizzes to make sure that the content is understood.
Prerequisites for UC – PowerShell: Script Block Logging
UCs assume no knowledge at all! They’re meant to be completely self-contained, so all of the answers are in the lesson. No outside research is required.

