├── PS_logging.reg
└── README.md

/PS_logging.reg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/matthewdunwoody/PS_logging_reg/HEAD/PS_logging.reg

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# PS_logging.reg

A Windows REG file to enable all default PowerShell logging on a system with PowerShell v5 installed. This file will modify the registry to enable:
- Module logging for all modules
- Script block logging
- Transcription with:
  - Default directory selected (user's documents folder)
  - Invocation header enabled

# Usage

Import using regedit, either through the UI (File -> Import) or the command line (`regedit.exe PS_logging.reg`).

To change the output directory for transcripts, set the value for: "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows\PowerShell\Transcription\" -> "OutputDirectory"=""

# References

https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html

--------------------------------------------------------------------------------
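A post-import check, added here as an example and not part of the repository: it reads the policy values for module logging, script block logging and transcription from both the native and the WOW6432Node policy keys and reports any that are not enabled. The value names (`EnableModuleLogging`, `EnableScriptBlockLogging`, `EnableTranscripting`, `EnableInvocationHeader`, `ModuleNames`) are the standard PowerShell logging policy settings and are assumed to be what the REG file writes; the README itself names only the Transcription key and `OutputDirectory`.

```powershell
# Added example: audit PowerShell logging policy values after importing the REG file.
# Assumption: the standard policy value names below are what the REG file sets, and
# both the native and WOW6432Node views are worth checking on 64-bit Windows.
$roots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell',
    'HKLM:\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows\PowerShell'
)
$checks = @(
    @{ Key = 'ModuleLogging';      Name = 'EnableModuleLogging';      Want = 1 },
    @{ Key = 'ScriptBlockLogging'; Name = 'EnableScriptBlockLogging'; Want = 1 },
    @{ Key = 'Transcription';      Name = 'EnableTranscripting';      Want = 1 },
    @{ Key = 'Transcription';      Name = 'EnableInvocationHeader';   Want = 1 }
)

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is missing instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$results = foreach ($root in $roots) {
    foreach ($c in $checks) {
        $actual = Get-PolicyValue "$root\$($c.Key)" $c.Name
        [pscustomobject]@{
            Path = "$root\$($c.Key)"; Setting = $c.Name
            Actual = $actual; OK = ($actual -eq $c.Want)
        }
    }
    # "Module logging for all modules" requires a wildcard entry under ModuleNames.
    $names = Get-Item "$root\ModuleLogging\ModuleNames" -ErrorAction SilentlyContinue
    $wild = ($null -ne $names) -and ($names.GetValueNames() -contains '*')
    [pscustomobject]@{
        Path = "$root\ModuleLogging\ModuleNames"; Setting = '*'
        Actual = $(if ($wild) { $names.GetValue('*') } else { $null }); OK = $wild
    }
    # An empty or absent OutputDirectory selects the default transcript location.
    $dir = Get-PolicyValue "$root\Transcription" 'OutputDirectory'
    [pscustomobject]@{
        Path = "$root\Transcription"; Setting = 'OutputDirectory'
        Actual = $(if ($dir) { $dir } else { '(default)' }); OK = $true
    }
}

$results | Format-Table -AutoSize -Wrap
if ($results.OK -contains $false) {
    Write-Warning 'One or more PowerShell logging settings are not enabled.'
    exit 1
}
```

Run it from a 64-bit PowerShell session: a 32-bit process is redirected to WOW6432Node for both paths, and on 32-bit Windows the WOW6432Node rows will report as not set.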