PowerShell Transcription Logs
Location
Policy-defined transcript directory (OutputDirectory in the transcription policy; policy-driven transcripts are written into a YYYYMMDD subfolder of it) or, when no directory is set, the user's Documents folder, such as C:\Users\<username>\Documents\PowerShell_transcript.*.txt. File names follow the pattern PowerShell_transcript.<hostname>.<random>.<yyyyMMddHHmmss>.txt.
Common Names
Description
Text transcript files created when PowerShell transcription is enabled by policy (the "Turn on PowerShell Transcription" Group Policy setting for Windows PowerShell, or the Transcription block of powershell.config.json for PowerShell 7) or started in-session with Start-Transcript. Each transcript opens with a header recording the start time, Username, RunAs User, Machine, Host Application, Process ID and PSVersion, then captures the commands entered and the output displayed during the session, and closes with an end-time footer. When EnableInvocationHeader is set, every command is additionally preceded by a "Command start time" block.
Forensic Value
Transcripts preserve both the commands entered and the output returned to the operator, which makes them one of the highest-value artifacts for reconstructing attacker intent and interactive decision making. They frequently capture remote administration sessions, credential checks, the decoding of encoded command lines, and the success or failure of each action, in a way that script block logging (which records code but not its output) does not. The Machine, Username and RunAs User header fields tie activity to a specific host and account context, and the Process ID and Host Application fields let a transcript be matched to process-creation and script block events from the same session.
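As an added worked example (not code from the original page), the following PowerShell parses one transcript into its session header and command list and decodes any -EncodedCommand payload it finds, which is the reconstruction work described above. The transcript text it runs on is constructed for this example; the header field names it reads are those written by the Windows PowerShell 5.1 / PowerShell 7 transcript header, and the function name ConvertFrom-PSTranscript is this example's own.

```powershell
# Added example, not from the original page: parse a PowerShell transcript into
# session metadata plus the commands typed, decoding -EncodedCommand payloads.
# Header field names are those written by the Windows PowerShell 5.1 / PowerShell 7
# transcript header; the function name and the sample transcript are this example's own.

function ConvertFrom-PSTranscript {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $header   = @{}
    $commands = New-Object System.Collections.Generic.List[object]
    $pending  = $null    # "Command start time" seen before the next prompt (invocation header)
    $headerKeys = 'Username|RunAs User|Machine|Host Application|Process ID|Start time|End time|Configuration Name|PSVersion'
    $headerRegex = '^(' + $headerKeys + '):\s*(.*)$'

    foreach ($line in Get-Content -LiteralPath $Path) {
        # Header lines such as "Username: CORP\jdoe"; keep only the first occurrence so
        # look-alike text in command output cannot overwrite the real header values.
        if ($line -match $headerRegex) {
            if (-not $header.ContainsKey($Matches[1])) { $header[$Matches[1]] = $Matches[2].Trim() }
            continue
        }
        # Per-command timestamp, present only when EnableInvocationHeader is set
        if ($line -match '^Command start time:\s*(\d{14})$') { $pending = $Matches[1]; continue }

        # Prompt echo, e.g. "PS C:\Users\jdoe> whoami"
        if ($line -match '^PS[^>]*> ?(.+)$') {
            $cmd = $Matches[1].Trim()
            $decoded = $null
            # -EncodedCommand / -enc / -e carry base64 of UTF-16LE text; surface the real command
            if ($cmd -match '(?i)-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})') {
                try   { $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) }
                catch { $decoded = '<invalid base64>' }
            }
            $when = $null
            if ($pending) { $when = [datetime]::ParseExact($pending, 'yyyyMMddHHmmss', $null) }
            $commands.Add([pscustomobject]@{ CommandTime = $when; Command = $cmd; Decoded = $decoded })
            $pending = $null
        }
    }

    $start = $null; $end = $null
    if ($header['Start time']) { $start = [datetime]::ParseExact($header['Start time'], 'yyyyMMddHHmmss', $null) }
    if ($header['End time'])   { $end   = [datetime]::ParseExact($header['End time'],   'yyyyMMddHHmmss', $null) }

    [pscustomobject]@{
        File = $Path; Machine = $header['Machine']; Username = $header['Username']
        RunAsUser = $header['RunAs User']; HostApplication = $header['Host Application']
        ProcessId = $header['Process ID']; StartTime = $start; EndTime = $end
        Commands = $commands
    }
}

# Constructed sample transcript (layout modelled on a Windows PowerShell 5.1 transcript with
# invocation headers enabled; host, user and commands are invented for this example).
$sample = @'
**********************
Windows PowerShell transcript start
Start time: 20240115103000
Username: CORP\jdoe
RunAs User: CORP\jdoe
Configuration Name:
Machine: WKS01 (Microsoft Windows NT 10.0.19045.0)
Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Process ID: 4321
PSVersion: 5.1.19041.3803
**********************
**********************
Command start time: 20240115103012
**********************
PS C:\Users\jdoe> whoami
corp\jdoe
**********************
Command start time: 20240115103045
**********************
PS C:\Users\jdoe> powershell -nop -w hidden -enc VwByAGkAdABlAC0ASABvAHMAdAAgACcAaABpACcA
hi
**********************
Windows PowerShell transcript end
End time: 20240115103500
**********************
'@

$tmp = Join-Path $env:TEMP 'PowerShell_transcript.WKS01.SAMPLE01.20240115103000.txt'
Set-Content -LiteralPath $tmp -Value $sample
$session = ConvertFrom-PSTranscript -Path $tmp
$session | Select-Object Machine, Username, RunAsUser, ProcessId, StartTime, EndTime | Format-List
$session.Commands | Format-Table CommandTime, Command, Decoded -AutoSize
```

Point the function at a real transcript path to use it on collected files. The Decoded column is what turns an opaque -enc launch into the command the operator actually ran; when a transcript was written without invocation headers, CommandTime stays empty and only StartTime and EndTime bound the activity.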
Tools Required
Collection Commands
PowerShell
# Create the destination first; Copy-Item does not create it. Policy-driven transcripts may live
# under the policy OutputDirectory (with YYYYMMDD subfolders) rather than Documents, so add that
# path to -Path after checking the policy below.
New-Item -ItemType Directory -Path C:\output\Transcripts -Force | Out-Null
Get-ChildItem -Path C:\Users\*\Documents -Filter "PowerShell_transcript*.txt" -Recurse -File -ErrorAction SilentlyContinue | Copy-Item -Destination C:\output\Transcripts\
KAPE
kape.exe --tsource C: --tdest C:\output --target PowerShell
PowerShell
Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription" | Format-List OutputDirectory,EnableTranscripting,EnableInvocationHeader
Collection Constraints
- Transcription is off by default in both Windows PowerShell and PowerShell 7. Whether transcripts exist depends on the transcription policy or on Start-Transcript use on that host, not on the Windows release or audit policy, so confirm the policy (the registry keys above and, for PowerShell 7, powershell.config.json) before treating an empty Documents folder as evidence that nothing ran.
- The output path may be redirected by policy to a central share or custom folder, and policy-driven transcription nests files in YYYYMMDD subfolders, so collect from the configured OutputDirectory as well as Documents and search recursively.
- Transcripts are plain text that the creating account can read and write; a local copy can be edited or deleted after the fact unless the files were written to a write-only central share, so treat gaps in a local-only transcript directory as unexplained rather than as proof of inactivity.
- Per-command timestamps exist only when EnableInvocationHeader is set; otherwise the session start and end times are the only timing available.
- Only what was rendered to the host is captured. Output suppressed with Out-Null, redirected, or assigned to a variable does not appear in the transcript, and neither do commands that ran without echoing a prompt.
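Before calling absence meaningful, check every place a transcription setting can come from and see what is actually under the effective directory. The code below is an added example, not from the original page: it reads the HKLM and HKCU policy keys and, for PowerShell 7, powershell.config.json, then counts transcript files under each reported output directory. The function names Get-PSTranscriptionPolicy and Get-PSTranscriptInventory and the PowerShell 7 install path it probes are this example's own assumptions.

```powershell
# Added example, not from the original page: enumerate every source of PowerShell
# transcription configuration on this host, report what each one says, and count the
# transcripts actually present under the effective output directory.

function Get-PSTranscriptionPolicy {
    [CmdletBinding()]
    param()

    $rows = New-Object System.Collections.Generic.List[object]
    $defaultDir = [Environment]::GetFolderPath('MyDocuments')   # used when OutputDirectory is unset

    # Registry policy keys: the Windows PowerShell path is read by 5.1, the PowerShellCore
    # path by PowerShell 7. HKLM takes precedence over HKCU.
    $policyKeys = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription',
        'HKCU:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription',
        'HKLM:\SOFTWARE\Policies\Microsoft\PowerShellCore\Transcription',
        'HKCU:\SOFTWARE\Policies\Microsoft\PowerShellCore\Transcription'
    )
    foreach ($key in $policyKeys) {
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $enabled = $false; $dir = $defaultDir; $invHeader = $false
        if ($p) {
            $enabled   = ([int]$p.EnableTranscripting) -eq 1
            $invHeader = ([int]$p.EnableInvocationHeader) -eq 1
            if ($p.OutputDirectory) { $dir = $p.OutputDirectory }
        }
        $rows.Add([pscustomobject]@{
            Source = $key; Configured = [bool]$p; Enabled = $enabled
            OutputDirectory = $dir; InvocationHeader = $invHeader
        })
    }

    # PowerShell 7 also reads a Transcription block from powershell.config.json in $PSHOME.
    # The fixed install path is an assumption for when this runs under Windows PowerShell 5.1.
    $configPaths = @((Join-Path $PSHOME 'powershell.config.json'),
                     'C:\Program Files\PowerShell\7\powershell.config.json') | Select-Object -Unique
    foreach ($cfg in $configPaths) {
        if (-not (Test-Path -LiteralPath $cfg)) { continue }
        $t = (Get-Content -LiteralPath $cfg -Raw | ConvertFrom-Json).Transcription
        $dir = $defaultDir
        if ($t -and $t.OutputDirectory) { $dir = $t.OutputDirectory }
        $rows.Add([pscustomobject]@{
            Source = $cfg; Configured = [bool]$t
            Enabled = [bool]($t -and $t.EnableTranscripting)
            OutputDirectory = $dir
            InvocationHeader = [bool]($t -and $t.EnableInvocationHeader)
        })
    }
    $rows
}

function Get-PSTranscriptInventory {
    # Add a transcript count per source; -Recurse covers the YYYYMMDD subfolders that
    # policy-driven transcription creates under the output directory.
    Get-PSTranscriptionPolicy | ForEach-Object {
        $count = 0
        if (Test-Path -LiteralPath $_.OutputDirectory) {
            $count = @(Get-ChildItem -LiteralPath $_.OutputDirectory -Filter 'PowerShell_transcript*.txt' `
                        -Recurse -File -ErrorAction SilentlyContinue).Count
        }
        $_ | Add-Member -NotePropertyName TranscriptCount -NotePropertyValue $count -PassThru
    }
}

Get-PSTranscriptInventory | Format-Table Source, Configured, Enabled, InvocationHeader, OutputDirectory, TranscriptCount -AutoSize
```

A row with Configured false for every source means transcription was never set by policy on this host, so only ad hoc Start-Transcript files could exist. Note that the HKCU rows reflect the account running the script, not the subject user; to check another user's per-user policy, load that user's NTUSER.DAT and query the same subkey there.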