PSReadLine Console History
Windows, User Activity, Disk Image
Location
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
C:\Users\<username>\Documents\PowerShell\PSReadLine\ConsoleHost_history.txt
Common Names
ConsoleHost_history.txt, PSReadLine history
Description
Per-user PSReadLine history file that records commands entered in interactive PowerShell consoles. Windows PowerShell and PowerShell 7+ can maintain separate ConsoleHost_history.txt files depending on the host and profile path.
Forensic Value
PSReadLine history captures operator-entered PowerShell commands even when no script file was written to disk. It commonly preserves download cradles, encoded command launchers, reconnaissance commands, credential access attempts, and one-liners used during hands-on-keyboard activity. Because entries are appended as commands are accepted, the history can survive partial session cleanup and provide evidence even when the standard event logs are noisy or incomplete.
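A triage pass over a collected ConsoleHost_history.txt, written in Python for use on an analysis workstation; this is an added example, not part of the original page or of any tool it names. It rejoins multi-line entries (PSReadLine ends each continued line with a backtick), tags commands with the ATT&CK techniques listed on this page, and decodes -EncodedCommand arguments. The sample content, host name, rule patterns and function names are constructed for illustration.

```python
import base64
import re

# Constructed sample content (not from a real case). PSReadLine stores a
# multi-line command with a trailing backtick on every line but the last.
SAMPLE = "\n".join([
    "whoami /all",
    "Get-ChildItem C:\\Users -Recurse -Filter *.txt `",
    "  | Select-Object FullName",
    "Invoke-WebRequest -Uri http://files.example.test/a.zip -OutFile a.zip",
    "powershell -NoP -EncodedCommand " + base64.b64encode("Get-Date".encode("utf-16-le")).decode(),
    "Clear-History",
])

RULES = {  # illustrative patterns only; extend them for real casework
    "T1105 download": re.compile(r"Invoke-WebRequest|\biwr\b|Net\.WebClient|Start-BitsTransfer", re.I),
    "T1083 file discovery": re.compile(r"Get-ChildItem|\bgci\b|\bdir\b", re.I),
    "history tampering": re.compile(r"Clear-History|HistorySaveStyle|ConsoleHost_history", re.I),
}
# Common spellings of -EncodedCommand; its argument is base64 of UTF-16LE text.
ENCODED = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/]{8,}={0,2})", re.I)

def read_entries(text):
    """Rejoin continued lines; return (first_line_number, command) pairs."""
    entries, buf, start = [], [], None
    for n, line in enumerate(text.splitlines(), 1):
        start = start or n
        continued = line.endswith("`")
        buf.append(line[:-1] if continued else line)
        if not continued:
            entries.append((start, "\n".join(buf)))
            buf, start = [], None
    if buf:  # file ends inside a continued command
        entries.append((start, "\n".join(buf)))
    return entries

def triage(text):
    findings = []
    for n, cmd in read_entries(text):
        tags = [tag for tag, rx in RULES.items() if rx.search(cmd)]
        decoded, m = None, ENCODED.search(cmd)
        if m:
            try:
                decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
                tags.append("T1059.001 encoded command")
            except ValueError:  # not valid base64 or UTF-16LE: keep the other tags
                decoded = None
        if tags:
            findings.append({"line": n, "tags": tags, "command": cmd, "decoded": decoded})
    return findings
```

Clear-History only clears the session's in-memory history, so it appears in the file as one more entry rather than removing earlier ones.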
Tools Required
KAPE, PowerShell, Velociraptor, type
Collection Commands
KAPE
kape.exe --tsource C: --tdest C:\output --target PowerShell
PowerShell
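New-Item -ItemType Directory -Force C:\output\PSReadLine | Out-Null
Get-ChildItem "$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine","$HOME\Documents\PowerShell\PSReadLine" -Filter ConsoleHost_history.txt -ErrorAction SilentlyContinue | ForEach-Object { Copy-Item -LiteralPath $_.FullName -Destination ("C:\output\PSReadLine\" + ($_.FullName -replace '[:\\]','_')) }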
Velociraptor
velociraptor artifacts collect Windows.Forensics.PowerShell -o C:\output\velociraptor_psreadline.zip
Collection Constraints
- Availability, retention, and field coverage depend on the Windows release, SKU, per-host audit policy, and user activity. Treat absence as inconclusive unless you verified the feature was enabled.
- History availability depends on PSReadLine being present and the user not disabling or truncating the history file. Non-interactive runspaces and some remoting hosts do not populate ConsoleHost_history.txt.
MITRE ATT&CK Techniques
T1059.001, T1083, T1105