I've noticed that in Event Viewer, there are two specific logs for PowerShell located at:
- Windows PowerShell
- Microsoft-Windows-PowerShell/Operational
I've come across several online documents, but most seem to reference only the second log. Can anyone explain what the first log is for? Is there any official documentation that covers this?
4 Answers
I’ve set up my own custom logs for different programs I frequently use. For instance, you can create a new log area with commands like:
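```
# Create a custom log and register a source for it (requires an elevated session).
New-EventLog -LogName 'IAASLogs' -Source 'IAASPowershell'
# Cap the log at 10 MB and overwrite the oldest entries once it is full.
Limit-EventLog -LogName 'IAASLogs' -OverflowAction OverwriteAsNeeded -MaximumSize 10MB
# Write an informational entry prefixed with a sortable timestamp.
Write-EventLog -LogName 'IAASLogs' -Source 'IAASPowershell' -EntryType Information -EventId 3 -Message "$(Get-Date -Format yyyyMMddHHmmss) - Your script command"
```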
This way, you can tailor your logging experience!
I was under the impression that these logs differentiate between PowerShell versions—like the main PowerShell and the newer PowerShell Core? That might explain the existence of two separate logs.
The 'Windows PowerShell' log is mainly for script block logging and similar events, while the 'Microsoft-Windows-PowerShell/Operational' log deals with operations like starting or exiting a session. Just make sure you check out the official documentation for more info on these logs! Here’s a link to help: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows.
From what I've seen, there are actually five logs for PowerShell in the Event Viewer:
- Microsoft-Windows-PowerShell/Admin
- Microsoft-Windows-PowerShell/Operational
- Microsoft-Windows-PowerShell-DesiredStateConfiguration/Operational
- PowerShellCore/Operational
- Windows PowerShell
Each one serves a different purpose, and some have a "Disable" command linked to them. It’s a good idea to check each log to understand their respective functions.
I thought it was the other way around regarding the log functions! But thanks for the link; it’s helpful!
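Since the answers disagree about which log records what, the following added example (not part of any answer above) summarises each log on the local machine so the contents can be checked directly. The log names are the two from the question plus the Admin and PowerShellCore channels from the last answer, written in their standard channel-name form; the function name `Get-LogSummary` and the 2000-event sample size are assumptions made for this example.

```powershell
# Added example: show, per PowerShell-related log, whether it exists, whether it is
# enabled, and which event IDs and providers dominate a recent sample of its records.
$logNames = @(
    'Windows PowerShell',
    'Microsoft-Windows-PowerShell/Operational',
    'Microsoft-Windows-PowerShell/Admin',
    'PowerShellCore/Operational'
)

function Get-LogSummary {
    param(
        [Parameter(Mandatory)] [string] $LogName,
        [int] $MaxEvents = 2000   # assumption: a recent sample is enough to see the event mix
    )

    # A log that is not registered on this system is reported as absent, not as an error.
    $log = Get-WinEvent -ListLog $LogName -ErrorAction SilentlyContinue
    if (-not $log) {
        return [pscustomobject]@{ LogName = $LogName; Present = $false }
    }

    # An empty log makes Get-WinEvent emit a non-terminating error; treat it as zero events.
    $events = @(Get-WinEvent -LogName $LogName -MaxEvents $MaxEvents -ErrorAction SilentlyContinue)

    # Most frequent (event ID, provider) pairs, each with the first line of a sample message.
    $top = $events | Group-Object Id, ProviderName | Sort-Object Count -Descending |
        Select-Object -First 8 | ForEach-Object {
            $first = $_.Group[0]
            $firstLine = ([string]$first.Message -split "`r?`n")[0]
            '{0} x{1} [{2}] {3}' -f $first.Id, $_.Count, $first.ProviderName, $firstLine
        }

    [pscustomobject]@{
        LogName     = $LogName
        Present     = $true
        Enabled     = $log.IsEnabled
        IsClassic   = $log.IsClassicLog   # classic event log vs. manifest-based channel
        RecordCount = $log.RecordCount
        TopEvents   = $top
    }
}

$logNames | ForEach-Object { Get-LogSummary -LogName $_ } | Format-List
```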