停用 Windows powershell 事件日誌記錄

Question 1

我認為以下本地群組原則是你所需要的，特別是第二個：

開啟模組日誌記錄

如果你停用透過此策略設置，所有 Windows PowerShell 模組都會停用執行事件日誌記錄。為模組停用此策略設定相當於將模組的 LogPipelineExecutionDetails 屬性設為 False。

開啟 PowerShell 區塊日誌記錄

此政策設定允許將所有 PowerShell 腳本輸入記錄到 Microsoft-Windows-PowerShell/Operational事件日誌。如果啟用此策略設置，Windows PowerShell 將記錄命令、腳本區塊、函數和腳本的處理 - 無論是互動呼叫還是透過自動化呼叫。

如果你停用透過此策略設置，將停用 PowerShell 腳本輸入的日誌記錄。

按Win+R
類型gpedit.msc
去Computer Configuration -> Administrative Templates -> Windows Components -> Windows PowerShell

然後配置上面解釋的設置

Answer

我認為以下本地群組原則是你所需要的，特別是第二個：

開啟模組日誌記錄

如果你停用透過此策略設置，所有 Windows PowerShell 模組都會停用執行事件日誌記錄。為模組停用此策略設定相當於將模組的 LogPipelineExecutionDetails 屬性設為 False。

開啟 PowerShell 區塊日誌記錄

此政策設定允許將所有 PowerShell 腳本輸入記錄到 Microsoft-Windows-PowerShell/Operational事件日誌。如果啟用此策略設置，Windows PowerShell 將記錄命令、腳本區塊、函數和腳本的處理 - 無論是互動呼叫還是透過自動化呼叫。

如果你停用透過此策略設置，將停用 PowerShell 腳本輸入的日誌記錄。

按Win+R
類型gpedit.msc
去Computer Configuration -> Administrative Templates -> Windows Components -> Windows PowerShell

然後配置上面解釋的設置

Question 2

我遇到了同樣的問題並編寫了這個函數來刪除事件日誌。

Function Remove-PowerShellEventLog {
    Write-ToLog -Message 'Remove the PowerShell event log'
    # Function constants
    $PowerShellKey = 'SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell'
    $Admins = 'BUILTIN\Administrators'
    $ReadWriteSubTree = [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree
    $TakeOwnership = [System.Security.AccessControl.RegistryRights]::TakeOwnership
    $ChangePermissions = [System.Security.AccessControl.RegistryRights]::ChangePermissions

    # Define a C# type using P/Invoke and add it
    # Code borrowed from https://www.remkoweijnen.nl/blog/2012/01/16/take-ownership-of-a-registry-key-in-powershell/
    $Definition = @"
    using System;
    using System.Runtime.InteropServices; 

    namespace Win32Api
    {

        public class NtDll
        {
            [DllImport("ntdll.dll", EntryPoint="RtlAdjustPrivilege")]
            public static extern int RtlAdjustPrivilege(ulong Privilege, bool Enable, bool CurrentThread, ref bool Enabled);
        }
    }
"@
    Add-Type -TypeDefinition $Definition -PassThru

    # Enable SeTakeOwnershipPrivilege
    $Res = [Win32Api.NtDll]::RtlAdjustPrivilege(9, $True, $False, [ref]$False)

    # Open the registry key with Take Ownership rights and change the owner to Administrators
    $Key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$PowerShellKey\PowerShell", $ReadWriteSubTree, $TakeOwnership)
    $Acl = $Key.GetAccessControl()
    $Acl.SetOwner([System.Security.Principal.NTAccount]$Admins)
    $Key.SetAccessControl($Acl)

    # Re-open the key with Change Permissions rights and grant Administrators Full Control rights
    $Key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$PowerShellKey\PowerShell", $ReadWriteSubTree, $ChangePermissions)
    $Acl = $Key.GetAccessControl()
    $Rule = New-Object System.Security.AccessControl.RegistryAccessRule ($Admins, 'FullControl', 'Allow')
    $Acl.SetAccessRule($Rule)
    $Key.SetAccessControl($Acl)

    # Remove the parent and subkeys
    Remove-Item -Path "HKLM:\$PowerShellKey" -Force -Recurse

    # Restart the Event Log service to enforce changes
    Restart-Service EventLog -Force
}

Answer

我遇到了同樣的問題並編寫了這個函數來刪除事件日誌。

Function Remove-PowerShellEventLog {
    Write-ToLog -Message 'Remove the PowerShell event log'
    # Function constants
    $PowerShellKey = 'SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell'
    $Admins = 'BUILTIN\Administrators'
    $ReadWriteSubTree = [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree
    $TakeOwnership = [System.Security.AccessControl.RegistryRights]::TakeOwnership
    $ChangePermissions = [System.Security.AccessControl.RegistryRights]::ChangePermissions

    # Define a C# type using P/Invoke and add it
    # Code borrowed from https://www.remkoweijnen.nl/blog/2012/01/16/take-ownership-of-a-registry-key-in-powershell/
    $Definition = @"
    using System;
    using System.Runtime.InteropServices; 

    namespace Win32Api
    {

        public class NtDll
        {
            [DllImport("ntdll.dll", EntryPoint="RtlAdjustPrivilege")]
            public static extern int RtlAdjustPrivilege(ulong Privilege, bool Enable, bool CurrentThread, ref bool Enabled);
        }
    }
"@
    Add-Type -TypeDefinition $Definition -PassThru

    # Enable SeTakeOwnershipPrivilege
    $Res = [Win32Api.NtDll]::RtlAdjustPrivilege(9, $True, $False, [ref]$False)

    # Open the registry key with Take Ownership rights and change the owner to Administrators
    $Key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$PowerShellKey\PowerShell", $ReadWriteSubTree, $TakeOwnership)
    $Acl = $Key.GetAccessControl()
    $Acl.SetOwner([System.Security.Principal.NTAccount]$Admins)
    $Key.SetAccessControl($Acl)

    # Re-open the key with Change Permissions rights and grant Administrators Full Control rights
    $Key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$PowerShellKey\PowerShell", $ReadWriteSubTree, $ChangePermissions)
    $Acl = $Key.GetAccessControl()
    $Rule = New-Object System.Security.AccessControl.RegistryAccessRule ($Admins, 'FullControl', 'Allow')
    $Acl.SetAccessRule($Rule)
    $Key.SetAccessControl($Acl)

    # Remove the parent and subkeys
    Remove-Item -Path "HKLM:\$PowerShellKey" -Force -Recurse

    # Restart the Event Log service to enforce changes
    Restart-Service EventLog -Force
}

停用 Windows powershell 事件日誌記錄

答案1

答案2

相關內容