@socketz
Created November 11, 2020 16:03
PSEventLogging.ps1 enables or disables PowerShell event logging, which is disabled by default
<#
.SYNOPSIS
This configures PowerShell event logging.
PREREQUISITES
Must be executed with administrative rights.
RUNNING FROM CMD.EXE
cmd /c powershell -executionpolicy bypass -File <PathToThisFile>
.DESCRIPTION
This configures PowerShell event logging. This script must be run as administrator.
.PARAMETER Enable
Specify this switch to enable PowerShell event logging on the host. Enabled by default.
.PARAMETER Disable
Specify this switch to disable PowerShell event logging on the host.
If this switch is not specified, PowerShell event logging is enabled on the host.
.NOTES
Author: https://github.com/socketz
Last Edit: 2020-11-11
Version 1.0 - Initial Release of PSEventLogging
.EXAMPLE
.\PSEventLogging.ps1 -Enable
Enables PowerShell event logging
.EXAMPLE
$PSCommandPath -Disable
Disables PowerShell event logging
#>
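[CmdletBinding(DefaultParameterSetName = 'Enable')]
param (
    # The two switches live in separate parameter sets so that passing both is rejected
    # by the parameter binder instead of -Disable silently taking precedence in the body.
    # With no switch given the 'Enable' set is selected, which keeps the documented default.
    [Parameter (Mandatory=$false, ParameterSetName='Enable', HelpMessage="PowerShell event logging will be enabled. Default option.")]
    [switch]$Enable,
    [Parameter (Mandatory=$false, ParameterSetName='Disable', HelpMessage="PowerShell event logging will be disabled.")]
    [switch]$Disable
)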
#
# Validate that the script is run as admin
#
function Validate-AdminAccess
{
    <#
    .SYNOPSIS
    Checks whether the current process holds the local Administrator role.
    .OUTPUTS
    [bool] $true when the caller is an administrator; otherwise prints an error to the host
    and returns $false.
    #>
    $currentIdentity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($currentIdentity)
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator

    if ($principal.IsInRole($adminRole))
    {
        return $true
    }

    # The HKLM policy keys written by Enable-/Disable-PSEventLogging need elevation,
    # so report the problem here and let the caller stop early.
    Write-Host -ForegroundColor Red -BackgroundColor Black "[-] This script must be executed as an administrator."
    return $false
}
#
# Enables the PowerShell event logging
#
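function Enable-PSEventLogging
{
    <#
    .SYNOPSIS
    Turns on PowerShell script block logging and transcription through the HKLM policy keys.
    .PARAMETER OutputDirectory
    Directory written to the Transcription\OutputDirectory policy value. Defaults to "" as in
    the original script, i.e. no explicit transcript directory is configured.
    .OUTPUTS
    None. Progress and result are written to the host only.
    #>
    param (
        [Parameter(Mandatory = $false)]
        [string]$OutputDirectory = ""
    )

    Write-Host -ForegroundColor Yellow -BackgroundColor Black "[*] Enabling PowerShell detailed event logging..."

    $ScriptBlockPath = 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $ScriptTranscriptPath = 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\Transcription'

    # Create the policy keys when they are absent so Set-ItemProperty has a target.
    foreach ($keyPath in @($ScriptBlockPath, $ScriptTranscriptPath))
    {
        if (-not (Test-Path $keyPath))
        {
            $null = New-Item $keyPath -Force
        }
    }

    # Values are written as the string "1", unchanged from the original script.
    Set-ItemProperty $ScriptBlockPath -Name EnableScriptBlockLogging -Value "1"
    Set-ItemProperty $ScriptTranscriptPath -Name EnableTranscripting -Value "1"
    Set-ItemProperty $ScriptTranscriptPath -Name EnableInvocationHeader -Value "1"
    # Transcripts stored where the logged-on user can write are easy for that user to
    # edit or delete; pass a protected or centrally collected path when that matters.
    Set-ItemProperty $ScriptTranscriptPath -Name OutputDirectory -Value $OutputDirectory

    Write-Host -ForegroundColor Green -BackgroundColor Black "[+] PowerShell logging was enabled"
}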
#
# Disables the PowerShell event logging
#
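function Disable-PSEventLogging
{
    <#
    .SYNOPSIS
    Turns off PowerShell script block logging and transcription through the HKLM policy keys.
    .OUTPUTS
    None. Progress and result are written to the host only. (The original emitted a stray
    [bool] from an unassigned Test-Path call, which leaked into the caller's pipeline.)
    #>
    Write-Host -ForegroundColor Yellow -BackgroundColor Black "[*] Disabling PowerShell detailed event logging..."

    $ScriptBlockPath = 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $ScriptTranscriptPath = 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\Transcription'

    # The keys are created even on disable so the "0" policy values are written explicitly
    # rather than leaving the setting undefined.
    foreach ($keyPath in @($ScriptBlockPath, $ScriptTranscriptPath))
    {
        if (-not (Test-Path $keyPath))
        {
            $null = New-Item $keyPath -Force
        }
    }

    # Values are written as the string "0", unchanged from the original script.
    Set-ItemProperty $ScriptBlockPath -Name EnableScriptBlockLogging -Value "0"
    Set-ItemProperty $ScriptTranscriptPath -Name EnableTranscripting -Value "0"
    Set-ItemProperty $ScriptTranscriptPath -Name EnableInvocationHeader -Value "0"
    Set-ItemProperty $ScriptTranscriptPath -Name OutputDirectory -Value ""

    Write-Host -ForegroundColor Red -BackgroundColor Black "[-] PowerShell logging was disabled"
}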
#
# Main function
#
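function PSEventLogging
{
    <#
    .SYNOPSIS
    Script entry point: verifies elevation, then applies the requested logging state.
    .OUTPUTS
    $null when the caller is not an administrator or both switches were given; otherwise
    whatever the selected Enable-/Disable- function emits.
    #>
    if (-not (Validate-AdminAccess))
    {
        return $null
    }

    # Refuse contradictory input instead of letting -Disable silently win over -Enable.
    # $Enable and $Disable are the script-level switches, read from the enclosing scope.
    if ($Enable -and $Disable)
    {
        Write-Host -ForegroundColor Red -BackgroundColor Black "[-] Specify either -Enable or -Disable, not both."
        return $null
    }

    # -Enable is the documented default, so only an explicit -Disable turns logging off.
    if ($Disable)
    {
        return Disable-PSEventLogging
    }

    return Enable-PSEventLogging
}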
# Script body: run the entry point with the -Enable / -Disable switches bound above.
PSEventLogging