PSReadLine History

The PSReadLine history tracks the commands used in all PowerShell sessions. The history is written to a central file per host. That history file is available to all sessions and contains all past hist

While writing my C2, I found a trick to avoid saving your commands entered during the PowerShell session in the PSReadLine file.

By default, PowerShell on Windows 10 saves the last 4096 commands.

The file is located at: %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

So, let’s execute our simple code.

while ($true) {$cmdInput = Read-Host -Prompt 'PS> '; Invoke-Expression -Command $cmdInput}

After executing the code, we can invoke commands without them being logged in “ConsoleHost_history.txt”.

PoC

As shown in the picture below, the commands circled in red are only recorded in the PSReadline file.

What Happened

Going back to the Microsoft documentation, we find the answer.

It's about "Order of Commands"

Commands are added to the history when the command finishes executing, not when the command is entered.

Our code executes commands without them being recorded in the history file because the while loop never ends and counts as one command. What happens inside the loop is not recorded.

Closing Note

All commands that have been executed will be recorded in the Event Viewer.
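
A defender-side check built on this closing note, as an added example that is not part of the original post: it compares script block text taken from the PowerShell operational log (event ID 4104) with the PSReadLine history file and reports commands that ran but never reached the history, plus the Read-Host/Invoke-Expression wrapper itself. It assumes Script Block Logging is enabled; the function name Find-UnrecordedCommand and the sample data are hypothetical and constructed for illustration.

```powershell
# Added example, not from the original post. Assumes Script Block Logging is
# enabled, so each executed block is written as event ID 4104.
function Find-UnrecordedCommand {
    [CmdletBinding()]
    param(
        [string[]] $ScriptBlockText = @(),
        [string[]] $HistoryLine = @()
    )
    # Index the history file lines for case-insensitive lookup.
    $seen = [System.Collections.Generic.HashSet[string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)
    foreach ($line in $HistoryLine) { [void]$seen.Add("$line".Trim()) }

    foreach ($text in $ScriptBlockText) {
        $command = "$text".Trim()
        if (-not $command) { continue }
        [pscustomobject]@{
            Command    = $command
            InHistory  = $seen.Contains($command)
            # True for the wrapper itself: interactive input passed to Invoke-Expression.
            InputToIex = ($command -match 'Read-Host') -and
                         ($command -match '\b(Invoke-Expression|iex)\b')
        }
    }
}

# Constructed sample data. On a live host, load it instead with:
#   $logged  = Get-WinEvent -FilterHashtable @{
#                  LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } |
#              ForEach-Object { $_.Properties[2].Value }   # ScriptBlockText field
#   $history = Get-Content (Get-PSReadLineOption).HistorySavePath
$wrapper = 'while ($true) {$cmdInput = Read-Host -Prompt ''PS> ''; Invoke-Expression -Command $cmdInput}'
$history = @('Get-Date', $wrapper)
$logged  = @('Get-Date', $wrapper, 'hostname', 'Get-ChildItem C:\Users')

# Show commands missing from the history file, and any input-to-iex wrapper.
Find-UnrecordedCommand -ScriptBlockText $logged -HistoryLine $history |
    Where-Object { -not $_.InHistory -or $_.InputToIex } |
    Format-Table -AutoSize
```

On a real host the 4104 log also contains script blocks that PowerShell runs on its own, such as the prompt function and module code, so treat the output as candidates to review.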
