Prof. Powershell

PowerShell Command History Lesson Part 1

• By Jeffery Hicks
• 03/25/2014

Recently someone asked me on Twitter about a way to retrieve the command history from another user's PowerShell session. That's a great question and I think I know where the user is coming from but unfortunately, the short answer is that you can't do it. But the question got me thinking about ways that might suffice.

In your PowerShell session, PowerShell will keep track of your recently used commands. You can see past commands with the Get-History cmdlet. The cmdlet has an alias of h. The history you see is an object like anything else in PowerShell which means you could export it to either CSV or XML formats.

PS C:\> get-history | export-csv c:\work\myhistory.csv

In another or later PowerShell session you could import and add the history to the current session.

PS C:\> import-csv C:\work\myhistory.csv | add-history

This is a handy way of pre-populating command history because you can always use Invoke-History or its alias r to re-run a command. But I don't think that is what my Twitter friend was after.

There is no way to automate exporting command history. This also doesn't help if the user uses Clear-History to remove items. And finally, there is a finite number of commands that are stored in history. This is determined by the MaximumHistoryCount variable.

PS C:\> $MaximumHistoryCount
4096

In v2 the value was 64. Now, 4096 commands is a lot of PowerShell, but if someone has a shell open for days at a time like I do, you could easily exceed that value at which point the first commands will be overwritten.

For some of you, knowing you can export and add PowerShell history may be useful. But as an audit trail, it doesn't really cut it. In fact, the sad truth is that PowerShell does not have any sort of audit trail. There is nothing that I am aware of that you can turn on to record all activities in a PowerShell session. Yes, there is a transcript feature (Start-Transcript) but that has limitations as well. Even if you could automatically create it via a PowerShell profile script, the PowerShell ISE doesn't support transcription. Depending on the PowerShell host you are using it too may or may not support transcription. And of course it is just a text file which someone can easily modify or delete.

The only option I can think of for right now to capture everything, is for someone in the PowerShell community to develop a PowerShell console that will automatically and securely create an audit trail of command history. Any takers? Next time, I will show you another option that is limited to modules.

In the meantime, maybe some of you of come up with clever ways to capture history or provide a command audit trail. If so, I'd love to hear about it.