Selcouth Cyber Security Services Private Limited

PowerShell History File

InfoSec + Post Exploitation + Red Teaming acc3ssp0int todayOctober 19, 2020 1249

share close

Hello everyone, we are all aware about Linux systems, its .bash_history and how it provides information about file locations, passwords passed in command arguments, a variety of scripts and so on.

But did you know, something similar to it now also exists in PowerShell? That’s precisely what I will be sharing about in today’s blog post, everything to know about PowerShell’s history file.

About PSReadLine

The PSReadLine module became the default command line experience for PowerShell v3 and above. It provides a bunch of features, you can read more about module here.

See the red box in the above image, that’s what we’re looking for! PowerShell v3 and over now included a history file which saves all executed commands.

For PowerShell v5 on Windows 10, the default option saves history to a file.


First things first, the name of the file is ConsoleHost_history.txt and the default location is at:


$env:APPDATA can also be written as C:\Users\username\AppData\Roaming if your environment variables don’t work (sometimes the case in reverse shells).

Moving onto some other interesting properties of PSReadLine, we can read all the propterties using the Get-PSReadLinOption

  • HistorySavePath – Shows you the file location
  • HistorySaveStyle – The way your history file is saved, there are three options:
    • SaveIncrementally – Appends the file after each command
    • SaveAtExit – Saves all the commands executed in a session upon exit
    • SaveNothing – Disables the history file.
  • MaximumHistoryCount – The maximum number of entries that will be held in the file (default: 4096)

You can also modify these settings and everything else using the Set-PSReadLineOption cmdlet.

A Sample Output of the Get-PSReadLineOption Command:

Logging Capabilities

Everything I type into a PowerShell terminal gets logged in the history file:

However, anything executed using a “Terminal-less” PowerShell session won’t get logged into the file. A terminal-less PowerShell session would be created in case of remote code executions where a attacker may move from cmd.exe to powershell.exe.

Things you could find

From a Red Teamer’s perspective. things similar to what you would find in a Linux .bash_history

  • Executed Commands
  • Files being interacted with.
  • Passwords (maybe)
  • Variables defined while running multi-line code blocks and/or scripts.

That’s all for this post.

Thanks for Reading!


Written by: acc3ssp0int

Rate it
Previous post

Data-Exfil acc3ssp0int / October 16, 2020

Too Sticky for a Note

Hello everyone, A little over a week ago, we discussed about how we can leverage the saved state of deleted file left in the recycle bin and grab it for content in a data exfiltration scenario. You can read more [...]

Similar posts

Active Directory acc3ssp0int / May 28, 2021

Kerberos Part 1: How it Works

Today we start with a new series of blog posts, namely, active directory components. In this three part series on Kerberos, we’ll be talking about it’s three heads: Part 1: What Kerberos is and how it works? Part 2: The notorious techniques of kerberoasting and ticketing attacks (golden and silver tickets) Part 3: Attempting to ...

Read more trending_flat

AppSec w1r3sh65rk / February 22, 2021

Secure Code Review – Part One

Before we travel through the Secure code review in SDLC phase. Let us first understand what is Secure Coding, why it should be the part of early phase of SDLC, importance and best practices, available tools. Security Code Review: A secure code review is a part of the code review process to identify missing best ...

Read more trending_flat

Post comments (0)

Leave a reply