By default, script block logging data is open to anyone, not just Administrators. When script block logging is enabled, any user can access the log and read its content. The easiest way to see this is to install the scriptblocklogginganalyzer module and use a one-liner:
Install-Module -Name scriptblocklogginganalyzer -Scope CurrentUser
Get-SBLEvent | Out-GridView
There are ways to harden the script block log and make sure only Administrators can read it. The script below copies the access permissions of the standard Security log (which only Administrators can read) onto the PowerShell Operational channel. Run it from an elevated PowerShell session to change access permissions to Administrators only:
$Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\winevt\Channels\Microsoft-Windows-PowerShell/Operational"
# get the default access permission for the standard security log...
$sddlSecurity = ((wevtutil gl security) -like 'channelAccess*').Split(' ')[-1]
# get the current permissions
$sddlPowerShell = (Get-ItemProperty -Path $Path).ChannelAccess
# make a backup of the current permissions
New-ItemProperty -Path $Path -Name ChannelAccessBackup -Value $sddlPowerShell -ErrorAction Ignore
# apply the hardened permissions
Set-ItemProperty -Path $Path -Name ChannelAccess -Value $sddlSecurity
# restart service to take effect
Restart-Service -Name EventLog -Force
Now, when a regular user tries to read the script block logging log, no information is returned.
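To verify the result, here is an added example (not part of the original tip) that decodes a channel's access SDDL with the .NET RawSecurityDescriptor class and lists every principal holding the read right (0x1), flagging anyone other than Administrators and SYSTEM. The function name Get-ChannelReaders and the sample SDDL are my own assumptions, not from the tip.

```powershell
function Get-ChannelReaders {
    param(
        # event log channel to inspect; defaults to the channel the tip hardens
        [string]$Channel = 'Microsoft-Windows-PowerShell/Operational',
        # optional: decode this SDDL instead of querying the live channel
        [string]$Sddl
    )
    if (-not $Sddl) {
        # same technique the tip uses for the Security log: take the effective channelAccess line
        $Sddl = ((wevtutil gl $Channel) -like 'channelAccess*').Split(' ')[-1]
    }
    $ReadRight = 0x1   # event log channel rights: 0x1 read, 0x2 write, 0x4 clear
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        # only explicit allow ACEs that include the read bit matter here
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        if (($ace.AccessMask -band $ReadRight) -eq 0) { continue }
        $sid = $ace.SecurityIdentifier
        $isAdmin = $sid.IsWellKnown([System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid) -or
                   $sid.IsWellKnown([System.Security.Principal.WellKnownSidType]::LocalSystemSid)
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }   # app container and other unresolvable SIDs stay raw
        [pscustomobject]@{
            Principal  = $name
            Sid        = $sid.Value
            AccessMask = '0x{0:x}' -f $ace.AccessMask
            NonAdmin   = -not $isAdmin
        }
    }
}

# Constructed sample SDDL (not taken from a real system): Interactive Users (IU) and
# Service (SU) hold the read bit, so their NonAdmin = True rows show the hardening is missing.
$sample = 'O:BAG:SYD:(A;;0x7;;;BA)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x1;;;S-1-5-32-573)(A;;0xf0005;;;SY)'
Get-ChannelReaders -Sddl $sample | Format-Table -AutoSize

# Live check after running the hardening script above: expect no NonAdmin = True rows
# Get-ChannelReaders | Where-Object NonAdmin
```

Running the live check before and after the hardening script shows exactly which principals lost read access to the script block log.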
The PowerShell Team's blog describes Protected Event Logging, which uses certificates to encrypt script block and module logging output, since these logs may contain credentials or other sensitive data.