SOC Event Lookup
Event ID 4103PowerShellP1

Windows Event ID 4103: PowerShell Module Logging

PowerShell Event ID 4103 records pipeline execution details for configured modules and provides command-level context for PowerShell activity.

Applicable version
Windows PowerShell 3.0 and later with Module Logging enabled
Last reviewed
2026-07-10

Trigger Scenarios

The PowerShell operational log writes this event when Module Logging is enabled and a configured module processes commands.

Key Fields

Payload

The logged command and parameter data. Review it with the associated host and user context.

HostApplication

The PowerShell host command line, which can expose encoded commands and noninteractive execution.

UserId

The security principal running the pipeline.

Common False Positives

  • Administrative automation and configuration management often generate extensive module logging.
  • Developer and operations systems can have diverse PowerShell command activity.

Related Events

MITRE ATT&CK Mapping

  • T1059.001Command and Scripting Interpreter: PowerShell

Detection Notes

T1059.001 is actionable when HostApplication contains -EncodedCommand and Payload contains FromBase64String or Invoke-Expression. The -EncodedCommand switch carries Base64 command text, so join its UserId and host with 4104 ScriptBlockText and 4688; PowerShell running from C:\\Windows\\System32 is not benign by path alone.

Microsoft Sentinel KQL
Event
| where Source == "Microsoft-Windows-PowerShell" and EventID == 4103
| project TimeGenerated, Computer, UserName, RenderedDescription
| order by TimeGenerated desc
Splunk SPL
index=wineventlog source="WinEventLog:Microsoft-Windows-PowerShell/Operational" EventCode=4103
| table _time, host, UserId, HostApplication, Payload
Sample Log
EventCode: 4103
UserId: CORP\jsmith
HostApplication: powershell.exe -NoProfile
Payload: CommandInvocation(Invoke-WebRequest): "Invoke-WebRequest"

Source