Windows Event ID 4103: PowerShell Module Logging
PowerShell Event ID 4103 records pipeline execution details for configured modules and provides command-level context for PowerShell activity.
- Applicable version
- Windows PowerShell 3.0 and later with Module Logging enabled
- Last reviewed
- 2026-07-10
Trigger Scenarios
The PowerShell operational log writes this event when Module Logging is enabled and a configured module processes commands.
Key Fields
Payload
The logged command and parameter data. Review it with the associated host and user context.
HostApplication
The PowerShell host command line, which can expose encoded commands and noninteractive execution.
UserId
The security principal running the pipeline.
Common False Positives
- Administrative automation and configuration management often generate extensive module logging.
- Developer and operations systems can have diverse PowerShell command activity.
Related Events
MITRE ATT&CK Mapping
- T1059.001Command and Scripting Interpreter: PowerShell
Detection Notes
T1059.001 is actionable when HostApplication contains -EncodedCommand and Payload contains FromBase64String or Invoke-Expression. The -EncodedCommand switch carries Base64 command text, so join its UserId and host with 4104 ScriptBlockText and 4688; PowerShell running from C:\\Windows\\System32 is not benign by path alone.
Event
| where Source == "Microsoft-Windows-PowerShell" and EventID == 4103
| project TimeGenerated, Computer, UserName, RenderedDescription
| order by TimeGenerated descindex=wineventlog source="WinEventLog:Microsoft-Windows-PowerShell/Operational" EventCode=4103
| table _time, host, UserId, HostApplication, PayloadEventCode: 4103
UserId: CORP\jsmith
HostApplication: powershell.exe -NoProfile
Payload: CommandInvocation(Invoke-WebRequest): "Invoke-WebRequest"