:py:mod:`dissect.target.plugins.apps.shell.powershell`
======================================================

.. py:module:: dissect.target.plugins.apps.shell.powershell


Module Contents
---------------

Classes
~~~~~~~

.. autoapisummary::

   dissect.target.plugins.apps.shell.powershell.PowerShellHistoryPlugin


Attributes
~~~~~~~~~~

.. autoapisummary::

   dissect.target.plugins.apps.shell.powershell.ConsoleHostHistoryRecord


.. py:data:: ConsoleHostHistoryRecord


.. py:class:: PowerShellHistoryPlugin(target: dissect.target.target.Target)

   Bases: :py:obj:`dissect.target.plugin.Plugin`

   Windows PowerShell history plugin.

   .. py:attribute:: PATHS
      :value: ('AppData/Roaming/Microsoft/Windows/PowerShell/psreadline', '.local/share/powershell/PSReadLine')

   .. py:method:: check_compatible() -> None

      Perform a compatibility check with the target.

      This function should return ``None`` if the plugin is compatible with the current target (``self.target``).
      For example, check if a certain file exists.
      Otherwise it should raise an :class:`UnsupportedPluginError`.

      :raises UnsupportedPluginError: If the plugin could not be loaded.

   .. py:method:: powershell_history() -> collections.abc.Iterator[ConsoleHostHistoryRecord]

      Return PowerShell command history for all users.

      The PowerShell ``ConsoleHost_history.txt`` file contains information about the commands executed with PowerShell in a terminal.
      No data is recorded from terminal-less PowerShell sessions. Commands are saved to disk after the process has completed.
      PSReadLine does not save commands containing 'password', 'asplaintext', 'token', 'apikey' or 'secret'.

      .. rubric:: References

      - https://0xdf.gitlab.io/2018/11/08/powershell-history-file.html
      - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_history?view=powershell-7.3#order-of-commands-in-the-history
      - https://learn.microsoft.com/en-us/powershell/module/psreadline/about/about_psreadline?view=powershell-7.3#command-history
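
The following is an added example, not dissect's own code: a standalone sketch of how the ``ConsoleHost_history.txt`` files under the ``PATHS`` directories can be located and split into commands, and how to test whether a command would have been kept out of the file by the keyword rule described above. The helper names, the constructed sample history, the trailing-backtick continuation rule and the case-insensitive keyword match are assumptions of this example.

```python
import tempfile
from pathlib import Path

# Relative PSReadLine directories, copied from the plugin's PATHS attribute.
PATHS = ("AppData/Roaming/Microsoft/Windows/PowerShell/psreadline",
         ".local/share/powershell/PSReadLine")
# Keywords from the docstring; matching is assumed to be a case-insensitive substring test.
SKIPPED_KEYWORDS = ("password", "asplaintext", "token", "apikey", "secret")
# Constructed sample history content (not taken from a real system).
SAMPLE = "Get-Date\nGet-Process |`\n  Sort-Object CPU\nwhoami\n"


def parse_history(text):
    """Split history text into commands (assumes a trailing backtick marks continuation)."""
    commands, pending = [], []
    for line in text.splitlines():
        continued = line.endswith("`")
        pending.append(line[:-1] if continued else line)
        if continued:
            continue
        command, pending = "\n".join(pending).strip(), []
        if command:
            commands.append(command)
    if pending:  # file ended in the middle of a multi-line command
        commands.append("\n".join(pending).strip())
    return commands


def would_be_skipped(command):
    """True if the command contains a keyword that keeps it out of the history file."""
    lowered = command.lower()
    return any(keyword in lowered for keyword in SKIPPED_KEYWORDS)


def collect(home_root):
    """Yield (user, command) for every history file under home_root/<user>/<PATHS entry>."""
    for home in sorted(Path(home_root).iterdir()):
        for rel in PATHS:
            history = home / rel / "ConsoleHost_history.txt"
            if history.is_file():
                text = history.read_text(encoding="utf-8", errors="replace")
                yield from ((home.name, command) for command in parse_history(text))


def demo():
    """Build a constructed home directory for user 'alice' and parse it."""
    with tempfile.TemporaryDirectory() as root:
        folder = Path(root) / "alice" / PATHS[0]
        folder.mkdir(parents=True)
        (folder / "ConsoleHost_history.txt").write_text(SAMPLE, encoding="utf-8")
        return list(collect(root))
```

During triage, ``would_be_skipped`` is a reminder that a command containing one of these keywords being absent from the history file does not show that it was never run.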