
PowerShell and EventID 4103

Friday, October 20, 2017 in PowerShell
After these 30 years in IT, one can learn a lot and make a lot of mistakes.

I ran into an interesting issue on a server where I was running a script. Before I knew it, disk space on the system drive had filled up. When I looked into the issue, I found that the PowerShell event logs were filling up with Event 4103.

So, what is the Event 4103?
This event is logging activity in PowerShell, almost like ProcMon would, line for line. This is a new feature in PowerShell called transcription. This, coupled with not overwriting event logs, caused the disk to fill up, but why?

The reason for this is that the script that was running was unsigned. It was simply copied from a USB to the server and executed.

So, how to fix this?
It's actually quite easy...
  • Copy your script to the system you want to execute it on.
  • Open your script in PowerShell ISE
  • Copy the script contents and close the file
  • Open a new/blank script
  • Paste the script into the new window
  • Save the file with the same name as before
That's it. The file is saved and signed, and you shouldn't be seeing the Event 4103 flooding your logs any longer.
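
To confirm the condition described above on a given server, the following added diagnostic (not part of the original post) reports the PowerShell operational log's retention mode and size, the Event 4103 volume per hour, and the Authenticode signature status of a script. The script path and the event cap are placeholder assumptions; run it from an elevated PowerShell session.

```powershell
# Added diagnostic example; not from the original post.
param(
    [string]$ScriptPath = 'C:\Scripts\example.ps1',  # placeholder path (assumption)
    [int]$MaxEvents = 5000                           # cap on events read (assumption)
)

$logName = 'Microsoft-Windows-PowerShell/Operational'

# 1. Log configuration. LogMode 'Circular' overwrites the oldest events.
#    'AutoBackup' archives the full log to a new file and keeps going, so
#    archives pile up on the system drive. 'Retain' stops at the maximum size.
$log = Get-WinEvent -ListLog $logName
[pscustomobject]@{
    LogMode     = $log.LogMode
    MaxSizeMB   = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
    FileSizeMB  = [math]::Round($log.FileSize / 1MB, 1)
    RecordCount = $log.RecordCount
} | Format-List

# 2. Space used by the live log plus any archived copies next to it.
$logFile = [Environment]::ExpandEnvironmentVariables($log.LogFilePath)
$logDir = Split-Path -Path $logFile -Parent
Get-ChildItem -Path $logDir -Filter '*PowerShell*.evtx' |
    Sort-Object Length -Descending |
    Select-Object Name, @{ n = 'SizeMB'; e = { [math]::Round($_.Length / 1MB, 1) } }, LastWriteTime |
    Format-Table -AutoSize

# 3. Event 4103 volume per hour, newest events first, up to $MaxEvents.
$filter = @{ LogName = $logName; Id = 4103 }
$events = @(Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue)
if ($events.Count -eq 0) {
    'No Event 4103 records found.'
} else {
    $events |
        Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH:00') } |
        Sort-Object Name |
        Select-Object @{ n = 'Hour'; e = { $_.Name } }, Count |
        Format-Table -AutoSize
}

# 4. Signature status of the script: 'NotSigned', 'Valid', 'HashMismatch', ...
if (Test-Path -LiteralPath $ScriptPath) {
    Get-AuthenticodeSignature -FilePath $ScriptPath |
        Select-Object Path, Status, StatusMessage |
        Format-List
} else {
    "Script not found: $ScriptPath"
}
```

Running it before and after re-saving the script shows whether the hourly 4103 count and the signature status actually changed.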

Happy Scripting.

