Under Review

Live Response - Command audit

At the current time you can specify a reason for the connection, but once connected it may be helpful to document the list of commands run.

From the default command prompt to print a list of previous commands for the session you can run:

doskey /history

To save it to a file, you can run, for example:

doskey /history > C:\dumps\commands.txt

If you have started a PowerShell prompt, then the following cmdlet can be run to print the commands run in the session to screen:

Get-History

By default, PowerShell also persists the commands (including those from a previous session for the same user) to a text file. To view these:

  • From a PowerShell prompt, using the 'Get-Content' (gc alias) cmdlet:

    gc $env:userprofile\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

  • Back in a command prompt:

    type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

Hopefully this might provide some documentation for the session.

Regards,
Jak
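
The PowerShell steps above, combined into one script that keeps the per-command timestamps Get-History holds but does not print by default, and hashes the saved files so later changes can be spotted. This is an added example, not part of the original post; it assumes the C:\dumps folder used in the example above, and the output file names are illustrative.

```powershell
# Added example: save PowerShell command history from a session for audit purposes.
# Assumptions: C:\dumps as the output folder; file names are illustrative.
$outDir = 'C:\dumps'
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Current session only: Get-History objects carry start/end times and status,
#    which the default screen output does not show.
$sessionCsv = Join-Path $outDir "session-history-$stamp.csv"
Get-History |
    Select-Object Id, StartExecutionTime, EndExecutionTime, ExecutionStatus, CommandLine |
    Export-Csv -Path $sessionCsv -NoTypeInformation -Encoding UTF8

# 2. Persistent history file: ask PSReadLine where it writes, because the
#    location can be changed; fall back to the default path if it is not loaded.
$historyPath = $null
try {
    $historyPath = (Get-PSReadLineOption -ErrorAction Stop).HistorySavePath
} catch {
    Write-Verbose 'PSReadLine not available in this host; using the default path.'
}
if (-not $historyPath) {
    $historyPath = Join-Path $env:USERPROFILE `
        'AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt'
}

$saved = @($sessionCsv)
if (Test-Path -LiteralPath $historyPath) {
    # This file spans earlier sessions for the same user and has no timestamps.
    $copy = Join-Path $outDir "ConsoleHost_history-$stamp.txt"
    Copy-Item -LiteralPath $historyPath -Destination $copy
    $saved += $copy
} else {
    Write-Warning "No PSReadLine history file found at $historyPath"
}

# 3. Record SHA-256 hashes of what was saved.
$saved = $saved | Where-Object { Test-Path -LiteralPath $_ }
Get-FileHash -LiteralPath $saved -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv -Path (Join-Path $outDir "history-hashes-$stamp.csv") -NoTypeInformation

# Show what was written.
Get-ChildItem -Path $outDir -Filter "*$stamp*" | Select-Object Name, Length, LastWriteTime
```

Commands typed at the command prompt before PowerShell was started are not covered by this script; they still need doskey /history.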