PowerShell - Command history and confidential information

To support me, you can subscribe to the channel, share and like the videos, disable your ad blocker or make a donation. Thank you!

Hello,

Powershell has a history, even several, the commands you run may contain confidential information and remain in that history.

There are 3 histories:
- The Powershell history (in the current Shell Get-History)
- The history of the PSReadLine module (stored in a file by default)
- The Powershell console cache (the command callback with arrows or F8)

Here are some demonstrations and commands for either deleting these histories or removing sensitive information from them.

# Check behaviours.
ConvertTo-SecureString 'titi' -AsPlainText -Force
Get-Credential -Credential Guillaume

# Display the history of the current shell
Get-History
# Note that the history of the current shell retains the following commands

# Display the history of PSReadLine
Get-Content (Get-PSReadLineOption).HistorySavePath
# The history of PSReadLine deletes the ConvertTo-SecureString command but leaves the identifier

## Delete history
# Delete history Powershell
Clear-History

# Delete console cache history (command callback with arrows or F8)
[Microsoft.PowerShell.PSConsoleReadLine]::ClearHistory()
# Alt + F7 does the same thing

# Delete the PSReadLine history
Remove-Item -Path (Get-PSReadLineOption).HistorySavePath

# Delete PSReadLine history
Set-PSReadlineOption -HistorySaveStyle SaveNothing

## Delete confidential information only
# Delete confidential information from history Powershell
# Delete part of the history (specify an Array of values to delete the corresponding rows)
Clear-History -CommandLine *SecureString*, *credential*

# Clear part of the history PSReadLine (specify values separated by a | to delete the corresponding lines)
HistoryPath = (Get-PSReadLineOption).HistorySavePath
(Get-Content $HistoryPath ).where({$_ -notmatch 'credential|sensible'}) | Set-Content $HistoryPath