issue 4834, 4835, 4836 (#4846)

Author: davidsmatlak

reference/5.1/Microsoft.PowerShell.Core/About/about_Logging.md

@@ -8,25 +8,31 @@ title:  about_Logging
 
 # About Logging
 
-## Short Description
+## Short description
 
 PowerShell logs internal operations from the engine, providers, and cmdlets.
 
-## Long Description
+## Long description
 
-PowerShell logs details of PowerShell operations, such as starting and
-stopping the engine and starting and stopping providers. It will also log
-details about PowerShell commands.
+PowerShell logs details about PowerShell operations, such as starting and
+stopping the engine and providers, and executing PowerShell commands.
+
+> [!NOTE]
+> Windows PowerShell versions 3.0, 4.0, 5.0, and 5.1 include **EventLog**
+> cmdlets for the Windows event logs. In those versions, to display the list of
+> **EventLog** cmdlets type: `Get-Command -Noun EventLog`. For more
+> information, see the cmdlet documentation and about_EventLogs for your
+> version of Windows PowerShell.
 
 ## Viewing the PowerShell event log entries on Windows
 
-PowerShell logs can be viewed using the Event Viewer. The event log is located
-in the Application and Services Logs group and is named
+PowerShell logs can be viewed using the Windows Event Viewer. The event log is
+located in the Application and Services Logs group and is named
 `Microsoft-Windows-PowerShell`. The associated ETW provider `GUID` is
 `{A0C1853B-5C40-4B15-8766-3CF1C58F985A}`.
 
-When script block logging is enabled, PowerShell will log the following events
-to the `Microsoft-Windows-PowerShell/Operational` log:
+When Script Block Logging is enabled, PowerShell logs the following events to
+the `Microsoft-Windows-PowerShell/Operational` log:
 
 |Field| Value|
 |-|-|
@@ -39,18 +45,21 @@ to the `Microsoft-Windows-PowerShell/Operational` log:
 
 ## Enabling Script Block Logging
 
-Any new PowerShell session will pick up the new setting after making one of the
-following changes.
+When you enable Script Block Logging, PowerShell records the content of all
+script blocks that it processes. Once enabled, any new PowerShell session logs
+this information.
 
 > [!NOTE]
-> It is recommended to enable Protected Event Logging (as described below) when
-> using Script Block logging for anything other than diagnostics purposes.
+> It's recommended to enable Protected Event Logging, as described below, when
+> using Script Block Logging for anything other than diagnostics purposes.
+
+Script Block Logging can be enabled via Group Policy or a registry setting.
 
 ### Using Group Policy
 
-To enable automatic transcription, enable the 'Turn on PowerShell Script Block
-Logging' feature in Group Policy through `Administrative Templates ->
-Windows Components -> Windows PowerShell`.
+To enable automatic transcription, enable the `Turn on PowerShell Script Block
+Logging` feature in Group Policy through `Administrative Templates -> Windows
+Components -> Windows PowerShell`.
 
 ### Using the Registry
 
@@ -73,70 +82,67 @@ function Enable-PSScriptBlockLogging
 
 ## Protected Event Logging
 
-One concern when increasing the amount of logging on a system is the danger
-that logged content may contain sensitive data. For example, if you log the
-content of every PowerShell script that was run, there is the possibility that
-a script may contain credentials or other sensitive data.
+Increasing the level of logging on a system increases the possibility that
+logged content may contain sensitive data. For example, with script logging
+enabled, credentials or other sensitive data used by a script can be written to
+the event log. When a machine that has logged sensitive data is compromised,
+the logs can provide an attacker with information needed to extend their reach.
 
-If an attacker later compromises a machine that has logged this data, it may
-provide them with additional information with which to extend their reach.
-
-To prevent this dilemma, Windows 10 introduces Protected Event Logging.
+To protect this information, Windows 10 introduces Protected Event Logging.
 Protected Event Logging lets participating applications encrypt sensitive data
-as they write it to the event log. You can then decrypt and process these logs
-once you've moved them to a more secure and centralized log collector.
-
-Protected Event Logging protects event log content through the IETF
-Cryptographic Message Syntax (CMS) standard. The CMS encryption standard
-implements public key cryptography, where the keys used to encrypt content
-(the public key) and the keys used to decrypt content (the private key) are
-separate.
-
-Your public key can be shared widely, and is not sensitive data. If any
-content is encrypted with this public key, only your private key can decrypt
-it. For more information about Public Key Cryptography, see
+written to the event log. Later, you can decrypt and process these logs on a
+more secure and centralized log collector.
+
+Event log content is protected using the IETF Cryptographic Message Syntax
+(CMS) standard. CMS uses public key cryptography. The keys used to encrypt
+content and decrypt content are kept separate.
+
+The public key can be shared widely and isn't sensitive data. Any content
+encrypted with this public key can only be decrypted by the private key. For
+more information about Public Key Cryptography, see
 [Wikipedia - Public Key Cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography).
 
-When you implement a protected event logging policy, you deploy a public key
-to all machines that have event log data you want to protect. You retain the
-corresponding private key to post-process the event logs at a more secure
-location such as a central event log collector,
-or [SIEM](https://en.wikipedia.org/wiki/Security_information_and_event_management) aggregator.
+To enable a Protected Event Logging policy, deploy a public key to all machines
+that have event log data to protect. The corresponding private key is used to
+post-process the event logs at a more secure location such as a central event
+log collector, or [SIEM](https://en.wikipedia.org/wiki/Security_information_and_event_management)
+aggregator.
 
 ### Enabling Protected Event Logging via Group Policy
 
 To enable Protected Event Logging, enable the `Enable Protected Event Logging`
-feature in Group Policy through `Administrative Templates ->
-Windows Components -> Event Logging`. This setting requires an encryption certificate,
-which you can provide in one of several forms:
+feature in Group Policy through `Administrative Templates -> Windows Components
+-> Event Logging`. This setting requires an encryption certificate, which you
+can provide in one of several forms:
 
 - The content of a base-64 encoded X.509 certificate (for example, as offered
-  by the `Export` option in Certificate Manager)
+  by the `Export` option in Certificate Manager).
 - The thumbprint of a certificate that can be found in the Local Machine
-  certificate store (can be deployed by PKI infrastructure)
-- The full path to a certificate (can be local, or a remote share)
+  certificate store (can be deployed by PKI infrastructure).
+- The full path to a certificate (can be local, or a remote share).
 - The path to a directory containing a certificate or certificates (can be
-  local, or a remote share)
+  local, or a remote share).
 - The subject name of a certificate that can be found in the Local Machine
-  certificate store (can be deployed by PKI infrastructure)
+  certificate store (can be deployed by PKI infrastructure).
 
 The resulting certificate must have `Document Encryption` as an enhanced key
-usage (`1.3.6.1.4.1.311.80.1`), as well as either `Data Encipherment` or `Key
+usage (`1.3.6.1.4.1.311.80.1`), and either `Data Encipherment` or `Key
 Encipherment` key usages enabled.
 
 > [!WARNING]
-> The private key should not be deployed to machines logging.
-> It should be kept in a secure location where you decrypt the messages.
+> The private key shouldn't be deployed to the machines logging events. It
+> should be kept in a secure location where you decrypt the messages.
 
-### Decrypting Protected Event Log Messages
+### Decrypting Protected Event Logging messages
 
-The following script will retrieve and decrypt (assuming you have the private key):
+The following script will retrieve and decrypt, assuming that you have the
+private key:
 
 ```powershell
 Get-WinEvent Microsoft-Windows-PowerShell/Operational |
   Where-Object Id -eq 4104 | Unprotect-CmsMessage
 ```
 
-## See Also
+## See also
 
-[PowerShell the Blue Team](https://blogs.msdn.microsoft.com/powershell/2015/06/09/powershell-the-blue-team/)
+[PowerShell the Blue Team](https://devblogs.microsoft.com/powershell/powershell-the-blue-team/)