History and ClearHistory

Get or Clear PowerShell History

The History command is designed to retrieve PowerShell history from the target system. This command is particularly valuable for uncovering historical commands and activities executed on the system.

When you execute the History command, it will attempt to retrieve the PowerShell history for all users on the target system. However, the success of this action depends on your user privileges.

If you are running the Amnesiac session as a Local Administrator or NT Authority\System, you are more likely to obtain the history of all users. Conversely, if you are running as a standard user, you will only be able to retrieve the history for the user currently running the Amnesiac session.

Please note that the retrieved history is not displayed on screen because it can be long. Instead, it is saved in the "C:\Users\Public\Documents\Amnesiac\History" folder for later reference and analysis.

The ClearHistory command allows you to clear all PowerShell history entries on the target system. This action can be useful for removing traces of your past activities and commands.

To clear the PowerShell history, type ClearHistory in the Amnesiac console and execute the command. Be cautious when using this command, as it cannot be undone.
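For responders, the two behaviours described above leave checkable state on disk. The following triage script is an added example, not Amnesiac code: it looks for the staging folder quoted on this page and reports the state of each profile's history file. The function name `Get-PSHistoryTriage` is hypothetical, and the use of the default PSReadLine history path is an assumption, since the page does not say which history store the commands read or clear.

```powershell
# Added triage example (not Amnesiac code). Run elevated to see every profile.
# $StagingPath is the folder quoted on this page. The PSReadLine path below is
# the default console history location and is an ASSUMPTION about which
# history store is affected.
function Get-PSHistoryTriage {
    [CmdletBinding()]
    param(
        [string]$StagingPath  = 'C:\Users\Public\Documents\Amnesiac\History',
        [string]$ProfilesRoot = 'C:\Users'
    )

    $relative = 'AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'

    # 1. Staging folder: any file here is a copy of collected history.
    if (Test-Path -LiteralPath $StagingPath) {
        Get-ChildItem -LiteralPath $StagingPath -Recurse -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Finding = 'StagedHistoryCopy'; User = $null; Path = $_.FullName
                    Length = $_.Length; LastWriteTime = $_.LastWriteTime
                }
            }
    }

    # 2. Per-profile history files. A deleted or truncated file shows up as
    #    HistoryMissing or HistoryEmpty. A missing file is also normal for a
    #    profile that never ran an interactive PowerShell session, so compare
    #    against what is known about how the account is used.
    Get-ChildItem -LiteralPath $ProfilesRoot -Directory -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = Join-Path $_.FullName $relative
            $item = Get-Item -LiteralPath $file -Force -ErrorAction SilentlyContinue
            $finding = if (-not $item) { 'HistoryMissing' }
                       elseif ($item.Length -eq 0) { 'HistoryEmpty' }
                       else { 'HistoryPresent' }
            [pscustomobject]@{
                Finding = $finding; User = $_.Name; Path = $file
                Length = if ($item) { $item.Length } else { $null }
                LastWriteTime = if ($item) { $item.LastWriteTime } else { $null }
            }
        }
}

Get-PSHistoryTriage | Sort-Object Finding, User | Format-Table -AutoSize
```

Because a cleared history file cannot be restored from the host itself, pair this check with PowerShell script block logging or transcription forwarded off the host, so the command record survives.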
