01/06/2020, 11:03 AM
Hi everyone, I've just started using osquery, and when I query to see PowerShell events in osquery I get output like this:
W0106 15:33:36.802225 12808 virtual_table.cpp:967] Table powershell_events is event-based but events are disabled
I have tried with the CLI like this:
osqueryi.exe --disable_events=false --windows_event_channels=Micorsoft-Windows-PowerShell
but I get empty output. I also checked the table osquery_event and got a result like this:
select name, publisher, subscriptions, events, active from osquery_events where name like '%powershell_%events%';
+-------------------+----------------+---------------+--------+--------+
| name              | publisher      | subscriptions | events | active |
+-------------------+----------------+---------------+--------+--------+
| powershell_events | windows_events | 1             | 0      | 1      |
+-------------------+----------------+---------------+--------+--------+
No events. Can anyone help me? Thanks.


01/07/2020, 1:53 PM
I think you want to discuss this in #windows. The details about enabling PowerShell events should have updated documentation, but the experts are in that channel to help with nuance.