Tyr running this (with "Run as administrator) (assuming that it's powershell running from a command line and not some C# in-line PowerShell). That might help locate the source:
$process = "powershell.exe"
Get-WmiObject Win32_Process -Filter "name = '$process'" | Select-Object CommandLine
If that doesn't help, it may be a scheduled task. This should find any of those that use Powershell directly. Run this (again, using "Run as administrator):
Get-ScheduledTask |
ForEach-Object{
$xml = [xml](Export-ScheduledTask -TaskPath $_.TaskPath -TaskName $_.TaskName)
if ($xml.task.actions.exec.command -like "*powershell.exe*" -or
$xml.task.actions.exec.command -like "*pwsh.exe*"){
[PSCustomObject]@{
TaskPath = $_.TaskPath
TaskName = $_.TaskName
Command = $xml.Task.Actions.Exec.Command
Arguments = $xml.Task.Actions.Exec.Arguments
}
}
}
Powershell can also be launched from .BAT or .CMD files (jn, say, scheduled tasks). If you can no longer see running tasks you make have been infected with a root kit. That's one way they avoid detection. In any case, this doesn't sound like it's a PowerShell problem, per se. It reads more like a compromised system, but that's just my guess.