Unknown Powershell Script starts a minute or two after startup.

Ronald Holloway 20 Reputation points
2023-04-15T21:55:36.16+00:00

I am very concerned about a script that started running on Thursday without my knowledge, and I am hoping that one of you can advise me on the easiest way to find the script and stop it without having to reinstall Windows 10 Pro.

Will you please help? How do I find the Powershell script when there are thousands of scripts?

**System Information List**: 16 GB RAM; 500 GB SSD for system, 1 TB SATA III HDD for data; Windows 10 Pro, 21H2, Build 19044.2846

Security Update for Microsoft Windows (KB5025221) Date installed 4/12/2023

Servicing Stack 10.0.19041.2780 Date installed 4/12/2023

Servicing Stack 10.0.19041.2664 Date installed 3/14/2023
M.S. 365 Apps for Enterprise Edition installed. Powershell ISE originally installed and updated to version 5.1.19041.2673. Powershell 7 installed later in 2022.

Problem below. Two days ago I started seeing a Powershell 1.0 window opening on my PC, which prompted me to search for .PS1 files on my PC. I literally have 2,000 or more and I never knew about them. I have only used one script myself and don't use it now.

  • Question you may have --> Was there anything that I was doing at the time I noticed the Powershell window appear?
  • Answer --> Nothing that I remember. Windows Update ran that day.

NOTE: The April 2023 Windows updates listed above in the (System Information) had installed automatically on 4/12/2023. COMMENT: Possibly a potential problem for the running Powershell 1.0 window that opens but I am not certain.

Procedures that I have tried to find this unknown Powershell 1.0 script, since 4/13/2023:

  • I tried disabling scripts in Group Policy and it broke Microsoft Word paste, so I reversed this.
  • I opened Powershell ISE 5 and changed the -Scope LocalMachine execution policy from Bypass to Undefined to stop scripting.
  • I went through a lot of the registry the other day and recorded most key locations of all the "Run" keys and subkeys, but due to time constraints, I still need to look for more.
  • I checked Task Scheduler for my old script and it is not there. It is no longer loaded from Task Scheduler.
  • I checked GPEdit.msc for script settings and everything looks as it should, with no scripting allowed.
  • I noticed that TeamViewer was turned on and it was enabled on the Public profile. How this happened is beyond me. I uninstalled TeamViewer after disabling the rules in the Firewall.
  • In the past, I always ran Autoruns64 upon startup. I have since shut it off, due to school work, but I ran it the other day, and it does not show all the running processes that it once did, so something changed its settings. Whether this is an indication of foul play or not, who knows?
  • I checked the Windows Startup directory and scripts show there.

Thank you in advance!

Accepted answer
  1. Rich Matheisen 45,906 Reputation points
    2023-04-16T15:27:18+00:00

    Try running this (with "Run as administrator") (assuming that it's powershell running from a command line and not some C# in-line PowerShell). That might help locate the source:

    # List every running powershell.exe with the full command line it was started with.
    # Get-WmiObject exists in Windows PowerShell 5.1 (it was removed from PowerShell 7,
    # where Get-CimInstance Win32_Process gives the same data).
    $process = "powershell.exe"
    Get-WmiObject Win32_Process -Filter "name = '$process'" | Select-Object CommandLine


    If that doesn't help, it may be a scheduled task. This should find any of those that use PowerShell directly. Run this (again, using "Run as administrator"):

    # Export each task's XML definition and report the ones whose Exec action
    # is powershell.exe or pwsh.exe, together with the arguments they pass.
    # Tasks launched through a cmd.exe / .bat wrapper are NOT matched here.
    Get-ScheduledTask |
            ForEach-Object{
                $xml = [xml](Export-ScheduledTask -TaskPath $_.TaskPath -TaskName $_.TaskName)
                if ($xml.Task.Actions.Exec.Command -like "*powershell.exe*" -or
                    $xml.Task.Actions.Exec.Command -like "*pwsh.exe*"){
                        [PSCustomObject]@{
                            TaskPath    = $_.TaskPath
                            TaskName    = $_.TaskName
                            Command     = $xml.Task.Actions.Exec.Command
                            Arguments   = $xml.Task.Actions.Exec.Arguments
                        }
                    }
            }


    PowerShell can also be launched from .BAT or .CMD files (in, say, scheduled tasks). If you can no longer see running tasks you may have been infected with a rootkit. That's one way they avoid detection. In any case, this doesn't sound like it's a PowerShell problem, per se. It reads more like a compromised system, but that's just my guess.
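To take the accepted answer's hunt a step further, here is an added example that is not part of the original answer. It lists running PowerShell hosts together with their parent process, scheduled tasks that launch PowerShell either directly or through a cmd/.bat wrapper (the case the answer warns about), the Run/RunOnce registry keys the question mentions, both Startup folders, and WMI event subscriptions, a common persistence spot that Task Scheduler never shows. It uses only built-in cmdlets; the regex pattern, the key list and the column names are my own choices, and it assumes an elevated Windows PowerShell 5.1 or PowerShell 7 prompt.

```powershell
# Added example (not from the original answer). Run elevated.
# Get-CimInstance is used instead of Get-WmiObject so the same code works in PowerShell 7.

# Anything in a command line or task action that mentions PowerShell or a script/wrapper file.
$pattern = 'powershell|pwsh|\.ps1|\.bat|\.cmd'

# 1. Running PowerShell hosts, with command line and the process that spawned them.
$hosts = Get-CimInstance Win32_Process -Filter "Name = 'powershell.exe' OR Name = 'pwsh.exe'"
foreach ($p in $hosts) {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    [PSCustomObject]@{
        Pid         = $p.ProcessId
        Parent      = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { 'exited' }
        CommandLine = $p.CommandLine
    }
}

# 2. Scheduled tasks whose Exec action, or its arguments, reference PowerShell or a script.
#    Checking Execute AND Arguments catches "cmd.exe /c run.bat" style wrappers.
Get-ScheduledTask | ForEach-Object {
    foreach ($a in $_.Actions) {
        # Non-Exec actions (COM handlers) have no Execute property and simply yield $null here.
        if ("$($a.Execute) $($a.Arguments)" -match $pattern) {
            [PSCustomObject]@{
                Task      = "$($_.TaskPath)$($_.TaskName)"
                State     = $_.State
                Execute   = $a.Execute
                Arguments = $a.Arguments
            }
        }
    }
}

# 3. Run / RunOnce keys for the machine (64- and 32-bit views) and the current user.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    foreach ($name in ($props.PSObject.Properties | Where-Object { $_.Name -notin $providerProps }).Name) {
        if ("$($props.$name)" -match $pattern) {
            [PSCustomObject]@{ Key = $k; Name = $name; Value = $props.$name }
        }
    }
}

# 4. Startup folders for all users and for the current user (hidden files included).
$startup = @(
    [Environment]::GetFolderPath('CommonStartup'),
    [Environment]::GetFolderPath('Startup')
)
Get-ChildItem -Path $startup -Force -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime

# 5. Permanent WMI event subscriptions: a consumer here runs a command line on an
#    event trigger with no task, service or Run key to show for it.
Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer |
    Select-Object Name, CommandLineTemplate, ExecutablePath
```

If section 1 shows a parent such as `svchost.exe`, `taskeng.exe` or `cmd.exe`, the matching scheduled task or wrapper should show up in section 2; a parent of `wmiprvse.exe` points at section 5. Hosts whose parent is reported as `exited` were launched by something short-lived, which is typical of a .BAT wrapper that has already returned.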


1 additional answer

  1. MotoX80 32,911 Reputation points
    2023-04-16T19:26:49.0366667+00:00

    Use Process Monitor to trace the activity on your PC: https://learn.microsoft.com/en-us/sysinternals/downloads/procmon. Set a filter for "process name contains PowerShell". In the trace it will show you the command line arguments, which should point to the .ps1 file. Maybe run an mrt.exe full scan just to be safe.
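As a scriptable complement to Process Monitor, the following added example (not from the original answer) turns on PowerShell script block logging and then reads back, from event 4104, the text of every script block that ran and the file it came from. Unlike a command-line trace it still works when the launcher passes an encoded `-Command` string rather than a .ps1 path. It assumes Windows PowerShell 5.1 and an elevated prompt; PowerShell 7 writes the same event to the `PowerShellCore/Operational` log. The keyword list used to flag suspicious blocks is my own choice.

```powershell
# Added example (not from the original answer). Run elevated.

# 1. Enable script block logging. This is the registry value behind the Group Policy
#    setting "Turn on PowerShell Script Block Logging"; it applies to new PowerShell sessions.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $key -Force | Out-Null
Set-ItemProperty -Path $key -Name EnableScriptBlockLogging -Value 1 -Type DWord

# 2. Once the mystery window has appeared again, read back what was logged.
#    Event 4104 properties, by index: 0 MessageNumber, 1 MessageTotal,
#    2 ScriptBlockText, 3 ScriptBlockId, 4 Path (empty for -Command / typed code).
$suspicious = 'DownloadString|DownloadFile|FromBase64String|-enc|Invoke-Expression|\bIEX\b|Start-BitsTransfer'
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
ForEach-Object {
    $text = [string]$_.Properties[2].Value
    [PSCustomObject]@{
        Time    = $_.TimeCreated
        Path    = [string]$_.Properties[4].Value
        Flagged = $text -match $suspicious
        # First 200 characters are usually enough to recognise the script.
        Script  = $text.Substring(0, [Math]::Min(200, $text.Length))
    }
} |
# Keep blocks that came from a file on disk, or that look like a downloader/loader.
Where-Object { $_.Path -or $_.Flagged } |
Sort-Object Time |
Format-Table Time, Flagged, Path, Script -AutoSize -Wrap
```

The `Path` column is the answer to "which of the 2,000 .ps1 files is it"; a block with an empty `Path` but `Flagged = True` means the code arrived inline on the command line, and the process command line from the accepted answer (or Process Monitor) is the place to look next.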