PowerShell Scriptblock Events on Startup- Need Help on Discerning Them
I noticed this over a month ago but it's been bothering me because I've yet to figure out what this is, as no one else experiences this (which may simply be due to differences in hardware)
on startup, whenever Windows loads, there will be a large wave of Warning and Verbose-level 4104 scriptblock logging events in Event Viewer > Applications and Services > Windows > PowerShell > Operational
the very first event in the list will always start with "MSFT_Disk", and the last event will always be related to "Get-DedupProperties". between those will be a bunch of events, all related to Storage Management/StorageWMI and seems to go through most of the Storage-based modules in the System32 Windows PowerShell folder
my biggest confusion is why? I'm sort of not sure if this is some kind of virtualized malware/rootkit, even though all my scans come back clean. the reason I'm worried is because a fair amount of the modules in the scriptblock events are:
GetDisk, GetDiskImage, GetTargetPortal, GetPhysicalDisk, GetInitiatorID, GetStorageSubSystem, ClearDisk, New-Partition, NewStorageTier, NewMaskingSet, and most importantly, Get-VirtualDisk and Disconnect-VirtualDisk
the Verbose events also mention all the "CIM instance" commands such as Get-CimInstance, Remove-CimInstance, Invoke-CimMethod etc.
I've checked Disk Management and I don't have any Virtual Disks, just my C drive and the 2 partitions. I also don't have Hyper-V enabled in any way; does Windows have or use its own built-in Virtual Disks? is this potentially just a query on the Memory and cleaning up the SSD on startup?
also worth adding that although this usually only happens on startup, every Wednesday at 6pm, all of these events will happen. which makes it seem like a scheduled thing? I've found absolutely nothing in Task Scheduler that lines up though