PowerShell Storage Scriptblock Events on Startup- Need Help Figuring Them Out

JamesBacon 0 Reputation points

I noticed this over a month ago but it's been bothering me because I've yet to figure out what this is, as no one else experiences this (which may simply be due to differences in hardware)

on startup, whenever Windows loads, there will be a large wave of Warning and Verbose-level 4104 scriptblock logging events in Event Viewer > Applications and Services > Windows > PowerShell > Operational

the very first event in the list will always start with "MSFT_Disk", and the last event will always be related to "Get-DedupProperties". between those will be a bunch of events, all related to Storage Management/StorageWMI and seems to go through most of the Storage-based modules in the System32 Windows PowerShell folder

my biggest confusion is why? I'm sort of not sure if this is some kind of virtualized rootkit, even though all my scans come back clean. the reason I'm worried is because a fair amount of the modules in the scriptblock events are:

GetDisk, GetDiskImage, GetTargetPortal, GetPhysicalDisk, GetInitiatorID, GetStorageSubSystem, ClearDisk, New-Partition, NewStorageTier, NewMaskingSet, and most importantly, Get-VirtualDisk and Disconnect-VirtualDisk

the Verbose events also mention all the "CIM instance" commands such as Get-CimInstance, Remove-CimInstance, Invoke-CimMethod etc.

I've checked Disk Management and I don't have any Virtual Disks, just my C drive and the 2 partitions. I also don't have Hyper-V enabled in any way; does Windows have or use its own built-in Virtual Disks? is this potentially just a query on the Memory and cleaning up the SSD on startup?

also worth adding that although this usually only happens on startup, every Wednesday at 6pm, all of these events will happen. which makes it seem like a scheduled thing? I've found absolutely nothing in Task Scheduler that lines up though

Windows 10 Security
Windows 10 Security
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
2,598 questions
A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
1,544 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. MotoX80 29,276 Reputation points

    If it happens every Wednesday, then it is likely a scheduled task. Start by using autoruns to search for entries that invoke powershell.


    If you can't find anything, run process monitor.


    Add a filter entry for "process name starts with powershell". In the option menu, select Enable Boot Logging. Then reboot. Log back in and launch procmon. Stop the capture and then look to see what script the command line is pointing to and what the parent PID is. That is the process that launched Powershell.

    User's image

  2. MotoX80 29,276 Reputation points

    Here is a script that will monitor Powershell instances. Open Powershell_ISE with run as administrator and run it.

    It will check every 5 seconds for new processes. That should capture your Wednesday occurrences.

    $seen = [System.Collections.ArrayList]@()
    "================ Powershell monitor =============================="
    function ShowParent ($ppid) {
        $parent = Get-Process -Id $ppid -ErrorAction SilentlyContinue
        if ($parent) {
            "Parent is {0} - {1}" -f $ppid, $parent.Name
            "Parent Command line: {0} " -f  (Get-CimInstance Win32_Process -Filter "ProcessId=$ppid ").CommandLine
            $svc = get-ciminstance win32_service -Filter "ProcessID = $ppid"
            if ($svc) {
                "Parent service name: {0}" -f $svc.DisplayName
            } else {
                "No service found."
            $perf = Get-CimInstance Win32_PerfRawData_PerfProc_Process -Filter "IDProcess=$ppid"
            ShowParent $perf.CreatingProcessID
    while ($true) {
        $procs = get-process -Name powershell
        foreach ($p in $procs) {
            $key = "{0}-{1}" -f $p.id, $p.StartTime
            if ($seen -contains $key) {
            "{0} -------------------- {1} -------------------- " -f  (get-date), $p.id
            $perf = Get-CimInstance Win32_PerfRawData_PerfProc_Process -Filter "IDProcess=$($p.Id) "
            "Command line: {0} " -f  (Get-CimInstance Win32_Process -Filter "ProcessId=$($p.Id) ").CommandLine
            $count = $seen.Add($key)
            ShowParent $perf.CreatingProcessID
        start-sleep -Seconds 5    # adjust as needed

    Here I caught a scheduled task. Click the red block to stop the script.

    User's image