This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 81%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
I noticed this over a month ago but it's been bothering me because I've yet to figure out what this is, as no one else experiences this (which may simply be due to differences in hardware)
on startup, whenever Windows loads, there will be a large wave of Warning and Verbose-level 4104 scriptblock logging events in Event Viewer > Applications and Services > Windows > PowerShell > Operational
the very first event in the list will always start with "MSFT_Disk", and the last event will always be related to "Get-DedupProperties". between those will be a bunch of events, all related to Storage Management/StorageWMI and seems to go through most of the Storage-based modules in the System32 Windows PowerShell folder
my biggest confusion is why? I'm sort of not sure if this is some kind of virtualized rootkit, even though all my scans come back clean. the reason I'm worried is because a fair amount of the modules in the scriptblock events are:
GetDisk, GetDiskImage, GetTargetPortal, GetPhysicalDisk, GetInitiatorID, GetStorageSubSystem, ClearDisk, New-Partition, NewStorageTier, NewMaskingSet, and most importantly, Get-VirtualDisk and Disconnect-VirtualDisk
the Verbose events also mention all the "CIM instance" commands such as Get-CimInstance, Remove-CimInstance, Invoke-CimMethod etc.
I've checked Disk Management and I don't have any Virtual Disks, just my C drive and the 2 partitions. I also don't have Hyper-V enabled in any way; does Windows have or use its own built-in Virtual Disks? is this potentially just a query on the Memory and cleaning up the SSD on startup?
also worth adding that although this usually only happens on startup, every Wednesday at 6pm, all of these events will happen. which makes it seem like a scheduled thing? I've found absolutely nothing in Task Scheduler that lines up though
If it happens every Wednesday, then it is likely a scheduled task. Start by using autoruns to search for entries that invoke powershell.
https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
If you can't find anything, run process monitor.
https://learn.microsoft.com/en-us/sysinternals/downloads/procmon
Add a filter entry for "process name starts with powershell". In the option menu, select Enable Boot Logging. Then reboot. Log back in and launch procmon. Stop the capture and then look to see what script the command line is pointing to and what the parent PID is. That is the process that launched Powershell.
I checked back with my friend and his logs, while not related to Storage, are related to Defender and seems to run through the modules and commands from the MpDefender folder in System32/WindowsPowerShell/v1.0/Modules
however, although I'm unsure how consistent they are. mine appear to be daily, whenever I turn the computer on; however, his doesn't seem to be the same. they aligned with his logon on Tuesday, and apparently there were more of these events around his sign-in times dating back to the 27th of October; however, there were no events correlating to his logon yesterday
not to mention yesterday was Wednesday for me, and after seeing these Storage events occur again at around 6:15pm, I asked my friend if he saw any events in the PowerShell log as well, but there was nothing recent
anyway, in the Windows PowerShell event log, I can see the command line is as follows "powershell Get-PhysicalDisk | Select FriendlyName | ft -HideTableHeaders"; along the way, it will also change to "Select BusType" and "Select MediaType" instead of FriendlyName. unsure if that's helpful or not
although the PowerShell > Operational log filters very quickly (I can only see events dating back to my previous startup due to the amount of events, unlike my friend), the Windows PowerShell log goes back a lot further. as of now, I believe I can scroll back down to early-mid September, and these events were indeed happening on startup back then (before I noticed it)
I also remember scrolling down to the bottom of the log back in September, and I believe I could see these Get-PhysicalDisk events on startup occurring since July at the very least
I have no idea what software is installed on your PC or why it might be calling Powershell. If you see hardware related calls, then a logical assumption is that it is being done by the Dell/HP/Lenovo/etc vendor support software.
If you can't find anything in Autoruns, or the Task Scheduler itself, then in the Windows task scheduler, in the right pane that's labeled Actions, make sure that you have checked "Enable All Tasks History". Then monitor the Microsoft-Windows-TaskScheduler/Operational event log and ty to match a task to the Powershell query.
Or trace Powershell processes with Process Monitor. Get the parent process pid and from an admin PS/cmd prompt, use tasklist to see what that process is and if it is running as a service.
PS C:\> tasklist /fi "pid eq 28980"
Image Name PID Session Name Session# Mem Usage
========================= ======== ================ =========== ============
cmd.exe 28980 Console 1 4,972 K
PS C:\> tasklist /svc /fi "pid eq 28980"
Image Name PID Services
========================= ======== ============================================
cmd.exe 28980 N/A
PS C:\> tasklist /svc /fi "pid eq 20472"
Image Name PID Services
========================= ======== ============================================
SupportAssistAgent.exe 20472 SupportAssistAgent
I've been told it may be caused by a combination of things such as my SSD + my motherboard + my specific Windows 10 install, etc.
I have an Asus board. Armoury Crate has been uninstalled and deleted for months; although AsusComSvc and AsusCertService do still run in Task Manager on startup, due to the motherboard being Asus
I can have another look in the Task Scheduler logs to see if there are Asus-related tasks that lineup with the PowerShell events on startup, although I'm not sure IF those could be related
as for other software? just base Windows 10 stuff, as well as Steam, Discord, Chrome, and some monitoring software like MSI Afterburner and HWInfo64. although none of these run on startup at all, and don't appear to be connected
I've noticed it on September 21st so over a month ago now; although if the Windows PowerShell logs are reliable, then it's potentially been happening AT LEAST since July. I've never looked in PowerShell > Operational before September, so I can only assume the events in there always happen hand-in-hand with the other log. my main concern has always been whether or not it's something to worry about
I'm sorry but I do not possess a working magic crystal ball that allows me to look inside of your PC to see what is going on.
If you are concerned about this activity, then run a full Defender scan. Also download and run MS's MRT tool.
https://www.microsoft.com/en-us/download/details.aspx?id=9905
If you want to know which of your installed software programs is causing this activity, then you have to do some low-level troubleshooting. That mainly involves figuring out what program is launching Powershell.exe.
Procmon is the best way to do that since in most cases the PS process is only going to be running for a few seconds.
You can also use Process Explorer and try to catch PS while it's executing. Procexp will indent by parent process.
https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer
Here I launched Powershell from a command prompt. Hit the spacebar to pause the display so that it doesn't refresh.
of course, I don't expect you to magically know. just thought it was worth throwing whatever observations I've made into the reply to see what could be inferred, and whether or not it just sounds like something concerning, at face value
I didn't find much results when searching the Get-PhysicalDisk | Select MediaType | ft -HideTableHeaders command
I'll do some more poking around with Event Viewer and Task Scheduler when I'm home and go from there. I actually never considered the possibility that one of the Asus tasks might be triggering it, if that's what you meant by "you see hardware related calls being done by vendor support software"
edit note: I've run literally countless MalwareBytes (Normal and Rookit) and Windows Defender scans since I first noticed these events. always turned up clean on each scan
that one of the Asus tasks might be triggering it, if that's what you meant by "you see hardware related calls
Yes, my Dell laptop has a number of services installed.
I already had all Task History enabled and checking Task Scheduler logs in Event Viewer, there's nothing that lines up with the events. no Asus tasks or anything; NahimicTask lines up sometimes, but not every time so that's probably just coincidence more than anything
I even checked Applications log to see if AsusUpdateCheck aligned, but it does not
I guess it might be something related to an Asus service that just doesn't appear logged in Event Viewer, or something entirely to do with my SSD (Samsung EVO Plus)
it's been about a month, getting close to 2 months, since I first noticed these events (they date back further though) so I'm not sure how likely it is for this to be malware. I don't have a Virtual Disk, so I got concerned about the prospect of a virtualized rootkit or something of the sort
I don't have Virtualization or Hyper-V enabled on my CPU/computer but it still worried me
hi, I think I found the cause but I also don't know if I've now messed something up
on a whim, I uninstalled AMD Ryzen Master with RevoUninstaller; upon restarting the PC, I saw that the events in PowerShell > Operational and Windows PowerShell no longer logged on startup. this includes the events such as "Confirm-SecureBootUEFI'
I'm now in a state of concern about this. I have no idea if SecureBoot is enabled or disabled by default (my motherboard is an Asus B550-F) but I checked System Information and saw 'Secure Boot State' was Off
I went into the Bios and found the Secure Boot option, which was set to "Other OS Types" (aka Disabled). I set it to the "Windows Boot UEFI" option and now, when looking in System Information, 'Secure Boot State' in says On
however, the events in the PowerShell logs are still gone, and there is no "Confirm-SecureBootUEFI" log. do you know if the Secure Boot feature is enabled or disabled by default?
furthermore, do you know if Secure Boot is actually running on my PC with this information, even if the PowerShell logs no longer show anything on startup? I'm just feeling a bit worried because I don't know what the Secure Boot State in SystemInformation said prior to uninstalling Ryzen Master and stopping these events
I have no experience with Asus software and Secureboot. Your best bet is to ask a question in an Asus support forum.
I've been looking into it over the course of the day. but in regards to the PowerShell events, I'm not sure if Ryzen Master was actually the cause
although uninstalling Ryzen Master with RevoUninstaller stopped the PowerShell events, I did a SystemRestore back to the point before I uninstalled the software for a test
I was trying to see if uninstalling Ryzen Master again would change the Secure Boot setting (which I had enabled for this test), which it didn't. obviously going back with a System Restore triggered the PowerShell events again, but not even uninstalling Ryzen Master and rebooting twice has stopped them again
so that's just plain unlucky I guess
The only way to positively identify the source of the events is to trace Powershell with process monitor and look to see what the parent PID it. Then use tasklist as I demonstrated to see what the process name is and also the service name if it has one.
Here is a script that will monitor Powershell instances. Open Powershell_ISE with run as administrator and run it.
It will check every 5 seconds for new processes. That should capture your Wednesday occurrences.
cls
$seen = [System.Collections.ArrayList]@()
''
"================ Powershell monitor =============================="
function ShowParent ($ppid) {
""
$parent = Get-Process -Id $ppid -ErrorAction SilentlyContinue
if ($parent) {
"Parent is {0} - {1}" -f $ppid, $parent.Name
"Parent Command line: {0} " -f (Get-CimInstance Win32_Process -Filter "ProcessId=$ppid ").CommandLine
$svc = get-ciminstance win32_service -Filter "ProcessID = $ppid"
if ($svc) {
"Parent service name: {0}" -f $svc.DisplayName
} else {
"No service found."
}
$perf = Get-CimInstance Win32_PerfRawData_PerfProc_Process -Filter "IDProcess=$ppid"
ShowParent $perf.CreatingProcessID
}
}
while ($true) {
$procs = get-process -Name powershell
foreach ($p in $procs) {
$key = "{0}-{1}" -f $p.id, $p.StartTime
if ($seen -contains $key) {
continue
}
''
"{0} -------------------- {1} -------------------- " -f (get-date), $p.id
$perf = Get-CimInstance Win32_PerfRawData_PerfProc_Process -Filter "IDProcess=$($p.Id) "
"Command line: {0} " -f (Get-CimInstance Win32_Process -Filter "ProcessId=$($p.Id) ").CommandLine
$count = $seen.Add($key)
ShowParent $perf.CreatingProcessID
}
start-sleep -Seconds 5 # adjust as needed
}
Here I caught a scheduled task. Click the red block to stop the script.
it seems that both my startup and Wednesday-specific PowerShell events were all caused by Ryzen Master
they returned after a system restore even when I uninstalled RM again, but it turns out Ryzen Master didn't uninstall properly that time. so I reinstalled and ran the uninstaller again, cleaned up the leftovers, and there's been no events since