This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(179.20000000000002, 54%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EP%3C/text%3E%3C/svg%3E)
Hi,
More than a year after reporting the problem, I continue to receive the same PowerShell warning despite everything working normally and all versions being up to date.
Maybe with this new information we can better understand the problem.
I know it doesn't affect the functioning, but I'm a bit picky...
Thanks for any help.
It's hard to read your image. Can you please post those statements that you are executing so we can test on our machines?
I would also reomment that instead of passing the entire script on the command line that you save it in a .ps1 file and execute that. Also add in a Start-Transcript at the beginning and a Stop-Transcript at the end and have it generate a log file. Then review that for errors.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 74%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERM%3C/text%3E%3C/svg%3E)
If you can read that, good for you!
Why do you think the evet is a "Warning"? It looks like it's an "informational" event.
A TEXT copy of the event is preferable to a screenshot.
It looks like you're trying to run powershell script (maybe from a scheduled task) that's trying to use a Microsoft.Update.Session COM object. The powershell session is run with a "restricted" execution policy.
Is the Windows Update Service (wuauserv) running? Does your code produce any output?
I had my cataracts removed in April.
Displaying the update counts might have some value.
$UpdateSession = New-Object -ComObject 'Microsoft.Update.Session'
$UpdateSearcher = $UpdateSession.CreateUpdateSearcher()
$count = $UpdateSearcher.GetTotalHistoryCount()
Write-Host "We found $count total updates."
$Updates = $UpdateSearcher.QueryHistory(0,$count)
Write-Host "QueryHistory returned $($updates.count) updates."
The above code does not generate a 300 event on my Win11 laptop.
Check your transcript.
So add in the rest of your code. Try to isolate which statement is causing your problem.
This is the text of the event:
<Provider Name="PowerShell" />
<EventID Qualifiers="0">300</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>3</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2024-09-18T16:35:04.0326182Z" />
<EventRecordID>1689</EventRecordID>
<Correlation />
<Execution ProcessID="8792" ThreadID="0" />
<Channel>Windows PowerShell</Channel>
<Computer>Windows-11</Computer>
<Security />
</System>
<Data>Dispositivo non pronto.</Data>
<Data>ProviderName=Microsoft.PowerShell.Core\FileSystem ExceptionClass=IOException ErrorCategory= ErrorId= ErrorMessage=Dispositivo non pronto. Severity=Warning SequenceNumber=13 HostName=ConsoleHost HostVersion=5.1.22621.4111 HostId=df92d23d-43cc-41b4-938f-33a69b1f8380 HostApplication=powershell.exe -ExecutionPolicy Restricted -Command $Res = 0; $Session = New-Object -ComObject Microsoft.Update.Session; $Searcher = $Session.CreateUpdateSearcher(); $Count = $Searcher.GetTotalHistoryCount(); if ($Count -ge 1) { $Updates = $Searcher.QueryHistory(0, $Count); }; if(($Updates | Where-Object {$_.Title -match 'KB5030310'}) -ne $null) { $Res = 1; }; Write-Host 'Final result:', $Res; EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=</Data>
</EventData>
</Event>
Thank you!
The error is "Device not ready" The exception class is IOException. The only explicit "IO" I can see in your code is the use of the "Write-Host".
So, is this being run as a scheduled task? Does the account under which the scheduled task runs have the necessary permission and rights?
The use of the COM object may also be a problem. It has to access your system disk to have access to the data. See the above question about the user account, permissions, and rights.
I'm pretty sure you need administrative rights to use Microsoft.Update.Session. If running from a scheduled task make sure the task is using the "highest rights" option. That account would also need the necessary COM Object Permissions.
It was able to access Microsoft.Update.Session with a non-admin account.
Run this and examine the transcript. If it is the write-host, then I would expect that you would get several errors.
Start-Transcript -Path 'C:\windows\temp\KB-Test.log'
$Res = 0
$look4 = 'KB5030310'
$UpdateSession = New-Object -ComObject 'Microsoft.Update.Session'
$UpdateSearcher = $UpdateSession.CreateUpdateSearcher()
$count = $UpdateSearcher.GetTotalHistoryCount()
Write-Host "We found $count total updates."
if ($Count -ge 1) {
$Updates = $UpdateSearcher.QueryHistory(0,$count)
Write-Host "QueryHistory returned $($updates.count) updates."
$kb = $Updates | Where-Object {$_.Title -match $look4}
if ($kb -eq $null) {
Write-Host "We did not find $look4."
} else {
Write-Host "We found $look4."
$Res = 1
}
}
Write-Host 'Final result:',$res
Stop-Transcript
PowerShell transcript start
Start time: 20240919175116
Username: WINDOWS-11\Piero
RunAs User: WINDOWS-11\Piero
Configuration Name:
Machine: WINDOWS-11 (Microsoft Windows NT 10.0.22631.0)
Host Application: C:\Program Files\WindowsApps\Microsoft.PowerShell_7.4.5.0_x64__8wekyb3d8bbwe\pwsh.dll
Process ID: 11232
PSVersion: 7.4.5
PSEdition: Core
GitCommitId: 7.4.5
OS: Microsoft Windows 10.0.22631
Platform: Win32NT
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1, 6.0, 7.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
WSManStackVersion: 3.0
Transcript started, output file is C:\windows\temp\KB-Test.log
PS C:\Windows\System32> $Res = 0
PS C:\Windows\System32> $look4 = 'KB5030310'
PS C:\Windows\System32> $UpdateSession = New-Object -ComObject 'Microsoft.Update.Session'
PS C:\Windows\System32> $UpdateSearcher = $UpdateSession.CreateUpdateSearcher()
PS C:\Windows\System32> $count = $UpdateSearcher.GetTotalHistoryCount()
PS C:\Windows\System32> Write-Host "We found $count total updates."
We found 167 total updates.
PS C:\Windows\System32> if ($Count -ge 1) {
$Updates = $UpdateSearcher.QueryHistory(0,$count)
Write-Host "QueryHistory returned $($updates.count) updates."
$kb = $Updates | Where-Object {$_.Title -match $look4}
if ($kb -eq $null) {
Write-Host "We did not find $look4."
} else {
Write-Host "We found $look4."
$Res = 1
}
```}
QueryHistory returned 167 updates.
We did not find KB5030310.
PS C:\Windows\System32> Write-Host 'Final result:',$res
Final result: 0
PS C:\Windows\System32> Stop-Transcript
**********************
PowerShell transcript end
End time: 20240919175212
**********************
You're running different versions.
Your image and the text of the error says "HostVersion=5.1.22621.4111".
But your last post has
Host Application: C:\Program Files\WindowsApps\Microsoft.PowerShell_7.4.5.0_x64__8wekyb3d8bbwe\pwsh.dll
Process ID: 11232
PSVersion: 7.4.5
Back to Rich's question; how are you running this script? A scheduled task? Intune? SCCM? Interactively?
Did PS 7.4.5 generate the eventlog record?
Why did you switch from 5.1 to 7.4.5?
Sorry, the event is automatically generated after system startup and I wanted to understand what was causing it!
thanks
What is launching the script?
Why did you change PS versions?
Does PS 7.4.5 also generate the same event that PS 5.1 did?
Are you the network/desktop/server admin who is responsible for managing your environment or are you more of an end user who just happened to see this event and wondered what it was?
Okay, so it's like to be a scheduled task or, more frightening, there's something in the registry that causes a script to run when a local user logs on here: “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run” or here: “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce”
To check your scheduled tasks, try running this PowerShell script (modify the $outcsv value to use a path of your choice
$taskPath = "\" # for example
$outcsv = "c:\junk\taskdef.csv"
Get-ScheduledTask | # Without a -taskpath value, it looks in ALL folders
ForEach-Object {
if ($_.Actions.Arguments -like "*Microsoft.Update.*") {
[pscustomobject]@{
Name = $_.TaskName
Path = $_.TaskPath
LastResult = $(($_ | Get-ScheduledTaskInfo).LastTaskResult)
NextRun = $(($_ | Get-ScheduledTaskInfo).NextRunTime)
Status = $_.State
Command = $_.Actions.execute
Arguments = $_.Actions.Arguments
}
}
} |
Export-Csv -Path $outcsv -NoTypeInformation
Autoruns from sysinternals.com would show all startup entries. But if he's not the admin who developed/administers that script then he really should be talking to his desktop support team.
@MotoX80 They may not know who wrote it either! Stuff like that creeps into the system over time, people forget, or don't want to fess up to the ownership, or any number of other reasons for disavowing any knowledge of the "who" or the "why".
Knowing that it does run was the first step. Discovering how it runs is the second step. Right now, he doesn't even know that! Punishing the innocent will be the last step. :-O
LOL. When my company outsourced the Windows/Unix/Database teams back in 2017, I tried to explain to anyone who would listen that it was a bad idea to throw ALL OF US out on the street, because there was so much institutional knowledge that would be lost. They didn't listen and 5 years later when nothing was getting done and the business units were revolting, they threw out the "3 letter company" who made big promises and had to rebuild their inhouse teams. But hey, thanks for the nice severance package.
https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
Sorry
In fact, the event also occurs when manually starting "Windows PowerShell", from Terminal App not as administrator, while with other versions the problem does not occur.
In app, Terminal there are: Windows PowerShell; Command prompt; PowerShell; and Azure Cloud Shell..
Thanks
There's no way for us to know what configuration change was made by you or someone/something else on your pc.
I think that the best that we can do is to help you try to isolate the issue. Let's start by NOT using the Terminal app and focus just on Powershell.exe first.
Check your settings and verify that you have Windows Console Host set.
Then open a command prompt and just run powershell. Note that the prompt changes to "PS C:>".
Is that enough to generate a 300 event?
What about this?
powershell "write-host 'Hello';exit"
Hi,
in these conditions it always gives me the warning id 300
Thank you
Anything in your profile? Run this in a Powershell prompt. Do any of these files exist and contain any statements?
get-content $profile.AllUsersAllHosts
get-content $profile.AllUsersCurrentHost
get-content $profile.CurrentUserAllHosts
get-content $profile.CurrentUserCurrentHost
This is what it means:
PowerShell 7.4.5
PS C:\Windows\System32> cd\
PS C:\> get-content $profile.AllUsersAllHosts
Get-Content: Cannot find path 'C:\Program Files\WindowsApps\Microsoft.PowerShell_7.4.5.0_x64__8wekyb3d8bbwe\profile.ps1' because it does not exist.
PS C:\> get-content $profile.AllUsersCurrentHost
Get-Content: Cannot find path 'C:\Program Files\WindowsApps\Microsoft.PowerShell_7.4.5.0_x64__8wekyb3d8bbwe\Microsoft.PowerShell_profile.ps1' because it does not exist.
PS C:\> get-content $profile.CurrentUserAllHosts
Get-Content: Cannot find path 'C:\Users\Piero\Documents\PowerShell\profile.ps1' because it does not exist.
PS C:\> get-content $profile.CurrentUserCurrentHost
Get-Content: Cannot find path 'C:\Users\Piero\Documents\PowerShell\Microsoft.PowerShell_profile.ps1' because it does not exist.
PS C:\>
You commented "while with other versions the problem does not occur."
In your last post it says "PowerShell 7.4.5".
Your initial question references Powershell 5.1.
Why do you continue to switch versions?
Which versions of Powershell have the problem? 5.1, 7.4.5, or both?
"$profile" should contain the full path of the current profile. It's just a string value.
I think you meant $PSHOME which would provide the directory name.
I was googling around and found a site that mentioned some NoteProperties that I was not aware of. Since we have no way of knowing what happened on Piero's pc, I thought that it would be good idea to see if any of those files existed and what (if anything) was in them.
$profile
$profile.AllUsersAllHosts
$profile | gm | Where-Object -Property MemberType -eq NoteProperty | ft -Property Name, Definition
@motox80 You're right. I learned something today!
Also interesting: Powershell with the -noprofile switch still shows a profile:
C:\Users\XXXXX\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1
Ditto for pwsh.
There's no such profile file, though.
So, maybe he has no profile files?
I don't know what he has going on. As you pointed out it's an I/O error, but it doesn't indicate which file/cmdlet is causing it. I had hoped that a transcript would show something, but then he ran it with PS7. And he did the same with my request to look for profile files. But the way his comment reads (to me) he only has the problem with PS5.1. So, I do not understand why PS7 is being used at all.
Piero, please reply to my comments dated Sep 23, 2024, 1:58 PM.
This is the output of the command in both versions, however the version that causes problems should be 5.1 which is automatically displayed when the operating system starts.
The thing is that PowerShell versions are automatically installed in the system in Terminal and here I have as per attachment.
Can't uninstall version 5.1??
Thanks
PowerShell 7.4.5
PS C:\Windows\System32> cd\
PS C:\> $profile
C:\Users\Piero\Documents\PowerShell\Microsoft.PowerShell_profile.ps1
PS C:\> $profile.AllUsersAllHosts
C:\Program Files\WindowsApps\Microsoft.PowerShell_7.4.5.0_x64__8wekyb3d8bbwe\profile.ps1
PS C:\> $profile | gm | Where-Object -Property MemberType -eq NoteProperty | ft -Property Name, Definition
Name Definition
---- ----------
AllUsersAllHosts string AllUsersAllHosts=C:\Program Files\WindowsApps\Microsoft.PowerShell_7.4.5.0_x64__8wekyb3d…
AllUsersCurrentHost string AllUsersCurrentHost=C:\Program Files\WindowsApps\Microsoft.PowerShell_7.4.5.0_x64__8weky…
CurrentUserAllHosts string CurrentUserAllHosts=C:\Users\Piero\Documents\PowerShell\profile.ps1
CurrentUserCurrentHost string CurrentUserCurrentHost=C:\Users\Piero\Documents\PowerShell\Microsoft.PowerShell_profile.…
Windows PowerShell
Copyright (C) Microsoft Corporation. Tutti i diritti riservati.
Installa la versione più recente di PowerShell per nuove funzionalità e miglioramenti. https://aka.ms/PSWindows
PS C:\Users\Piero> cd\
PS C:\> $profile
C:\Users\Piero\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1
PS C:\> $profile.AllUsersAllHosts
C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1
PS C:\> $profile | gm | Where-Object -Property MemberType -eq NoteProperty | ft -Property Name, Definition
Name Definition
---- ----------
AllUsersAllHosts string AllUsersAllHosts=C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1
AllUsersCurrentHost string AllUsersCurrentHost=C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_pr...
CurrentUserAllHosts string CurrentUserAllHosts=C:\Users\Piero\Documents\WindowsPowerShell\profile.ps1
CurrentUserCurrentHost string CurrentUserCurrentHost=C:\Users\Piero\Documents\WindowsPowerShell\Microsoft.PowerShell...
Are you having difficulty understanding what I ask? Maybe try using a different English/Italian translation site. Try Google Translate.
These are the statements that I wanted you to run.
You ran them but with version PS 7.4.5 which you've commented does not have a problem.
If you are having a problem with PS 5.1, then when we ask you to run something, please run it in PS 5.1.
I am going out of town for a few days. Maybe Rich can help you.
Version 5.1 is actually Windows PowerShell.
I try to reinstall the previous version of windows
Sorry.
Windows PowerShell
Copyright (C) Microsoft Corporation. Tutti i diritti riservati.
Installa la versione più recente di PowerShell per nuove funzionalità e miglioramenti. https://aka.ms/PSWindows
PS C:\Users\Piero> get-content $profile.AllUsersAllHosts
get-content : Impossibile trovare il percorso 'C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1' perché non
esiste.
In riga:1 car:1
+ get-content $profile.AllUsersAllHosts
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (C:\Windows\Syst...1.0\profile.ps1:String) [Get-Content], ItemNotFoundEx
ception
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetContentCommand
PS C:\Users\Piero> get-content $profile.AllUsersCurrentHost
get-content : Impossibile trovare il percorso
'C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1' perché non esiste.
In riga:1 car:1
+ get-content $profile.AllUsersCurrentHost
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (C:\Windows\Syst...ell_profile.ps1:String) [Get-Content], ItemNotFoundEx
ception
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetContentCommand
PS C:\Users\Piero> get-content $profile.CurrentUserAllHosts
get-content : Impossibile trovare il percorso 'C:\Users\Piero\Documents\WindowsPowerShell\profile.ps1' perché non
esiste.
In riga:1 car:1
+ get-content $profile.CurrentUserAllHosts
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (C:\Users\Piero\...ell\profile.ps1:String) [Get-Content], ItemNotFoundEx
ception
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetContentCommand
PS C:\Users\Piero> get-content $profile.CurrentUserCurrentHost
get-content : Impossibile trovare il percorso
'C:\Users\Piero\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1' perché non esiste.
In riga:1 car:1
+ get-content $profile.CurrentUserCurrentHost
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (C:\Users\Piero\...ell_profile.ps1:String) [Get-Content], ItemNotFoundEx
ception
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetContentCommand
What do you mean by "version 7.4.5 also no longer works properly"? What specifically does not work?
It appears that KB5043145 has multiple problems. If you installed the "preview", then you might want to uninstall it and wait for the general release of that patch.
https://www.bing.com/search?pglt=41&q=KB5043145
In looking at what you posted, the fact that those files do not exist in either version is OK. That just means that whatever is causing your event ID 300 is somewhere else.
Have you ever used Process Monitor?
https://learn.microsoft.com/en-us/sysinternals/downloads/procmon
I think I see where some of this confusion is coming from. If you have both Windows PowerShell (versions earlier than 6.0), and PowerShell (versions later than 6.0), you may be running PowerShell version 7.x.x when you click on the "Windows PowerShell" icon in the start menu. To verify this, go ahead and use the "start" menu and when the PowerShell window opens, type $PSVERSIONTABLE.PSVersion. Is the "Major" value "5" or "7"?
If it's "5" your profiles are in a different location ("WindowsPowershell") instead of the "PowerShell" subdirectory.
When you have both versions of PowerShell installed it's always a good thing to include the $PSVersiontable.PSVersion output somewhere in your comments.
Just to recap:
Does the problem occur if, when logged on as a normal user, you use "Run as administrator" to start Windows PowerShell 5.1?
After removing the latest windows update: To recap, the problem occurs randomly when starting the operating system and the one listed is in the event log with id:300, while the error occurs even when manually starting the 5.1 version of Windows PowerShell both as administrator and not! Event View:
"HostVersion=5.1.22621.4111
HostId=da9b1bfe-0ec4-495e-b9b9-52d8f48caece
HostApplication=C:\WINDOWS\System32*WindowsPowerShell\v1.0*\powershell.exe
EngineVersion=
RunspaceId=
PipelineId="
I found this.
Were you doing anything with certificates? Did you get any other errors related to certificates?
Check the Application and System eventlogs and look for errors related to certificates.
What do you get when you run this in PS 5.1?
Get-ChildItem cert: | Format-List *
Do you get any errors when you run this in 5.1?
Get-ChildItem cert: -recurse | Format-Table -Property PSChildName, FriendlyName
Hi,
"Were you doing anything with certificates? Did you get any other errors related to certificates?": No
"What do you get when you run this in PS 5.1?" I only get the id300 error when I start the app.
Than you
Installa la versione più recente di PowerShell per nuove funzionalità e miglioramenti. https://aka.ms/PSWindows
PS C:\Users\Piero> Get-ChildItem cert: | Format-List *
PSPath : Microsoft.PowerShell.Security\Certificate::CurrentUser
PSParentPath :
PSChildName : CurrentUser
PSDrive : Cert
PSProvider : Microsoft.PowerShell.Security\Certificate
PSIsContainer : True
LocationName : CurrentUser
Location : CurrentUser
StoreNames : {TrustedPublisher, ClientAuthIssuer, Root, UserDS...}
PSPath : Microsoft.PowerShell.Security\Certificate::LocalMachine
PSParentPath :
PSChildName : LocalMachine
PSDrive : Cert
PSProvider : Microsoft.PowerShell.Security\Certificate
PSIsContainer : True
LocationName : LocalMachine
Location : LocalMachine
StoreNames : {TestSignRoot, ClientAuthIssuer, OemEsim, Root...}
PS C:\Users\Piero> Get-ChildItem cert: -recurse | Format-Table -Property PSChildName, FriendlyName
PSChildName FriendlyName
----------- ------------
CurrentUser
TrustedPublisher
ClientAuthIssuer
Root
7E962C6E12ABFA40513C1E3E5598557500439744
CDD4EEAE6000AC7F40C3802C171E30148030C072 Microsoft Root Certificate Authority
BE36A4562FB2EE05DBB3D32323ADF445084ED656 Thawte Timestamping CA
A43489159A520F0D93D032CCAF37E7FE20A8B419 Microsoft Root Authority
92B46C76E13054E104F230517E6E504D43AB10B5
8F43288AD272F3103B6FB1428485EA3014C0BCFE Microsoft Root Certificate Authority 2011
7F88CD7223F3C813818C994614A89C99FA3B5247 Microsoft Authenticode(tm) Root
3B1EFD3A66EA28B16697394703A72CA340A05BD5 Microsoft Root Certificate Authority 2010
31F9FC8BA3805986B721EA7295C65B3A44534274 Microsoft ECC TS Root Certificate Authority 2018
245C97DF7514E7CF2DF8BE72AE957B9E04741E85 Microsoft Timestamp Root
18F7C1FCC3090203FD5BAA2F861A754976C8DD25 VeriSign Time Stamping CA
06F1AA330B927B753A40E68CDF22E34BCBEF3352 Microsoft ECC Product Root Certificate Authority 2018
0119E81BE9A14CD8E22F40AC118C687ECBA3F4D8 Microsoft Time Stamp Root Certificate Authority 2014
F373B387065A28848AF2F34ACE192BDDC78E9CAC Actalis Authentication Root CA
E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46 Sectigo (UTN Object)
DF717EAA4AD94EC9558499602D48DE5FBCF03A25 IdenTrust Commercial Root CA 1
DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 DigiCert Global Root G2
DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212 GeoTrust Global CA
DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 DigiCert Trusted Root G4
DAC9024F54D8F6DF94935FB1732638CA6AD77C13 DST Root CA X3
D69B561148F01C77C54578C10926DF5B856976AD GlobalSign Root CA - R3
D4DE20D05E66FC53FE1A50882C78DB2852CAE474 DigiCert Baltimore Root
D3DD483E2BBF4C05E8AF10F5FA7626CFD3DC3092 Certum Trusted Network CA 2
D1EB23A46D17D68FD92564C2F1F1601764D8E349 Sectigo (AAA)
D1CBCA5DB2D52A7F693B674DE5F05A1D0C957DF0 Sectigo ECC
CABD2A79A1076A31F21D253635CB039D4329A5E8 ISRG Root X1
CA3AFBCF1240364B44B216208880483919937CF7 QuoVadis Root CA 2
B7AB3308D1EA4477BA1480125A6FBDA936490CBB SSL.com Root Certification Authority RSA
B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E Starfield Root Certificate Authority – G2
B31EB1B740E36C8402DADC37D44DF5D4674952F9 Entrust
B1BC968BD4F49D622AA89A81F2150152A41D829C GlobalSign Root CA - R1
AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4 Sectigo (formerly Comodo CA)
AD7E1C28B064EF8F6003402014C3D0E3370EB58A Starfield Class 2 Certification Authority
A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 DigiCert
8CF427FD790C3AD166068DE81E57EFBB932272D4 Entrust.net
8782C6C304353BCFD29692D2593E7D44D934FF11 Trustwave
8094640EB5A7A1CA119C1FDDD59F810263A7FBD1 GlobalSign Root CA - R6
7E04DE896A3E666D00E687D33FFAD93BE83D349E DigiCert Global Root G3
75E0ABB6138512271C04F85FDDDE38E4B7242EFE Google Trust Services - GlobalSign Root CA-R2
743AF0529BD032A0F44A83CDD4BAA97B7C2EC49A SSL.com EV Root Certification Authority RSA R2
742C3192E607E424EB4549542BE1BBC53E6174E2 VeriSign Class 3 Public Primary CA
73A5E64A3BFF8316FF0EDCCC618A906E4EAE4D74 Microsoft RSA Root Certificate Authority 2017
627F8D7827656399D27D7F9044C9FEB3F33EFA9A thawte
6252DC40F71143A22FDE9EF7348E064251B18118 Certum
5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 DigiCert
5F3B8CF2F810B37D78B4CEEC1919C37334B9C774 SECOM Trust Systems Co Ltd.
5EEED86FA37C675230642F55C84DDBF67CD33C80 DigiCert CS RSA4096 Root G5
590D2D7D884F402E617EA562321765CF17D894E9 T-TeleSec GlobalRoot Class 2
503006091D97D4F5AE39F7CBE7927D7D652D3431 Entrust (2048)
4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 VeriSign
47BEABC922EAE80E78783462A79F45C254FDE68B Go Daddy Root Certificate Authority – G2
3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F StartCom Certification Authority
36B12B49F9819ED74C9EBC380FC6568F5DACB2F7 SECOM Trust Systems CO LTD
3679CA35668772304D30A5FB873B0FA77BB70D54 VeriSign Universal Root Certification Authority
2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E Sectigo
2A1D6027D94AB10A1C4D915CCD33A0CB3E2D54CB GTS Root R4
2796BAE63F1801E277261BA0D77770028F20EEE4 Go Daddy Class 2 Certification Authority
23E594945195F2414803B4D564D2A3A3F5D88B8C thawte
1F24C630CDA418EF2069FFAD4FDD5F463A1B69AA GlobalSign ECC Root CA - R5
07E032E020B72C3F192F0628A2593A19A70F069E Certum Trusted Network CA
0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 DigiCert
02FAF3E291435468607857694DF5E45B68851868 Sectigo (AddTrust)
My last suggestion is my favorite troubleshooting tool.
https://learn.microsoft.com/en-us/sysinternals/downloads/procmon
Process Monitor will capture a low level trace of all file, network, and registry calls being made on your pc. You will need to analyze the trace and look for something wrong. It will not produce a nice "here is your problem" output. But it will give us a good idea of what Powershell is doing.
If you are willing to share the .pml trace file on Dropbox or some other internet file sharing site, I can take a look at it.
The first thing you want to do is use the Filter menu and add an entry for "process name is powershell.exe".
The 2 key icons are the square box that will start/stop the capture, and the red trash can to clear the trace.
After you have added the filter entry, you will want to do this sequence.
Clear the trace by click in the red trash can icon.
Run powershell to recreate the problem.
Stop the trace by clicking on the square icon.
It should look like this.
Note the record count in the lower left. The count should not be incrementing.
In the Result and Detail columns, look for something that might indicate a "Device not ready" status.
Note that a result of "Access denied" and "NOT FOUND" do not necessarily indicate a problem, but do warrant some attention.
If you can't find anything and can't share the .PML trace file, then my recommendation is to just ignore the event ID 300 errors.
Hi,
I hope I succeeded...
Thank you
https://drive.google.com/file/d/1IWra_QZF9U8FMDWcQvlFwLTdy7HFiGty/view?usp=drive_link
No access to the link. Can you set that to anyone can view?
it was for privacy.
ok done!
The only unusual I/O exception that I could find is this one.
I traced PS on my Win11 laptop and I see similar I/O. The 3 non-success events, in yellow, match up. But my PS does a QueryEAFile call where yours does not.
I don't know if setting your TEMP environment variable to point to the E: drive is causing this or not. Try putting it back to C: and see if that eliminates the event.
Open a command prompt and test like this.
set temp=c:\windows\temp
set tmp=c:\windows\temp
powershell.exe "1+1;$env:temp;$env:tmp"
That will temporarily override the variables and point temp back to the C: drive. The result should look like this.
C:\>powershell "1+1;$env:temp;$env:tmp"
2
c:\windows\temp
c:\windows\temp
See what that does.
Sorry for the delay in responding, but I didn't notice your intervention, however I followed your instructions from the prompt, but the event is still created at startup and I noticed that the variables remain as I had previously set them...
Any other suggestions?
Thanks
I noticed that the variables remain as I had previously set them...
I didn't ask you to permanently change the variables, just temporarily for one cmd session. The set command only applies to that window. It's not permanent.
Open 2 command prompt windows.
In one of them, copy and paste those 3 statements. Then look in the eventlog to see if it generated a 300 event.
In the second window just paste in a slightly different powershell statement. It should show you that temp points to your E: drive. Then look in the eventlog to see if it generated a 300 event. Which command line did it log? Both 1+1 and 2+2?
This is the result and applying the command one at a time highlights the eventi in both !
I think that someone reviews posts because it takes longer for replies to show up on weekends. I see that my comment is now showing.
highlights the eventi in both !
What does that mean? What 300 events do you see?
Yes, in both!
I have no idea what your pc is doing. My suggestion at this point is to just ignore those events.
Maybe they will go away at some point.
@MotoX80 Would you post the contents of your $PSVersionTable?
@Piero Would you do the same?
I'm interested in the build number of PS 5.
A few years ago, there was a problem that involved the QueryEAFile call that was resolved in later builds. That probably why it doesn't appear to be a problem in PowerShell 7.
It starts with PowerShell creating a PSScriptPolicyTest file (with additional ornamentation to make the name unique each time). PowerShell then tries to run that file. If it runs, PowerShell assumes that AppLocker is disabled or isn't installed and runs in "Full language" mode. If it fails to run, PowerShell runs in "Constrained" mode.
The original problem was that the file contained only one character: "1". That caused AV software (including MS Defender) to block the file. Later builds of PS changed the contents of the file to something less likely to trigger a reaction from AV software.
If you're using MS Defender you may find "'SuspiciousScriptDrop' malware was prevented" in the errors reported there.
https://github.com/PowerShell/PowerShell/issues/24217
Now, that "IOError" may be caused by the "E:" drive. Is it a USB device? A networked device? If so, it may simply be unavailable (i.e., "asleep"). But there should be an error logged in the System event log that roughly corresponds to the "300" event.
I haven't looked for the PS build that stopped the AV detection problem. But looking for the words PSScriptPolicyTest and QueryEAFile (and maybe AppLocker) might turn it up.
Win 11 23H2 22631.4317
Name Value
---- -----
PSVersion 5.1.22621.4249
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.22621.4249
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
Patches excluding Security Intelligence Updates.
Date Title
---- -----
10/25/2024 9:29:40 AM Intel - System - 2406.5.5.0
10/8/2024 7:07:39 PM Windows Malicious Software Removal Tool x64 - v5.129 (KB890830)
10/8/2024 7:04:11 PM 2024-10 Cumulative Update for Windows 11 Version 23H2 for x64-based Systems (KB5044285)
10/8/2024 6:46:52 PM 2024-10 Cumulative Update for .NET Framework 3.5 and 4.8.1 for Windows 11, version 23H2 for x6...
10/8/2024 5:57:27 PM Visual Studio 2022 version 17.11.5 security update
10/8/2024 5:36:13 PM 2024-10 .NET 6.0.35 Security Update for x64 Client (KB5045998)
9/16/2024 8:22:13 PM Update for Microsoft Defender Antivirus antimalware platform - KB4052623 (Version 4.18.24080.9...
9/16/2024 8:06:51 PM Dell, Inc. - Firmware - 0.1.31.0
9/10/2024 7:09:57 PM Windows Malicious Software Removal Tool x64 - v5.128 (KB890830)
9/10/2024 7:07:54 PM 2024-09 Cumulative Update for Windows 11 Version 23H2 for x64-based Systems (KB5043076)
9/10/2024 6:39:50 PM Visual Studio 2022 version 17.11.3 security update
9/3/2024 10:42:53 AM Intel Corporation - Display - 31.0.101.5333
9/1/2024 8:37:36 AM 2024-08 Cumulative Update Preview for Windows 11 Version 23H2 for x64-based Systems (KB5041587)
I think the last PowerShell build that had the problem (or maybe it was the build at which the problem stopped) was19042. That build was released on 1 Sep 2021.
You and I are running 10.0.22621.4249 (release date 24 Jun 2022).
There's no need to check any patches. This looks to be a problem between PowerShells' way of checking for AppLocker and the AV softwares' objection to the way that check was done. The I/O error may just be the failure induced by the AV blockage of the file.
Since the new way of checking for AppLocker is a file that contains only a comment consisting of a longer set of fixed characters followed by a date/time stamp, the AV no longer sees the check as a malware drop.
Windows 11 Pro 23H2 22631.4391
Name Value
---- -----
PSVersion 5.1.22621.4391
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.22621.4391
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
We'll see.
Thank you so much for your patience.
Bye