Share via

PowerShell creating random ps1 scripts in Windows Temp

Anser Leon 41 Reputation points
2025-05-14T14:56:57.75+00:00

Hi,

One of my Windows 2016 servers randomly starts to create randomly-named PS1 files under the C:\Windows\Temp folder. It does it constantly.

Security software tracks down these and blocks them, but it says that it was generated by SYSTEM initiated by Powershell.

I have reserached vastly and I have not found this as a normal Windows behavior.

I have attached a sample screenshot of the generated screenshots.

Does anyone know what generates these and what function does it have? Is this normal Windows behavior?

Random PS1 Screenshot.png

Windows for business Windows Server User experience Other
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. MotoX80 36,291 Reputation points
    2025-05-14T19:26:53.08+00:00

    Download and run Process Monitor.

    https://learn.microsoft.com/en-us/sysinternals/downloads/procmon

    Start the trace and let it run until you capture the event.

    Double click on a Powershell event and note the command line and the parent PID.

    User's image

    In task manager, in the Details and Services tabs, look for the parent PID. That will tell you the process that launched Powershell.

    Does your security software give you the ability to quarantine any of the these .ps1 files so that you could use notepad and take a look at their contents?

    You can then add a filter for "path contains c:\windows\temp" and see if any other processes are doing something with temp files.

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.