This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(252.8, 31%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENK%3C/text%3E%3C/svg%3E)
Hello ther...
I ran kansa framework on one of my VMs and it reported powershell profiles related to many users. The profiles created for all users are there in their respective Documents folders. But I saw 3 more profiles related to network services, local services and local system. Below are the locations:
Plz explain the relevenace and reason of existence of these profiles. Also, can these profiles be helpful in detecting if any adversary has used powershell for malicious purposes? Also if I have to find all the profiles, what command should I run on the system?
Hi @Naveen krishali ,
Did the answer work for you? Are there any additional questions to this topic?
If you found the answer helpful, it would be great if you please mark it "Accept as answer". This will help others to find answers in Q&A
Regards
Andreas Baumgarten
Hi @Naveen krishali ,
About PowerShell profiles:
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-7.1
The presence of a PowerShell profile is not necessarily an indication of anomalies.
To find all PowerShell profiles on your disk maybe this helps:
# Search in drive C:
Get-Childitem –Path C:\ -Include Microsoft.Powershell_profiles.ps1 -File -Recurse -ErrorAction SilentlyContinue
----------
(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)
Regards
Andreas Baumgarten
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 94%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EIX%3C/text%3E%3C/svg%3E)
Hi,
You can find the paths of the PowerShell profiles available in the current session in $PROFILE.
$PROFILE | select *
For the details of the profiles you may refer to the below links
Understanding the Six PowerShell Profiles
About Profiles
Best Regards,
Ian Xue
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.