This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
While i was playing i saw what looks like a cmd window open and close immediately but i managed to get a screenshot of it. Looking online i barely found any information about it, and i got a bit worried so im making this.
I have never had this happend to me.
I first went to task scheduler to see if there were any tasks that might be suspicious but to no avail. Next i went to the sytem32 folder and searched "SecureBootEncode" and found the .exe and 3 files located in "System32\Tasks\Microsoft\Windows\PI", the files are "SecureBootEncodeUEFI", "Secure-Boot-Update" and "Sqm-Tasks", with no extensions and File type of "File".
I tried to search for the same things on my laptop instead, but i didn't found the .exe, only 2 out of the 3 files, "Secure-Boot-Update" and "Sqm-Tasks".
I tried opening the files in Notepad++ but only "SecureBootEncodeUEFI" could be opened, in XML format, and it looks like a task but with no set trigger.
My Questions are: are all these legit? and what are they exactly? I know they are something related to Secure Boot but i dont know what.
System Info:
Windows 11 version 22H2
Ryzen 5 3600
Nvidia GeForce GTX 1650
8GB DDR4 RAM
If it helps i also have PowerToys installed and UEFI is enabled along with TPM.
This is my first time writing here so apologies if this isn't in the correct topics or i got something wrong.
Images:
Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.
For those interested, see this blog post for how to log Console Window Creation Events (4688) in the Windows Event Viewer, complete with the full command invocation. With this logging enabled you won't have to race to grab a screenshot of the short-lived window.
I haven't noticed this with the recent Windows Update, so either our corporate overlords have fixed this silently without any confirmation or the attacking entity has gotten everything they were looking for. Or both. 🤷♂️
This does not happen on all PCs. There is an assumption that this occurs only in the absence of TPM
FWIW I do not have PowerToys installed so we can rule that out.
I for one definitely appreciate you chiming in @vn and keeping this thread alive. It's very concerning we have not heard anything from anyone at Microsoft about this.
Well done for grabbing a screenshot of it... All in the reflexes :)
I've been trying to catch that annoying little pop-up window for a while but I would always see it happen out of the corner of my eye, opening and closing too quickly for me to catch its name.
It's hard to look for help when you can't even put a name to your pain. Was getting to thinking I'd have to install some software to record my desktop and catch it that way.
"Luckily" it just happened again while I was working on a Reason project and I guess my PC was busier than usual because this time the window lingered on-screen long enough for me to read what it was.
SecureBootEncodeUEFI.exe, I have you now...
Looks like another thread here on Microsoft Learn, for awareness: https://learn.microsoft.com/en-us/answers/questions/1286247/securebootencodeuefi-exe-keeps-opening-a-shell-win
