Powershell block

Thread starter: ForgottenSeer 69673
Status
Not open for further replies.

ForgottenSeer 69673

Thread author
This morning when I woke my computer up, I had my first PowerShell block since running AppGuard. I was in shadow mode at the time. I know I should have made a screenshot of the block and saved it to a USB stick, but didn't. I rebooted out of caution.
 

shmu26

This morning when I woke my computer up, I had my first PowerShell block since running AppGuard. I was in shadow mode at the time. I know I should have made a screenshot of the block and saved it to a USB stick, but didn't. I rebooted out of caution.
I see PowerShell actions every once in a while on Windows 10; they are usually from default Windows maintenance tasks that don't do anything important. They can also be for an update to a Windows universal app.
 

509322

This morning when I woke my computer up, I had my first PowerShell block since running AppGuard. I was in shadow mode at the time. I know I should have made a screenshot of the block and saved it to a USB stick, but didn't. I rebooted out of caution.

Unless you have some specific need to use PowerShell, it is a well-established best security practice to disable PowerShell. Disabling unneeded, high-risk, often-abused-by-malware-and-other-malicious-attack processes (such as PowerShell) is one of the primary purposes of an SRP like AppGuard. Some would argue it is SRP's raison d'être = most important purpose.
 

ForgottenSeer 69673

Thread author
Unless you have some specific need to use PowerShell, it is a well-established best security practice to disable PowerShell. Disabling unneeded, high-risk, often-abused-by-malware-and-other-malicious-attack processes (such as PowerShell) is one of the primary purposes of an SRP like AppGuard. Some would argue it is SRP's raison d'être = most important purpose.

I have had it blocked by AppGuard for a long time.
(attached screenshot: ScreenHunter_108 May. 28 14.12.jpg)
(attached screenshot: ScreenHunter_109 May. 28 14.12.jpg)

ForgottenSeer 69673

Thread author
On a side note, I hate it when I boot up my PC not connected to the internet and AppGuard can't validate my license, so it is not usable again until I reboot while connected to the internet.
 

509322

On a side note, I hate it when I boot up my PC not connected to the internet and AppGuard can't validate my license, so it is not usable again until I reboot while connected to the internet.

It should not do that unless it has been 25 days since you last connected to the internet; AppGuard 5.X needs to validate the license once every 25 days or it will eventually deactivate. AppGuard Professional 4.X does not require this verification and therefore the license should not be disabled if there is no active network.

If you are having issues, then report it to AppGuard@BlueRidge.com.
 

ForgottenSeer 69673

Thread author
Just a little update. Like I mentioned before, this blocking started yesterday and I have never had it before. Today it seems to be happening every 20 min. Wish I knew what is starting PowerShell up.
(attached screenshot: ScreenHunter_111 May. 29 09.45.jpg)
 

509322

Just a little update. Like I mentioned before, this blocking started yesterday and I have never had it before. Today it seems to be happening every 20 min. Wish I knew what is starting PowerShell up.

In Shadow Mode, allow PowerShell to launch and use Process Explorer to check the parent. Most commonly the parent is services.exe or svchost.exe. Once you determine the parent, then you can simply reboot the system and it will revert.
 

ForgottenSeer 69673

Thread author
If it is happening every 20 mins, then use Process Explorer or Process Hacker to see what is launching PowerShell. When PowerShell launches, double-click on it in Process Explorer\Hacker and the window that opens will list a parent. Most commonly the parent is services.exe or svchost.exe.

If AppGuard is blocking it, will it even show up in Process Explorer?
 

shmu26

I edited the instructions above. Alternatively, you could try different command-line loggers. The one that works the best is SpyShelter's.
NVT ProcLogger is good, too. It's no more than a quiet little driver that makes detailed logs; most of the time you can just forget about it, until something happens, and then you check the log. But, like @ticklemefeet said, it won't log a process that was blocked from running in the first place.
 

509322

NVT ProcLogger is good, too. It's no more than a quiet little driver that makes detailed logs; most of the time you can just forget about it, until something happens, and then you check the log. But, like @ticklemefeet said, it won't log a process that was blocked from running in the first place.

Some command-line loggers will fully log what was blocked while others will not. SpyShelter's does...
 

509322

I have had it blocked by AppGuard for a long time.

Making all those individual rules for each file path is not necessary.

Create c:\windows\*\powershell.exe or c:\*powershell* instead.

Use UltraSearch to locate processes in all file paths and use the * wildcard to create a single file path in AppGuard. Disable stuff judiciously. If you are not careful, then you can brick your system. Someone once disabled winlogon.exe and similar...
 

ForgottenSeer 69673

Thread author
Dang, this is bugging me. I put AppGuard in install mode while in shadow mode, cranked up Process Explorer, waited 20 min,
and took a screenshot of svchost.exe, which had PowerShell under it plus 3 others under that. One I was not familiar with.
I was then going to save the screenshot before rebooting out of shadow mode. Neither IE nor Edge would open. Then I was going to copy the screenshot to a USB stick, and then my system became so slow I couldn't even open Task Manager, so I did a hard shutdown and started up out of shadow mode. Not sure what I should do now except keep blocking it.
I don't use VirtualBox any more, so that option is out.
 
ForgottenSeer 69673

Thread author
If SpyShelter requires a reboot, I can't use it while in shadow mode. Unless I could put AppGuard in install mode, install SpyShelter, reboot, and put AppGuard back in lockdown during the 20 min. And if my system gets borked again, I won't be able to use SpyShelter anyway.
 

509322

If SpyShelter requires a reboot, I can't use it while in shadow mode. Unless I could put AppGuard in install mode, install SpyShelter, reboot, and put AppGuard back in lockdown during the 20 min.

In Shadow Mode, disable AppGuard and watch in Process Explorer until PowerShell executes. Then, like I said, double-click on it and find its parent. If it executes and terminates too quickly, then you will have to install a commandline logger on your real system.
 
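As an added example (not from the thread, AppGuard or Process Explorer), this is how the same question, what is starting powershell.exe, can be answered from PowerShell itself: it lists scheduled tasks whose action runs powershell.exe (the usual source of a launch every 20 minutes) and subscribes to WMI process-creation events so that even a PowerShell instance that exits within a second is logged with its parent chain and command line. It assumes an elevated Windows PowerShell 5.1 session on a machine where AppGuard is currently allowing PowerShell to run (e.g. disabled while in Shadow Mode, as suggested above); the log file path is my own choice.

```powershell
# Added example, not from the thread. Requires an elevated Windows PowerShell 5.1
# session with AppGuard currently allowing PowerShell (e.g. disabled in Shadow Mode).

# 1) Scheduled tasks whose action runs powershell.exe. A launch every 20 minutes
#    is typical of a task trigger, so check these first.
function Get-PowerShellTasks {
    Get-ScheduledTask | Where-Object {
        $_.Actions | Where-Object { $_.Execute -match 'powershell' }
    } | ForEach-Object {
        $info = $_ | Get-ScheduledTaskInfo
        [pscustomobject]@{
            Task    = "$($_.TaskPath)$($_.TaskName)"
            State   = $_.State
            LastRun = $info.LastRunTime
            NextRun = $info.NextRunTime
            Command = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        }
    }
}

Get-PowerShellTasks | Sort-Object NextRun | Format-Table -AutoSize

# 2) Watch for new powershell.exe processes via a WMI creation event. The event
#    carries a copy of the process object, so parent PID and command line are
#    captured even if the process has already exited by the time we look.
$logFile = "$env:USERPROFILE\Desktop\powershell-launches.log"   # assumed path
$query = "SELECT * FROM __InstanceCreationEvent WITHIN 1 " +
         "WHERE TargetInstance ISA 'Win32_Process' " +
         "AND TargetInstance.Name = 'powershell.exe'"

Register-CimIndicationEvent -Query $query -SourceIdentifier PsLaunchWatch `
    -MessageData $logFile -Action {
    $proc  = $Event.SourceEventArgs.NewEvent.TargetInstance
    # Walk up the ancestry (parent, grandparent, ...) while those processes still exist.
    $chain = @()
    $ppid  = $proc.ParentProcessId
    for ($i = 0; $i -lt 5 -and $ppid; $i++) {
        $anc = Get-CimInstance Win32_Process -Filter "ProcessId = $ppid"
        if (-not $anc) { $chain += "[$ppid exited]"; break }
        $chain += "$($anc.Name)[$ppid]"
        $ppid = $anc.ParentProcessId
    }
    $line = "{0} powershell.exe[{1}] parents: {2} | cmd: {3}" -f `
        (Get-Date -Format s), $proc.ProcessId, ($chain -join ' <- '), $proc.CommandLine
    Add-Content -Path $Event.MessageData -Value $line
}
# Leave this session open while waiting; stop with:
#   Unregister-Event -SourceIdentifier PsLaunchWatch
```

A parent of svchost.exe or services.exe, as noted above, usually points at a scheduled task or service; the task list from step 1 and the command line in the log together identify which one.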