Powershell block

  • Thread starter ForgottenSeer 69673

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
If Spyshelter requires a reboot I can't use it while in shadow mode. Unless I could put Appguard in install mode, install Spyshelter, reboot and put Appguard back in lockdown during the 20 min. And if my system gets borked again I won't be able to use Spyshelter anyway.
Spyshelter requires a reboot. If I was you, I would take a system image, and then install spyshelter firewall trial version or other logging program.
 
ForgottenSeer 69673

Thread author
Ya I might have to go back to an older image. This is really odd. Looks to me like an infection but not sure I could have got it.
Are there any logging programs that do not require a reboot? And are easy to use? I do remember the last item listed under powershell was dismhost.
 
509322

Thread author
Ya I might have to go back to an older image. This is really odd. Looks to me like an infection but not sure I could have got it.
Are there any logging programs that do not require a reboot? And are easy to use? I do remember the last item listed under powershell was dismhost.

If you keep treating it like an infection, then you are not going to get the information you seek because you aren't willing to do the things that are required to obtain that information. That's what is happening here. In the end, you will more than likely find out that PowerShell's parent is services.exe and is running in the background as a scheduled task.

Otherwise open a Malware Removal Assistance thread - because if it is an infection - your system is already compromised and requires remediation. Shadow Mode is not stopping anything... your system is compromised. When you reboot the system, it is still compromised.
 
ForgottenSeer 69673

Thread author
Appguard is still blocking powershell but I can't get process explorer to see it anymore when Appguard is in install mode in shadow mode and Spyshelter is not logging. Wondering now if it doesn't execute while in shadow mode.
 
509322

Thread author
Appguard is still blocking powershell but I can't get process explorer to see it anymore when Appguard is in install mode in shadow mode and Spyshelter is not logging. Wondering now if it doesn't execute while in shadow mode.

On Windows 10 it is probably a background scheduled task (image courtesy of another AppGuard user). As you can see, the parent is svchost.exe:

[image: powershell block.png]

If you give it enough time, it will eventually run on your real system. For whatever reason(s), it could be - as you suspect - being triggered to run in Shadow Mode. Shadow Mode sufficiently changes the image to the extent that it has been known that some software would deactivate when Shadowed. So there is a technical explanation, but for the precise answer you would have to ask Tony as only he knows his soft well enough.
 
ForgottenSeer 69673

Thread author
On Windows 10 it is probably a background scheduled task (image courtesy of another AppGuard user). As you can see, the parent is svchost.exe:

[image: attachment 189604]

If you give it enough time, it will eventually run on your real system. For whatever reason(s), it could be - as you suspect - being triggered to run in Shadow Mode. Shadow Mode sufficiently changes the image to the extent that it has been known that some software would deactivate when Shadowed. So there is a technical explanation, but for the precise answer you would have to ask Tony as only he knows his soft well enough.
The problem is it doesn't run in shadow mode and if it does Process Explorer and Spyshelter never see it.
 
509322

Thread author
The problem is it doesn't run in shadow mode and if it does Process Explorer and Spyshelter never see it.

Then you have to let it run on your real system. You have to wait until you see PowerShell launch.

You can look in the Event Viewer > Application Logs > Windows PowerShell for PowerShell launches.

You can use timestamps from logs to cross reference.

If you wish, you can search Task Scheduler for a task that launches PowerShell.
 
ForgottenSeer 69673

Thread author
I have not had a block yet today without being in shadow mode but I do have some logs of powershell in event viewer.

Here is an example of one.

Registry

Started

ProviderName=Registry NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=5.1.17134.81 HostId=03af081c-e0f5-4efd-a4c9-ed13b8658481 HostApplication=C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Unrestricted -NonInteractive -NoProfile -WindowStyle Hidden & C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\SmbShare\DisableUnusedSmb1.ps1 -Scenario Client EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=
 
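An added example (editor's code, not from the thread and not AppGuard's or Microsoft's) that scripts the Event Viewer / Task Scheduler procedure suggested above and parses the same Key=Value message format as the event pasted here: it pulls engine-start events from the Windows PowerShell log, extracts the HostApplication command line, flags hidden or unrestricted launches, and lists scheduled tasks whose action runs powershell.exe so the timestamps can be cross-referenced. Assumptions: an elevated prompt on Windows 10; the $Hours lookback parameter is ours.

```powershell
# Added example: correlate PowerShell engine starts with scheduled tasks.
# Assumption: elevated PowerShell on Windows 10; $Hours is our own parameter.
param([int]$Hours = 24)

$since = (Get-Date).AddHours(-$Hours)

# Event 400 is logged once per engine start and carries the same Key=Value
# block (HostName=, HostApplication=, ...) as the provider-start event (600)
# quoted in the thread, so the same parsing applies to both.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Windows PowerShell'
    Id        = 400
    StartTime = $since
} -ErrorAction SilentlyContinue

$launches = foreach ($e in $events) {
    # HostApplication runs up to the next key, EngineVersion=, which sits on
    # the following line of the message; '.' does not cross newlines here.
    if ($e.Message -match 'HostApplication=(?<cmd>.+?)\s+EngineVersion=') {
        $cmd = $Matches['cmd']
        [pscustomobject]@{
            Time         = $e.TimeCreated
            Hidden       = $cmd -match '-WindowStyle\s+Hidden'
            Unrestricted = $cmd -match '-ExecutionPolicy\s+(Unrestricted|Bypass)'
            Command      = $cmd
        }
    }
}

$launches | Sort-Object Time | Format-Table Time, Hidden, Unrestricted, Command -AutoSize -Wrap

# Scheduled tasks that launch powershell.exe: the usual parent when the
# launch shows up under svchost.exe / services.exe with nobody logged in.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if ($action.Execute -match 'powershell') {
            $info = $task | Get-ScheduledTaskInfo
            [pscustomobject]@{
                Task        = $task.TaskPath + $task.TaskName
                LastRunTime = $info.LastRunTime
                Command     = "$($action.Execute) $($action.Arguments)"
            }
        }
    }
} | Sort-Object LastRunTime -Descending | Format-Table -AutoSize -Wrap
```

A task whose LastRunTime matches an engine-start Time is the launch's parent; a hidden, unrestricted launch with no matching task is the one worth a Malware Removal Assistance thread.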
shmu26

I have not had a block yet today without being in shadow mode but I do have some logs of powershell in event viewer.

Here is an example of one.


Started

ProviderName=Registry NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=5.1.17134.81 HostId=03af081c-e0f5-4efd-a4c9-ed13b8658481 HostApplication=C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Unrestricted -NonInteractive -NoProfile -WindowStyle Hidden & C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\SmbShare\DisableUnusedSmb1.ps1 -Scenario Client EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=
Yeah, I get that one too. It is a Windows maintenance event, I am sure that @Lockdown can explain exactly what it does. It is not something very important.
 
509322

Thread author
I have not had a block yet today without being in shadow mode but I do have some logs of powershell in event viewer.

Here is an example of one.

Registry

Started

ProviderName=Registry NewProviderState=Started SequenceNumber=1 HostName=ConsoleHost HostVersion=5.1.17134.81 HostId=03af081c-e0f5-4efd-a4c9-ed13b8658481 HostApplication=C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Unrestricted -NonInteractive -NoProfile -WindowStyle Hidden & C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\SmbShare\DisableUnusedSmb1.ps1 -Scenario Client EngineVersion= RunspaceId= PipelineId= CommandName= CommandType= ScriptName= CommandPath= CommandLine=

What version and build are you running? Because DisableUnusedSmb1.ps1 does not exist on Windows 10 1803.

Yeah, I get that one too. It is a Windows maintenance event, I am sure that @Lockdown can explain exactly what it does. It is not something very important.

There is no official documentation on it, but - if I recall correctly - inside the script file itself you will find the following comment:

This script is used to automatically removes[sic] support for the legacy SMB 1.0/CIFS protocol when such support isn’t actively needed during normal system usage.

99.999 % of home users do not need SMB. And especially version 1.0.
 
ForgottenSeer 69673

Thread author
I am using Win 10 Home 1803. On a side note, I have not seen any powershell blocks in the activity report today.

[image: ScreenHunter_111 May. 31 15.34.jpg]
 
shmu26

What version and build are you running? Because DisableUnusedSmb1.ps1 does not exist on Windows 10 1803.

There is no official documentation on it, but - if I recall correctly - inside the script file itself you will find the following comment:

This script is used to automatically removes[sic] support for the legacy SMB 1.0/CIFS protocol when such support isn’t actively needed during normal system usage.

99.999 % of home users do not need SMB. And especially version 1.0.
Isn't SMB 1 disabled by default on Windows 10?
 

shmu26

It is supposed to be. You know how it is... searching back through Microsoft's documentation to figure out when they implemented stuff - it's an exercise in utter futility. I know there is no documentation on that script. I have not seen it run since last year sometime.
They can't document it because they don't know themselves. The right hand does not know what the left hand is doing, until the left hand pinches the right hand really hard :)
 