shmu26

Level 71
Content Creator
Verified
Joined
Jul 3, 2015
Messages
6,048
Operating System
Windows 10
#1
What do you say about this PowerShell command line? Safe, or malicious? It ran on my computer today, a while after updating to Fall Creators.

"powershell" -noprofile -noninteractive -inputformat none -executionpolicy bypass add-provisionedappxpackage -online -packagepath "c:\windows\temp\installhevcappxpackage\microsoft.hevcvideoextension_8wekyb3d8bbwe.x64.appx" -dependencypackagepath "c:\windows\temp\installhevcappxpackage\microsoft.vclibs.140.00_14.0.24123.0_x64__8wekyb3d8bbwe.appx" -licensepath "c:\windows\temp\installhevcappxpackage\microsoft.hevcvideoextension_8wekyb3d8bbwe.x64.xml"
 
D

Deleted member 65228

Guest
#2
I believe it is to do with installation of Windows Metro applications, the general ones such as your Mail application, since "appxpackage" is related to such packages and there's the "add-" linked up to the instruction. Either a new application was added (Metro style) to the FCU environment, or a re-installation/update happened for one.

I don't think you need to worry about any of it; you were installing the Creators Update and it happened afterwards after all. It's natural for Windows to do additional things in the background after a major update, and the Fall Creators Update changed a whole ton of things so it's not out of the ordinary in my opinion.

You can try to track the execution of the PowerShell back to the responsible culprit process, I'm sure you're fine. On that note, I recommend disabling PowerShell unless you really need it because a lot of "file-less" attacks, as people call them, tend to like it.

Edit:
Get HEVC Video Extension - Microsoft Store

I believe this is what was installed via the PowerShell command. It's to do with videos/codecs. It allows you to play content in 4K/Ultra HD system-wide across all apps for HEVC content. You'd have to educate me on HEVC because I don't know much about media terms.
 

shmu26

#4
Thanks.
When I saw all that appxpackage stuff in the command line, it looked to me like typical Microsoft jargon, so I just assumed that VoodooShield was blocking a false positive, and I sent it on to Dan. But he wasn't happy with "powershell" -noprofile -noninteractive -inputformat none -executionpolicy bypass, which he says is typical of malware.

Anyways, HitmanPro didn't find anything to speak of on my system, so I am not worried. I will sleep tonight.
 
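An added example, not code from the thread, that combines the advice in post #2 (trace the PowerShell launch back to its parent process) with Dan's concern about the -noprofile/-executionpolicy bypass switches: it pulls process-creation events (Security log ID 4688) for powershell.exe launches that use bypass, reports the parent process, and for any Add-ProvisionedAppxPackage call vets the .appx itself by its Authenticode signature rather than trusting the switches or the file name. It assumes command-line auditing is enabled (Audit Process Creation plus "Include command line in process creation events") and that the package file still exists under c:\windows\temp; the publisher ID 8wekyb3d8bbwe is taken from the path in the original post.

```powershell
# Added example (not from the thread). Requires command-line auditing in 4688 events;
# Sysmon event 1 carries the same fields if you have it instead.
function Get-BypassPowerShellLaunch {
    param([int]$Days = 1)
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-$Days) }
    foreach ($evt in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        # Read EventData by field name instead of relying on positional indexes
        $data = @{}
        ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        $cmd = $data['CommandLine']
        if ($data['NewProcessName'] -notmatch 'powershell\.exe$' -or -not $cmd) { continue }
        if ($cmd -notmatch '(?i)-executionpolicy\s+bypass') { continue }
        [pscustomobject]@{
            Time    = $evt.TimeCreated
            Parent  = $data['ParentProcessName']   # the "culprit" that spawned PowerShell
            User    = $data['SubjectUserName']
            Command = $cmd
        }
    }
}

function Test-ProvisionedAppxCommand {
    param([Parameter(Mandatory)][string]$CommandLine,
          [string]$TrustedPublisherId = '8wekyb3d8bbwe')   # Microsoft Store publisher ID from the path in post #1
    if ($CommandLine -notmatch '(?i)add-provisionedappxpackage') { return $null }
    if ($CommandLine -notmatch '(?i)-packagepath\s+"?([^"\s]+)"?') { return $null }
    $pkg  = $Matches[1]
    $leaf = [System.IO.Path]::GetFileName($pkg)
    # The publisher ID in the file name is only a hint; anyone can name a file that way.
    $nameHint = $leaf -match "_$TrustedPublisherId\."
    # The signature is the real check. Temp packages are often deleted after install,
    # so a missing file is reported rather than treated as a failure.
    $sig = if (Test-Path $pkg) { Get-AuthenticodeSignature -FilePath $pkg } else { $null }
    [pscustomobject]@{
        PackagePath     = $pkg
        PublisherIdHint = $nameHint
        SignatureStatus = if ($sig) { $sig.Status } else { 'FileMissing' }
        Signer          = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

# Usage: list bypass launches from the last 3 days, then vet any that provision packages
Get-BypassPowerShellLaunch -Days 3 | ForEach-Object {
    $_ | Format-List
    Test-ProvisionedAppxCommand -CommandLine $_.Command
}
```

A launch whose parent is a Windows servicing component and whose package shows a Valid signature from a Microsoft certificate is consistent with the HEVC install discussed here; a bypass launch from an Office or browser parent with an unsigned or missing package is what the switches alone cannot distinguish and is worth a closer look.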

SHvFl

Level 35
Content Creator
Verified
Joined
Nov 19, 2014
Messages
2,419
Operating System
Windows 10
#5
Yeah, it has to be the default HEVC app Windows 10 installs even on a clean install. I don't have the logs to go check for it but I know for sure it installed the app for me.
 

SHvFl

#9
But it is interesting that Microsoft used a PowerShell script to deliver an install. That's unusual, is it not?
Most of the Store crap is delivered and uninstalled that way. I guess it's in order to give administrators more control, or it's just simpler for them :p
 
Joined
Jul 5, 2016
Messages
410
Operating System
Windows 10
Antivirus
Malwarebytes
#10
I don't remember seeing that block in VoodooShield or AppGuard, and I do have PowerShell blocked in AppGuard.
 

shmu26

#11
Most of the Store crap is delivered and uninstalled that way. I guess it's in order to give administrators more control, or it's just simpler for them :p
So if a user totally disables PowerShell, he won't get those Store installs/uninstalls. That could be either bad or good, depending on one's opinion of stuff from the Microsoft Store.
Actually, installation requires a high level of privileges, so even restricting PowerShell (like with AppGuard "guarded apps") would interfere. Correct?
 

Deleted member 65228
#14
So if a user totally disables PowerShell, he won't get those Store installs/uninstalls.
Well, Microsoft owns Windows and thus their own components are active (their kernel for the OS, their components either elevated or not, etc.). Therefore, if Microsoft wants, they can push out an update at any time which will temporarily enable PowerShell for them to execute PowerShell scripts, and then re-disable it.

Then again, I am sure they have a non-PowerShell variant of what they needed to do somewhere, and if not I doubt it'd be tricky for them to make one in a short time span for people who have it disabled.
 
#15
Interesting. Why do you have to also untick it in guarded apps? PowerShell is unsigned, so even if it is a guarded app, it should not run once you add it to user space. That is my understanding of it.
I wondered the very same thing until Lockdown advised me as to why. It was in an old thread over at Wilders. I think it was called the unofficial AppGuard thread.
 

SHvFl

#16
So if a user totally disables PowerShell, he won't get those Store installs/uninstalls. That could be either bad or good, depending on one's opinion of stuff from the Microsoft Store.
Actually, installation requires a high level of privileges, so even restricting PowerShell (like with AppGuard "guarded apps") would interfere. Correct?
In theory I assume it will just not update them ever. I have a feeling the basic applications are installed even before you get into Windows.