Troubleshoot Suspicious command line after Fall Creators Update

shmu26

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
What do you say about this PowerShell command line? Safe, or malicious? It ran on my computer today, a while after updating to the Fall Creators Update.

"powershell" -noprofile -noninteractive -inputformat none -executionpolicy bypass add-provisionedappxpackage -online -packagepath "c:\windows\temp\installhevcappxpackage\microsoft.hevcvideoextension_8wekyb3d8bbwe.x64.appx" -dependencypackagepath "c:\windows\temp\installhevcappxpackage\microsoft.vclibs.140.00_14.0.24123.0_x64__8wekyb3d8bbwe.appx" -licensepath "c:\windows\temp\installhevcappxpackage\microsoft.hevcvideoextension_8wekyb3d8bbwe.x64.xml"
 

Deleted member 65228

I believe it is to do with the installation of Windows Metro applications, the general ones such as your Mail application, since the "appxpackage" is related to such packages and there's the "add-" linked up to the instruction. Either a new application was added (Metro style) to the FCU environments, or a re-installation/update happened for one.

I don't think you need to worry about any of it; you were installing the Creators Update and it happened afterwards, after all. It's natural for Windows to do additional things in the background after a major update, and the Fall Creators Update changed a whole ton of things, so it's not out of the ordinary in my opinion.

You can try to track the execution of the PowerShell back to the responsible culprit process; I'm sure you're fine. On that note, I recommend disabling PowerShell unless you really need it, because a lot of "file-less" attacks, as people call them, tend to like it.

Edit:
Get HEVC Video Extension - Microsoft Store

I believe this is what was installed via the PowerShell command. It's to do with videos/codecs. It allows you to play content in 4K/Ultra HD system-wide across all apps for HEVC content. You'd have to educate me on HEVC because I don't know much about media terms.
 
Upvote 0
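The two checks the reply above points at (is the package what it claims to be, and which process launched PowerShell) can be scripted. The following is an added example, not code from the thread or from Microsoft: it takes the command line from the first post, verifies the Authenticode signatures of the .appx files it names, checks whether the HEVC extension is actually provisioned and how the installed copy is signed, and looks up the launching process in Security event 4688 or Sysmon event 1. The paths are the ones quoted in the thread; the function names and the event-log lookups are this example's own assumptions. Run it in an elevated Windows PowerShell 5.1 session.

```powershell
# Added example, not code from the thread or from Microsoft. Paths are the ones quoted
# in the thread; helper names and event-log lookups are this example's own assumptions.
# Run in an elevated Windows PowerShell 5.1 session.

$cmdLine = '"powershell" -noprofile -noninteractive -inputformat none -executionpolicy bypass ' +
    'add-provisionedappxpackage -online ' +
    '-packagepath "c:\windows\temp\installhevcappxpackage\microsoft.hevcvideoextension_8wekyb3d8bbwe.x64.appx" ' +
    '-dependencypackagepath "c:\windows\temp\installhevcappxpackage\microsoft.vclibs.140.00_14.0.24123.0_x64__8wekyb3d8bbwe.appx" ' +
    '-licensepath "c:\windows\temp\installhevcappxpackage\microsoft.hevcvideoextension_8wekyb3d8bbwe.x64.xml"'

function Get-QuotedPaths {
    # Every double-quoted argument that looks like a drive-letter path.
    param([string]$Line)
    [regex]::Matches($Line, '"([A-Za-z]:\\[^"]+)"') | ForEach-Object { $_.Groups[1].Value }
}

function Test-AppxSignature {
    # Authenticode status of each .appx the line points at. A Microsoft-delivered package
    # shows Status 'Valid' with a Microsoft Corporation signer. 'FileGone' only means the
    # installer has already removed its staging files from C:\Windows\Temp.
    param([string[]]$Paths)
    foreach ($p in ($Paths | Where-Object { $_ -like '*.appx' })) {
        if (-not (Test-Path -LiteralPath $p)) {
            [pscustomobject]@{ Path = $p; Status = 'FileGone'; Signer = $null }
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $p
        [pscustomobject]@{ Path = $p; Status = $sig.Status; Signer = $sig.SignerCertificate.Subject }
    }
}

function Get-HevcPackageState {
    # Was the package added to the provisioned set, and how is the installed copy signed?
    # SignatureKind 'Store' or 'System' is what a Microsoft package should report.
    $prov = Get-AppxProvisionedPackage -Online |
        Where-Object { $_.DisplayName -like 'Microsoft.HEVCVideoExtension*' } | Select-Object -First 1
    $inst = Get-AppxPackage -AllUsers -Name 'Microsoft.HEVCVideoExtension*' | Select-Object -First 1
    [pscustomobject]@{
        Provisioned   = [bool]$prov
        ProvVersion   = $prov.Version
        Installed     = [bool]$inst
        SignatureKind = $inst.SignatureKind
    }
}

function Find-LaunchingProcess {
    # Parent of the powershell.exe that ran the provisioning call. Needs process-creation
    # auditing with command-line logging (Security 4688) or Sysmon (event 1); returns
    # nothing if neither is enabled, which is itself worth knowing.
    param([string]$Marker = 'add-provisionedappxpackage')
    $specs = @(
        @{ LogName = 'Security'; Id = 4688 },
        @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 }
    )
    foreach ($spec in $specs) {
        $events = Get-WinEvent -FilterHashtable $spec -MaxEvents 5000 -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            $d = @{}
            foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.GetAttribute('Name')] = $n.'#text' }
            if ($d['CommandLine'] -notlike "*$Marker*") { continue }
            $proc   = if ($d['NewProcessName'])    { $d['NewProcessName'] }    else { $d['Image'] }
            $parent = if ($d['ParentProcessName']) { $d['ParentProcessName'] } else { $d['ParentImage'] }
            [pscustomobject]@{ Time = $e.TimeCreated; Log = $spec.LogName; Process = $proc; Parent = $parent }
        }
    }
}

$paths = Get-QuotedPaths -Line $cmdLine
Test-AppxSignature -Paths $paths | Format-Table -AutoSize
Get-HevcPackageState
Find-LaunchingProcess | Format-Table -AutoSize
```

The `8wekyb3d8bbwe` suffix in the package names is only a claim of Microsoft's publisher identity; the signature check is what confirms it. If the staging files are already gone, the provisioned-package state and the parent process are the remaining evidence.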

shmu26

Deleted member 65228 said:
I believe it is to do with the installation of Windows Metro applications, the general ones such as your Mail application, since the "appxpackage" is related to such packages and there's the "add-" linked up to the instruction. Either a new application was added (Metro style) to the FCU environments, or a re-installation/update happened for one.

I don't think you need to worry about any of it; you were installing the Creators Update and it happened afterwards, after all. It's natural for Windows to do additional things in the background after a major update, and the Fall Creators Update changed a whole ton of things, so it's not out of the ordinary in my opinion.

You can try to track the execution of the PowerShell back to the responsible culprit process; I'm sure you're fine. On that note, I recommend disabling PowerShell unless you really need it, because a lot of "file-less" attacks, as people call them, tend to like it.

Edit:
Get HEVC Video Extension - Microsoft Store

I believe this is what was installed via the PowerShell command. It's to do with videos/codecs. It allows you to play content in 4K/Ultra HD system-wide across all apps for HEVC content. You'd have to educate me on HEVC because I don't know much about media terms.

Thanks.
When I saw all that appxpackage stuff in the command line, it looked to me like typical Microsoft jargon, so I just assumed that VoodooShield was blocking a false positive, and I sent it on to Dan. But he wasn't happy with "powershell" -noprofile -noninteractive -inputformat none -executionpolicy bypass, which he says is typical of malware.

Anyways, HitmanPro didn't find anything to speak of on my system, so I am not worried. I will sleep tonight.
 
Upvote 0
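The switches Dan objected to (-noprofile, -noninteractive, -executionpolicy bypass) are used by installers and scheduled tasks as well as by malware, so a blocker keyed on them alone will keep flagging Microsoft's own provisioning. What separates the two is what follows the switches. The function below is an added example, not code from the thread or from any vendor; the indicator lists and thresholds are this example's own choices. It scores the line from the thread and a constructed second line whose encoded argument is a harmless placeholder.

```powershell
# Added example, not code from the thread. Indicator lists and thresholds are this
# example's own choices; the second sample line is constructed.

function Get-PowerShellCommandLineVerdict {
    param([Parameter(Mandatory)][string]$CommandLine)
    $lc = $CommandLine.ToLowerInvariant()

    # Launch switches that suppress output or skip policy. Installers and scheduled tasks
    # use them too, so on their own they are a reason to look closer, not a verdict.
    $launchFlags = @(
        '-noprofile', '-nop ', '-noninteractive', '-noni ',
        '-executionpolicy bypass', '-ep bypass', '-ex bypass',
        '-windowstyle hidden', '-w hidden', '-inputformat none'
    )
    # Payload indicators: content a package-provisioning call has no reason to carry.
    $payloadPatterns = @(
        '-e(nc(odedcommand)?)?\s+[a-z0-9+/=]{16,}',                     # encoded command with a base64 blob
        '\biex\b|invoke-expression',                                     # executing a built string
        'downloadstring|downloadfile|net\.webclient|invoke-webrequest',  # fetching from the network
        'frombase64string',                                               # decoding an embedded payload
        'https?://'                                                       # remote address in the arguments
    )
    $flagsHit   = @($launchFlags     | Where-Object { $lc.Contains($_) })
    $payloadHit = @($payloadPatterns | Where-Object { $lc -match $_ })

    # What the line actually asks PowerShell to do: the first verb-noun cmdlet, if any.
    $cmdlet = [regex]::Match($lc, '\b(add|get|set|remove|install|new|invoke|start|import|register)-[a-z]+\b').Value

    $verdict = if ($payloadHit.Count -gt 0) { 'Suspicious: payload indicators present' }
               elseif ($flagsHit.Count -ge 2) { 'Review: launch flags only; verify the cmdlet target and the parent process' }
               else { 'Plain' }

    [pscustomobject]@{
        Verdict     = $verdict
        Cmdlet      = $cmdlet
        LaunchFlags = $flagsHit
        PayloadHits = $payloadHit
    }
}

# Sample 1: the line from the thread (wrapped for readability).
$threadLine = '"powershell" -noprofile -noninteractive -inputformat none -executionpolicy bypass ' +
    'add-provisionedappxpackage -online ' +
    '-packagepath "c:\windows\temp\installhevcappxpackage\microsoft.hevcvideoextension_8wekyb3d8bbwe.x64.appx" ' +
    '-dependencypackagepath "c:\windows\temp\installhevcappxpackage\microsoft.vclibs.140.00_14.0.24123.0_x64__8wekyb3d8bbwe.appx" ' +
    '-licensepath "c:\windows\temp\installhevcappxpackage\microsoft.hevcvideoextension_8wekyb3d8bbwe.x64.xml"'

# Sample 2: constructed. The base64 is the string "ABCdef" in UTF-16LE, not a real payload.
$constructedLine = 'powershell -nop -w hidden -noni -enc QQBCAEMAZABlAGYA'

Get-PowerShellCommandLineVerdict -CommandLine $threadLine
Get-PowerShellCommandLineVerdict -CommandLine $constructedLine
```

The thread's line hits four launch flags, names a real cmdlet (add-provisionedappxpackage) and carries no payload indicators, so it lands in the "review" bucket, where the signature of the package and the parent process decide; the constructed line is caught by the encoded-command pattern regardless of its flags.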

SHvFl

Level 35
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Nov 19, 2014
2,342
Yeah, it has to be the default HEVC app Windows 10 installs even on a clean install. I don't have the logs to go check for it, but I know for sure it installed the app for me.
 
Upvote 0

shmu26

Upvote 0

SHvFl

shmu26 said:
But it is interesting that Microsoft used a powershell script to deliver an install. That's unusual, is it not?

Most of the store crap is delivered and uninstalled that way. I guess it's in order to give administrators more control, or it's just simpler for them :p
 
Upvote 0

shmu26

SHvFl said:
Most of the store crap is delivered and uninstalled that way. I guess it's in order to give administrators more control, or it's just simpler for them :p

So if a user totally disables PowerShell, he won't get those store installs/uninstalls. That could be either bad or good, depending on one's opinion of stuff from the Microsoft Store.
Actually, installation requires a high level of privileges, so even restricting PowerShell (like with AppGuard "guarded apps") would interfere. Correct?
 
Upvote 0

boredog

Level 9
Verified
Jul 5, 2016
416
This is how I was told to disable PowerShell in AppGuard:
[Attached screenshots: ScreenHunter_85 Dec. 28 14.48.jpg, ScreenHunter_86 Dec. 28 14.48.jpg]
 
Upvote 0

shmu26

Upvote 0

Deleted member 65228

shmu26 said:
So if a user totally disables PowerShell, he won't get those store installs/uninstalls.

Well, Microsoft owns Windows, and thus their own components are active (their kernel for the OS, their components either elevated or not, etc.). Therefore, if Microsoft wants, they can push out an update at any time which will temporarily enable PowerShell for them to execute PowerShell scripts, and then re-disable it.

Then again, I am sure they have a non-PowerShell variant of what they needed to do somewhere, and if not I doubt it'd be tricky for them to make one in a short time span for people who have it disabled.
 
Upvote 0
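The thread's dilemma is that switching PowerShell off also blocks Windows' own provisioning calls, while leaving it on means the next surprise command line arrives with no context. A middle path is to leave it on and log it. The script below is an added example, not code from the thread or from Microsoft: it enables the policy-backed script block logging, module logging and transcription settings through their documented registry locations, then pulls any logged script block that mentions Add-ProvisionedAppxPackage. The transcript directory and the function names are this example's own choices; run it in an elevated Windows PowerShell 5.1 session.

```powershell
# Added example, not code from the thread or from Microsoft. Registry locations and value
# names are the documented policy-backed settings; the transcript directory and the
# function names are this example's own choices. Run elevated. A domain GPO that manages
# these settings will overwrite them at the next policy refresh.

function Enable-PowerShellAuditing {
    param([string]$TranscriptDir = 'C:\PSTranscripts')   # assumed location
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

    # Script block logging: event 4104 in Microsoft-Windows-PowerShell/Operational carries the
    # text of every script block, so an Add-ProvisionedAppxPackage call is recorded verbatim.
    New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
    Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

    # Module logging: pipeline execution details (event 4103) for all modules.
    New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
    Set-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
    New-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null

    # Transcription: one text transcript per session in a dedicated directory
    # (restrict its ACL to administrators in production so users cannot edit transcripts).
    New-Item -Path $TranscriptDir -ItemType Directory -Force | Out-Null
    New-Item -Path "$base\Transcription" -Force | Out-Null
    Set-ItemProperty -Path "$base\Transcription" -Name EnableTranscripting -Value 1 -Type DWord
    Set-ItemProperty -Path "$base\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
    Set-ItemProperty -Path "$base\Transcription" -Name OutputDirectory -Value $TranscriptDir -Type String
}

function Get-ScriptBlocksMatching {
    # Logged script block text (event 4104) that matches a pattern, newest first.
    # Properties[2] of that event is the ScriptBlockText field.
    param([string]$Pattern = 'Add-ProvisionedAppxPackage', [int]$Max = 2000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                 -MaxEvents $Max -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[2].Value -match $Pattern } |
        Select-Object TimeCreated, @{ n = 'ScriptBlock'; e = { $_.Properties[2].Value } }
}

Enable-PowerShellAuditing
Get-ScriptBlocksMatching | Format-List
```

With this in place, Windows' own provisioning keeps working, and a behaviour blocker's alert on a PowerShell launch can be matched to the script text that actually ran rather than judged from its launch switches alone.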

boredog

shmu26 said:
Interesting. Why do you have to also untick it in guarded apps? PowerShell is unsigned, so even if it is a guarded app, it should not run once you add it to user space. That is my understanding of it.

I wondered the very same thing until Lockdown advised me as to why. It was in an old thread over at Wilders. I think it was called the unofficial Appguard thread.
 
Upvote 0

SHvFl

shmu26 said:
So if a user totally disables PowerShell, he won't get those store installs/uninstalls. That could be either bad or good, depending on one's opinion of stuff from the Microsoft Store.
Actually, installation requires a high level of privileges, so even restricting PowerShell (like with AppGuard "guarded apps") would interfere. Correct?

In theory I assume it will just not update them ever. I have a feeling the basic applications are installed even before you get into Windows.
 
Upvote 0
