Hey everyone! So, I recently had a really unfortunate (and honestly pretty dumb) experience where my system got infected by malware. It was using PowerShell to make connections to remote IPs and download harmful scripts. The only way I felt safe was to back up my important files, reset all my passwords, wipe my drives, and reinstall Windows from scratch. Now, I'm working on my freshly set up system and have been checking the Event Viewer for any unusual activity.
I noticed a script running in Event Viewer that looks like it's part of some routine operations, but I can't shake the feeling that I might be overreacting considering my recent scare about identity theft. I read about some malware going deep into UEFI, but I've heard it's rare for everyday attackers to go that far. Here's what I see in the Event Viewer:
```
Details:
ProviderName=FileSystem
NewProviderState=Started
SequenceNumber=7
HostName=ConsoleHost
HostVersion=5.1.26100.4768
HostId=e98a2722-9732-4c05-85d9-eb715da691b8
HostApplication=powershell.exe -ExecutionPolicy Restricted -Command
$isBroken = 0
# Define the root registry path (ShellBags: per-user Explorer folder view settings)
$ShellRegRoot = 'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\'
$bagMRURoot = $ShellRegRoot + 'BagMRU'
$bagRoot = $ShellRegRoot + 'Bags'
# Define the target GUID tail for MSGraphHome
$HomeFolderGuid = '14001F400E3174F8B7B6DC47BC84B9E6B38F59030000'
$properties = Get-ItemProperty -Path $bagMRURoot
foreach ($property in $properties.PSObject.Properties) {
    # Binary MRU values hold a folder's ItemID list; compare its hex form to the Home folder tail
    if ($property.TypeNameOfValue -eq 'System.Byte[]') {
        $hexString = ($property.Value | ForEach-Object { $_.ToString('X2') }) -join ''
        if ($hexString -eq $HomeFolderGuid) {
            $subkey = $property.Name
            # NodeSlot points at the matching view bag under Bags\<slot>\Shell*
            $nodeSlot = Get-ItemPropertyValue -Path ($bagMRURoot + '\' + $subkey) -Name 'NodeSlot'
            $isBroken = if ((Get-ItemPropertyValue -Path ($bagRoot + '\' + $nodeSlot + '\Shell*') -Name 'GroupView') -eq 0) { 1 } else { 0 }
            break
        }
    }
}
Write-Host 'Final result:',$isBroken
```
This seems to be a normal system operation, but I wanted to check if anyone recognizes this behavior from their own systems. Is this totally ordinary, or should I be concerned?
P.S. I ran a scan with Windows Defender after the wipe and everything came back clean!
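One way to turn that gut check into a repeatable one, as an added example that is not from the question or from Microsoft: a small Python triage helper that parses a record in the Details layout above and scores its HostApplication line against invocation traits defenders usually flag (encoded commands, policy bypass, hidden windows, download cradles). Both records below are constructed; the benign one is the question's record abridged, the suspicious one is invented for contrast, and `<base64-placeholder>` stands in for an encoded payload.

```python
import re

# Constructed records in the Details layout from the question. BENIGN is the
# question's own record, abridged; SUSPICIOUS is made up for contrast.
BENIGN = r"""ProviderName=FileSystem
NewProviderState=Started
HostName=ConsoleHost
HostApplication=powershell.exe -ExecutionPolicy Restricted -Command
$ShellRegRoot = 'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\'
$properties = Get-ItemProperty -Path ($ShellRegRoot + 'BagMRU')
Write-Host 'Final result:',$isBroken"""
SUSPICIOUS = """ProviderName=Variable
NewProviderState=Started
HostName=ConsoleHost
HostApplication=powershell.exe -nop -w hidden -ExecutionPolicy Bypass -enc <base64-placeholder>"""

# (regex, weight, label): invocation traits defenders flag for review. The
# question's record (ExecutionPolicy Restricted, HKCU reads only) hits none.
INDICATORS = [
    (r'-enc\w*\b', 3, 'encoded command'),
    (r'-executionpolicy\s+(bypass|unrestricted)', 2, 'execution policy bypass'),
    (r'-w(indowstyle)?\s+hidden', 2, 'hidden window'),
    (r'-nop\w*\b', 1, 'profile suppressed'),
    (r'downloadstring|downloadfile|webclient|invoke-webrequest|\biwr\b', 3, 'network retrieval'),
    (r'invoke-expression|\biex\b', 2, 'dynamic code execution'),
    (r'https?://\d{1,3}(\.\d{1,3}){3}', 2, 'raw IP URL'),
]

def parse_details(text):
    """Split a Details block into fields. HostApplication comes last and carries the
    whole command line (often many lines containing '='), so it keeps the remainder."""
    fields = {}
    lines = text.strip().splitlines()
    for i, line in enumerate(lines):
        key, sep, value = line.partition('=')
        if key == 'HostApplication':
            fields[key] = '\n'.join([value] + lines[i + 1:]).strip()
            break
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def triage(record):
    """Score the HostApplication line: 0 likely benign, 1-4 review, 5+ investigate."""
    cmd = parse_details(record).get('HostApplication', '')
    matched = [(w, label) for pat, w, label in INDICATORS if re.search(pat, cmd, re.I)]
    score = sum(w for w, _ in matched)
    verdict = 'likely benign' if score == 0 else ('review' if score < 5 else 'investigate')
    return {'score': score, 'hits': [label for _, label in matched], 'verdict': verdict}
```

On a live machine the same Details text comes from the classic "Windows PowerShell" log (provider lifecycle records like this one are event ID 600), which Get-WinEvent can export for feeding into triage().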
2 Answers
Hey there! Yeah, that script you shared is part of legitimate Microsoft processes. It’s mainly used for file system checks and should be nothing to worry about. You can find more info about it in official Microsoft docs. Sounds like your system is back on track!
Hey! From what you’ve described, that does look like normal behavior for PowerShell, especially after a fresh OS install. As long as you’ve wiped your drives and reinstalled from a clean ISO, you should be in the clear. The remote connection stuff from the malware is concerning, but it seems like you've taken good steps to secure your system after the infection. Just keep an eye on things for a couple more days!
Thanks for your input! I really appreciate it. I’ll keep monitoring for any unusual activity.

Oh wow, that’s a relief to know! Thanks for clearing that up.