What Are These Strange PowerShell Processes Running at Startup?

Asked By CuriousCat123 On

I've recently noticed some odd PowerShell processes running in the background when I start my computer, and it's got me worried. I can't figure out what they mean or if they're dangerous. I created a Reddit account just for this, hoping someone here can help! I have a screenshot showing the command line, but all Windows tells me is minimal info. I've also run Process Explorer, which shows some additional details. My system is Windows 11, and I have an Acer N50-656 that I bought a few months ago. Any insights would be greatly appreciated!

5 Answers

Answered By TechieTom99 On

It sounds like you might be missing some information after the '-command' part of the PowerShell command. Without that, we can't say for sure if what's running is legit or something sketchy downloading from the internet. If you could provide the full command line, that would help a lot!

NerdyNate88 -

Yeah, it looks suspicious! But sometimes legitimate Windows processes appear that way, especially on enterprise machines. If that command line ends right after '-command', it could mean something is injecting into it. You should check that out.

SkepticalSam77 -

I checked, and there's really nothing after that. It just ends there.

Answered By AdminAlex22 On

You should try running this command in PowerShell: `Get-CimInstance win32_process | where{ $_.name -like "powershell*"} | select name,commandline`. It’ll show you the command line part which is crucial for identifying what's going on.

ConfusedCody12 -

I ran that command, but Windows says it's not valid. Do I have to edit it in some way?

HelpfulHannah44 -

Yes, that's what you need! We need to see that command line to help.

Answered By SecuritySecured19 On

This could be part of Intune validation scripts. They're meant to run in the background, but if they don't shut down, it can be concerning. Running multiple antivirus scans is good! Just keep an eye on it to ensure it's not malicious.

CuriousCat123 -

I’m not entirely sure what Intune validation scripts are. Should they always run in the background? I hope this means it’s not dangerous since I completed a couple of scans and found nothing.

Answered By ProcessGuru47 On

Have you checked if Process Explorer indicates which process started these PowerShell instances? If it doesn’t, you might want to try ProcMon with Boot Logging. That might give you clearer insights.

CuriousCat123 -

According to Process Explorer, it shows 'conhost' as the parent process.
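
An added example (not part of the original thread) that combines the two checks suggested in the answers above, the full command line and the parent process, and walks further up the chain so that a `conhost` parent does not end the trail. The function name `Get-AncestorChain` and the depth limit are assumptions made for illustration.

```powershell
# Added example: list running PowerShell processes with their command line
# and the chain of processes that started them.
# Run from an elevated prompt; CommandLine can come back empty for
# processes the current user is not allowed to inspect.
$all = Get-CimInstance -ClassName Win32_Process

# Index every process by PID so parents can be looked up quickly.
$byPid = @{}
foreach ($p in $all) { $byPid[[uint32]$p.ProcessId] = $p }

function Get-AncestorChain {
    param($Process, [hashtable]$Index, [int]$MaxDepth = 8)
    $chain = @()
    $current = $Process
    for ($i = 0; $i -lt $MaxDepth; $i++) {
        $parent = $Index[[uint32]$current.ParentProcessId]
        if (-not $parent) { break }                                   # parent has exited
        if ($parent.ProcessId -eq $current.ProcessId) { break }       # PID 0 points at itself
        # A "parent" created after its child means the PID was reused.
        if ($parent.CreationDate -gt $current.CreationDate) { break }
        $chain += '{0} ({1})' -f $parent.Name, $parent.ProcessId
        $current = $parent
    }
    if ($chain.Count -eq 0) { return '<parent no longer running>' }
    return ($chain -join ' <- ')
}

# The session running this script shows up in the output too.
$all |
    Where-Object { $_.Name -like 'powershell*' -or $_.Name -eq 'pwsh.exe' } |
    ForEach-Object {
        [pscustomobject]@{
            ProcessId   = $_.ProcessId
            Started     = $_.CreationDate
            Executable  = $_.ExecutablePath
            CommandLine = $_.CommandLine
            Ancestors   = Get-AncestorChain -Process $_ -Index $byPid
        }
    } |
    Format-List
```

If the parent has already exited by the time this runs, the chain stops early, which is the case where ProcMon with Boot Logging is the better tool.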

Answered By SkepticalSteve33 On

If I had to guess, it might involve 'iwr', which stands for Invoke-WebRequest. It's often used to download stuff from a remote machine. That could be bad news, but it’s hard to tell without more specifics on the command line used.
