I've noticed that PowerShell starts running every 30 seconds on my machine, lasting for about 20 seconds each time, and then it restarts 10 seconds later. The command line shown in Task Manager doesn't display any actual command—just `powershell -NoLogo -ExecutionPolicy Bypass -NoProfile -NoExit -Command -`. I've tried to identify what's triggering this, but I haven't had any luck. Has anyone else experienced this, or does anyone have suggestions on how to track down what's invoking PowerShell without a visible command? Also, I'd like to mention that after exiting several tray applications, the issue seems to have resolved, so now I'm going through a process of elimination to find the culprit.
5 Answers
Consider enabling script block logging. It logs every line of PowerShell executed and can fill up quickly but is great for tracking down rogue commands. Here's how to enable it:
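```powershell
# Create the ScriptBlockLogging policy key
New-Item -Path "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Force
# EnableScriptBlockLogging = 1 turns script block logging on
Set-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name "EnableScriptBlockLogging" -Value 1
```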
Check the Applications and Services -> Windows PowerShell event log. It might confirm how frequently it's running and help narrow it down.
Thanks! I didn't realize that log existed. It confirmed the 30-second cycle but didn't explain why it's happening. I also found out that if I debug the instance with WinDbg, it stops this cycle.
What you're seeing in Task Manager with the `-` command is instructing PowerShell to read from standard input. This means another process is likely starting PowerShell and sending commands to it, which is rare but can be a sign of malware. Use tools like Sysinternals' Process Monitor or Process Explorer to find out which process is spawning those PowerShell instances.
Thanks! Process Explorer helped me figure it out (I haven't used that in ages!). I also learned a lot about how stdin works with PowerShell.
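The parent lookup suggested in the answer above can also be scripted. This is an added example, not part of the original thread: it waits for a `powershell.exe` whose command line ends in `-Command -` and walks up its parent chain through `Win32_Process`. The 90-second wait and the depth limit of 6 are assumptions.

```powershell
# Added example: find which process starts the stdin-driven powershell.exe.
# Run elevated so CommandLine is readable for processes owned by other users.
$pattern  = '-Command\s+-\s*$'          # command line ending in "-Command -", as in the question
$deadline = (Get-Date).AddSeconds(90)   # assumption: three of the 30-second cycles

# Poll until a matching instance is alive (it runs about 20 s of every 30 s).
do {
    $hits = @(Get-CimInstance Win32_Process -Filter "Name = 'powershell.exe'" |
        Where-Object { $_.ProcessId -ne $PID -and $_.CommandLine -match $pattern })
    if ($hits.Count -eq 0) { Start-Sleep -Milliseconds 500 }
} until ($hits.Count -gt 0 -or (Get-Date) -gt $deadline)

if ($hits.Count -eq 0) { Write-Warning 'No matching powershell.exe seen before the deadline.' }

$report = foreach ($child in $hits) {
    $node = $child
    for ($depth = 0; $depth -lt 6 -and $node; $depth++) {
        # Depth 0 is the PowerShell instance, depth 1 its parent, and so on.
        [pscustomobject]@{
            Depth       = $depth
            ProcessId   = $node.ProcessId
            Name        = $node.Name
            Started     = $node.CreationDate
            Path        = $node.ExecutablePath
            CommandLine = $node.CommandLine
        }
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($node.ParentProcessId)" -ErrorAction SilentlyContinue
        # A "parent" that started after its child means the real parent exited
        # and its PID was reused; stop rather than blame an unrelated process.
        if ($parent -and $parent.CreationDate -gt $node.CreationDate) {
            Write-Warning "PID $($node.ParentProcessId) was reused; the real parent of $($node.Name) has exited."
            $parent = $null
        }
        $node = $parent
    }
}
$report | Format-List
```

The entry at depth 1 is the process writing commands to PowerShell's standard input; its `Path` shows which installed application it belongs to.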
You may have an app installed, especially if you're on a server, that requires PowerShell for its operations. It's worth reviewing your installed applications along with the application event log to see if there's a connection.
It's actually a workstation, and I noticed it while looking for high CPU usage at startup. I suspect it's due to some app I installed, but I have no idea which one.
You might want to check for any scheduled tasks that could be running PowerShell commands. Sometimes these tasks can run without clear indicators in Task Manager.
Great suggestion! I already looked at that, but nothing in the running tasks seems to be causing it.
Keep in mind, you might only be setting the 32-bit keys with that method.