
January 29, 2018 at 3:36 pm

I have antivirus software that can block suspicious activity, and it pops up with the alert below, but I don't know PowerShell very well and I assume it is trying to run DisableUnusedSmb1.ps1 in the background. If anyone could tell me what this is or means, I would thank you a million times. Is it just a Windows process it is blocking, or something else?

Process: [9660]C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent: [1704]C:\Windows\System32\svchost.exe
Rule: BlockWindowStyleHiddenPowerShell
Rule Name: Block "WindowStyle Hidden" on command-line (PowerShell)
Command Line: C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Unrestricted -NonInteractive -NoProfile -WindowStyle Hidden "& C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\SmbShare\DisableUnusedSmb1.ps1 -Scenario Server"

January 29, 2018 at 3:37 pm

It doesn't like PowerShell being run in a hidden window, which is what Svchost is doing, based on that command line.

January 29, 2018 at 3:50 pm

Thanks, but what is DisableUnusedSmb1.ps1? Does it come with Windows PowerShell, and is it standard or harmful in some way?

January 29, 2018 at 3:54 pm

It'd probably be easiest to open the script file and see what it does. It doesn't "Come with" PowerShell, but I suspect it's something Microsoft added to disable SMBv1 in a prior update.
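
Added example, not part of the original thread: one way to follow the suggestion above and inspect the script without running it. It checks the file's signature and hash, prints its contents, and looks for a scheduled task that references it. The path comes from the alert's command line; that the svchost.exe parent is the Task Scheduler service is an assumption, not something the alert states.

```powershell
# Added example: triage the script named in the alert. Nothing here executes it.
# Path taken from the alert's command line.
$scriptPath = Join-Path $env:windir `
    'System32\WindowsPowerShell\v1.0\Modules\SmbShare\DisableUnusedSmb1.ps1'

if (-not (Test-Path -LiteralPath $scriptPath)) {
    Write-Warning "Not found: $scriptPath"
    return
}

# 1. Signature: is the file signed, by whom, and is the signature intact?
#    Status should be 'Valid'; anything else means unsigned or modified.
$sig = Get-AuthenticodeSignature -FilePath $scriptPath
$sig | Select-Object Status, StatusMessage, SignatureType, IsOSBinary,
    @{ Name = 'Signer'; Expression = { $_.SignerCertificate.Subject } } |
    Format-List

# 2. Hash: record it so the same file can be compared across machines.
Get-FileHash -LiteralPath $scriptPath -Algorithm SHA256 | Format-List

# 3. Contents: read the script as text to see what it does.
Get-Content -LiteralPath $scriptPath

# 4. Launcher: list scheduled tasks whose action mentions the script.
#    Assumption: the svchost.exe parent in the alert is the Task Scheduler.
Get-ScheduledTask |
    Where-Object {
        $_.Actions | Where-Object {
            "$($_.Execute) $($_.Arguments)" -like '*DisableUnusedSmb1.ps1*'
        }
    } |
    Select-Object TaskPath, TaskName, State
```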