PowerShell being run by svchost.exe

This topic contains 3 replies, has 2 voices, and was last updated by Don Jones 3 weeks, 1 day ago.

  • #92357

    Charles Bridges
    Participant

    I have antivirus software that can block suspicious activity, and it pops up with the alert below, but I don't know PowerShell very well and I assume it is trying to run DisableUnusedSmb1.ps1 in the background. If anyone could tell me what this is or means, I would thank you a million times. Is it just a Windows process it is blocking, or something else?

    Process: [9660]C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Parent: [1704]C:\Windows\System32\svchost.exe
    Rule: BlockWindowStyleHiddenPowerShell
    Rule Name: Block "WindowStyle Hidden" on command-line (PowerShell)
    Command Line: C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Unrestricted -NonInteractive -NoProfile -WindowStyle Hidden "& C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\SmbShare\DisableUnusedSmb1.ps1 -Scenario Server"

  • #92359

    Don Jones
    Keymaster

    It doesn't like PowerShell being run in a hidden window, which is what Svchost is doing, based on that command line.

  • #92363

    Charles Bridges
    Participant

    Thanks, but what is DisableUnusedSmb1.ps1? Does it come with Windows PowerShell, and is it standard or harmful in some way?

  • #92366

    Don Jones
    Keymaster

    It'd probably be easiest to open the script file and see what it does. It doesn't "Come with" PowerShell, but I suspect it's something Microsoft added to disable SMBv1 in a prior update.
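
An added triage example, not part of the thread or written by its participants: it takes the command line from the alert above, checks who signed the script, shows its opening lines without running it, and lists any scheduled tasks that reference it. It assumes Windows PowerShell 5.1 on the affected machine; looking at scheduled tasks is an assumption based on svchost.exe hosting the Task Scheduler service, not something the thread confirms.

```powershell
# Added example. Command line copied verbatim from the alert in the first post.
$alertCommandLine = 'C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Unrestricted -NonInteractive -NoProfile -WindowStyle Hidden "& C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\SmbShare\DisableUnusedSmb1.ps1 -Scenario Server"'

# Extract the .ps1 path that follows the call operator (&).
if ($alertCommandLine -match '&\s*(?<path>[a-z]:\\[^"]+?\.ps1)') {
    $scriptPath = $Matches['path']
} else {
    throw 'No .ps1 path found in the command line.'
}
if (-not (Test-Path -LiteralPath $scriptPath -PathType Leaf)) {
    throw "Script not found on disk: $scriptPath"
}

# 1. Signature and file metadata. A Status of 'Valid' with a Microsoft signer
#    is what you would expect for a file shipped by a Windows update.
$sig = Get-AuthenticodeSignature -LiteralPath $scriptPath
[pscustomobject]@{
    Path          = $scriptPath
    Status        = $sig.Status
    SignatureType = $sig.SignatureType   # Authenticode or Catalog
    IsOSBinary    = $sig.IsOSBinary
    Signer        = $sig.SignerCertificate.Subject
    SHA256        = (Get-FileHash -LiteralPath $scriptPath -Algorithm SHA256).Hash
    LastWriteTime = (Get-Item -LiteralPath $scriptPath).LastWriteTime
} | Format-List

# 2. Read the script as text; this does not execute it.
Get-Content -LiteralPath $scriptPath | Select-Object -First 40

# 3. Look for scheduled tasks whose action mentions the script name.
$name = Split-Path -Leaf $scriptPath
Get-ScheduledTask | Where-Object {
    $_.Actions | Where-Object { "$($_.Execute) $($_.Arguments)" -like "*$name*" }
} | Select-Object TaskPath, TaskName, State, Author
```

A missing or invalid signature, a signer other than Microsoft, or a recent LastWriteTime that does not line up with a Windows update would be the reasons to dig further before allowing the rule exception.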
