Powershell being run by svchost.exe


This topic contains 3 replies, has 2 voices, and was last updated by Keymaster 9 months, 3 weeks ago.

  • #92357

    Participant
    Points: 0
    Rank: Member

    I have antivirus software that can block suspicious activity, and it pops up with the alert below, but I don't know PowerShell very well and I assume it is trying to run DisableUnusedSmb1.ps1 in the background. If anyone could tell me what this is or means, I would thank you a million times. Is it just a Windows process it is blocking, or something else?

    Process: [9660]C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Parent: [1704]C:\Windows\System32\svchost.exe
    Rule: BlockWindowStyleHiddenPowerShell
    Rule Name: Block "WindowStyle Hidden" on command-line (PowerShell)
    Command Line: C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Unrestricted -NonInteractive -NoProfile -WindowStyle Hidden "& C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\SmbShare\DisableUnusedSmb1.ps1 -Scenario Server"

  • #92359

    Keymaster
    Points: 1,638
    Helping Hand, Team Member
    Rank: Community Hero

    It doesn't like PowerShell being run in a hidden window, which is what Svchost is doing, based on that command line.

  • #92363

    Participant
    Points: 0
    Rank: Member

    Thanks, but what is DisableUnusedSmb1.ps1? Does it come with Windows PowerShell, and is it standard or harmful in some way?

  • #92366

    Keymaster
    Points: 1,638
    Helping Hand, Team Member
    Rank: Community Hero

    It'd probably be easiest to open the script file and see what it does. It doesn't "Come with" PowerShell, but I suspect it's something Microsoft added to disable SMBv1 in a prior update.
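
One way to check the script before opening it, as an added example that is not part of the original thread: it pulls the script path out of the alert's command line, checks the file's location, signature and hash, and lists any scheduled task that references it. The function name `Get-AlertScriptTriage` is hypothetical, and the scheduled-task lookup assumes the svchost.exe parent is the Task Scheduler service, which the thread does not confirm.

```powershell
# Added example; Get-AlertScriptTriage is a hypothetical helper name.
function Get-AlertScriptTriage {
    param([Parameter(Mandatory)][string]$CommandLine)

    # Extract the first .ps1 path (assumes a drive-letter path with no spaces, as in this alert).
    if ($CommandLine -notmatch '[a-z]:\\[^\s"'']+\.ps1') {
        throw 'No .ps1 path found in the command line.'
    }
    # Normalise so that "..\" segments cannot fake a location under the Windows directory.
    $path = [System.IO.Path]::GetFullPath($Matches[0])
    $underWindows = $path.StartsWith("$env:SystemRoot\", [System.StringComparison]::OrdinalIgnoreCase)

    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        return [pscustomobject]@{ ScriptPath = $path; Exists = $false; UnderWindowsDir = $underWindows }
    }

    # Status must be 'Valid'; SignatureType says whether the signature is embedded or from a catalog.
    $sig = Get-AuthenticodeSignature -LiteralPath $path

    # Assumption: the svchost.exe parent is Task Scheduler, so look for a task that names the script.
    $leaf = [regex]::Escape((Split-Path -Path $path -Leaf))
    $tasks = Get-ScheduledTask | Where-Object {
        ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -match $leaf
    }

    [pscustomobject]@{
        ScriptPath      = $path
        Exists          = $true
        UnderWindowsDir = $underWindows
        SignatureStatus = $sig.Status
        SignatureType   = $sig.SignatureType
        IsOSBinary      = $sig.IsOSBinary
        Signer          = $sig.SignerCertificate.Subject
        Sha256          = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        ScheduledTasks  = @($tasks | ForEach-Object { $_.TaskPath + $_.TaskName })
    }
}

# Constructed input: the command line copied from the alert in the first post.
$alert = 'C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Unrestricted -NonInteractive -NoProfile -WindowStyle Hidden "& C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\SmbShare\DisableUnusedSmb1.ps1 -Scenario Server"'
Get-AlertScriptTriage -CommandLine $alert | Format-List
```

A signature status other than `Valid`, or a path outside the Windows directory, is the signal to look closer before adding an exception for the rule.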
