Starting powershell.exe Temporarily Generates a PS1 File with Content of '1'

Welcome Forums General PowerShell Q&A Starting powershell.exe Temporarily Generates a PS1 File with Content of '1'

This topic contains 1 reply, has 1 voice, and was last updated by

 
Participant
2 years, 1 month ago.

  • Author
    Posts
  • #51528

    Participant
    Points: 0
    Rank: Member

    I've come across a strange behavior of powershell.exe. Whenever a new powershell.exe process is started, a randomly-named PS1 file (e.g., "x2xj20xc.cez.ps1") is written to the user's temp directory. The file contains only the character '1' and only persists for a few milliseconds.

    (Assuming your temp dir is empty to begin with) Try:

    while ($true) { Get-ChildItem $env:TEMP\*.ps1 }
    

    and/or

    while ($true) { Get-ChildItem $env:TEMP\*.ps1 | Get-Content }
    

    and then start powershell.exe in another window.

    This isn't breaking anything for me. I'm just really curious if anyone knows what this is about.

  • #51778

    Participant
    Points: 0
    Rank: Member

    Answering my own question and posting for posterity, but would love to hear if anyone has their own take.

    I spoke with a colleague who put in a ticket with MS and it sounds like this is a mechanism to test if AppLocker is blocking script execution. Apparently from WMF 5.1 on, they stop doing this check (at least in this fashion).

The topic ‘Starting powershell.exe Temporarily Generates a PS1 File with Content of '1'’ is closed to new replies.