Starting powershell.exe Temporarily Generates a PS1 File with Content of '1'

This topic contains 1 reply, has 1 voice, and was last updated by Tito Aldarondo 1 month ago.

Viewing 2 posts - 1 through 2 (of 2 total)
  • #51528
    Tito Aldarondo
    Participant

    I've come across a strange behavior of powershell.exe. Whenever a new powershell.exe process is started, a randomly-named PS1 file (e.g., "x2xj20xc.cez.ps1") is written to the user's temp directory. The file contains only the character '1' and only persists for a few milliseconds.

    (Assuming your temp dir is empty to begin with) Try:

    while ($true) { Get-ChildItem $env:TEMP\*.ps1 }
    

    and/or

    while ($true) { Get-ChildItem $env:TEMP\*.ps1 | Get-Content }
    

    and then start powershell.exe in another window.

    This isn't breaking anything for me. I'm just really curious if anyone knows what this is about.

    #51778
    Tito Aldarondo
    Participant

    Answering my own question and posting for posterity, but would love to hear if anyone has their own take.

    I spoke with a colleague who put in a ticket with MS and it sounds like this is a mechanism to test if AppLocker is blocking script execution. Apparently from WMF 5.1 on, they stop doing this check (at least in this fashion).
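
An event-driven way to observe the behavior described in this thread, as an added example that is not part of the original posts: instead of polling the temp directory in a tight loop, a FileSystemWatcher records each *.ps1 creation and tries to read the file before it disappears. The 60-second window and the 'TempPs1Created' identifier are choices made for this example.

```powershell
# Added example: watch the user's temp directory for short-lived *.ps1 files.
# $WatchSeconds and the 'TempPs1Created' identifier are names chosen for this example.
$WatchSeconds = 60

$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = $env:TEMP
$watcher.Filter = '*.ps1'
$watcher.IncludeSubdirectories = $false
$watcher.NotifyFilter = [System.IO.NotifyFilters]::FileName

$action = {
    $path = $Event.SourceEventArgs.FullPath
    try {
        # Permissive sharing: the creating process may still hold the file open.
        $fs = [System.IO.File]::Open($path, 'Open', 'Read', 'ReadWrite, Delete')
        try {
            $reader = New-Object System.IO.StreamReader($fs)
            # May be empty if the event fires before the content is written.
            $content = $reader.ReadToEnd()
        } finally {
            $fs.Dispose()
        }
    } catch {
        # The file only lives for milliseconds, so it may already be gone or locked.
        $content = "<unreadable: $($_.Exception.GetType().Name)>"
    }
    [pscustomobject]@{
        Time    = $Event.TimeGenerated
        Path    = $path
        Content = $content
    }
}

$job = Register-ObjectEvent -InputObject $watcher -EventName Created `
    -SourceIdentifier 'TempPs1Created' -Action $action
$watcher.EnableRaisingEvents = $true
try {
    # Start powershell.exe in another window while this waits.
    Start-Sleep -Seconds $WatchSeconds
    Receive-Job $job
} finally {
    Unregister-Event -SourceIdentifier 'TempPs1Created'
    $watcher.Dispose()
    Remove-Job $job -Force
}
```

Going by the reply above, no events should appear on WMF 5.1 and later, which makes the watcher a quick way to tell a host's expected startup artifacts apart from scripts written to temp by something else.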
