Starting powershell.exe Temporarily Generates a PS1 File with Content of '1'

This topic contains 1 reply, has 1 voice, and was last updated by Tito Aldarondo 3 months, 1 week ago.

  • #51528
    Tito Aldarondo
    Participant

    I've come across a strange behavior of powershell.exe. Whenever a new powershell.exe process is started, a randomly-named PS1 file (e.g., "x2xj20xc.cez.ps1") is written to the user's temp directory. The file contains only the character '1' and only persists for a few milliseconds.

    (Assuming your temp dir is empty to begin with) Try:

    while ($true) { Get-ChildItem $env:TEMP\*.ps1 }
    

    and/or

    while ($true) { Get-ChildItem $env:TEMP\*.ps1 | Get-Content }
    

    and then start powershell.exe in another window.

    This isn't breaking anything for me. I'm just really curious if anyone knows what this is about.

  • #51778
    Tito Aldarondo
    Participant

    Answering my own question and posting for posterity, but would love to hear if anyone has their own take.

    I spoke with a colleague who put in a ticket with MS and it sounds like this is a mechanism to test if AppLocker is blocking script execution. Apparently from WMF 5.1 on, they stop doing this check (at least in this fashion).
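
An event-driven way to observe the same temp-file behaviour without a busy polling loop, added here as an example and not part of the original posts. It records each short-lived `.ps1` file's name, its content when it can still be read, and its lifetime. It assumes PowerShell 3.0 or later; the `TempPs1.*` source identifiers and the output property names are made up for this example.

```powershell
# Added example (not from the original thread). Watches %TEMP% for *.ps1 files.
$watcher = New-Object System.IO.FileSystemWatcher -ArgumentList $env:TEMP, '*.ps1'
$watcher.NotifyFilter = [System.IO.NotifyFilters]::FileName
$watcher.InternalBufferSize = 64KB   # headroom so a burst of events is not dropped

# Without -Action the events are queued, so they can be handled in this session.
Register-ObjectEvent -InputObject $watcher -EventName Created -SourceIdentifier 'TempPs1.Created'
Register-ObjectEvent -InputObject $watcher -EventName Deleted -SourceIdentifier 'TempPs1.Deleted'
$watcher.EnableRaisingEvents = $true

$created = @{}   # full path -> time the Created event was generated
try {
    while ($true) {
        Wait-Event -Timeout 1 | Out-Null   # wake when an event is queued, or after 1 s
        $events = @(Get-Event | Where-Object { $_.SourceIdentifier -like 'TempPs1.*' })
        foreach ($ev in $events) {
            $path = $ev.SourceEventArgs.FullPath
            if ($ev.SourceIdentifier -eq 'TempPs1.Created') {
                $created[$path] = $ev.TimeGenerated
                $content = $null
                try {
                    # Best effort: the file may already be gone when we get here.
                    $content = [System.IO.File]::ReadAllText($path)
                } catch {
                    $content = '<not readable>'
                }
                [pscustomobject]@{
                    Time = $ev.TimeGenerated; Event = 'Created'
                    Name = $ev.SourceEventArgs.Name; Content = $content; LifetimeMs = $null
                }
            } else {
                $life = $null
                if ($created.ContainsKey($path)) {
                    $life = [int]($ev.TimeGenerated - $created[$path]).TotalMilliseconds
                    $created.Remove($path)
                }
                [pscustomobject]@{
                    Time = $ev.TimeGenerated; Event = 'Deleted'
                    Name = $ev.SourceEventArgs.Name; Content = $null; LifetimeMs = $life
                }
            }
            Remove-Event -EventIdentifier $ev.EventIdentifier
        }
    }
} finally {
    # Ctrl+C lands here: unregister the subscriptions and release the watcher.
    Unregister-Event -SourceIdentifier 'TempPs1.Created' -ErrorAction SilentlyContinue
    Unregister-Event -SourceIdentifier 'TempPs1.Deleted' -ErrorAction SilentlyContinue
    $watcher.Dispose()
}
```

Run it in one window, then start powershell.exe in another; stop it with Ctrl+C.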
