Starting powershell.exe Temporarily Generates a PS1 File with Content of '1'

Welcome Forums General PowerShell Q&A Starting powershell.exe Temporarily Generates a PS1 File with Content of '1'

Viewing 1 reply thread
  • Author
    Posts
    • #51528
      Participant
      Topics: 1
      Replies: 2
      Points: 0
      Rank: Member

      I’ve come across a strange behavior of powershell.exe. Whenever a new powershell.exe process is started, a randomly-named PS1 file (e.g., “x2xj20xc.cez.ps1”) is written to the user’s temp directory. The file contains only the character ‘1’ and only persists for a few milliseconds.

      (Assuming your temp dir is empty to begin with) Try:

      while ($true) { Get-ChildItem $env:TEMP\*.ps1 }
      

      and/or

      while ($true) { Get-ChildItem $env:TEMP\*.ps1 | Get-Content }
      

      and then start powershell.exe in another window.

      This isn’t breaking anything for me. I’m just really curious if anyone knows what this is about.

    • #51778
      Participant
      Topics: 1
      Replies: 2
      Points: 0
      Rank: Member

      Answering my own question and posting for posterity, but would love to hear if anyone has their own take.

      I spoke with a colleague who put in a ticket with MS and it sounds like this is a mechanism to test if AppLocker is blocking script execution. Apparently from WMF 5.1 on, they stop doing this check (at least in this fashion).

Viewing 1 reply thread
  • The topic ‘Starting powershell.exe Temporarily Generates a PS1 File with Content of '1'’ is closed to new replies.