How to stop Powershell from executing remote commands


  1. Posts : 43
    Windows 10 Pro
       #1

    How to stop Powershell from executing remote commands


    A powershell window opened and closed.
    I checked Event Logs for Application/Microsoft/Windows/Powershell and I found different events.
    I have scriptblock ids, but I do not know what to do with those (No path)

    How can I stop PowerShell from executing remote commands?
    How can I find out where my computer is infected?

    Thanks.


  2. Posts : 4,691
    Windows 11 Pro 64 Bit 22H2
       #2

    The PowerShell window is actually an app that is running, maybe in Task Scheduler. You can download Autoruns and it will tell you what apps are running at startup, and you can narrow it down. https://learn.microsoft.com/en-us/sy...loads/autoruns


  3. Posts : 16,573
    Windows 10 Home x64 Version 22H2 Build 19045.3930
       #3

    IMayNeed said:
    A powershell window opened and closed.
    I didn't think that any of the built-in PowerShell tasks displayed any form of window.
    Is there an entry in Task scheduler's opening screen's Task status section at the time you saw the PS window?
    [Image: task-scheduler-local-task-status-section.png]

    IMayNeed said:
    I checked Event Logs for Application/Microsoft/Windows/Powershell and I found different events.
    Exactly where were you looking?
    At the bottom of the Event viewer window, what does it say for Log name & Source?
    Is it this?
    Log name - Windows PowerShell
    Source - PowerShell (PowerShell)

    IMayNeed said:
    I have scriptblock ids, but I do not know what to do with those (No path)
    In each PS event's records, there is a line beginning
    HostApplication=
    and I think you are saying that there is no file path identified in that entry.
    [Image: ps-log.png]
    Please look up and down the list to see if there is an entry that identifies a file and path around the time you saw that window.

    IMayNeed said:
    How can I stop PowerShell from executing remote commands?
    PowerShell does not, by default, execute remote commands.
    This is explained in Change PowerShell Script Execution Policy - TenForumsTutorials


    IMayNeed said:
    How can I find out where my computer is infected?
    Run a Windows Defender Quick scan.
    How to Scan with Windows Defender - TenForumsTutorials

    Best of luck,
    Denis


  4. Posts : 43
    Windows 10 Pro
    Thread Starter
       #4

    I checked Task Scheduler. Could not find any task around that time. (At least not a related one; 1 minute before the window opened there was a Vivaldi update task, but this window, and event 4104, happen more than once a day.)

    In the events I am looking at Applications/Microsoft/Windows/Powershell/Operational

    The path I am talking about is in event details at the end:

    Code:
    ScriptBlock ID: 22f3f871-*********
    Path:
    Event ID 4104 Executing a remote command

    Log Name : Microsoft-Windows-PowerShell/Operational
    Source: PowerShell (Microsoft-Windows-PowerShell)

    Execution Policy is undefined for everything.

    Currently, I believe, this came from an infected (or infector) USB Stick. It has the characteristics of a virus that hides pretty well.

    I will make a full Defender check, as I know that Defender should recognize this as a virus or threat.


  5. Posts : 16,573
    Windows 10 Home x64 Version 22H2 Build 19045.3930
       #5

    IMayNeed said:
    In the events I am looking at Applications/Microsoft/Windows/Powershell/Operational
    The path I am talking about is in event details at the end:
    OK, I found the log you are looking at. I have several EventID 4104 entries.
    They are categorised as Execute a Remote Command but that is incorrect in my case. The entries are created when I run my own PS1 files. I have not yet found any that lack a Path entry.


    IMayNeed said:
    Execution Policy is undefined for everything.
    Yes, that equals Restricted and that prevents remote scripts running [well, any scripts].
    I believe that any script trying to override that would have to exist on the local computer. I have not considered that question for years and cannot find any documentation to confirm my belief.


    Best of luck,
    Denis
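An added example (not code from any poster in this thread) for the log and event discussed in posts #4 and #5: it reads the 4104 records, joins the fragments of each script block, and lists the blocks whose Path is empty together with their script text, so the entry without a path can be read and matched against the time the window appeared. It assumes an elevated PowerShell session on the affected PC and a one-day lookback window.

```powershell
# Added example (not from any post in this thread): read the Event ID 4104 records
# from Microsoft-Windows-PowerShell/Operational, reassemble each script block by
# ScriptBlockId, and list the blocks whose Path is empty. An empty Path means the
# code was not loaded from a .ps1 file on disk, which is the case post #4 describes.
# Assumption: run in an elevated PowerShell session on the affected PC.
$Since = (Get-Date).AddDays(-1)   # assumed one-day window; widen as needed

$filter = @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = $Since
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) { Write-Host "No 4104 events since $Since"; return }

# Pull the named EventData fields out of each record's XML rather than relying
# on property positions.
$records = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        Time          = $e.TimeCreated
        ScriptBlockId = $d['ScriptBlockId']
        Path          = $d['Path']
        Part          = [int]$d['MessageNumber']
        Total         = [int]$d['MessageTotal']
        Text          = $d['ScriptBlockText']
    }
}

# A long script is logged as several 4104 fragments that share one ScriptBlockId;
# join them in MessageNumber order so the whole block can be read.
$blocks = $records | Group-Object ScriptBlockId | ForEach-Object {
    $parts = @($_.Group | Sort-Object Part)
    [pscustomobject]@{
        FirstSeen     = $parts[0].Time
        ScriptBlockId = $_.Name
        Path          = $parts[0].Path
        Script        = ($parts.Text -join '')
    }
}

# Triage view: file-less blocks, oldest first, with their full text so the
# timestamps can be matched against the moment the window appeared.
$blocks | Where-Object { [string]::IsNullOrEmpty($_.Path) } |
    Sort-Object FirstSeen |
    Format-List FirstSeen, ScriptBlockId, Script
```

Drop the Where-Object filter to see every block, including the ones Denis describes that are created by running your own PS1 files and do carry a Path.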


  6. Posts : 43
    Windows 10 Pro
    Thread Starter
       #6

    This is definitely a virus, trying to connect to chatgigi2.com. (I installed a free trial of an antivirus. - Still doing the Windows Defender Scan)
    I checked about the site and about the script , it is a crypto virus related to Vipersoft.
    It is using C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Apparently, it hides in log files.

    I cannot see where it hides from the antivirus (Malwarebytes trial).
    Only information is that it uses powershell.exe

    Either it came from a link in an email or a USB Stick (Can just speculate at the moment)
    I do not see any strange programs or extensions installed.

    The scan should reveal hopefully which program or extension is infected.

    It is outbound and trying to connect to Cloudflare IP addresses. (Port 80)

    For extra information, this is an unsecured wireless network, and several people have access to the router configuration.


  7. Posts : 16,573
    Windows 10 Home x64 Version 22H2 Build 19045.3930
       #7

    The Defender Quick Scan should only have taken a few minutes.
    [Its Full scan is something to run after a Quick scan has detected & removed malware. The Full scan seeks out & removes inactive remnants of malware and takes ages.]

    If Malwarebytes detected it, couldn't it remove it?

    Microsoft Safety Scanner is worth using.
    Its log is
    Code:
    %SYSTEMROOT%\debug\msert.log
    i.e.
    Code:
    C:\Windows\debug\msert.log


    Best of luck,
    Denis


  8. Posts : 43
    Windows 10 Pro
    Thread Starter
       #8

    Malwarebytes just says that it is a trojan and website blocked, but no item in quarantine or removed.
    Running a scan on that too. (Apparently the Malwarebytes scan stopped the Defender scan, as it registered itself as the antivirus.)
    Will report the results.

    Thanks.


  9. Posts : 18,045
    Win 10 Pro 64-bit v1909 - Build 18363 Custom ISO Install
       #9

    Post removed as the OP didn't need it.
    Last edited by Paul Black; 07 Mar 2023 at 08:08.


  10. Posts : 16,573
    Windows 10 Home x64 Version 22H2 Build 19045.3930
       #10

    Defender scans can still be run despite Malwarebytes.

    And you can turn off Malwarebytes real-time protection to get back Defender as your normal defence. But there's little point doing that until the problem has been solved.

    You can also use Defender offline scan to check for such things as rootkits.
    Windows Defender Offline Scan - TenForumsTutorials

    Denis


Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.