What's happening in powershell?


  1. Posts : 36
    windows10
       #1

    What's happening in powershell?


    In Task Manager I sometimes see PowerShell active without me starting it.
    How can I bring PowerShell to the foreground so I can monitor what code it runs?
    I want to see what happens in PowerShell but I don't know how.


  2. Posts : 17,011
    Windows 10 Home x64 Version 22H2 Build 19045.4170
       #2

    In Task Manager, Processes tab, right-click on any column header and select Command line so you can see which PowerShell ps1 file is being run.
    [Image: task-mgr-processes.png]
    I have never seen any PowerShell entry there apart from things I have been running myself, such as Sample.ps1 below.
    [Image: task-mgr-processes-showing-ps1.png]


    Denis


  3. Posts : 1,792
    Windows 10 Pro (+ Windows 10 Home VMs for testing)
       #3

    Run Event Viewer as Administrator and drill down to Applications and Services Logs > Microsoft > Windows > PowerShell > Operational. It will show both user and system's use of PowerShell, although most system usage will be indecipherable.

    Applications and Services Logs > PowerShellCore > Operational shows the startup of the PowerShell console, which I assume is what you are noticing.

    (Applications and Services Logs > Windows PowerShell shows 'engine' usage, i.e. Windows PowerShell ISE... but that's solely user-driven so not of interest here.)

    Read about PowerShell logging in this about_Logging_Windows article.

    Hope this helps...


  4. Posts : 821
    Windows 7
       #4

    Cleaned up typo.

    Enable PowerShell's ability to log every instance PowerShell is launched (even by system processes). Create a temp folder to hold the logs, and run as Administrator:
    Code:
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\Transcription" /v EnableTranscripting /t REG_DWORD /d 1 /f
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\Transcription" /v OutputDirectory /t REG_SZ /d "C:\Users\GARLIN\Downloads\LOGS" /f
    gpupdate /force

    Every time PowerShell is run, a new log file is created with the name of the user or service account, and script path (if it's not a terminal session). Most times, it's probably a background script run by Windows to update itself.

    To disable PowerShell logging:
    Code:
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\Transcription" /v EnableTranscripting /t REG_DWORD /d 0 /f
    gpupdate /force
    Last edited by garlin; 30 Mar 2023 at 12:15.

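    An added example, not garlin's or the forum's code: the same Transcription policy set from an elevated PowerShell prompt, with the output folder created first (transcription writes nothing if OutputDirectory does not exist on the machine where the policy applies), followed by a small function that reads the header of each transcript so the account, host command line and process ID can be matched against the Task Manager entry. The folder `C:\PSTranscripts` and the function names are assumptions; the header field names are the ones Windows PowerShell writes.

```powershell
# Added example (not from the thread): enable PowerShell transcription via the same
# policy key garlin uses, then summarise the transcripts it produces.
# Run from an elevated PowerShell prompt. $TranscriptDir is an assumed path; change it freely,
# but it must exist and be writable by every account that runs PowerShell (SYSTEM included).
$TranscriptDir = 'C:\PSTranscripts'
$PolicyKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'

New-Item -ItemType Directory -Path $TranscriptDir -Force | Out-Null
New-Item -Path $PolicyKey -Force | Out-Null
Set-ItemProperty -Path $PolicyKey -Name EnableTranscripting    -Type DWord  -Value 1
Set-ItemProperty -Path $PolicyKey -Name OutputDirectory        -Type String -Value $TranscriptDir
# Also stamp each command with the time it was invoked (EnableInvocationHeader is a real policy value).
Set-ItemProperty -Path $PolicyKey -Name EnableInvocationHeader -Type DWord  -Value 1
gpupdate /force | Out-Null

# Every transcript opens with a header block; constructed sample of the lines this script reads:
#   Windows PowerShell transcript start
#   Username: DESKTOP-ABC\alice
#   RunAs User: DESKTOP-ABC\alice
#   Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File C:\Scripts\Sample.ps1
#   Process ID: 1234
function Get-HeaderField {
    param([string[]]$Lines, [string]$Name)
    $hit = $Lines | Select-String -Pattern ('^{0}: (.*)$' -f [regex]::Escape($Name)) | Select-Object -First 1
    if ($hit) { $hit.Matches[0].Groups[1].Value.Trim() } else { $null }
}

function Get-TranscriptSummary {
    param([string]$Path = $TranscriptDir)
    # Transcripts land in a yyyyMMdd subfolder of OutputDirectory, one file per PowerShell host process.
    Get-ChildItem -Path $Path -Filter 'PowerShell_transcript.*.txt' -Recurse -File | ForEach-Object {
        $header = Get-Content -Path $_.FullName -TotalCount 25
        [pscustomobject]@{
            Started   = $_.CreationTime
            RunAsUser = Get-HeaderField $header 'RunAs User'
            ProcessId = Get-HeaderField $header 'Process ID'
            # The full command line: which .ps1 (if any) powershell.exe was started with.
            HostApp   = Get-HeaderField $header 'Host Application'
            File      = $_.FullName
        }
    }
}

# Process ID matches the PID column in Task Manager; HostApp matches its Command line column.
Get-TranscriptSummary | Sort-Object Started | Format-Table Started, RunAsUser, ProcessId, HostApp -AutoSize
```

    Run the summary again after the unexpected powershell.exe has appeared in Task Manager; a transcript whose RunAsUser is a service account and whose HostApp names a script path identifies the scheduled or system job behind it.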

  5. Posts : 17,011
    Windows 10 Home x64 Version 22H2 Build 19045.4170
       #5

    Do post back in this thread with whatever you find out about those PowerShell activities.

    All the best,
    Denis



    Welcome to TenForums.

    It's really worth making time to browse through the Tutorial index - there's a shortcut to it at the top of every page.
    - At the foot of the Tutorial index is a shortcut to download it as a spreadsheet.
    - I download a new copy each month.
    - By downloading it as a spreadsheet I can benefit from Excel's excellent filtering capabilities when I search for topics of interest.
    - Tutorials are also listed by category at Tutorials - there's also a shortcut to that at the top of every page.
    - Both tutorial lists are searchable.
    - You can also search for TenForumsTutorials in many general search engines, such as Google, by adding site:tenforums.com/tutorials after your search term. For example,
    taskbar toolbars site:tenforums.com/tutorials

    You can search TenForums using the search box in the top-right corner of all TenForums webpages or using Advanced Search - TenForums
    - You can also search TenForums threads in many general search engines, such as Google, by adding site:tenforums.com after your search term. For example,
    Search for drivers by HardwareID site:tenforums.com
    - [This is what the search box in the top-right corner of TenForums webpages does automatically]


  6. Posts : 36
    windows10
    Thread Starter
       #6

    garlin said: (quoting post #4 above)
    Used the code you shared.
    Code:
    Microsoft Windows [Version 10.0.19044.1288]
    (c) Microsoft Corporation. All rights reserved.
    
    C:\Windows\system32>reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\Transcription" /v EnableTranscripting /t REG_DWORD /d 1 /f
    The operation completed successfully.
    
    C:\Windows\system32>reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\Transcription" /v OutputDirectory /t REG_SZ /d "C:\Users\GARLIN\Downloads\LOGS /f
    The operation completed successfully.
    
    C:\Windows\system32>gpupdate /force
    Updating policy...
    
    Computer Policy update has completed successfully.
    User Policy update has completed successfully.
    Then in Task Manager I saw PowerShell again, but nothing was created in the Downloads folder.
    When I right-click to open file location it shows this path in Windows Explorer:
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

    Edit: I don't think it's relevant, but PowerShell always starts itself a few moments after opening my VPN.
    It's not a virus or anything. I only want to know why it happens and what exactly happens, to understand what's going on.
    [Attached image: screenshot282.png]


Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd