CMD prompt disappears, every 10 minutes

Hello, ALL:

"Used-To-Be" Power-User now at a loss: Client running Win10 22H2 x64 Pro, currently experiencing an annoyingly unacceptable CMD prompt flashing every 10 minutes. Solid. Every 10 min, I've seen it, just too quick to capture. Many similar issues online, no solution(s).
Checked for new installs/upgrades and several, so uncertainty there. Yes, I've hit the websites based on a basic search; vague at best. Tried screen records, inc. PowerPoint (via o/l recommendation) seeking title bar or other info, but still cannot capture anything about the popup. Defender, Malwarebytes return neg system-wide. Multiple apps on system = potential targets, so who knows, but nothing suspect afaik. I have limited experience with Task Scheduler, but don't see anything on system set to run that often. Eliminated non-essentials in startup, no luck. Tried to d/l MS SysInternals (no exp here), but no joy, could not run after d/l. Dang I really hate to ask for detailed help, but what step-by-step do I take to identify/eliminate her popup issues? Again, I've looked through Task Scheduler for a 00:10:00:00, didn't see anything, but a bit outside my experience. Startup apps: all look good/normal. OS re-install still possible, but possibly break her PC, or at least a major headache. Thought maybe Mozilla/Firefox (based on web-queries), but apparently not. Where to begin, how to narrow/eliminate with solid result(s)? Anybody willing to spend some time/knowledge with me, please do!!! I'll be back on that machine this weekend, and can respond from personal PC directly.

Thanks in advance for reading/helping, all input/suggestions/conv's very much appreciated. Peace.....

-J.D. (JDGiants)

You'll have a hard time capturing data, unless you enable Audit Process Creation.

Every new process and its command line with be recorded in the Event Logs. But you want to use a script to search through the logs faster. As Administrator, enable the policy:

Code:

auditpol /set /subcategory:"Process Creation" /success:enable
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit /v "ProcessCreationIncludeCmdLine_Enabled" /t REG_DWORD /d 1 /f

Try the included PowerShell script:
powershell -nop -ep bypass -f Audit_CMD.ps1

This script queries for any parent process that starts CMD, or any program that CMD starts. Script reports the timestamp, which process started CMD, and any command line. The search window is the last 24 hours, which works in your case.

When you're ready to stop logging (don't leave it on indefinitely):

Code:

auditpol /clear /y
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit /v "ProcessCreationIncludeCmdLine_Enabled" /t REG_DWORD /d 0 /f

For your case, I agree it's probably a scheduled task, but the real question is which one? And if you don't know the script name or command line it's executing, tracing it might be difficult. When task scheduler runs CMD, it will be listed as svchost.exe.

You can try the script on your current PC, to get familiar with it.

You could try Procmon from MS Sysinternals. Its tricky to get to grips with, as there is so much going on (on my PC, at least).

I started it up, reset its filters (the key to finding what you are after), then let it build up some monitored history. Shutting down unnecessary programs helps reduce the clutter (browser etc). I then paused the update (3rd button from left) to prevent more stuff scrolling in, and then gradually excluded all the (hopefully) unimportant stuff in the list, one by one (rt-click a given line and 'exclude process'). The list gradually shortens until its small enough to ignore what is left. Then I started monitoring again, opened a cmd prompt, then stopped monitoring again - the above is what I got: many instances of cmd.exe and Conhost.exe. In a list of some 1500 entries, only a handful were other processes.

So if you were to do the same, and then just let Procmon run, it should pick up a reasonably short list of events, and in there might be some cmd and conhost entries. There would hopefully be indicative entries before each 10-minute burst, which might give a clue as to what kicks them off.

Procmon is very capable, but most times I give up, as there is too much going on, but it may help you. atb, Martin

I rewrote my script, and tucked it inside a batch file to make it easy to use. Run these commands as Administrator (if you're not Administrator then Windows will ask you permission to elevate the script):

1. Turn on Audit Process and command line logging:

Code:

C:\Users\GARLIN\Downloads>Audit_CMD.bat enable
Audit Logs: ENABLED

2. Now wait until you see the black windows flash, or long enough for whatever to take place.

For testing, I created a scheduled task ("Run Batch File") that runs a CMD script every 5 min. Scheduled tasks are listed with a leading \.

Whenever available, CMD's command line will be displayed. Due to the fact that event logging isn't very time precise, the order of the calling task and its CMD child process aren't in perfect sequential order. Some tasks listed will be unrelated background jobs, but I can't exclude them in case it's your culprit.

Look for entries with the same timestamp to make sense of what task or program is calling CMD. This script will provide some idea of what's going on in the background.

Code:

C:\Users\GARLIN\Downloads>Audit_CMD.bat

TimeStamp              PID UserContext  Task/Process                                                                   Command Line
---------              --- -----------  ------------                                                                   ------------
05/05/23 09:20:12 PM       GARLIN       \Run Batch File
05/05/23 09:20:12 PM       GARLIN       svchost.exe                                                                    cmd.exe /c C:\Users\GARLIN\Downloads\Test_File.bat
05/05/23 09:20:12 PM  2968 -            cmd.exe
05/05/23 09:20:12 PM  5820 -            cmd.exe                                                                        schtasks /run /tn "Run Batch File"
05/05/23 09:21:50 PM       SYSTEM       \Microsoft\Windows\DeviceDirectoryClient\RegisterDeviceProtectionStateChanged
05/05/23 09:21:54 PM  5820 -            cmd.exe                                                                        more Audit_CMD.bat
05/05/23 09:22:28 PM  5820 -            cmd.exe                                                                        notepad Audit_CMD.bat
05/05/23 09:24:52 PM       GARLIN       svchost.exe                                                                    cmd.exe /c C:\Users\GARLIN\Downloads\Test_File.bat
05/05/23 09:24:52 PM  3952 -            cmd.exe
05/05/23 09:24:52 PM       GARLIN       \Run Batch File
05/05/23 09:26:26 PM       SYSTEM       \Microsoft\Windows\InstallService\ScanForUpdates
05/05/23 09:26:28 PM       SYSTEM       \Microsoft\Windows\DeviceDirectoryClient\RegisterDeviceAccountChange
05/05/23 09:26:28 PM       GARLIN       \Microsoft\Windows\LanguageComponentsInstaller\Installation
05/05/23 09:26:28 PM       GARLIN       \Microsoft\Windows\DeviceDirectoryClient\RegisterUserDevice
05/05/23 09:29:52 PM       GARLIN       \Run Batch File
05/05/23 09:29:52 PM       GARLIN       svchost.exe                                                                    cmd.exe /c C:\Users\GARLIN\Downloads\Test_File.bat
05/05/23 09:29:52 PM  4896 -            cmd.exe
05/05/23 09:34:52 PM  2024 -            cmd.exe
05/05/23 09:34:52 PM       GARLIN       svchost.exe                                                                    cmd.exe /c C:\Users\GARLIN\Downloads\Test_File.bat
05/05/23 09:34:52 PM       GARLIN       \Run Batch File
05/05/23 09:39:52 PM       GARLIN       \Run Batch File
05/05/23 09:39:52 PM  1228 -            cmd.exe
05/05/23 09:39:52 PM       GARLIN       svchost.exe                                                                    cmd.exe /c C:\Users\GARLIN\Downloads\Test_File.bat

Audit Logs: ENABLED

3. When you're satisfied with the logged data, turn off Audit Process and command line logging (don't leave it on indefinitely):

Code:

C:\Users\GARLIN\Downloads>Audit_CMD.bat disable
Audit Logs: DISABLED