2

I never use Powershell for anything, I have no need. This is my own personal home machine with Windows 11 Professional.

I had noticed from time to time, maybe once a day or so with no pattern of note, a blue window which looked like powershell would flash up for a split second and disappear. I checked history and Get-History in Powershell and there is nothing there.

To find the culprit I wrote a small Winforms app in C# which every 10 milliseconds gets the list of open windows on the screen using EnumWindows Windows API with the full path of the owning executable by calling QueryFullProcessImageName with the window handle.

Lo and behold, today it happens and the window title is Powershell with the path being the full path to windows powershell.

The difference is the path is different when I run it manually using the same command line?

When it showed up in my app, i.e. whatever is executing it randomly, it had a title of C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe with a path of exactly the same.

When I run it myself first I get the same window title but then another pops in because the window title changed with a title of Windows Powershell, the path for both entries when I run it manually is C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.18.3181.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe

How the hell do I proceed from here? Is there a way to report on what runs an executable? I don't run Powershell scripts so I don't mind having it locked down if I need to while I find the culprit.

8
  • You can use AutoRuns to determine which entry in the registry is automatically starting a script. Windows Terminal is the default prompt handler on Windows 11.
    – Ramhound
    Commented Nov 30, 2023 at 12:28
  • Terminal isn't being run automatically, powershell is. It's the other way around than you think. Would the registry open something sporadically? I use my PC for work with a VDI so I sit here all day and it happens about once every two days at random intervals. What is Autoruns? Commented Nov 30, 2023 at 12:31
  • Autoruns shows nothing in Everything for powershell Commented Nov 30, 2023 at 12:37
  • 1
    If it's a scheduled task, you could in Task Scheduler click "Enable All Tasks History", then search for tasks that happened at that time. See How to enable Task Scheduler history on Windows 11.
    – harrymc
    Commented Nov 30, 2023 at 14:04
  • 1
    Thank you @harrymc, never even thought to check there. Want to suggest an answer? It was a scheduled task for certbot which I did not manually set up. Commented Nov 30, 2023 at 15:04

1 Answer

1

The problem PowerShell job turned out to be a scheduled task for certbot that needed to be disabled.

To track the task, you need to click "Enable All Tasks History" in the Task Scheduler, then wait for the task to appear. The task history can be listed in the History pane:


For more information, see the article How to enable Task Scheduler history on Windows 11.

1
  • Just for anyone else, I didn't go as far as enabling history, I just right-clicked each scheduled task that didn't look familiar and clicked run and certbot gave me the exact same output as the one I was hunting so I deleted it entirely as I don't need it to run on a schedule. Commented Dec 1, 2023 at 17:11
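
An added example, not part of the original answer or comments: the same hunt done from an elevated PowerShell prompt. It lists every scheduled task whose action launches PowerShell, with last and next run times to compare against the moment the window flashed, then reads the Task Scheduler history log for "action started" events (ID 200) if history is enabled. The `$HoursBack` window and the match pattern are assumptions chosen for this example.

```powershell
# Added example: find scheduled tasks that launch PowerShell.
$HoursBack = 48                    # assumption: how far back to search task history
$pattern   = 'powershell|pwsh'     # matches powershell.exe / pwsh.exe in command or arguments

$tasks = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        # Exec actions carry Execute/Arguments; other action types leave them empty
        $cmd = "$($action.Execute) $($action.Arguments)".Trim()
        if ($cmd -match $pattern) {
            $info = $task | Get-ScheduledTaskInfo -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Task        = $task.TaskPath + $task.TaskName
                State       = $task.State
                LastRunTime = $info.LastRunTime
                NextRunTime = $info.NextRunTime
                Command     = $cmd
            }
        }
    }
}
$tasks | Sort-Object LastRunTime -Descending | Format-List

# Task history lives in this event log; "Enable All Tasks History" turns it on.
$logName = 'Microsoft-Windows-TaskScheduler/Operational'
$log = Get-WinEvent -ListLog $logName

if (-not $log.IsEnabled) {
    Write-Warning "Task history is disabled. Enable it in Task Scheduler, or run: wevtutil set-log $logName /enabled:true"
}
else {
    # Event ID 200 = an action was started; its message names the launched executable.
    $filter = @{
        LogName   = $logName
        Id        = 200
        StartTime = (Get-Date).AddHours(-$HoursBack)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $pattern } |
        Sort-Object TimeCreated |
        Format-List TimeCreated, Message
}
```

History events are only recorded from the moment the log is enabled, so the second half returns nothing for runs that happened before that.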
