I have a process running on a server named powershell2.exe. It is not under the path where I would expect PowerShell to be running; instead it is deep in my **C:\Program Files** tree, within a folder associated with a trusted application (Splunk). My colleagues assure me that this isn't some sort of malware, but I'm wondering why there might be a need for an application to have such an executable present and running.

Can anyone shed light on this?

  • Does the file have a digital signature? Is it from Microsoft?
    – Daniel B
    Commented Jan 25, 2016 at 15:13

1 Answer

Looks to be some Splunk-specific component, at least according to their blog: http://blogs.splunk.com/2013/09/09/powershell-version-2/

My final advice is on errors. We now have two PowerShell hosts, each with different requirements. When installed on a standard Windows Server 2008R2 host with no updates, only PowerShell2.exe will be running because the .NET Framework 4.5 is not available. You will see errors in the splunkd.log pertaining to the inability to start the PowerShell.exe. In a similar manner, when installed on a standard Windows Server 2012 host, only PowerShell.exe will be running because the .NET Framework 3.5 is not available.
Note that this is probably a PowerShell host and not the runtime itself:

You can host Windows PowerShell in your application. The host application can define the runspace where commands are run, open sessions on a local or remote computer, and invoke the commands either synchronously or asynchronously based on the needs of the application.

So it's very much a Splunk component and not part of the system. They just chose to name it powershell2.exe. They could have named it cmd.exe or explorer.exe if they wanted.

  • Many thanks; that is good enough an answer for me! I'll follow your link and read up on this business of "hosting PowerShell in your application" a little more, so I can focus my malware paranoia on something else. Commented Jan 25, 2016 at 23:02
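Daniel B's comment suggests checking the digital signature. The script below is an added example, not code from the original post or from Splunk: it lists every running process whose image name starts with "powershell" but whose binary lives outside the Windows-shipped PowerShell folders, and reports its path, Authenticode status, signer and parent process, so a vendor-shipped host like the one in the question can be told apart from an unsigned look-alike. It assumes Windows PowerShell 3.0 or later (so that process objects expose `.Path`) and an elevated session able to read the image paths of processes owned by other accounts; the list of expected roots is an assumption to adjust for your environment.

```powershell
# Added example (not from the original post): triage PowerShell-named processes
# that run from an unexpected location, reporting signature status and signer.
# Assumes Windows PowerShell 3.0+ and an elevated session.

# Folders from which a PowerShell host is normally expected to run (assumption).
$expectedRoots = @(
    (Join-Path $env:SystemRoot 'System32\WindowsPowerShell'),
    (Join-Path $env:SystemRoot 'SysWOW64\WindowsPowerShell')
)

function Test-ExpectedRoot {
    param([string]$Path)
    foreach ($root in $expectedRoots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

function Get-UnexpectedPowerShellHost {
    foreach ($p in Get-Process -Name 'powershell*' -ErrorAction SilentlyContinue) {
        if (-not $p.Path) { continue }            # no access to the image path; skip
        if (Test-ExpectedRoot $p.Path) { continue } # lives where PowerShell should

        # Authenticode check: Status is Valid, NotSigned, HashMismatch, UnknownError, ...
        $sig = Get-AuthenticodeSignature -FilePath $p.Path
        $parentPid = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.Id)" |
                     Select-Object -ExpandProperty ParentProcessId

        [pscustomobject]@{
            Pid             = $p.Id
            Name            = $p.Name
            Path            = $p.Path
            SignatureStatus = $sig.Status
            Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            FileDescription = (Get-Item -LiteralPath $p.Path).VersionInfo.FileDescription
            ParentPid       = $parentPid
        }
    }
}

Get-UnexpectedPowerShellHost | Format-List
```

A result whose `SignatureStatus` is `Valid` and whose `Signer` names the vendor that owns the parent folder (here, the Splunk installation) is consistent with the explanation in the answer; `NotSigned` or `HashMismatch` on a binary in that location is what warrants a closer look.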
