I never use PowerShell for anything; I have no need. This is my own personal home machine with Windows 11 Professional.
I had noticed from time to time, maybe once a day or so with no pattern of note, a blue window which looked like PowerShell would flash up for a split second and disappear. I checked history and Get-History in PowerShell and there is nothing there.
To find the culprit I wrote a small WinForms app in C# which every 10 milliseconds gets the list of open windows on the screen using the EnumWindows Windows API, with the full path of the owning executable by calling QueryFullProcessImageName with the window handle.
Lo and behold, today it happens and the window title is Powershell with the path being the full path to Windows PowerShell.
The difference is the path is different when I run it manually using the same command line?
When it showed up in my app, i.e. whatever is executing it randomly, it had a title of C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe with a path of exactly the same.
When I run it myself, first I get the same window title but then another pops in because the window title changed, with a title of Windows Powershell. The path for both entries when I run it manually is C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.18.3181.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe
How the hell do I proceed from here? Is there a way to report on what runs an executable? I don't run PowerShell scripts so I don't mind having it locked down if I need to while I find the culprit.
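
One way to record what launches powershell.exe, as an added example that is not part of the original post: subscribe to the WMI `Win32_ProcessStartTrace` event and log the parent process of each launch. It assumes an elevated Windows PowerShell session that is left open; the log path and the `PsLaunch` identifier are names chosen for this example.

```powershell
# Added example. Run as administrator: Win32_ProcessStartTrace needs elevation.
# Assumed output location for the log (chosen for this example).
$logPath = Join-Path $env:TEMP 'powershell-launches.csv'

# Fire once for every new process whose image name is powershell.exe.
$query = "SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName = 'powershell.exe'"

Register-CimIndicationEvent -Query $query -SourceIdentifier 'PsLaunch' `
    -MessageData $logPath -Action {

    $e = $Event.SourceEventArgs.NewEvent

    # Look both processes up immediately. A window that only flashes may
    # already be gone, and the parent may have exited too, so either
    # lookup can return nothing; the PIDs from the event are always logged.
    $child  = Get-CimInstance Win32_Process -Filter "ProcessId = $($e.ProcessID)"
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($e.ParentProcessID)"

    [pscustomobject]@{
        Time          = (Get-Date).ToString('o')
        ChildPid      = $e.ProcessID
        ChildCmdLine  = $child.CommandLine        # empty if the child already exited
        ParentPid     = $e.ParentProcessID
        ParentName    = $parent.Name              # empty if the parent already exited
        ParentPath    = $parent.ExecutablePath
        ParentCmdLine = $parent.CommandLine
    } | Export-Csv -Path $Event.MessageData -Append -NoTypeInformation
} | Out-Null

Write-Host "Logging powershell.exe launches to $logPath"
Write-Host "Stop with: Unregister-Event -SourceIdentifier PsLaunch"
```

If the parent has already exited by the time the lookup runs, only its PID is recorded, and because Windows reuses PIDs a name resolved late may belong to a different process. The child's command line, when captured, shows which script or arguments were passed.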