Windows 10: Powershell обращается к CatRoot и запускается спустя несколько минут работы ПК

Уже месяц после запуска ПК powershell запускается и обращается к catroot windows defender блокирует данное обращение, но помимо этого так же запускается ещё один powershell и в диспетчере задач в пункте "командная строка" он пытается получить какой-то результат. На систему никак не влияет, вирусов нет много чем систему сканировал поэтому уверен в этом.В чём может быть проблема?

:)

 

Why does Powershell V1 (and not V7) trying to access %system%\CatRoot?

Telemetry tasks still use the old Powershell. The relevant tasks that access CatRoot on Windows 11 are:

\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser

\Microsoft\Windows\Application Experience\MareBackup

The only ways to tell the difference between malware using Powershell and otherwise is looking at its command line arguments for malicious or highly obfuscated instructions, see if its running an unknown script, or by analyzing a process dump.

If you use Process Monitor and launch the tasks listed above, you'll see the Powershell instance is launched with the command line:

powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1'

Process Monitor - Sysinternals

 

Why does Powershell V1 (and not V7) trying to access %system%\CatRoot?

Hi, everyone. Defender notificates that Powershell.exe is trying to access %system%\CatRoot. It should be regular BUT the fact that the specific Powershell is NOT the updated pwsh.exe (version 7) I've installed recently, but the old (and potentially unsafe) version 1.

It's strange because when I installed Powershell7, I checked the specific option "Add Run with Powershell7 context menu for Powershell files".

I asked to a nice technical-support operator that said: "The Powershell version that is trying to access to %system%\CatRoot is likely determined by the script or process that is invoking it. If a script or process specifically calls for Powershell v1, then that version will be used." And this sounds good.

But I suspect that Powershell vers.1 is an old and potentially unsafe version, so this worries me a bit... How can I tell the difference between a regular Powershell.exe v.1 operation and a malware that acts behind it?

Thanks in advance.

 

PowerShell instead of Commandline in Creators Update

Interestingly enough my personal laptop just got the update...and still has Command Prompt listed, not PowerShell...

Edit: Not that it matters...I use both regularly. *Toast :toast: