Starting powershell.exe Temporarily Generates a PS1 File with Content of '1'

tito-aldarondo · August 22, 2016, 4:56pm

I’ve come across a strange behavior of powershell.exe. Whenever a new powershell.exe process is started, a randomly-named PS1 file (e.g., “x2xj20xc.cez.ps1”) is written to the user’s temp directory. The file contains only the character ‘1’ and only persists for a few milliseconds.

(Assuming your temp dir is empty to begin with) Try:

while ($true) { Get-ChildItem $env:TEMP\*.ps1 }

and/or

while ($true) { Get-ChildItem $env:TEMP\*.ps1 | Get-Content }

and then start powershell.exe in another window.

This isn’t breaking anything for me. I’m just really curious if anyone knows what this is about.

tito-aldarondo · August 24, 2016, 1:01pm

Answering my own question and posting for posterity, but would love to hear if anyone has their own take.

I spoke with a colleague who put in a ticket with MS and it sounds like this is a mechanism to test if AppLocker is blocking script execution. Apparently from WMF 5.1 on, they stop doing this check (at least in this fashion).

Topic		Replies	Views
PowerGUI exe outputting script to temp? PowerShell Help	0	146	December 31, 2011
Launching PowerShell Script (PS1) Without Waiting to Finish PowerShell Help	1	189	April 16, 2019
Random powershell output files in C:\windows\temp PowerShell Help	2	160	April 18, 2019
Could you look over my script? PowerShell Help	3	153	December 1, 2016
Help: Run in powershell is not showing up on right click on .ps1 files PowerShell Help	1	151	April 22, 2014

Starting powershell.exe Temporarily Generates a PS1 File with Content of '1'

Related Topics