Starting powershell.exe Temporarily Generates a PS1 File with Content of '1'

I’ve come across a strange behavior of powershell.exe. Whenever a new powershell.exe process is started, a randomly-named PS1 file (e.g., “x2xj20xc.cez.ps1”) is written to the user’s temp directory. The file contains only the character ‘1’ and only persists for a few milliseconds.

(Assuming your temp dir is empty to begin with) Try:

while ($true) { Get-ChildItem $env:TEMP\*.ps1 }


while ($true) { Get-ChildItem $env:TEMP\*.ps1 | Get-Content }

and then start powershell.exe in another window.

This isn’t breaking anything for me. I’m just really curious if anyone knows what this is about.

Answering my own question and posting for posterity, but would love to hear if anyone has their own take.

I spoke with a colleague who put in a ticket with MS and it sounds like this is a mechanism to test if AppLocker is blocking script execution. Apparently from WMF 5.1 on, they stop doing this check (at least in this fashion).
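Because the file lives for only a few milliseconds, a polling loop can miss it. The following is an added example, not part of the original post: it subscribes to file-creation events in the temp directory so that each short-lived PS1 file is recorded even if it is deleted before it can be read. The event name `TempPs1Created` is a hypothetical label chosen for this example. Run it in one window and start powershell.exe in another.

```powershell
# Added example (not from the original post): log short-lived *.ps1 files
# created in the user's temp directory, using change notifications
# instead of polling.
$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = $env:TEMP
$watcher.Filter = '*.ps1'
$watcher.IncludeSubdirectories = $false
$watcher.NotifyFilter = [System.IO.NotifyFilters]::FileName
$watcher.InternalBufferSize = 65536   # larger buffer so bursts are not dropped

$sourceId = 'TempPs1Created'          # hypothetical event name for this example
Register-ObjectEvent -InputObject $watcher -EventName Created `
    -SourceIdentifier $sourceId | Out-Null
$watcher.EnableRaisingEvents = $true

try {
    while ($true) {
        # Events are queued, so none are lost between loop iterations.
        $evt = Wait-Event -SourceIdentifier $sourceId -Timeout 5
        if (-not $evt) { continue }

        $path = $evt.SourceEventArgs.FullPath
        try {
            # Best effort: the file may already be deleted or still locked.
            $content = [System.IO.File]::ReadAllText($path)
        } catch {
            $content = '<already deleted or locked>'
        }

        New-Object PSObject -Property @{
            Time    = $evt.TimeGenerated
            Name    = $evt.SourceEventArgs.Name
            Content = $content
        }
        Remove-Event -EventIdentifier $evt.EventIdentifier
    }
} finally {
    # Runs on Ctrl+C as well, so the subscription does not linger.
    Unregister-Event -SourceIdentifier $sourceId
    $watcher.Dispose()
}
```

The file name is captured from the notification itself, so an entry appears even when the content read loses the race with deletion.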