High CPU

  • Question

  • Hi All

    On one of my Windows 2012 R2 servers, Windows PowerShell is using 80 percent CPU. I can see 5 Windows PowerShell processes running with a service account. There is also no Task Scheduler task running with this service account.
    How do I trace which backend process is associated with this PowerShell? Also, when I right-click PowerShell and open the file location, it gives me the PowerShell path C:\Windows\System32\WindowsPowerShell\v1.0.
    When I run Process Monitor I am seeing something like the below for the PowerShell properties:

    Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line:
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" \\127.0.0.1\admin$\temp\unregistered\psscript_executeRemote_67e48908-ju98-4130-bijk-09ce8d67f63c.ps1 \\127.0.0.1\admin$\temp\unregistered @{'dirs'=@(@{'FullName'='c:\program files*'}, @{'FullName'='c:\windows'}, @{'FullName'='%PATH%'})} @{'dirs'=@(@{})} @{'files'=@('*.exe','*.dll','*.ocx','*.DLL','*.EXE','*.ttf','*.mui','*.jar','*.mxx','*.ide','*.mda','*.pbd','*.pbb','*.DAT','*.pdb','*.ini','*.ax','*.def','*.wmv','*.sys','*.TCE','*.rpt','*.dbs','*.cer','*.fnt','*.bat','*.vbs','*.GID','*.mxw','*.MDB','
    Tuesday, December 24, 2019 11:40 AM

Answers

  • You have to implement Sysmon logging.

    When Sysmon is running it will show you who is starting what at any time.

    \\127.0.0.1\admin$ is the local Admin share, which points to C:\Windows.

    So your process is executed from the "c:\windows\temp" folder; have a look there.

    HTH
    -mario

    • Marked as answer by ItsMe-Roger Tuesday, January 7, 2020 12:15 PM
    Tuesday, December 31, 2019 4:39 PM
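As an added example that is not part of the thread (neither the poster's nor mario's code), the script below does what the answer describes for the situation in the question: it names the parent of each running powershell.exe, translates the \\127.0.0.1\admin$ UNC on the command line to its local path under %SystemRoot% so the .ps1 itself can be inspected, and, once Sysmon is installed, pulls its process-creation events (ID 1) for powershell.exe. It assumes an elevated session on the affected host; the log name Microsoft-Windows-Sysmon/Operational is Sysmon's default, and the function names are my own.

```powershell
# Added example, not from the original thread. Assumes an elevated session on the
# affected host and, for the last step, Sysmon installed with its default log name.

# --- 1. Who launched the powershell.exe processes? (works without Sysmon) ---------
# Win32_Process records the parent PID; if the parent is still alive we can name it.
function Get-PowerShellParent {
    $procs = Get-CimInstance Win32_Process -Filter "Name = 'powershell.exe'"
    foreach ($p in $procs) {
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
        $owner  = Invoke-CimMethod -InputObject $p -MethodName GetOwner
        [pscustomobject]@{
            PID         = $p.ProcessId
            Owner       = '{0}\{1}' -f $owner.Domain, $owner.User
            ParentPID   = $p.ParentProcessId
            ParentName  = if ($parent) { $parent.Name } else { '<parent exited>' }
            ParentPath  = if ($parent) { $parent.ExecutablePath } else { $null }
            CommandLine = $p.CommandLine
        }
    }
}

# --- 2. Turn \\127.0.0.1\admin$\... into the local path under %SystemRoot% -------
# ADMIN$ is the hidden administrative share for %SystemRoot% (C:\Windows). Only
# loopback/local hostnames are translated; anything else really is a remote share.
function Convert-AdminShareToLocalPath {
    param([Parameter(Mandatory)][string]$Path)
    $localNames = @('127.0.0.1', 'localhost', $env:COMPUTERNAME)
    if ($Path -match '^\\\\(?<host>[^\\]+)\\admin\$(?<rest>\\.*)?$' -and
        $localNames -contains $Matches['host']) {
        $rest = $Matches['rest']
        if ([string]::IsNullOrEmpty($rest)) { return $env:SystemRoot }
        return $env:SystemRoot + $rest
    }
    return $Path
}

# --- 3. Locate and inspect the script named on the command line -------------------
function Get-LaunchedScriptInfo {
    param([Parameter(Mandatory)][string]$CommandLine)
    # First UNC or drive-letter token that ends in .ps1 (the executable path is
    # quoted and followed by a space, so it cannot match).
    if (-not ($CommandLine -match '(?<script>(\\\\|[A-Za-z]:\\)\S+?\.ps1)')) { return $null }
    $local = Convert-AdminShareToLocalPath -Path $Matches['script']
    if (-not (Test-Path -LiteralPath $local)) {
        return [pscustomobject]@{ Script = $local; Exists = $false }
    }
    $item = Get-Item -LiteralPath $local
    [pscustomobject]@{
        Script      = $local
        Exists      = $true
        Owner       = (Get-Acl -LiteralPath $local).Owner
        Created     = $item.CreationTime
        LastWritten = $item.LastWriteTime
        SizeBytes   = $item.Length
        FirstLines  = (Get-Content -LiteralPath $local -TotalCount 15) -join "`n"
    }
}

# --- 4. Sysmon Event ID 1 (process create) for powershell.exe --------------------
# Fields are read by name from the event XML rather than by index, because the
# field order differs between Sysmon versions.
function Get-SysmonPowerShellCreate {
    param([int]$MaxEvents = 1000)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d['Image'] -like '*\powershell.exe') {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    User        = $d['User']
                    ParentImage = $d['ParentImage']
                    ParentCmd   = $d['ParentCommandLine']
                    CommandLine = $d['CommandLine']
                }
            }
        }
}

# Usage: current processes and their parents, then the script each one runs.
Get-PowerShellParent | Tee-Object -Variable ps | Format-List
$ps | ForEach-Object { Get-LaunchedScriptInfo -CommandLine $_.CommandLine } | Format-List
# Everything dropped in the folder the command line points at (admin$\temp\unregistered):
Get-ChildItem -LiteralPath (Join-Path $env:SystemRoot 'Temp\unregistered') -ErrorAction SilentlyContinue |
    Select-Object Name, Length, CreationTime, LastWriteTime
# After Sysmon is installed, the parent is recorded even if it has already exited:
Get-SysmonPowerShellCreate | Format-List
```

Step 1 is enough when the launcher is a long-lived service, but a parent PID from Win32_Process can be stale or reused once the parent exits, which is why the answer points at Sysmon: Event ID 1 captures the parent image and command line at creation time. The admin$ translation deliberately refuses non-local hostnames so that a genuinely remote launch is not misread as a local one.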