.PS1 Scripts Being Run from Local Temp Folder By App-V Client and Applocker

  • Question

    We are currently running AppLocker in Audit Mode in advance of switching it on.

    I have noticed a number of .ps1 scripts that are being run from %OSDRIVE%\USERS\UserName\APPDATA\LOCAL\TEMP and each is a random name and disappears immediately after running. Each of these coincides with an App-V action so for example when there is a Sync-AppVPublishingServer you will find one of these also.

    I have removed the App-V client from my PC and no more entries in AppLocker Event Logs.

    I am pretty confident these .PS1 scripts relate to App-V actions. Surely, when running App-V operations it shouldn't be touching the User's Local Temp folder though?

     

    Wednesday, May 3, 2017 11:00 AM
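
The audit entries described in the question can be pulled out and lined up against App-V activity with a short query. This is an added example, not part of the original thread; it assumes the default AppLocker script log name, the standard event field names, and a seven-day look-back window chosen for illustration.

```powershell
# Added example: list AppLocker audit hits for .ps1 files in a user's Local\Temp
# and bucket them by user and hour so they can be compared with App-V sync times.
$logName = 'Microsoft-Windows-AppLocker/MSI and Script'
$since   = (Get-Date).AddDays(-7)   # look-back window (assumption, adjust as needed)

# Event ID 8006: a script or MSI was allowed to run but would have been
# blocked if the rule collection were enforced (audit mode).
$events = Get-WinEvent -FilterHashtable @{
    LogName   = $logName
    Id        = 8006
    StartTime = $since
} -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # FilePath and TargetProcessId are read from the event's UserData block
    # (field names assumed from the standard AppLocker event schema).
    $data = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
    $path = [string]$data.FilePath

    # -match is case-insensitive, so this covers both %OSDRIVE%\USERS\...
    # and expanded C:\Users\... forms of the path.
    if ($path -match '\\APPDATA\\LOCAL\\TEMP\\[^\\]+\.ps1$') {
        $user = try {
            $e.UserId.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            [string]$e.UserId   # fall back to the raw SID
        }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            User        = $user
            ProcessId   = $data.TargetProcessId
            FileName    = Split-Path -Path $path -Leaf
            FilePath    = $path
        }
    }
}

# Individual hits, oldest first.
$hits | Sort-Object TimeCreated | Format-Table TimeCreated, User, ProcessId, FileName -AutoSize

# Hourly counts per user: compare these buckets with the times of
# App-V actions such as Sync-AppVPublishingServer.
$hits |
    Group-Object User, { $_.TimeCreated.ToString('yyyy-MM-dd HH:00') } |
    Sort-Object Name |
    Select-Object Name, Count
```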

Answers

  • That's by design with PowerShell version 5.0. We had the same issue and opened a support case for this some months ago.

    MS created a "fix" in Win 10 Creators Update. The behavior for the PS script generated on the fly has been adapted. They added a prefix to the PS script, so that we can add an AppLocker exclusion. We hoped for a better fix, but we need to live with it.

    • Marked as answer by AndrewKelly Wednesday, May 3, 2017 1:13 PM
    Wednesday, May 3, 2017 11:28 AM

All replies

  • Wow. Appreciate comprehensive and immediate response.
    Wednesday, May 3, 2017 1:13 PM
  • According to Premier Support this issue is still Active, meaning even the workaround has not been finalised yet. Do you mind letting me know your Incident Number so I can ask the guy I am speaking to to refer to that?
    Thursday, May 4, 2017 1:39 PM
  • Case number 117012015202527
    Monday, May 8, 2017 4:44 PM
  • Is there a Solution for Windows Server 2016 1607?
    Tuesday, February 20, 2018 4:29 PM