
JohnnyMusso

Members
  • Posts

    15
About JohnnyMusso

  • Rank
    Newbie

Profile Information

  • Location
    USA


  1. Update after reboot and comparison with tasklist, procmon, procexp
     • Tasklist - shows the process
     • Procmon64 - only shows the process in profiling events. Can't catch it otherwise even though it's using 18% cpu right now according to task manager.
     • Procexp - Shows the process is running
     • Debugger - VStudio debugger shows only a couple of eset modules loaded = c:\program files\eset security\ebehmoni.dll c:\program files\eset security\eamsi.dll.
     So, I don't understand why procmon doesn't show the process running but it does show up everywhere else. Unless you guys have another suggestion, I'll kill the process and carry on. Thank You for the assistance.
  2. Hey Marcos, No, it's behaving the same way. I just have to kill it after each restart or I can uninstall Nod32 to solve the problem and keep it from starting. Like you and ITMan pointed out, it seems to be legitimately getting called and doesn't seem to be encountering or throwing an error but it doesn't end and it sits and uses around 15% cpu time until I kill it. And, even though it's reported to be using 15% or more cpu time, I can't really tell it's running at all. Also, it seems to have no effect on any Nod32 operations after I kill it. I'm wondering at this point if task manager is mis-reporting the process as still active when it's not. So, after I restart next time, I think I'm going to check procmon, procexp, and tasklist again to see if it's listed in the active tasks with those utilities. I've already killed it today and can't restart right now. Unless you have another idea, I'll check that out and let y'all know the results before I close this. Something tells me that tasklist won't show it running - because maybe it isn't?
  3. Update After Reinstall and Restart = Powershell session did get started during bootup (as expected). Marcos, ... Thanks again for the reply. Yes, it appears to run but returns quietly (of course). Below are the results of the Get-AppxPackage command..
  4. Update #2: I re-Installed Nod32 from the Eset website and the Powershell process has been started again with the same parameters before even restarting the system. Initial (after-installation) scan is being performed as we speak. Again, the powershell process is using 15.4% cpu time - which matches what was going on before uninstall.
  5. Thanks for the feedback ITMan and Marcos. I'll uninstall and reinstall and see what happens. I've been holding off until more details about the problem were evaluated. Marcos, in the bootlog I gathered, I did see/confirm that ekrn.exe appeared to have started the powershell program/process. I assume you were able to see the same? Will update after uninstall and reinstall.
  6. Update #1: Uninstalled Nod32 and the Powershell process was NOT restarted at bootup without Nod32 on the system.
  9. Thanks ITMan, I believe that's a great assumption and I was thinking along that line as well. If it didn't continue in task manager to run and use around 12-16% cpu I wouldn't have been concerned about it. I did search autoruns and schtasks too and didn't find any direct call like this.
  10. Thanks Marcos, They did start communicating with me by emailing back but their answer was still "we don't use powershell, call MS". Well, since I have a bootlog here showing that ekrn.exe in the eset folder starts powershell, my confidence isn't high in their answer. I'm working on getting this for you. I forgot to turn off hips first time. Will do it again. Either way, fyi, procmon boot shows the start of the process to be from ekrn. VERY STRANGE THING I'VE NOTICED THOUGH .. During normal operation, I see the powershell task in Task manager but can NOT find it using procmon! I'd expect to see the opposite behavior with a hidden task or something missing from taskmgr, not from procmon! I should have this zip file for you next posting. Thank You again for your input.
  11. Thanks Marcos, I did raise a support ticket and received a confirmation for it but could not find a place to access the ticket to check for responses. I received no response via email either. So, I opened a chat ticket and the support person said he couldn't access/see the ticket I created which caused me to re-send the problem information / question to him! I showed him everything via remote support, etc. and still he couldn't tell me where the ticket could be accessed to see updated responses OR whether EKRN.EXE uses powershell that way or why it runs continuously, etc. All I got from him was call MS for Powershell problem! Is that the type of support I can expect from ESET? Is it true that I can't access the support ticket myself for updates - as he told me? If so, I am very disappointed after 10 or more years of using the product. Thanks in advance.
  12. Thanks itman. Another thing concerns me a bit... the digital signature of the Eset Executables looks a little strange . . . ESET,spol. s r o. with algorithm sha256.
  13. Can you confirm this is normal or provide a resolution? The powershell.exe process can be stopped manually and does not start again until reboot. Process explorer shows powershell is started by ekrn.exe and the powershell command line looks like the following . . . "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -Command if (((Get-AppxPackage -Name 'EsetContextMenu').length -ne '1') -Or ((Get-AppxPackage -Name 'EsetContextMenu').version -ne '10.39.34.0')) { Get-AppxPackage -Name 'EsetContextMenu' | Remove-AppxPackage; Add-AppxPackage -Path 'C:\Program Files\ESET\ESET Security\EsetContextMenu.msix' -ExternalLocation 'C:\Program Files\ESET\ESET Security\' } parent: ekrn.exe