System startup. Powershell.exe is started by Ekrn.exe which runs continuous and uses 20%+ cpu time.

[JohnnyMusso 0]

Can you confirm this is normal or provide a resolution?   The powershell.exe process can be stopped manually and does not start again until reboot.   Process explorer shows powershell is started by ekrn.exe and the powershell command line looks like the following . . . 

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -Command if (((Get-AppxPackage -Name 'EsetContextMenu').length -ne '1') -Or ((Get-AppxPackage -Name 'EsetContextMenu').version -ne '10.39.34.0')) { Get-AppxPackage -Name 'EsetContextMenu' | Remove-AppxPackage; Add-AppxPackage -Path 'C:\Program Files\ESET\ESET Security\EsetContextMenu.msix' -ExternalLocation 'C:\Program Files\ESET\ESET Security\' }

parent: ekrn.exe

 

[itman 1,667]

This is a strange one.

The posted text would lead one to believe Eset Context Scan of a file is run via PowerShell. I did so with Process Explorer running and observed no PowerShell.exe startup from ekrn.exe or anything else.

[itman 1,667]

Also Microsoft just recently disabled the .msix app installer due to malware abuse as noted in this article: https://thehackernews.com/2023/12/microsoft-disables-msix-app-installer.html which appears to be used in this PowerShell script.

 

[JohnnyMusso 0]

Thanks itman.   Another thing concerns me a bit... the digital signature of the Eset Executables looks a little strange . . .

ESET,spol. s r o.   with algorithm sha256.   

 

[Marcos 5,085]

Please raise a support ticket to further investigate the issue with PowerShell constantly running.

[JohnnyMusso 0]

Thanks Marcos,

I did raise a support ticket and received a confirmation for it but could not find a place to access the ticket to check for responses.   I received no response via email either.  So, I opened a chat ticket and  the support person said he couldn't access/see the ticket I created which caused me to re-send the problem information / question to him!   I showed him everything via remote support, etc. and still he couldn't tell me where the ticket could be accessed to see updated responses OR whether EKRN.EXE uses powershell that way or why it runs continuously, etc.   All I got from him was call MS for Powershell problem!   Is that the type of support I can expect from ESET?   Is it true that I can't access the support ticket myself for updated - as he told me?   If so, I am very disappointed after 10 or more years of using the product.   Thanks in advance.   

[Marcos 5,085]

Customer support for home users is provided by an external company in the USA, however, the staff should be trained to handle support cases properly. I've asked colleagues from the US to look into it. The technical support should have helped you create a ticket and at least collect ELC logs and pass them to ESET HQ for assistance with the case.

If PowerShell continues to run after Windows starts. please try to create a Procmon boot log by following the instructions in the linked KB. Beforehand please temporarily disable protected service in the HIPS setup in the advanced setup and reboot the machine. When done, save the Procmon log unfiltered, compress it and supply it to me via a personal message or upload it to a safe location and drop me a message with a download link.

[JohnnyMusso 0]

Thanks Marcos,  

They did start communicating with me by emailing back but their answer was still "we dont use powershell, call MS".   Well, since I have a bootlog here showing that ekrn.exe in the eset folder starts powershell, my confidence isn't high in their answer.

I'm working on getting this for you.   I forgot to turn off hips first time.  Will do it again.  Either way, fyi, procmon boot shows the start of the process be from ekrn.   VERY STRANGE THING I'VE NOTICED THOUGH ..  During normal operation, I see the powershell task in Task manager but can NOT find it using procmon!   I'd expect to see the opposite behavior with a hidden task or something missing from taskmgr, not from procmon!    I should have this zip file for you next posting.     Thank You again for your input.

[itman 1,667]

On 12/29/2023 at 12:28 PM, JohnnyMusso said:

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -Command if (((Get-AppxPackage -Name 'EsetContextMenu').length -ne '1') -Or ((Get-AppxPackage -Name 'EsetContextMenu').version -ne '10.39.34.0')) { Get-AppxPackage -Name 'EsetContextMenu' | Remove-AppxPackage; Add-AppxPackage -Path 'C:\Program Files\ESET\ESET Security\EsetContextMenu.msix' -ExternalLocation 'C:\Program Files\ESET\ESET Security\' }

It appears the PowerShell command is removing an existing AppxPackage ver. of EsetContextMenu.msix and replacing it with a new ver. of the same.

This might have been created to be run as a run once maintenance activity by Eset at system startup time and then be removed. It appears the removal activity got borked in some way and the command is running at each system startup plus not terminating itself.

Suspect there is a scheduled task that is performing this activity. Or, a registry run key is the source for the activity.

Edited January 9 by itman

[JohnnyMusso 0]

Thanks ITMan,

I believe that's a great assumption and I was thinking along that line as well.  If it didn't continue in task manager to run and use around 12-16% cpu I wouldn't have been concerned about it.  I did search autoruns and schtasks too and didn't find any direct call like this.   

[JohnnyMusso 0]

Marcos, I have messaged a link to you for the zipped pml bootlog file.

Thank You

[Marcos 5,085]

4 hours ago, JohnnyMusso said:

I see the powershell task in Task manager but can NOT find it using procmon!

Yes, I confirm that PowerShell was not run. I'll try to get more details from developers on how registration of the shell extender is implemented on Windows 11.

[itman 1,667]

Also, I tried to run the script. As the below screen shot shows, the script has a syntax error and will not run;

I have to believe that this PowerShell activity at system startup is being created by something else.

[Marcos 5,085]

Just to make sure, does removing ESET with the ESET Uninstall tool in safe mode and installing the latest version from scratch make a difference? PowerShell should be run only once after installation or upgrade to install EsetContextMenu.msix.

[JohnnyMusso 0]

On 12/30/2023 at 12:41 AM, Marcos said:

Please raise a support ticket to further investigate the issue with PowerShell constantly running.

 

On 12/29/2023 at 11:28 AM, JohnnyMusso said:

Can you confirm this is normal or provide a resolution?   The powershell.exe process can be stopped manually and does not start again until reboot.   Process explorer shows powershell is started by ekrn.exe and the powershell command line looks like the following . . . 

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -Command if (((Get-AppxPackage -Name 'EsetContextMenu').length -ne '1') -Or ((Get-AppxPackage -Name 'EsetContextMenu').version -ne '10.39.34.0')) { Get-AppxPackage -Name 'EsetContextMenu' | Remove-AppxPackage; Add-AppxPackage -Path 'C:\Program Files\ESET\ESET Security\EsetContextMenu.msix' -ExternalLocation 'C:\Program Files\ESET\ESET Security\' }

parent: ekrn.exe

 

 

[JohnnyMusso 0]

Thanks for the feedback ITMan and Marcos.   I'll uninstall and reinstall and see what happens.  I've been holding off until more details about the problem were evaluated.   

Marcos, in the bootlog I gathered, I did see/confirm that ekrn.exe appeared to have started the powershell program/process.   I assume you were able to see the same?   

Will update after uninstall and reinstall.

[JohnnyMusso 0]

Thanks for the feedback ITMan and Marcos.   I'll uninstall and reinstall and see what happens.  I've been holding off until more details about the problem were evaluated.   

Marcos, in the bootlog I gathered, I did see/confirm that ekrn.exe appeared to have started the powershell program/process.   I assume you were able to see the same?   

Will update after uninstall and reinstall.

[JohnnyMusso 0]

Update #1:  Uninstalled Nod32 and the Powershell process was NOT restarted at bootup without Nod32 on the system.

 

 

[JohnnyMusso 0]

Thanks for the feedback ITMan and Marcos.   I'll uninstall and reinstall and see what happens.  I've been holding off until more details about the problem were evaluated.   

Marcos, in the bootlog I gathered, I did see/confirm that ekrn.exe appeared to have started the powershell program/process.   I assume you were able to see the same?   

Will update after uninstall and reinstall.

[JohnnyMusso 0]

Update #2:  I re-Installed Nod32 from the Eset website and the Powershell process has been started again with the same parameters before even restarting the system.    Initial (after-installation) scan is being performed as we speak.    Again, the powershell process is using 15.4% cpu time - which matches what was going on before uninstall.

 

[Marcos 5,085]

It is ok that Powershell is run after installation but it should not take long and it should not run repeatedly. Are you able to reproduce it by running the script from the PowerShell console? I didn't have any issues:

Also please post the output of running:
Get-AppxPackage -Name 'EsetContextMenu'

[JohnnyMusso 0]

Update After Reinstall and Restart = Powershell session did get started during bootup (as expected).

Marcos, ... Thanks again for the reply.   Yes, it appears to run but returns quietly (of course).   Below are the results of the Get-AppxPackage command..

 

 

[Marcos 5,085]

2 hours ago, JohnnyMusso said:

Update After Reinstall and Restart = Powershell session did get started during bootup (as expected).

Do you mean that the initially reported issue with PowerShell running continually and consuming a lot of CPU resources has been resolved?

[JohnnyMusso 0]

Hey Marcos, 

No, it's behaving the same way.   I just have to kill it after each restart or I can uninstall Nod32 to  solve the problem and keep it from starting.   Like you and ITMan pointed out, it seems to be legitimately getting called and doesn't seem to be encountering or throwing an error an error but it doesn't end and it sits and uses around 15% cpu time until I kill it.   And, even though it's reported to be using 15% or more cpu time, I can't really tell it's running at all.   Also, it seems to have no effect on any Nod32 operations after I kill it.   I'm wondering at this point if task manager is mis-reporting the process as still active when it's not.   So, after I restart next time, I think I'm going to check procmon, procexp, and tasklist again to see if it's listed in the active tasks with those utilities.   I've already killed it today and can't restart right now.   Unless you have another idea, I'll check that out and let yall know the results before I close this.   Something tells me that tasklist won't show it running - because maybe it isn't?

[JohnnyMusso 0]

Update after reboot and comparison with tasklist, procmon, procexp

Tasklist - shows the process

Procmon64 - only shows the process in profiling events.   Can't catch it otherwise even though it's using 18% cpu right now according to task manager.

Procexp - Shows the process is running

Debugger - VStudio debugger shows only a couple of eset modules loaded =

c:\program files\eset security\ebehmoni.dll

c:\program files\eset security\eamsi.dll.

 

So, I don't understand why procmon doesn't show the process running but it does show up everywhere else.   

Unless you guys have another suggestion, I'll kill the process and carry on.   

Thank You for the assistance.