
System startup. Powershell.exe is started by Ekrn.exe, which runs continuously and uses 20%+ CPU time.


JohnnyMusso

Can you confirm this is normal or provide a resolution? The powershell.exe process can be stopped manually and does not start again until reboot. Process Explorer shows powershell is started by ekrn.exe and the powershell command line looks like the following:

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -Command if (((Get-AppxPackage -Name 'EsetContextMenu').length -ne '1') -Or ((Get-AppxPackage -Name 'EsetContextMenu').version -ne '10.39.34.0')) { Get-AppxPackage -Name 'EsetContextMenu' | Remove-AppxPackage; Add-AppxPackage -Path 'C:\Program Files\ESET\ESET Security\EsetContextMenu.msix' -ExternalLocation 'C:\Program Files\ESET\ESET Security\' }

parent: ekrn.exe

 

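An added triage script (not from this thread or from ESET) that does two things the discussion keeps circling: it resolves the parent of every running powershell.exe so the "parent: ekrn.exe" claim can be re-checked without Process Explorer, and it re-evaluates the package condition the quoted command tests without removing or adding anything. The expected-parent list is an assumption; the version string is the one in the quoted command.

```powershell
# Added triage script (not from this thread or from ESET). Run from an elevated prompt.

function Get-PowerShellParentage {
    param(
        # Parent image names treated as expected here (assumption); anything else is flagged.
        [string[]]$ExpectedParents = @('ekrn.exe', 'explorer.exe')
    )
    foreach ($p in Get-CimInstance Win32_Process -Filter "Name = 'powershell.exe'") {
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
        # A parent younger than its child means the PID was recycled: the real parent
        # has already exited and the name cannot be trusted.
        $pidReused = ($null -ne $parent) -and ($parent.CreationDate -gt $p.CreationDate)
        $parentName = if ($parent -and -not $pidReused) { $parent.Name } else { '<unknown>' }
        # Kernel + user time is reported in 100 ns units; a one-shot package check stays near zero.
        $cpuSeconds = [math]::Round(($p.KernelModeTime + $p.UserModeTime) / 1e7, 1)
        [pscustomobject]@{
            Pid         = $p.ProcessId
            Started     = $p.CreationDate
            CpuSeconds  = $cpuSeconds
            Parent      = $parentName
            ParentPath  = if ($parent) { $parent.ExecutablePath } else { $null }
            Unexpected  = $ExpectedParents -notcontains $parentName
            CommandLine = $p.CommandLine
        }
    }
}

function Test-EsetContextMenuCondition {
    param([string]$ExpectedVersion = '10.39.34.0')   # version taken from the quoted command
    # @() forces an array so .Count is 0, 1 or more regardless of what is returned.
    $pkg = @(Get-AppxPackage -Name 'EsetContextMenu')
    $versionOk = ($pkg.Count -eq 1) -and ($pkg[0].Version -eq $ExpectedVersion)
    [pscustomobject]@{
        Installed      = $pkg.Count
        Version        = if ($pkg.Count -eq 1) { $pkg[0].Version } else { $null }
        WouldReinstall = -not $versionOk   # true: the command's remove/add branch would run again
    }
}

Get-PowerShellParentage | Format-List
Test-EsetContextMenuCondition | Format-List
```

If WouldReinstall stays true after the command has run once, the condition itself is what keeps the remove/add branch firing; if it is false and CpuSeconds keeps climbing, the process is busy with something other than the package check.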

This is a strange one.

The posted text would lead one to believe Eset Context Scan of a file is run via PowerShell. I did so with Process Explorer running and observed no PowerShell.exe startup from ekrn.exe or anything else.


  • 2 weeks later...

Thanks Marcos,

I did raise a support ticket and received a confirmation for it but could not find a place to access the ticket to check for responses. I received no response via email either. So, I opened a chat ticket and the support person said he couldn't access/see the ticket I created, which caused me to re-send the problem information/question to him! I showed him everything via remote support, etc., and still he couldn't tell me where the ticket could be accessed to see updated responses OR whether EKRN.EXE uses powershell that way or why it runs continuously, etc. All I got from him was "call MS for the Powershell problem"! Is that the type of support I can expect from ESET? Is it true that I can't access the support ticket myself for updates, as he told me? If so, I am very disappointed after 10 or more years of using the product. Thanks in advance.


  • Administrators

Customer support for home users is provided by an external company in the USA, however, the staff should be trained to handle support cases properly. I've asked colleagues from the US to look into it. The technical support should have helped you create a ticket and at least collect ELC logs and pass them to ESET HQ for assistance with the case.

If PowerShell continues to run after Windows starts, please try to create a Procmon boot log by following the instructions in the linked KB. Beforehand, please temporarily disable protected service in the HIPS setup in the advanced setup and reboot the machine. When done, save the Procmon log unfiltered, compress it and supply it to me via a personal message, or upload it to a safe location and drop me a message with a download link.


Thanks Marcos,  

They did start communicating with me by emailing back, but their answer was still "we don't use powershell, call MS". Well, since I have a boot log here showing that ekrn.exe in the ESET folder starts powershell, my confidence isn't high in their answer.

I'm working on getting this for you. I forgot to turn off HIPS the first time. Will do it again. Either way, FYI, the Procmon boot log shows the start of the process to be from ekrn. VERY STRANGE THING I'VE NOTICED THOUGH: during normal operation, I see the powershell task in Task Manager but can NOT find it using Procmon! I'd expect to see the opposite behavior with a hidden task or something missing from taskmgr, not from Procmon! I should have this zip file for you next posting. Thank you again for your input.


On 12/29/2023 at 12:28 PM, JohnnyMusso said:

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -Command if (((Get-AppxPackage -Name 'EsetContextMenu').length -ne '1') -Or ((Get-AppxPackage -Name 'EsetContextMenu').version -ne '10.39.34.0')) { Get-AppxPackage -Name 'EsetContextMenu' | Remove-AppxPackage; Add-AppxPackage -Path 'C:\Program Files\ESET\ESET Security\EsetContextMenu.msix' -ExternalLocation 'C:\Program Files\ESET\ESET Security\' }

It appears the PowerShell command is removing an existing AppxPackage ver. of EsetContextMenu.msix and replacing it with a new ver. of the same.

This might have been created to be run as a run once maintenance activity by Eset at system startup time and then be removed. It appears the removal activity got borked in some way and the command is running at each system startup plus not terminating itself.

Suspect there is a scheduled task that is performing this activity. Or, a registry run key is the source for the activity.

Edited by itman

Thanks ITMan,

I believe that's a great assumption, and I was thinking along that line as well. If it didn't continue to run in Task Manager and use around 12-16% CPU, I wouldn't have been concerned about it. I did search Autoruns and schtasks too and didn't find any direct call like this.


  • Administrators
4 hours ago, JohnnyMusso said:

I see the powershell task in Task manager but can NOT find it using procmon!

Yes, I confirm that PowerShell was not run. I'll try to get more details from developers on how registration of the shell extender is implemented on Windows 11.


Also, I tried to run the script. As the below screenshot shows, the script has a syntax error and will not run:

[screenshot of the PowerShell syntax error not reproduced]

I have to believe that this PowerShell activity at system startup is being created by something else.


  • Administrators

Just to make sure: does removing ESET with the ESET Uninstall tool in safe mode and installing the latest version from scratch make a difference? PowerShell should be run only once after installation or upgrade to install EsetContextMenu.msix.


On 12/30/2023 at 12:41 AM, Marcos said:

Please raise a support ticket to further investigate the issue with PowerShell constantly running.

 

On 12/29/2023 at 11:28 AM, JohnnyMusso said:

Can you confirm this is normal or provide a resolution? The powershell.exe process can be stopped manually and does not start again until reboot. Process Explorer shows powershell is started by ekrn.exe and the powershell command line looks like the following:

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -Command if (((Get-AppxPackage -Name 'EsetContextMenu').length -ne '1') -Or ((Get-AppxPackage -Name 'EsetContextMenu').version -ne '10.39.34.0')) { Get-AppxPackage -Name 'EsetContextMenu' | Remove-AppxPackage; Add-AppxPackage -Path 'C:\Program Files\ESET\ESET Security\EsetContextMenu.msix' -ExternalLocation 'C:\Program Files\ESET\ESET Security\' }

parent: ekrn.exe


Thanks for the feedback ITMan and Marcos. I'll uninstall and reinstall and see what happens. I've been holding off until more details about the problem were evaluated.

Marcos, in the boot log I gathered, I did see/confirm that ekrn.exe appeared to have started the powershell program/process. I assume you were able to see the same?

Will update after uninstall and reinstall.


Update #2: I reinstalled Nod32 from the ESET website and the Powershell process has been started again with the same parameters, before even restarting the system. The initial (after-installation) scan is being performed as we speak. Again, the powershell process is using 15.4% CPU time, which matches what was going on before the uninstall.

 


  • Administrators

It is OK that Powershell is run after installation, but it should not take long and it should not run repeatedly. Are you able to reproduce it by running the script from the PowerShell console? I didn't have any issues:

[screenshot not reproduced]

Also please post the output of running:
Get-AppxPackage -Name 'EsetContextMenu'

[screenshot not reproduced]


Update after reinstall and restart: the Powershell session did get started during bootup (as expected).

Marcos, thanks again for the reply. Yes, it appears to run but returns quietly (of course). Below are the results of the Get-AppxPackage command:

[screenshot of the Get-AppxPackage output not reproduced]

 

 


  • Administrators
2 hours ago, JohnnyMusso said:

Update after reinstall and restart: the Powershell session did get started during bootup (as expected).

Do you mean that the initially reported issue with PowerShell running continually and consuming a lot of CPU resources has been resolved?


Hey Marcos, 

No, it's behaving the same way. I just have to kill it after each restart, or I can uninstall Nod32 to solve the problem and keep it from starting. Like you and ITMan pointed out, it seems to be legitimately getting called and doesn't seem to be encountering or throwing an error, but it doesn't end and it sits and uses around 15% CPU time until I kill it. And, even though it's reported to be using 15% or more CPU time, I can't really tell it's running at all. Also, it seems to have no effect on any Nod32 operations after I kill it. I'm wondering at this point if Task Manager is mis-reporting the process as still active when it's not. So, after I restart next time, I think I'm going to check procmon, procexp, and tasklist again to see if it's listed in the active tasks with those utilities. I've already killed it today and can't restart right now. Unless you have another idea, I'll check that out and let y'all know the results before I close this. Something tells me that tasklist won't show it running, because maybe it isn't?


  • Solution

Update after reboot and comparison with tasklist, procmon, procexp:

Tasklist - shows the process.

Procmon64 - only shows the process in profiling events. Can't catch it otherwise, even though it's using 18% CPU right now according to Task Manager.

Procexp - shows the process is running.

Debugger - the VStudio debugger shows only a couple of ESET modules loaded:

c:\program files\eset security\ebehmoni.dll

c:\program files\eset security\eamsi.dll.

 

So, I don't understand why Procmon doesn't show the process running, but it does show up everywhere else.

Unless you guys have another suggestion, I'll kill the process and carry on.

Thank You for the assistance.
