How do I find out what PowerShell script just ran?

3

I'm running Windows 10. I was reading a web page, when suddenly a window popped up. I got just enough time to see that it was PowerShell -- then it opened another window, and both disappeared. I had a similar experience yesterday, but it looked more like a cmd shell (white on black).

(The website was LinkedIn, and I keep Firefox locked down pretty tight with NoScript, and popups blocked by default, so I don't think it was the browser.)

How do I find out what ran, and who ran it?

BulletCatcher

Posted 2019-06-13T14:53:03.520

Reputation: 63

1 I don't think you can find that info with the default settings. There is a local GPO setting that activates logging ... I use it ... but without that I don't think you can get anything. – Lee_Dailey – 2019-06-13T15:05:19.613

Answers

1

Use Process Monitor to catch all execution of powershell.exe, by setting the right filter.

For information on using Process Monitor see the How-To Geek article Understanding Process Monitor.

Note that running Process Monitor while using the computer, which is what you need to do, may slow your usage of the computer and may need some disk space.

harrymc

Posted 2019-06-13T14:53:03.520

Reputation: 306 093
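
An added example, not part of the answer above: once a Process Monitor capture has been exported to CSV, this PowerShell function lists each shell start with its parent process and command line, which covers both "what ran" and "who ran it". The function name `Get-ShellLaunch`, the sample rows and the assumed layout of the `Detail` column are assumptions to check against your own export.

```powershell
# Constructed sample rows in Process Monitor's default CSV column layout.
$sample = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"2:51:07.1234567 PM","powershell.exe","7412","Process Start","","SUCCESS","Parent PID: 2280, Command line: powershell.exe -NoProfile -File C:\Example\task.ps1, Current directory: C:\Windows\system32"
"2:51:07.2000000 PM","powershell.exe","7412","CreateFile","C:\Example\task.ps1","SUCCESS","Desired Access: Generic Read"
"2:51:08.0100000 PM","cmd.exe","7980","Process Start","","SUCCESS","Parent PID: 7412, Command line: cmd.exe /c echo done, Current directory: C:\Example"
"2:51:09.0000000 PM","firefox.exe","5120","Process Start","","SUCCESS","Parent PID: 4016, Command line: firefox.exe, Current directory: C:\Program Files\Mozilla Firefox"
'@

# Hypothetical helper: report every shell start found in the capture rows.
function Get-ShellLaunch {
    param(
        [Parameter(Mandatory)] [object[]] $Rows,
        [string[]] $Shells = @('powershell.exe', 'pwsh.exe', 'cmd.exe')
    )
    # Map every PID that started during the capture to its image name,
    # so a parent PID can be resolved to a process name where possible.
    $starts = @($Rows | Where-Object { $_.Operation -eq 'Process Start' })
    $names = @{}
    foreach ($s in $starts) { $names[$s.PID] = $s.'Process Name' }

    foreach ($s in $starts) {
        if ($Shells -notcontains $s.'Process Name') { continue }
        # Assumed Detail layout: "Parent PID: N, Command line: ..., Current directory: ..."
        $parent = if ($s.Detail -match 'Parent PID: (\d+)') { $Matches[1] } else { $null }
        $cmd = if ($s.Detail -match 'Command line: (.*?), Current directory:') { $Matches[1] } else { $s.Detail }
        [pscustomobject]@{
            Time        = $s.'Time of Day'
            Process     = $s.'Process Name'
            PID         = $s.PID
            ParentPID   = $parent
            Parent      = if ($parent -and $names.ContainsKey($parent)) { $names[$parent] } else { '(started before capture)' }
            CommandLine = $cmd
        }
    }
}

# Run against the constructed sample.
$rows = $sample | ConvertFrom-Csv
Get-ShellLaunch -Rows $rows | Format-List

# For a real capture exported from Process Monitor as CSV:
#   Get-ShellLaunch -Rows (Import-Csv .\capture.csv)
```

A parent that was already running when the capture began cannot be named from the trace alone; look up its PID in Task Manager or with `Get-Process -Id` while it is still alive.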