
File with hkl extension in temp folder



  • Root Admin

Please run GPedit.msc and browse to the following tree level

Local Computer Policy -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy


Double-click and open the Audit object access entry and enable Success and Failure


Then open My Computer or run Windows File Explorer and browse to the following location.

C:\Windows\System32\WindowsPowerShell\v1.0

In that folder please find the file: powershell.exe

Right-Click on powershell.exe and select Properties and go to the Security tab and click the Advanced button


Then click on the Auditing tab, then the Continue button


After you click the Continue button the controls will unlock to allow editing

Currently the owner should be TrustedInstaller

Highlight the Everyone entry and click the Edit button

Make sure the Principal is set to Everyone and the Type is All - then click OK a couple of times to close out the boxes


Then restart your computer and once you do see the PowerShell kick off again let me know and we'll track it down in the Event Viewer.

Write down the exact time you saw it run in case we need to isolate the time in the Event Logs

Cheers

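Added example, not part of the posts above: once object-access auditing and the SACL on powershell.exe are in place, the matching records can be pulled from the Security log with PowerShell instead of scrolling through Event Viewer. It assumes the audit entries are logged as event ID 4663 and that `$SeenAt` is the time you wrote down (the value shown is a constructed placeholder); run it from an elevated prompt.

```powershell
# Added example (not from the thread). Requires an elevated PowerShell prompt.
# Assumption: replace $SeenAt with the time you noted; this value is a constructed placeholder.
$SeenAt = Get-Date '2024-01-01 12:00:00'
$Window = New-TimeSpan -Minutes 5
$Target = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'

$filter = @{
    LogName   = 'Security'
    Id        = 4663                 # "An attempt was made to access an object"
    StartTime = $SeenAt - $Window
    EndTime   = $SeenAt + $Window
}

# SilentlyContinue suppresses the "no events found" error when the window is empty
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Turn the event's named <Data> fields into a lookup table
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }

    # Keep only accesses to the audited powershell.exe
    if ($data['ObjectName'] -ieq $Target) {
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            User        = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            ProcessName = $data['ProcessName']   # process that requested the access
            ProcessId   = $data['ProcessId']
            AccessMask  = $data['AccessMask']
        }
    }
}

if (-not $hits) {
    Write-Warning "No 4663 events for $Target in the selected window; widen `$Window or check the audit settings."
} else {
    # Chronological detail, then a count per accessing process
    $hits | Sort-Object TimeCreated | Format-Table -AutoSize
    $hits | Group-Object ProcessName | Sort-Object Count -Descending | Select-Object Count, Name
}
```

The ProcessName column is the program that touched powershell.exe at that moment, which is the lead to follow up on.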


Hello, do not worry! Please spend your time with your family and don't worry about me. Seeing as it's not an urgent matter (as it's not a virus), we can absolutely talk about it on Tuesday; for now just enjoy the holiday!

Thank you,

Mattia


  • 1 month later...

Hello, yes, sorry for making you wait, I got caught up in school. So, PowerShell is still running, but with the steps you made me do we could, theoretically, track which program is making it run, right? Let me know how to do it and I'll let you know what I find when it runs tomorrow.

Thank you,

Mattia


  • 2 weeks later...
