odit_89
Mar 09, 2023

PowerShell ID 4104 - What are the scripts doing?

Hello everyone.

The system is Windows 10 Home 21H2.

Something happened on my PC and I really want to figure it out.

The script ran automatically in the background after I disabled my network adapter.

Since I've never applied Remote Desktop and reset it on 1/24, is it a default setting, so that the script attempts to acquire my system status?

event log snippet 

scripts - onedrive link 

  • There are many scripts in the OneDrive link; which one do you want us to test and explain?
    • odit_89

      Hello Varun_Ghildiyal, sorry I didn't even ask a question 😓

      After digging into some PS language, the scripts turned out to be functions for network diagnosis and maintenance usage.

      The script executed in the temp folder with an ID 4104 event, and there is one difference: the second script doesn't have the MS copyright while the others do, and I couldn't find it elsewhere.

      1. Is it normal to have this log given the scenario? I'm still trying to find the trigger.

      2. My diagnostic pack was modified recently and I don't see that recorded in Tuesday Patch; do you have any idea about this situation?

      Look forward to hearing from you!

      screenshot&file - OneDrive link 
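
One way to review what the thread describes (event ID 4104 records for scripts run from a temp folder), as an added example that is not part of the original posts. The seven-day window and the `*\Temp\*` path match are assumptions; a copyright comment inside a script is only text, while the Authenticode status of the file can be verified.

```powershell
# Added example: group event 4104 (script block logging) records by script block,
# then report where each script ran from and whether the file is validly signed.
$LogName = 'Microsoft-Windows-PowerShell/Operational'

function Get-ScriptBlockSummary {
    param([datetime]$After = (Get-Date).AddDays(-7))   # look-back window is an assumption

    $filter  = @{ LogName = $LogName; Id = 4104; StartTime = $After }
    $records = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Collect the named EventData fields of this 4104 record.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$d.GetAttribute('Name')] = $d.InnerText
            }
            [pscustomobject]@{
                Time  = $_.TimeCreated
                Level = $_.LevelDisplayName
                Id    = $data['ScriptBlockId']
                Part  = [int]$data['MessageNumber']   # large scripts are split into parts
                Path  = $data['Path']                 # empty for interactive input
                Text  = $data['ScriptBlockText']
            }
        }

    foreach ($group in ($records | Group-Object Id)) {
        $parts  = $group.Group | Sort-Object Part
        $path   = ($parts | Where-Object Path | Select-Object -First 1).Path
        $onDisk = [bool]($path -and (Test-Path -LiteralPath $path))
        # Temp scripts are often deleted after they run, so the file may be gone.
        $sig    = if ($onDisk) { Get-AuthenticodeSignature -FilePath $path } else { $null }

        [pscustomobject]@{
            FirstSeen     = ($parts | Sort-Object Time | Select-Object -First 1).Time
            Level         = ($parts | Select-Object -First 1).Level
            ScriptBlockId = $group.Name
            Path          = $path
            FromTemp      = [bool]($path -like '*\Temp\*')   # simple match, an assumption
            Signature     = if ($sig) { [string]$sig.Status } else { 'file not on disk' }
            Signer        = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            TextLength    = (($parts | ForEach-Object Text) -join '').Length
        }
    }
}

# Oldest first, so the entries can be lined up against the time of the triggering action.
Get-ScriptBlockSummary | Sort-Object FirstSeen | Format-List
```

Run it from an elevated PowerShell prompt if the operational log is not readable as a standard user.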
