Hello,
I have been trying to secure Powershell on my machine yet when I look at the logs I see FnKey.exe is running Powershell code. At one point it ran the same piece of code 20 times in 1 minute.
I am looking to block FnKey.exe and powershell completely. I am aware of the argument against blocking powershell, I re-enable it whenever I need it so please don't try and sway my view on this.
So far I've done the following to secure powershell:
1. Disabled PS remoting (just as a precaution)
2. Disabled Powershell as follows: User Configuration -> Administrative Templates -> System -> Don't run specified Windows Applications, added powershell.exe, powershell_ise.exe and pwsh.exe
3. Enabled logging and disabled scripts (in Computer Configuration -> Administrative Templates -> Windows Components -> Windows PowerShell):
| Setting | State |
| --- | --- |
| Turn on Module Logging | Enabled |
| Turn on PowerShell Script Block Logging | Enabled |
| Turn on Script Execution | Disabled |
| Turn on PowerShell Transcription | Enabled |
| Set the default source path for Update-Help | Not configured |
Then to block FnKey.exe, I've added its full path as Deny for everyone at (Computer Configuration -> Windows Settings -> Security Settings -> Application Control Policies -> AppLocker -> Executable Rules).
When I try and run FnKey.exe myself I am told I can't, so that looks good, yet somehow it is still being run and it is still running PowerShell commands (using my Windows username).
Lastly, the following piece of code was used to launch FnKey.exe - it also feels a bit suspicious:
Code:
explorer.exe shell:appsFolder\CLEVOCO.FnhotkeysandOSD_(CENSORED)
Here is a sample transcript, the same command is called every time:
Code:
**********************
Windows PowerShell transcript start
Start time: (CENSORED)
Username: [MY WINDOWS USERNAME]
RunAs User: [MY WINDOWS USERNAME]
Configuration Name: (CENSORED)
Machine: (CENSORED) (Microsoft Windows NT 10(CENSORED))
Host Application: C:\Program Files\WindowsApps\CLEVOCO.FnhotkeysandOSD_(CENSORED)\FnKey\FnKey.exe
Process ID: (CENSORED)
PSVersion: (CENSORED)
PSEdition: (CENSORED)
PSCompatibleVersions: (CENSORED)
BuildVersion: (CENSORED)
CLRVersion: (CENSORED)
WSManStackVersion:(CENSORED)
PSRemotingProtocolVersion: (CENSORED)
SerializationVersion: (CENSORED)
**********************
**********************
Command start time: (CENSORED)
**********************
PS>Get-PnpDevice -Class 'USB' | select FriendlyName, Status, InstanceId
FriendlyName Status InstanceId
------------ ------ ----------
(CENSORED)
(CENSORED)
(CENSORED)
...
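An added diagnostic, not part of the original post, that checks the three things an AppLocker Executable rule does not cover in the setup described above: whether the Application Identity service is running (AppLocker enforces nothing without it), whether the policy's Appx collection is enforced (an app under C:\Program Files\WindowsApps is a packaged app and is matched by the "Packaged app Rules" collection, not "Executable Rules"), and what AppLocker actually logged for this package. It assumes the package name prefix CLEVOCO.FnhotkeysandOSD taken from the transcript and a machine where the AppLocker module is available.

```powershell
# Added example (not the poster's code): find out why a packaged app keeps
# launching despite an AppLocker Executable-rule deny.
# Assumption: the package name starts with the prefix seen in the transcript.
$pkgPrefix = 'CLEVOCO.FnhotkeysandOSD'

# 1. AppLocker only enforces while the Application Identity service runs.
$appId = Get-Service -Name AppIDSvc
"AppIDSvc: Status={0} StartType={1}" -f $appId.Status, $appId.StartType

# 2. Effective policy per rule collection. A WindowsApps package is matched
#    by the 'Appx' collection; a rule in 'Exe' does not apply to it.
[xml]$policy = Get-AppLockerPolicy -Effective -Xml
foreach ($rc in $policy.AppLockerPolicy.RuleCollection) {
    $rules = @($rc.ChildNodes | Where-Object { $_.NodeType -eq 'Element' })
    "{0,-6} EnforcementMode={1,-12} rules={2}" -f $rc.Type, $rc.EnforcementMode, $rules.Count
}

# 3. Locate the installed package and evaluate its executable against the
#    effective policy for the current user.
$pkg = Get-AppxPackage | Where-Object { $_.Name -like "$pkgPrefix*" }
if ($pkg) {
    "Package: {0} ({1})" -f $pkg.PackageFullName, $pkg.InstallLocation
    $exe = Get-ChildItem -Path $pkg.InstallLocation -Filter 'FnKey.exe' -Recurse -ErrorAction SilentlyContinue
    if ($exe) {
        Test-AppLockerPolicy -Path $exe.FullName -User "$env:USERDOMAIN\$env:USERNAME" | Format-List
    }
} else {
    "No installed package matches prefix '$pkgPrefix'"
}

# 4. What AppLocker decided over the last day. EXE log: 8002 allowed, 8004
#    blocked. Packaged-app log: 8020 allowed, 8022 blocked.
$logs = 'Microsoft-Windows-AppLocker/EXE and DLL',
        'Microsoft-Windows-AppLocker/Packaged app-Execution'
Get-WinEvent -FilterHashtable @{ LogName = $logs; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$pkgPrefix*" } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

The transcript's "Host Application" line shows the PowerShell engine being hosted inside FnKey.exe itself, so the powershell.exe / pwsh.exe blocks never enter the picture; the package-level checks above are the ones that decide whether it can start.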