Windows 10: Powershell trying to access "%system%\CatRoot" "C:\ProgramData" when connected to the internet

I dont know why but i think my relative acessing my computer remotely, he knew my password and I think He is acessing my computer remotely i clean installed windows but whenever I connect my ethernet cable and sign in my Microsoft account powershell is trying to acess catroot like a madman, also there are some entries in my azure active directory but i'm not able to remove when I try to remove it says it's controlled by administrator and my account signs out

:)

 

Why is powershell trying to access "%system%\CatRoot" "C:\ProgramData"

it's been weeks since these started to show up in windows controlled folder access, this never happened before in all the time I've had folder acces on
i've done some search on what the catroot folder it's used for and the only clue here it's that i've been avoidind windows updates using the metered connection setting to prevent from doing things on its own

2023-04 Cumulative Update for Windows 10 Version 21H2 for x64-based Systems (KB5025221)

Status: Pending download

this it's the update that it's showing pending since i left the metered connection check on, i'm not able to download big updates frequenty so its the only clue for whatever its trying to do

OS build

Experience

Windows 10 Pro

21H2 22/06/2021 19044.2251

Windows Feature Experience Pack 120.2212.4180.0

[My last update]

still this also trying to acces progam data, i don't know why is powershell trying to acces these 2 locations recently

App or process blocked: powershell_ise.exe

Protected folder: C:\ProgramData

Blocked by: Controlled folder access

should i allow powershell to access?
is it because updates and will stop showing once i intall pending update?
should i worry about it?
*i've already performed a system scan with malwarebytes with no threats detected [haven't on startup]

 

Why is powershell trying to access "%system%\CatRoot" "C:\ProgramData"

Thanks for that. Unfortunately no cause for the blocks was revealed and no malware either. It's a rather odd block as Powershell_ISE is a graphical script editor for Powershell.

If you'd like to investigate what process is initially launching Powershell_ISE, I'd suggest tracing with Process Monitor.

Process Monitor - Sysinternals

Unzip procmon64.exe, right click and select Properties then tick/check "Unblock" > OK.

Download the configuration file linked below.

Microsoft OneDrive

Right click procmon and run as administrator

In the Menu go to File > "Import Configuration", browse to the configuration file

Make sure the Capture button is highlighted blue and leave it running.





When the block activity has been logged, stop the capture.

Go to File > Save - save Logfile.PML

Zip the log, upload/share on Google Drive.

 

W10 can connect to wider internet but cannot access web pages

I have an odd issue with my W10 laptop linked to Sky broadband in the UK via wifi using a Sky router. The effect is that while I can actually access the internet (I can send and receive emails using Outlook and can connect to other machines using TeamViewer) I cannot access any web site (Google, BBC etc). There is no specific error message, merely that the access request timed out and a suggestion that it may be to do with proxy.

I have tried the following:

1. Other systems (W10 and ios) can access web sites using the same Sky router (therefore probably not a router problem)
2. I have sent and received emails using Outlook, so the broadband connection is working (probably not a Sky problem)
3. I have tried two different browsers (Firefox and Edge), no connection (not a browser problem)
4. I am using Windows Defender and have:
   1. Made sure that Firefox is in the list of allowed systems in its Firewall, no connection after a reboot
   2. Turned off the Firewall and tried again - no connection

My next step will be to re-install Windows, but has anyone got any other suggestions? Could it be some sort of virus (I have carried out a complete virus check using Defender)

So - any suggestions?