Windows 10: Why does Powershell V1 and not V7 trying to access %system%\CatRoot?

Hi, everyone. Defender notificates that Powershell.exe is trying to access %system%\CatRoot. It should be regular BUT the fact that the specific Powershell is NOT the updated pwsh.exe version 7 I've installed recently, but the old and potentially unsafe version 1.It's strange because when I installed Powershell7, I checked the specific option "Add Run with Powershell7 context menu for Powershell files".I asked to a nice technical-support operator that said: "The Powershell version that is trying to access to %system%\CatRoot is likely determined by the script or process that is invoking it

:)

 

Why is powershell trying to access "%system%\CatRoot" "C:\ProgramData"

it's been weeks since these started to show up in windows controlled folder access, this never happened before in all the time I've had folder acces on
i've done some search on what the catroot folder it's used for and the only clue here it's that i've been avoidind windows updates using the metered connection setting to prevent from doing things on its own

2023-04 Cumulative Update for Windows 10 Version 21H2 for x64-based Systems (KB5025221)

Status: Pending download

this it's the update that it's showing pending since i left the metered connection check on, i'm not able to download big updates frequenty so its the only clue for whatever its trying to do

OS build

Experience

Windows 10 Pro

21H2 22/06/2021 19044.2251

Windows Feature Experience Pack 120.2212.4180.0

[My last update]

still this also trying to acces progam data, i don't know why is powershell trying to acces these 2 locations recently

App or process blocked: powershell_ise.exe

Protected folder: C:\ProgramData

Blocked by: Controlled folder access

should i allow powershell to access?
is it because updates and will stop showing once i intall pending update?
should i worry about it?
*i've already performed a system scan with malwarebytes with no threats detected [haven't on startup]

 

Why is powershell trying to access "%system%\CatRoot", and %temp%/

Every time I turn my computer on I get a notification that "unauthorized changes blocked", "powershell.exe". I did have a virus a few weeks ago and possibly still have one. I'm also getting a blocked app or "mscorsvw.exe" "%winddir%\assembly\NativeImages_v4.0.30319_64\Temp\4dd4-0". There is also like 10 different versions of the mscorsvw.exe, after Temp\ is another random 4 characters.

Edition Windows 10 Pro

Version 22H2

Installed on ‎4/‎23/‎2021

OS build 19045.3208

Experience Windows Feature Experience Pack 1000.19041.1000.0

App or process blocked: powershell.exe

Protected folder: %system%\CatRoot

Blocked by: Controlled folder access

App or process blocked: powershell.exe

Protected folder: %system%\config\systemprofile\AppData\LocalLow\Temp

Blocked by: Controlled folder access

App or process blocked: powershell.exe

Protected folder: %temp%\

Blocked by: Controlled folder access

App or process blocked: mscorsvw.exe

Protected folder: %winddir%\assembly\NativeImages_v4.0.30319_64\Temp\4dd4-0

Blocked by: Controlled folder access

here is an autoruns of my computer

AutorunsTest.arn

 

Why is powershell trying to access "%system%\CatRoot", and %temp%/

Hi mysticdragz, I think the Powershell ones are from one of the telemetry tasks.

See if this stops the changes blocked notifications:

• Run Autoruns64.exe as administrator
  
• In the Quick Filter box enter: appraiser
  
• You should see a task named \Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser
  
• Uncheck this entry
  

~~~~

FYI, Your Autoruns log is inaccessible, please change the share permissions.