Asked by Éric Moreau

AmsiContext errors reported from a PowerShell script running from the Task Scheduler

Since last week, after a server reboot, my PowerShell scripts running from the Task Scheduler are reporting strange errors in the logs:

**********************
Windows PowerShell transcript start
Start time: 20211213060003
Username: XXX\yyy
RunAs User: XXX\yyy
Machine: FGLAPPS01 (Microsoft Windows NT 10.0.14393.0)
Host Application: powershell.exe -ExecutionPolicy ByPass -Noninteractive -Noprofile -Command & {&'D:\Apps\FGLApps\Tasks\AzureSiteRecoveryStatus.ps1' }
Process ID: 2728
PSVersion: 5.1.14393.4583
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.4583
BuildVersion: 10.0.14393.4583
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
Remove-Variable : Cannot find a variable with the name 'AmsiContext'.
At line:479 char:5
+     Remove-Variable AmsiContext -Scope local -Confirm:$false
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (AmsiContext:String) [Remove-Variable], ItemNotFoundException
    + FullyQualifiedErrorId : VariableNotFound,Microsoft.PowerShell.Commands.RemoveVariableCommand
Remove-Variable : Cannot find a variable with the name 'AmsiInitFailed'.
At line:480 char:5
+     Remove-Variable AmsiInitFailed -Scope local -Confirm:$false
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (AmsiInitFailed:String) [Remove-Variable], ItemNotFoundException
    + FullyQualifiedErrorId : VariableNotFound,Microsoft.PowerShell.Commands.RemoveVariableCommand
Remove-Variable : Cannot find a variable with the name 'AmsiContext'.
At line:479 char:5



It looks like the tasks are running normally, but much slower. Also, the logs are just unreadable because of these errors. A log that had 250 lines a week ago now contains 24,500 lines.


I have found 2 interesting links on AMSI, but I am not sure how to apply any fix: https://pentestlaboratories.com/2021/05/17/amsi-bypass-methods/ & https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/


One strange thing is that the issue seems to be related to the Task Scheduler, as the very same script runs perfectly fine from the PowerShell ISE.


Also, if I remove the Start-Transcript, the scripts run in seconds as they used to.


One last thing, not sure if it is related or not: we installed SentinelOne on that server 2 weeks ago but only restarted the server last week. The problem described here started just after the reboot.


Any way of keeping my logs but not being affected by AMSI?
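The transcript quoted in the question interleaves the script's own output with the same two Remove-Variable error records repeated thousands of times. As an added example (not from the question or from any answer to it), this PowerShell function drops those records from a transcript and counts them per variable name, so the underlying log becomes readable again while transcription stays switched on; the sample transcript is constructed to match the error layout shown above.

```powershell
# Constructed sample transcript (not the asker's real log), in the same
# layout as the errors quoted in the question.
$sampleTranscript = @'
**********************
Windows PowerShell transcript start
**********************
Remove-Variable : Cannot find a variable with the name 'AmsiContext'.
At line:479 char:5
+     Remove-Variable AmsiContext -Scope local -Confirm:$false
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (AmsiContext:String) [Remove-Variable], ItemNotFoundException
    + FullyQualifiedErrorId : VariableNotFound,Microsoft.PowerShell.Commands.RemoveVariableCommand
Replication status: Healthy
Remove-Variable : Cannot find a variable with the name 'AmsiInitFailed'.
At line:480 char:5
+     Remove-Variable AmsiInitFailed -Scope local -Confirm:$false
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (AmsiInitFailed:String) [Remove-Variable], ItemNotFoundException
    + FullyQualifiedErrorId : VariableNotFound,Microsoft.PowerShell.Commands.RemoveVariableCommand
Windows PowerShell transcript end
'@

function Remove-AmsiNoise {
    # Returns the transcript lines with the Remove-Variable Amsi* error records
    # removed, plus a count of dropped records per variable name.
    param([string[]]$Lines)
    $kept     = New-Object System.Collections.Generic.List[string]
    $dropped  = @{}
    $inRecord = $false
    foreach ($line in $Lines) {
        # A record opens with this header, which names the missing variable.
        if ($line -match "^Remove-Variable : Cannot find a variable with the name '(Amsi\w+)'") {
            $dropped[$Matches[1]] = 1 + [int]$dropped[$Matches[1]]
            $inRecord = $true
            continue
        }
        # The record continues over the 'At line:' line and the '+'-prefixed
        # detail lines; any other line ends it and is kept.
        if ($inRecord -and $line -match '^(At line:|\s*\+\s)') { continue }
        $inRecord = $false
        $kept.Add($line)
    }
    [pscustomobject]@{ Lines = $kept.ToArray(); Dropped = $dropped }
}

$result = Remove-AmsiNoise -Lines ($sampleTranscript -split "`r?`n")
$result.Lines
$result.Dropped.GetEnumerator() | ForEach-Object { '{0}: {1} record(s) dropped' -f $_.Key, $_.Value }
```

For a real transcript, pass `(Get-Content $path)` as -Lines. A genuine output line that starts with '+' and follows a noise record directly would be dropped as well, so check the Dropped counts against the line-count difference before trusting the filtered log.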

Topics: PowerShell, Windows OS, Microsoft

Last comment: Éric Moreau, 8/22/2022 - Mon
Asker certified solution: Éric Moreau
