CMD and Powershell pop ups

[Ash_Ash]

Hi,

I'm wondering if someone can help solve some recent issues I’ve been having with my computer. I believe they started after I installed the Windows 10 creators update, but I'm not completely sure.

The problem is that either the CMD prompt or Powershell suddenly pops up and disappears again before I can read anything that in the window. Conhost.exe was in task manger after the last 3 times I’ve seen the CMD pop up. I think services.exe might have also been using CPU in task manager around the same time.

I originally thought that it might be associated with this problem:
http://www.tomshardware.co.uk/faq/id-3426393/fix-hourly-cmd-window-pop-appearing.html?xtor=EREC-8889&_ga=2.77161245.968671383.1496225325-363358935.1496080980

However, I’ve done the fix shown in the link above and it hasn’t stopped the problem. It seemingly happens at random and can happen several times in one day or not at all.

I can’t find an obvious task in the Task Scheduler with a “next run time” that matches the time when the pop ups occurred. After they occurred, numerous things in both task scheduler and event viewer show that they were last run at the time the pop up occurred. I'm not really familiar with task scheduler and event viewer, so I'm not really sure how to find out what caused all of those things to run. Would it help if I gave examples of the things that the task scheduler and event viewer said was run around the time the pop ups occurred?

I’ve done multiple anti-virus/malware etc scans and I can’t find anything. I'm worried that there’s an issue that it’s not picking up, but I'm currently thinking that the issue is more likely to be with Windows at the moment.

Also, from what I can see, event viewer hasn’t recorded anything for powershell until the most recent pop up occurred. I can copy the details of the two logs that were made when the recent pop up occurred and paste them if you think it will help. There isn’t anything logged for any of the previous pop ups.

Can someone help me with this issue and suggest away to find out what the cause is so that I can fix it? I can try and provide any data that you think might help.

Thanks in advance.

Ash

(Edit note: I removed the copy of the logs because one was very long, but I can post them again if needed)

 

[Colif]

did you do a restart after the fix? it may not help but its worth a try. I only had it happen 3 times, and never actually needed to do the fix i wrote about

i too checked event viewer, task scheduler, ran 2 AV scans, checked the shop and windows update.. no sign of it at all.

conhost is either part of windows or a bitcoin miner - http://www.file.net/process/conhost.exe.html

 

[Ash_Ash]

did you do a restart after the fix? it may not help but its worth a try. I only had it happen 3 times, and never actually needed to do the fix i wrote about

i too checked event viewer, task scheduler, ran 2 AV scans, checked the shop and windows update.. no sign of it at all.

conhost is either part of windows or a bitcoin miner - http://www.file.net/process/conhost.exe.html

Thanks for the reply.

Yeah, I did do a restart after the fix and it still happened. I was hoping that the fix would sort it but it looks like it hasn’t. Today was the 4th time it happened to me that I know of and I had gone for a few days without seeing it until now.

Conhost.exe is the process that appears in task manager when powershell or CMD prompt is running, so it’s part of Windows. I don’t have any bitcoin miner stuff.

My concern is that conhost.exe stays open even after the CMD prompt window disappears and it’s now starts after about 2 minutes after I turn on my PC and stays running. If I end the process, it then occasionally reappears for a few seconds then disappears again. Also, it doesn’t appear to be running on my tablet, which also is running Windows 10, and I hadn’t noticed it running in the past when I’ve had task manager open.

Could it be some Windows maintenance or update task causing it, or an error? I’ve noticed that WERmgr.exe and WERfault.exe have been running after the pop ups occurred and sometimes on start up too. If this is the case, where would I begin to find out what the cause might be?

Also, according to task scheduler, things like Provtool.exe, cleanmgr.exe, MRT.exe, compattelrunner.exe and tashhostw.exe, so provisioning, disc clean up, removal tools, program data updater and temp signed licence exchange were running. Things associated with Windows Defender were triggered at the same time as the pop up occurred too. Could it be something to do with Window’s Defender?

 

[Colif]

The conhost.exe process sitting in the middle between CSRSS and cmd.exe allows Windows 7 to fix both of the problems in previous versions of Windows—not only do the scrollbars draw correctly, but you can actually drag and drop a file from Explorer straight into the command prompt:"

https://answers.microsoft.com/en-us/protect/forum/protect_other-protect_scanning/what-is-conhostexe/38a69fb8-ded2-4f35-85c5-4d69cb8d016b

it is needed to run command prompt but its not the cause of the popups, csrss is the Client/Server Run-Time Subsystem and is essential for windows to work, its the client for your user. these are just processes associated with starting cmd

search cortana for reliability and open the reliability monitor and see if it reports anything unusual

can Download Process explorer and run it as admin (it comes from Microsoft so its safe)

the default view is tree structure meaning like your task manager screen, it will show what processes are under service, but unlike task manager, it shows the ram usage of each part

Private bytes = actual ram usage
Working set = Ram + page file usage

This page shows what all the colours and headings mean, link at bottom of it shows how to use it to find problems. You can right click headers and run an av scan from within the program.

I don't know if it will help but it shows a lot more info than Task manager ever will. Might help figure out if it is defender or not.
try running a clean boot and see if it changes anything - this will tell us if its windows or a start up program causing it. If it doesn't happen, you will need to add the programs slowly to figure out which is causing it.

 

[Ash_Ash]

Thanks Colif for the link explaining conhost.exe in more detail and thanks for the link to process explorer. Process explorer already seems much better and more helpful than task manager.

After reading the link and running process manager, I’m fairly certain that my concerns about conhost.exe running were unfounded. The reason it’s running seems to be because of Nvidia GeForce Experience, so it seems to be legitimate. The reason I wouldn’t have seen it before was because I installed GeForce Experience when I recently updated my graphics card drivers to make sure they weren’t the reason for the pop ups.

I’ve used task scheduler to look further into what tasks were run each time I’ve seen the pop up and I’ve found that a lot of them seemed to be associated with the automatic maintenance that runs when my computer is idle. I clicked manual start maintenance under control panel and noticed that a lot of the same tasks were run, but the pop up didn’t appear. Because of this, I decided to change the time of the automatic maintenance and the pop up happened at the time I picked for the start of this maintenance. I manually ran the maintenance straight after and the pop up didn’t happen.

It seems to be associated with the automatic maintenance, which explains why it seemed to be random to begin with. The maintenance time was set for a time that I would rarely be on my computer and, if I was on my pc at that time, I would have been doing something so it wouldn’t be idle. So, it meant that the automatic processes would run at some point during the day when my computer was idle, thus it happened at seemingly random times to begin with. Now I’ve set the automatic maintenance to time when I can continue to observe it.

I looked through task scheduler to see what ran while during the automatic maintenance but not during the manually initiated maintenance and found a few tasks. One task stands out and makes sense at the likely culprit based on what you posted regarding office. I now feel really stupid for missing this before because I only disabled OfficeBackgroundTaskHandlerRegistration and left OfficeBackgroundTaskHandlerLogon active. Both tasks run the same .exe file so it makes sense that this is the cause. I’ve now disabled both tasks and I’ll continue to look out for these pop ups.

At some point over the next few days, I’ll post whether this has stopped the pop ups or not. Hopefully it has.

 

[Colif]

I have added your findings to the tutorial as its based on others findings as well, and if both call same exe then they may not be to blame and it is... what exe btw?

 

[Ash_Ash]

It's officebackgroundtaskhandler.exe

The location on both my pc and tablet is C:\Program Files (x86)\Microsoft Office\root\Office16.

 

[Colif]

it appears MS are working on a fix for it... as they should since everyone with win 10 has the applications concerned: https://www.tenforums.com/software-apps/83846-popup-microsoft-office-2016-officebackgroundtaskhandler-exe.html

https://answers.microsoft.com/en-us/msoffice/forum/msoffice_other-mso_win10/strange-office-background-task-handler-window/6334eca3-63c1-450e-a260-e41b0472227e

 

[Ash_Ash]

Stopping officebackgroundtaskhandler.exe from running looks like it has sorted it.

Yeah, Microsoft should definitely be fixing this because it's effecting a lot of people.