Hi,
I found in a timeline that there were several entries in
c/Users/<user>/AppData/Local/Microsoft/Windows/PowerShell/CommandAnalysis/PowerShell_AnalysisCacheEntry_*
Googled around for PowerShell_AnalysisCacheEntry but couldn't find anything meaningful. What does the AnalysisCacheEntry mean? Is that a cache for a PowerShell script run, or a cache for libraries, which are needed by a PowerShell script?
Thanks.
Have you looked at it in a hex view to see if you can make out anything?
Check this
https://
Seemingly it is a cache storage written to by various operations (WMI/WMF in that reference).
jaclaz
If I look with strings (Linux) I can see some function calls, as it seems. E.g.
Add-ADCentralAccessPolicyMember
Add-ADComputerServiceAccount
/Add-ADDomainControllerPasswordReplicationPolicy
&Add-ADFineGrainedPasswordPolicySubject
Add-ADGroupMember
Add-ADPrincipalGroupMembership
Add-ADResourcePropertyListMember
Clear-ADAccountExpiration
Clear-ADClaimTransformLink
Disable-ADAccount !
Disable-ADOptionalFeature $
Enable-ADAccount '
Enable-ADOptionalFeature *
Get-ADAccountAuthorizationGroup -
/Get-ADAccountResultantPasswordReplicationPolicy 0
Get-ADAuthenticationPolicy 3
Get-ADAuthenticationPolicySilo 6
Get-ADCentralAccessPolicy 9
Get-ADCentralAccessRule <
Get-ADClaimTransformPolicy ?
Get-ADClaimType B
Get-ADComputer E
Get-ADComputerServiceAccount H
My question: what creates these entries? Is it a PowerShell script, or libs loaded?
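
An added example, not part of any post in this thread: a Python helper that turns the strings output quoted above into clean command names and keeps the stray characters around each name. In the quoted lines the "/" and "&" in front of three names have byte values 47 and 38, which equal the length of the name that follows, so the script checks for that; this is an observation on the sample only, not a documented file format, and the function names are illustrative.

```python
import re

# Lines copied from the strings output quoted in the thread above.
SAMPLE = [
    "Add-ADGroupMember",
    "/Add-ADDomainControllerPasswordReplicationPolicy",
    "&Add-ADFineGrainedPasswordPolicySubject",
    "Disable-ADAccount !",
    "/Get-ADAccountResultantPasswordReplicationPolicy 0",
    "Get-ADComputer E",
]

# Verb-Noun shape of a PowerShell command name.
CMDLET = re.compile(r"[A-Z][a-z]+-[A-Za-z0-9]+")


def parse_line(line):
    """Split one strings line into the command name and the stray bytes around it."""
    m = CMDLET.search(line)
    if m is None:
        return None
    lead = line[:m.start()]
    trail = line[m.end():].strip()
    return {
        "name": m.group(0),
        "lead_byte": ord(lead[-1]) if lead else None,
        "trail_byte": ord(trail[0]) if trail else None,
    }


def lead_is_length(rec):
    """True when the visible leading byte equals len(name); None when no lead is visible."""
    if rec["lead_byte"] is None:
        return None
    return rec["lead_byte"] == len(rec["name"])


def command_names(lines):
    """Return the de-duplicated, sorted command names found in strings output."""
    recs = (parse_line(line) for line in lines)
    return sorted({r["name"] for r in recs if r})


if __name__ == "__main__":
    for line in SAMPLE:
        rec = parse_line(line)
        print(rec["name"], rec["lead_byte"], rec["trail_byte"], lead_is_length(rec))
```

Names shorter than 32 characters show no leading character, which fits the same reading: a length byte below 0x20 is not printable, so strings drops it.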