Is it common that Powershell.sys file be flagged as malware by the antivirus?

Question

Is it common that Powershell.sys file be flagged as malware by the antivirus?

Silverio Morales 25

I am writing to seek clarification regarding an issue we have encountered with our antivirus software (Bitdefender). Recently, PowerShell version 7.5.1.0 has been auto updated in some of our workstations and the PowerShell.sys file on our system was flagged as malware by our antivirus application. Given the critical nature of this file, I wanted to inquire if it is common for this file to be flagged as a potential threat.

Could you please provide any insights or guidance on this matter? Specifically, we are interested in understanding whether this is a known issue and if there are any recommended steps we should take to address it.

Thank you for your assistance.

0 comments

Answer accepted by question author

Michael Taylor 61,221

Powershell.sys? That would seem to indicate a kernel driver that has something to do with Powershell. AFAIK there is no such file or feature in Powershell. Powershell is .NET based so running it in kernel doesn't even make sense anyway.

The only online references to such a file I can find is related to installing Marvel Rivals. It appears that the game uses Powershell and it uses a kernel driver, this file, to do something. That isn't an MS product.

I did a quick grep on 2 different systems with the latest PS installed and they don't have that file either. I install PS using WinGet but I don't know that it matters how you installed it.

Can you confirm that this file was actually installed by Powershell? Can you confirm it is digitally signed by Microsoft? Can you look at the path to the file and confirm it is in a path of an MS product (most of the time it is in C:\windows\system32\drivers)?

My gut instinct is that your AV may be right. Either that or somebody is installing a game on their PC.

Silverio Morales 25 Reputation points

2025-05-29T16:08:41.95+00:00

This path C:\Windows\System32\WindowsPowerShell\v1.0 is where the PowerShell.sys was supposed to be stored but, since the antivirus blocked and deleted the file, there is no way for us to find the file in place.

Please see picture reference of the Bitdefender below:
Michael Taylor 61,221 Reputation points

2025-05-29T16:21:47.4633333+00:00

The path you gave isn't PS Core 7.x. PS Core installs to C:\Program Files. The path you gave is for the older Windows Powershell 5 that ships with the OS. So PS 7.x won't touch that directory structure at all.

Irrelevant even Windows Powershell 5 didn't have, AFAIK, a powershell.sys file. PS doesn't run in kernel mode and doesn't need a driver.

I stand by either AV is right or a game is installed that put it there.
Silverio Morales 25 Reputation points

2025-05-30T14:44:01.5466667+00:00

Thank you very much for your responses, Michael, we are further investigating more details with our antivirus representatives to determine if this is a false positive or an actual virus.
Oliver 0 Reputation points

2025-09-21T23:32:19.32+00:00

I also had C:\Windows\System32\WindowsPowerShell\v1.0\powershell.sys detected as a problem when using Defender to try and find source of my Win11 machine's fragility.
The problems started with a BSOD (IRQL) during shutdown - and this file had a date-time corresponding with that shut down. So I think malware dropped it there.
It was detected as "VulnerableDriver:WinNT/Winring0.G"
The internet is telling me that Winring0 was a legitimate (but overpowerful, and signed) driver that can be used by malware.

1 additional answer

Your answer

Silverio Morales 25 Reputation points

2025-05-29T16:08:41.95+00:00

This path C:\Windows\System32\WindowsPowerShell\v1.0 is where the PowerShell.sys was supposed to be stored but, since the antivirus blocked and deleted the file, there is no way for us to find the file in place.

Please see picture reference of the Bitdefender below:
Michael Taylor 61,221 Reputation points

2025-05-29T16:21:47.4633333+00:00

The path you gave isn't PS Core 7.x. PS Core installs to C:\Program Files. The path you gave is for the older Windows Powershell 5 that ships with the OS. So PS 7.x won't touch that directory structure at all.

Irrelevant even Windows Powershell 5 didn't have, AFAIK, a powershell.sys file. PS doesn't run in kernel mode and doesn't need a driver.

I stand by either AV is right or a game is installed that put it there.
Silverio Morales 25 Reputation points

2025-05-30T14:44:01.5466667+00:00

Thank you very much for your responses, Michael, we are further investigating more details with our antivirus representatives to determine if this is a false positive or an actual virus.
Oliver 0 Reputation points

2025-09-21T23:32:19.32+00:00

I also had C:\Windows\System32\WindowsPowerShell\v1.0\powershell.sys detected as a problem when using Defender to try and find source of my Win11 machine's fragility.
The problems started with a BSOD (IRQL) during shutdown - and this file had a date-time corresponding with that shut down. So I think malware dropped it there.
It was detected as "VulnerableDriver:WinNT/Winring0.G"
The internet is telling me that Winring0 was a legitimate (but overpowerful, and signed) driver that can be used by malware.

Answer 1

JeffreyVanDerSluis-8126 0

Same issue here with Norton Anti Virus. File was quarantined however this powershell infected goes away for a while and then has popped us by the AV as an infected file? Any other clarification from anyone? Is it a false postiive?

MotoX80 37,686 Reputation points

2026-04-18T13:18:41.14+00:00

It sounds like you have some other process that is trying to recreate that file. You need to find that process and get rid of it.

One option would be to run Sysinternal's Process Monitor and trace activity to anything named powershell.sys.

https://learn.microsoft.com/en-us/sysinternals/downloads/procmon

In the filter menu, enable drop filtered events. You may need to let this run for a long time and initially you don't need to capture everything.

Add a filter to capture "path contains powershell.sys".

These icons manage the capture.

Open a command prompt and verify that the capture works. When you catch the real event, double click it to see what process is trying to create the file and what it's command line parameters are.

If you reboot, you will have to restart procmon.

Share via

Is it common that Powershell.sys file be flagged as malware by the antivirus?

1 additional answer

Your answer