Command Prompt Flashes and Closes Quickly at Startup or Random Intervals

If the Command Prompt, PowerShell, or an unknown program window flashes during logon or at random intervals without you doing anything, there are many chances that it’s a Task Scheduler job. The windows popping up frequently can be a huge distraction when you’re working or playing a game on the computer.

Sometimes, 2 or 3 CMD windows may open and close quickly (like 2-3 seconds) during Windows startup. You’ll need to know which program ran just to make sure that it’s not malware.

Command Prompt Pops up Randomly Closes Quickly

By the time you open Task Manager and check the Processes or Details tab, the Command Prompt process or the unknown program will have already finished running. The Command Prompt or the PowerShell window may close so quickly that you may not even have the time to see what it is running or even to take a screenshot using PrintScreen.

This post tells you the possible reasons why the Command Prompt or the PowerShell window pops up randomly and how to find the exact name of the unknown task that last ran.

Cause

If a Command Prompt window opens up and closes quickly, it could be due to automatic maintenance task(s) kicking in. This is especially if the Command Prompt window flashes when the system is left idle for a few minutes. You can view the list of automatic maintenance tasks using PowerShell.

If that’s not the case, then it could be a non-maintenance Scheduled Task — e.g., Office 365 Updater, Norton 360 Task, Driver updater task, etc., configured to run at specific intervals. Also, there may be tasks that are configured to run only on AC Power. Some tasks may trigger when you connect the power adapter/charger.

Find exactly why the CMD or PowerShell window popped up!

What if you don’t use Office 365 or Driver Updater? If the list of tasks mentioned in the “Cause” section doesn’t apply, here are the tracking methods you can follow to narrow down the program or task being triggered.

The built-in Task Scheduler lists the Last Run Time and all other details about the tasks. However, manually checking each task folder is time-consuming.

To track scheduled tasks, you may use PowerShell, the built-in Task Scheduler console tool SchTasks.exe, or the 3rd party TaskSchedulerView utility. Here is how to determine if the Command Prompt window that last flashed on the screen was launched as a Task Scheduler job.

Method 1: Using PowerShell

Launch PowerShell as administrator, and run the following command-line:

Get-ScheduledTask | Get-ScheduledTaskInfo | select TaskName, TaskPath, LastRunTime | out-gridview

This shows the list of scheduled tasks, the corresponding “last run time” data, and the branch (Task Scheduler).

Sort the results by LastRunTime (descending) to know the list of tasks that ran most recently.

scheduled tasks list - last run task - powershell

Or, to get it sorted (descending) by LastRunTime automatically, run this command:

Get-ScheduledTask |  Get-ScheduledTaskInfo | Select TaskName, TaskPath, LastRunTime | Sort LastRunTime -Descending | out-gridview

Or if you want to see the program name and arguments executed by each task, use the following PowerShell snippet.

List scheduled tasks with Program name, arguments, and Last Run Time

To get the executable file name and the arguments field for each scheduled task, sorted by LastRunTime, copy the following snippet and paste it into the PowerShell window and press Enter.

$tasks = @()
foreach ( $task in (Get-ScheduledTask)) { 
    $taskinfo = Get-ScheduledTaskInfo $task
    $tasks += [PSCustomObject]@{
        URI = $task.URI
        Program = $task.Actions.Execute
        Arguments = $task.Actions.Arguments
        LastRunTime = $taskinfo.LastRunTime
    }
}
$tasks | Select URI, LastRunTime, Program, Arguments | Sort LastRunTime -Descending | OGV

The output looks like below. Open the link in a new window to see the maximized image.

scheduled task list out-gridview - lastruntime

Now, you can easily narrow down the task that ran recently by matching the above timestamp with the approximate time you saw the CMD or PowerShell window popping up. From the narrowed-down results, it’s very easy to find the task that initiated the Command Prompt or a console program that, inturn, started the command shell.

Method 2: Using TaskSchedulerView Utility

TaskSchedulerView from NirSoft shows you all the information about Tasks. This tool displays the list of all tasks from the Task Scheduler and lets you disable or enable multiple tasks at once. For every task listed, the following information is displayed:

  • Task Name
  • Description
  • Status
  • Hidden (Yes/No)
  • Last Run/Next
  • Run Times
  • Task Folder
  • EXE filename or COM handler of the task
  • Number of missed runs
  • and more…

In TaskSchedulerView, sort the listing by the “Last Run” column and double-click the last run task to find exactly which program was last executed.

scheduled tasks list - last run task - taskschedulerview

If the task is a standard Windows task, simply ignore it. Should the task name or the program name be suspicious, do a full system scan using Malwarebytes antimalware in addition to running a full antivirus scan with updated signatures.

(However, not all programs that run in the background are scheduled tasks. It can be possible that a program that’s currently running, launches another program or command-line for legitimate reasons. Or it could be running from one of the several startup entry points. Autoruns, Process Explorer, and Process Monitor utilities (see “Method 4” at the end of this article) should give you a clear picture of running processes and autostart entries.)

Method 3: Using SchTasks.exe to Get Tasks List and Last Run Time

The Task Scheduler run history can be queried using the schtasks.exe console tool.

Open an elevated Command Prompt window and type in:

schtasks /query /FO TABLE /v | clip

Note: For querying tasks, SchTasks.exe doesn’t require you to run from an elevated Command Prompt.

The output is copied to the clipboard. Open Notepad and paste the output.

You’ll see the list of Tasks and their complete details, including the Last Run Time. Match the time with the actual time the unknown program window appeared and disappeared.

We are particularly interested in the three columns – Last Run Time, TaskName, and Task to Run. Inspect these fields till the end of the file, as this list is not grouped or sorted by Last Run Time.

Importing into Excel

For a detailed inspection, generate a CSV report instead of the TABLE or LIST format, using this command:

schtasks /query /FO CSV /V >d:\tasks-list.csv

For example, d:\tasks-list.csv is the file name and path where the output will be written to. Open the CSV file using Excel, rearrange columns as required, and format it accordingly. Sort by Last Run Time (descending).

Method 4: Process Monitor

Process Monitor or Process Explorer from Windows Sysinternals should tell you exactly what’s currently running in the background. If you run a Process Monitor trace to watch for new process or thread creation activities in real time, you should be able to determine if the Command Prompt window or any other program that popped up on the screen (and exited quickly) was launched by Task Scheduler or not.



Here is a sample Task Scheduler job that opened a Command Prompt window. The process creation was traced using Process Monitor.

Command Prompt Pops up Randomly Closes Quickly

After you know the PID or the parent process, all you need to do is look up that PID in the Task Manager Details tab. It could be pointing to svchost.exe which is a host process that runs Windows Services. Turning on the command-line column in Task Manager will display the service group. If the service group name says "Schedule", it’s Task Scheduler.

If an unknown program or Command Prompt window pops up and closes quickly before you can read the Window title, you now know how to find which program was run.


Additional Info: Scheduled Tasks Examples

NortonCleanupTask

Norton 360 adds a scheduled task named “NortonCleanupTask”, which runs “NortonCleanup.BAT” frequently. Running the “Get-ScheduledTask” PowerShell command, as mentioned in “Method 1” above, shows this:

nortoncleanuptask command window pop up

Disabling “NortonCleanupTask” using Task Scheduler or Autoruns should resolve the issue.

See also: Batch file runs on startup and every 20 minutes .. starting at 6 minutes past hour. | Norton Community

Office 365 background task

There are two scheduled tasks in Task Scheduler Library Microsoft\Office:

  • OfficeBackgroundTaskHandlerLogon runs when a user logs on
  • OfficeBackgroundTaskHandlerRegistration runs every hour

When the above tasks run, they open and close a Command Prompt window in a flash, which can be very annoying to the user. Both tasks are set to run under the “Users” account group. Setting OfficeBackgroundTaskHandlerRegistration to run under the “System” account will prevent the Command Prompt pop-ups from appearing, and the task will run hidden.

  1. Open Task Scheduler, and go to the \Microsoft\Office branch.
  2. Select OfficeBackgroundTaskHandlerRegistration, right-click and select Properties.
  3. Click on Change User Or Group, type System, OK, OK.
    Command Prompt Pops up Randomly Closes Quickly - OfficeBackgroundTaskHandlerRegistration

Driver Setup Utility

There is a 3rd party software named Driver Setup Utility which runs tasks (via Scheduler) to update the drivers at certain intervals, causing the Command Prompt to open up and close automatically. OEMs such as Acer, Gateway, and Packard Bell seem to bundle the DriverSetupUtility in the computers. The DriverSetupUtility or the driver updater program is set to run as a scheduled task every hour as a daily task, and you’ll see a screen something like this when they run:

Command Prompt Randomly Open and Close - driver setup utility

FINDSTR: Cannot open C:\ProgramData\acer\updater2\updater2.xml
The system cannot find the path specified.
Cannot access file C:\Program Files\DriverSetupUtility\FUB\+
FINDSTR: Cannot open C:\ProgramData\packard bell\updater2\updater2.xml
The system cannot find the path specified.
Cannot access file C:\Program Files\DriverSetupUtility\FUB\+
FINDSTR: Cannot open C:\ProgramData\gateway\updater2\updater2.xml
The system cannot find the path specified.
Cannot access file C:\Program Files\DriverSetupUtility\FUB\+
FINDSTR: Cannot open C:\ProgramData\gateway\updater2\updater2.xml

The third-party driver updater programs are not essential for the system. If you don’t plan to use the driver updater program(s), open Control Panel → Programs and Features → uninstall Driver Setup Utility (or DriverSetupUtility) from there.

Dell, on the other hand, has its own SupportAssist utility which doesn’t run those crazy batch files. It has a neat interface and the user is notified of any updates for the system.Command Prompt Randomly Open and Close

“Microsoft Compatibility Appraiser” Task

The “Microsoft Compatibility Appraiser” task collects program telemetry information if opted-in to the Microsoft Customer Experience Improvement Program.

When this task runs, it briefly launches two powershell.exe processes and a conhost.exe process. Here are the command-line for the two processes:

powershell.exe -ExecutionPolicy Restricted -Command $Res = 0; $Infs = Get-Item -Path ($env:WinDir + '\inf\*.inf'); foreach ($Inf in $Infs) { $Data = Get-Content $Inf.FullName; if ($Data -match '\[defaultinstall.nt(amd64|arm|arm64|x86)\]') { $Res = 1; break; } } Write-Host 'Final result:', $Res;
powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';

You can disable the telemetry task via Task Scheduler.

  • Launch Task Scheduler, go to “\Microsoft\Windows\Application Experience“.
  • Right-click “Microsoft Compatibility Appraiser” and choose “Disable”

“Firefox Default Browser Agent” Task

In Firefox, there is a scheduled task that will collect telemetry data and send it to Mozilla. For more information about this task, see Understanding default browser trends – Data on the Mozilla website.

This task is named “Firefox Default Browser Agent”, located under the “Task Scheduler Library” → “Mozilla” folder.

The Default Browser Agent task checks when the default changes from Firefox to another browser. If the change happens under suspicious circumstances, it will prompt users to change back to Firefox no more than two times. This task is installed automatically by Firefox and is reinstalled when Firefox updates.

When the task is triggered, it launches the file “C:\Program Files\Mozilla Firefox\default-browser-agent.exe

To disable this task, update the “default-browser-agent.enabled” preference on the about:config page or the Firefox enterprise policy setting “DisableDefaultBrowserAgent”.

firefox disable scheduled task about:config

Other programs to watch out for:

  • CoolerMaster cm-blackhawk.exe program. cm-blackhawk.exe may auto-start at login and may keep coming up every minute or so.
  • PinVantageToolbarToast and the related task in the Task Scheduler under the name “BatteryGaugeMaintenance“. It might be related to the Lenovo Vantage app, a software that can manage your device settings, update your drivers, run device diagnostics, etc.

See also

I hope the above information was useful. Let’s know your comments.


One small request: If you liked this post, please share this?

One "tiny" share from you would seriously help a lot with the growth of this blog. Some great suggestions:
  • Pin it!
  • Share it to your favorite blog + Facebook, Reddit
  • Tweet it!
So thank you so much for your support. It won't take more than 10 seconds of your time. The share buttons are right below. :)

Ramesh Srinivasan is passionate about Microsoft technologies and he has been a consecutive ten-time recipient of the Microsoft Most Valuable Professional award in the Windows Shell/Desktop Experience category, from 2003 to 2012. He loves to troubleshoot and write about Windows. Ramesh founded Winhelponline.com in 2005.

8 thoughts on “Command Prompt Flashes and Closes Quickly at Startup or Random Intervals”

  1. This is all nice information. BUT it doesn’t explain why these background and/or scheduled tasks create a screen pop-up “How Do You Want To Open This File?” that interrupts our work. It seems that most of these processes don’t require any user input and have no relevance to what we are doing on the screen. Please give us a way to block this pop-up.

    Reply
  2. Would like to thank you for this information!
    Every time I play a full screen game, it interrups the gameplay and forces it to minimize.

    Thanks!

    Reply
  3. Thank you for all the detailed advice here. I have tried everything in here, but still don’t know what causes my command prompt black window to open and shut quite often, regardless of what I am doing. The window that flashes open and closes in about a second has no text in it. It is a blank command prompt. All of the things you recommended drew a blank for me. I don’t have “Office 365” anywhere and there was no “Driver Setup Utility” in “Programs”. Then all the tracing things, including downloading and running TaskSchedulerView and running the command prompt that generates the csv file and sorting that in excel, showed no tasks or activities as recently or frequently as times the command window opens.

    Please do you have any other ideas?

    Reply
  4. Thanks for picking up on this so quickly! It happens about every five or ten minutes. I’ll try to do the process monitor trace now.

    Reply
  5. Hi Ramesh,
    Ok -it just happened, and I have the zipped logfiles. I saved one with “All Events”, as you recommend. That is 32MB zipped (337MB raw)!! So I saved another with just “Events Displayed Using Current Filters” selected and that is 52kB zipped. Perhaps there was some long history that I didn’t effectively delete or exclude that is still captured in the “All Events” one?
    Please, which one do you prefer, and what’s the best way to get it to you?
    Thanks again!

    Reply
    • @Peasmould: “All Events” one will do. You may upload it to your OneDrive cloud account and share the read-only link to me.

  6. I discovered the cause on my PC to be java inspired. I had a program called bigly on my PC and it created a java folder that was causing the CMD windows to open. I discovered by accident while I was trying to figure out who or what kept installing Google sheets as an extension to my Edge Browser. While investigating sheets I found it was also connected to .json files, I deleted the entire folder of these Java connected files and so far no recurrences. Only some java files were on my PC not all of Java, just the ones Bigly needed to function. I also deleted Bigly by uninstalling through control panel. This may not be everyone’s problem or solution and it may take you a few days to discover the cause on your machine but keep alert and you will solve the problem.

    Reply

Leave a Reply