Command Prompt Flashes and Closes Quickly at Startup or Random Intervals

If the Command Prompt, PowerShell, or an unknown program window flashes during logon or at random intervals without you doing anything, there are many chances that it’s a Task Scheduler job. The windows popping up frequently can be a huge distraction when you’re working or playing a game on the computer.

Sometimes, 2 or 3 CMD windows may open and close quickly (like 2-3 seconds) during Windows startup. You’ll need to know which program ran just to make sure that it’s not malware.

By the time you open Task Manager and check the Processes or Details tab, the Command Prompt process or the unknown program will have already finished running. The Command Prompt or the PowerShell window may close so quickly that you may not even have the time to see what it is running or even to take a screenshot using PrintScreen.

This post tells you the possible reasons why the Command Prompt or the PowerShell window pops up randomly and how to find the exact name of the unknown task that last ran.

Cause

If a Command Prompt window opens up and closes quickly, it could be due to automatic maintenance task(s) kicking in. This is especially if the Command Prompt window flashes when the system is left idle for a few minutes. You can view the list of automatic maintenance tasks using PowerShell.

If that’s not the case, then it could be a non-maintenance Scheduled Task — e.g., Office 365 Updater, Norton 360 Task, Driver updater task, etc., configured to run at specific intervals. Also, there may be tasks that are configured to run only on AC Power. Some tasks may trigger when you connect the power adapter/charger.

Find exactly why the CMD or PowerShell window popped up!

What if you don’t use Office 365 or Driver Updater? If the list of tasks mentioned in the “Cause” section doesn’t apply, here are the tracking methods you can follow to narrow down the program or task being triggered.

The built-in Task Scheduler lists the Last Run Time and all other details about the tasks. However, manually checking each task folder is time-consuming.

To track scheduled tasks, you may use PowerShell, the built-in Task Scheduler console tool SchTasks.exe, or the 3rd party TaskSchedulerView utility. Here is how to determine if the Command Prompt window that last flashed on the screen was launched as a Task Scheduler job.

Method 1: Using PowerShell

Launch PowerShell as administrator, and run the following command-line:

Get-ScheduledTask | Get-ScheduledTaskInfo | select TaskName, TaskPath, LastRunTime | out-gridview

This shows the list of scheduled tasks, the corresponding “last run time” data, and the branch (Task Scheduler).

Sort the results by LastRunTime (descending) to know the list of tasks that ran most recently.

Or, to get it sorted (descending) by LastRunTime automatically, run this command:

Get-ScheduledTask |  Get-ScheduledTaskInfo | Select TaskName, TaskPath, LastRunTime | Sort LastRunTime -Descending | out-gridview

Or if you want to see the program name and arguments executed by each task, use the following PowerShell snippet.

$tasks = @()
foreach ( $task in (Get-ScheduledTask)) { 
    $taskinfo = Get-ScheduledTaskInfo $task
    $tasks += [PSCustomObject]@{
        URI = $task.URI
        Program = $task.Actions.Execute
        Arguments = $task.Actions.Arguments
        LastRunTime = $taskinfo.LastRunTime
    }
}
$tasks | Select URI, LastRunTime, Program, Arguments | Sort LastRunTime -Descending | OGV

Now, you can easily narrow down the task that ran recently by matching the above timestamp with the approximate time you saw the CMD or PowerShell window popping up. From the narrowed-down results, it’s very easy to find the task that initiated the Command Prompt or a console program that, inturn, started the command shell.

Method 2: Using TaskSchedulerView Utility

TaskSchedulerView from NirSoft shows you all the information about Tasks. This tool displays the list of all tasks from the Task Scheduler and lets you disable or enable multiple tasks at once. For every task listed, the following information is displayed:

• Task Name
• Description
• Status
• Hidden (Yes/No)
• Last Run/Next
• Run Times
• Task Folder
• EXE filename or COM handler of the task
• Number of missed runs
• and more…

In TaskSchedulerView, sort the listing by the “Last Run” column and double-click the last run task to find exactly which program was last executed.

If the task is a standard Windows task, simply ignore it. Should the task name or the program name be suspicious, do a full system scan using Malwarebytes antimalware in addition to running a full antivirus scan with updated signatures.

(However, not all programs that run in the background are scheduled tasks. It can be possible that a program that’s currently running, launches another program or command-line for legitimate reasons. Or it could be running from one of the several startup entry points. Autoruns, Process Explorer, and Process Monitor utilities (see “Method 4” at the end of this article) should give you a clear picture of running processes and autostart entries.)

Method 3: Using SchTasks.exe to Get Tasks List and Last Run Time

The Task Scheduler run history can be queried using the schtasks.exe console tool.

Open an elevated Command Prompt window and type in:

schtasks /query /FO TABLE /v | clip

Note: For querying tasks, SchTasks.exe doesn’t require you to run from an elevated Command Prompt.

The output is copied to the clipboard. Open Notepad and paste the output.

You’ll see the list of Tasks and their complete details, including the Last Run Time. Match the time with the actual time the unknown program window appeared and disappeared.

We are particularly interested in the three columns – Last Run Time, TaskName, and Task to Run. Inspect these fields till the end of the file, as this list is not grouped or sorted by Last Run Time.

Importing into Excel

For a detailed inspection, generate a CSV report instead of the TABLE or LIST format, using this command:

schtasks /query /FO CSV /V >d:\tasks-list.csv

For example, d:\tasks-list.csv is the file name and path where the output will be written to. Open the CSV file using Excel, rearrange columns as required, and format it accordingly. Sort by Last Run Time (descending).

Method 4: Process Monitor

Process Monitor or Process Explorer from Windows Sysinternals should tell you exactly what’s currently running in the background. If you run a Process Monitor trace to watch for new process or thread creation activities in real time, you should be able to determine if the Command Prompt window or any other program that popped up on the screen (and exited quickly) was launched by Task Scheduler or not.

Here is a sample Task Scheduler job that opened a Command Prompt window. The process creation was traced using Process Monitor.

After you know the PID or the parent process, all you need to do is look up that PID in the Task Manager Details tab. It could be pointing to svchost.exe which is a host process that runs Windows Services. Turning on the command-line column in Task Manager will display the service group. If the service group name says "Schedule", it’s Task Scheduler.

If an unknown program or Command Prompt window pops up and closes quickly before you can read the Window title, you now know how to find which program was run.

Additional Info: Scheduled Tasks Examples

NortonCleanupTask

Norton 360 adds a scheduled task named “NortonCleanupTask”, which runs “NortonCleanup.BAT” frequently. Running the “Get-ScheduledTask” PowerShell command, as mentioned in “Method 1” above, shows this:

Disabling “NortonCleanupTask” using Task Scheduler or Autoruns should resolve the issue.

See also: Batch file runs on startup and every 20 minutes .. starting at 6 minutes past hour. | Norton Community

Office 365 background task

There are two scheduled tasks in Task Scheduler Library Microsoft\Office:

• OfficeBackgroundTaskHandlerLogon runs when a user logs on
• OfficeBackgroundTaskHandlerRegistration runs every hour

When the above tasks run, they open and close a Command Prompt window in a flash, which can be very annoying to the user. Both tasks are set to run under the “Users” account group. Setting OfficeBackgroundTaskHandlerRegistration to run under the “System” account will prevent the Command Prompt pop-ups from appearing, and the task will run hidden.

1. Open Task Scheduler, and go to the \Microsoft\Office branch.
2. Select OfficeBackgroundTaskHandlerRegistration, right-click and select Properties.
3. Click on Change User Or Group, type System, OK, OK.
   

Driver Setup Utility

There is a 3rd party software named Driver Setup Utility which runs tasks (via Scheduler) to update the drivers at certain intervals, causing the Command Prompt to open up and close automatically. OEMs such as Acer, Gateway, and Packard Bell seem to bundle the DriverSetupUtility in the computers. The DriverSetupUtility or the driver updater program is set to run as a scheduled task every hour as a daily task, and you’ll see a screen something like this when they run:

FINDSTR: Cannot open C:\ProgramData\acer\updater2\updater2.xml
The system cannot find the path specified.
Cannot access file C:\Program Files\DriverSetupUtility\FUB\+
FINDSTR: Cannot open C:\ProgramData\packard bell\updater2\updater2.xml
The system cannot find the path specified.
Cannot access file C:\Program Files\DriverSetupUtility\FUB\+
FINDSTR: Cannot open C:\ProgramData\gateway\updater2\updater2.xml
The system cannot find the path specified.
Cannot access file C:\Program Files\DriverSetupUtility\FUB\+
FINDSTR: Cannot open C:\ProgramData\gateway\updater2\updater2.xml

The third-party driver updater programs are not essential for the system. If you don’t plan to use the driver updater program(s), open Control Panel → Programs and Features → uninstall Driver Setup Utility (or DriverSetupUtility) from there.

“Microsoft Compatibility Appraiser” Task

The “Microsoft Compatibility Appraiser” task collects program telemetry information if opted-in to the Microsoft Customer Experience Improvement Program.

When this task runs, it briefly launches two powershell.exe processes and a conhost.exe process. Here are the command-line for the two processes:

powershell.exe -ExecutionPolicy Restricted -Command $Res = 0; $Infs = Get-Item -Path ($env:WinDir + '\inf\*.inf'); foreach ($Inf in $Infs) { $Data = Get-Content $Inf.FullName; if ($Data -match '\[defaultinstall.nt(amd64|arm|arm64|x86)\]') { $Res = 1; break; } } Write-Host 'Final result:', $Res;

powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';

You can disable the telemetry task via Task Scheduler.

• Launch Task Scheduler, go to “\Microsoft\Windows\Application Experience“.
• Right-click “Microsoft Compatibility Appraiser” and choose “Disable”

“Firefox Default Browser Agent” Task

In Firefox, there is a scheduled task that will collect telemetry data and send it to Mozilla. For more information about this task, see Understanding default browser trends – Data on the Mozilla website.

This task is named “Firefox Default Browser Agent”, located under the “Task Scheduler Library” → “Mozilla” folder.

The Default Browser Agent task checks when the default changes from Firefox to another browser. If the change happens under suspicious circumstances, it will prompt users to change back to Firefox no more than two times. This task is installed automatically by Firefox and is reinstalled when Firefox updates.

When the task is triggered, it launches the file “C:\Program Files\Mozilla Firefox\default-browser-agent.exe”

To disable this task, update the “default-browser-agent.enabled” preference on the about:config page or the Firefox enterprise policy setting “DisableDefaultBrowserAgent”.

Other programs to watch out for:

• CoolerMaster cm-blackhawk.exe program. cm-blackhawk.exe may auto-start at login and may keep coming up every minute or so.
• PinVantageToolbarToast and the related task in the Task Scheduler under the name “BatteryGaugeMaintenance“. It might be related to the Lenovo Vantage app, a software that can manage your device settings, update your drivers, run device diagnostics, etc.

See also

• How to Find Which Program Caused An Unknown Error Message
• How to Use Process Monitor to Track Registry and File System Changes
• How to Determine the Parent Process of a Running Process in Windows

I hope the above information was useful. Let’s know your comments.