When "Controlled Folder Access" is enabled, PowerShell 7.4.2 is so Slow it's Unusable

[DesertBear]

Prerequisites

• Write a descriptive title.
• Make sure you are able to repro it on the latest released version
• Search the existing issues.
• Refer to the FAQ.
• Refer to Differences between Windows PowerShell 5.1 and PowerShell.

Steps to reproduce

PowerShell "PowerShell-7.4.1-win-x64.msi" was working OK. After it updated to "PowerShell 7.4.2" through Windows Update, it because so slow that PowerShell is now completely unusable.

When opening PowerShell, just getting it to display a prompt takes a long time – it will just show a flashing cursor for a long time. Then, if you're able to actually get to the point where it displays the prompt, it's next to impossible to use PowerShell due to the slowness. I'm not talking about just being a bit sluggish, it is quite literally unusable as it won't do anything.

In addition, it gets even slower as time goes by. If I boot Windows and immediately go to PowerShell, I may just be able to do something like Get-ChildItem. If I boot Windows and wait 5 minutes before opening PowerShell, it's so slow it's not even possible to get to the prompt, it just stays on a flashing cursor indefinitely.

This happens whether using PowerShell in Windows Terminal, VSCode with the PowerShell Extension or just using "C:\Program Files\PowerShell\7\pwsh.exe" directly. VSCode also displays a dialogue saying it's taking too long to load.

Even worse though, is it affects PowerShell 5.1 too, so I can't even use that – as it has the same slowness issue. I have no idea why PowerShell 7 is affecting PowerShell 5.1, but it does. I also tried downloading the Microsoft Store version of PowerShell 7 and it affects this as well. So, I can't use PowerShell anywhere. Windows Command Prompt is unaffected.

I tried to uninstall and reinstall PowerShell, however it wouldn't allow me to reinstall it. During the installation process, the progress bar stopped moving half way through installing it and wouldn't ever complete.

Therefore, I reinstalled Windows from scratch and installed "PowerShell-7.4.2-win-x64.msi". PowerShell was initially fine, however after 1-2 days the same thing has happened and it has become unusable again.

All other applications on the machine work fine, just anything related to PowerShell is super slow to the point of not being usable at all.

---

Windows 11 23H2 (22631.3447)
PowerShell-7.4.2-win-x64.msi

Expected behavior

When opening PowerShell, it should quickly show the prompt and allow running PowerShell commands.

Actual behavior

When opening PowerShell, just getting it to display a prompt takes a long time – it will just show a flashing cursor for ages. Then, if you're able to actually get to the point where it displays the prompt, it's next to impossible to use it due to the slowness.

Error details

No response

Environment data

Name                           Value
----                           -----
PSVersion                      7.4.2
PSEdition                      Core
GitCommitId                    7.4.2
OS                             Microsoft Windows 10.0.22631
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Visuals

Screenshot showing it's not even possible to get to the prompt, it just stays on a flashing cursor indefinitely:

[mklement0]

affects PowerShell 5.1 too, so I can't even use that – as it has the same slowness issue.

Given that Windows PowerShell and PowerShell (Core) do not share technical underpinnings, I suspect that your problem isn't specific to the latter.

• Does starting either CLI with -NoProfile make a difference?

• Does defining environment variable POWERSHELL_TELEMETRY_OPTOUT with a value of 1, and POWERSHELL_UPDATECHECK with a value of Off before invoking pwsh make a difference?

[DesertBear]

Initially I though the problem was due to PowerShell environment variables too, because I had added them using the below System.Environment methods.

[System.Environment]::SetEnvironmentVariable("POWERSHELL_TELEMETRY_OPTOUT", "1", "Machine")

[System.Environment]::SetEnvironmentVariable("POWERSHELL_UPDATECHECK", "Off", "Machine")

However, after the slowness problem I deleted them from [Windows Settings > System > About > Advanced System Settings > Environment Variables > System Variables] (because PowerShell was frozen) hoping that would be where the issue lies – but, deleting them made no difference. Also, adding them again through those Advanced System Settings made no difference either.

I also tried pwsh -NoProfile through the Run dialogue, however the problem is still present.

In addition, I tried setting Windows Terminal back to default settings and uninstalled VSCode and the PowerShell Extension for VSCode, so it was just PWSH left on the machine, and that made no difference either.

I leave PowerShell pretty standard. The only other thing I changed was when I first installed PWSH after clean installing Windows it was using Windows Console Host, rather than Windows Terminal and so I changed the font size, window width and background colour by right-clicking the PWSH title bar and selecting Defaults. However, I'm not sure how to put that back to standard now.

[DesertBear]

I've determined that this issue occurs when Microsoft Defender "Controlled Folder Access" is enabled. When temporarily changing the below Controlled Folder Access Group Policy setting to "Not configured", PowerShell works as normal again.

Group Policy Management Editor > Computer configuration > Administrative templates > Windows components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled folder access > Configure Controlled folder access

However, both the below PowerShell applications are on the Controlled Folder Access list of allowed applications.

%SystemRoot%\System32\WindowsPowershell\v1.0\Powershell.exe

%ProgramFiles%\powershell\7\pwsh.exe

Therefore I'm not sure what PowerShell 7.4.2 is doing that is being blocked by Controlled Folder Access – as neither PowerShell 5.1 nor PowerShell 7 are blocked from writing to folder locations protected by Controlled Folder Access. I can only assume it's trying to do something in an unconventional way, which is causing it to be blocked by Controlled Folder Access.

In addition, ordinarily when an application is blocked by Controlled Folder Access, Event ID 1123 - Blocked controlled folder access event is logged in Windows Event Viewer under the Microsoft-Windows-Windows Defender/Operational logs. However, whatever PowerShell is doing, there are no Controlled Folder Access events logged – which is odd.

Event IDs:
https://learn.microsoft.com/en-us/defender-endpoint/controlled-folders?view=o365-worldwide#review-controlled-folder-access-events-in-windows-event-viewer

# Timescale
$StartTime = (Get-Date).AddDays(-60)


# Defender
$Defender = Get-WinEvent -FilterHashtable @(

    # AttackSurfaceReduction
    @{
        "StartTime"    = $StartTime
        "LogName"      = "Microsoft-Windows-Windows Defender/Operational"
        "ProviderName" = "Microsoft-Windows-Windows Defender"
        "ID"           = "1121".."1128"
    }
)


# Output
@($Defender) | 
Sort-Object -Property TimeCreated | 
Format-List -Property TimeCreated, Message, ID

While Controlled Folder Access is not part of the Windows 11 Security Baseline, it is a recommended setting in the Microsoft Security Baseline blog, therefore this is something that needs to be addressed.

Security Baseline Blog:
https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-11-version-23h2-security-baseline/ba-p/3967618

"…Configure Controlled folder access is not configured in the baseline but it is highly encouraged for the organization to set it to Enabled: Audit Mode for a period of time, until enough logging has occurred to make informed decisions. From there organizations are encourage to fully configure CFA and move from Audit Mode to Block state."

[iSazonov]

Can you try to run pwsn -NoInteractive and share results?

[DesertBear]

The problem is still present when launching PowerShell using pwsh -NonInteractive.