Windows security log shows pycharm64.exe running from $Recycle.Bin during update
Hi,
I'm on a managed Win 11 workstation without administrator rights. When launching PyCharm this morning, I saw a prompt to update.
Our security team let me know about two concerning logged events a few minutes apart:
1. ParentBaseFileName = explorer.exe, FileName = pycharm64.exe
2. ParentBaseFileName = restarter.exe, FileName = pycharm64.exe
Both events showed the FilePath pointing directly to a $RECYCLE.BIN directory, not the usual installation folder.
I had launched PyCharm from my normal shortcut and used the in-app update prompts. I can't share raw logs or further detail out of caution due to organizational policy.
Is it expected or possible for the JetBrains updater to rename or move running executables to hidden $RECYCLE.BIN paths during updates? If so, is there any supported way to avoid this at all costs so I do not cause problems with the institution's security team?
Thank you for any help
To investigate this, navigate to Help | Show Log in Explorer. In the parent folder, open idea_updater.log; there you can find any details about it.
Are you using any custom properties (Help > Edit Custom Properties… maybe idea.system.path, idea.config.path)?
Regarding explorer.exe, it's just what happens when you open PyCharm, and restarter.exe is just a way to restart the IDE after the update. I don't believe it's intended to be pointing to $RECYCLE.BIN, though. It could be the Windows shell while deleting the old version. It's hard to pinpoint without logs, etc.
Also, I would suggest (if possible) using JetBrains Toolbox for managing IDEs. Do you get the same behavior if you use it?
Best regards,
Uros Glogovac
IntelliJ Support