Have you ever noticed that some PowerShell scripts result in the execution of the C# compiler csc.exe?
This happens when a PowerShell script uses cmdlet Add-Type.
Like in this command:
powershell -Command “Add-Type -TypeDefinition \”public class Demo {public int a;}\””
This command just adds the definition of a class (Demo) with one member (a).
When this Add-Type cmdlet is executed, the C# compiler is invoked by PowerShell to compile this class definition (a C# program) into an assembly (DLL) with the .NET type to be used by the PowerShell script.
A temporary file (oj5zlfcy.cmdline in this example) is created inside folder %appdata%\local\temp with extension .cmdline. This is passed as argument to the invoked C# compiler csc.exe, and contains directions to compile a C# program (oj5zlfcy.0.cs):
/t:library /utf8output /R:”System.dll” /R:”C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll” /R:”System.Core.dll” /out:”C:\Users\testuser1\AppData\Local\Temp\oj5zlfcy.dll” /debug- /optimize+ /warnaserror /optimize+ “C:\Users\testuser1\AppData\Local\Temp\oj5zlfcy.0.cs”
The C# program (oj5zlfcy.0.cs in this example) contains the class definition passed as argument to cmdlet Add-Type:
public class Demo {public int a;}
Both these files start with a UTF-8 BOM (EF BB BF).
The C# compiler (csc.exe) can invoke compilation tools when necessary, like the resource compiler cvtres.exe.
This results in the creation of several temporary files:
All these files are removed when cmdlet Add-Type terminates.
Article Link: PowerShell, Add-Type & csc.exe | Didier Stevens