: It triggers the creation of Shadow Users , which are non-privileged local users used to run third-party applications (like SSMS or Toad) on the PSM. Configuration and Pathing
In short: for the Puppet Windows Agent.
[User Connection Request] ──> [PVWA Portal] ──> [PSM Gateway Server] │ (Spawns psminitsession.exe) │ ┌──────────────┴──────────────┐ ▼ ▼ [Enforces AppLocker / GPO] [Launches Target Component] The Ingress Connection Flow [PSM] - This initial program cannot be started - CyberArk psminitsessionexe
It helps initiate the PSMRecorder.exe , which captures the visual and text-based data of the session for auditing purposes. Common Locations and Verification
Right-click the process in Task Manager → . : It triggers the creation of Shadow Users
| Attribute | Details | |-----------|---------| | | C:\Program Files\Palo Alto Networks\Traps\bin\psminitsessionexe (may vary slightly by version) | | Signed by | Palo Alto Networks, Inc. | | SHA256 (example) | (varies by version – always verify via digital signature) | | Typical size | 100–300 KB | | Execution trigger | User logon (via scheduled task or Winlogon notification) |
Use "Add or Remove Programs" to uninstall any PowerBroker or BeyondTrust applications. Common Locations and Verification Right-click the process in
The name breaks down logically:
However, cybercriminals sometimes name malware to mimic legitimate Windows or enterprise processes. Here's how to stay safe: