6

The following process seems to be running all the time:

C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding

Anyone know what it is?

Scanned with MalwareBytes and Kaspersky Internet Security 2011

Using Windows 7 Ultimate 64-bit.

Pylsa
  • rundll32.exe is a standard Windows/MS program to initialize a DLL. shell32.dll is a standard Windows/MS extension. The interesting part is the SHCreateLocalServerRunDll. Google doesn't shed any light on that. Does Registry Editor find anything in your registry for the hex argument at the end? – Nathan G. Jan 03 '11 at 00:17
  • @Nathan did not find anything of interest when looking for "995C996E-D918-4a8c-A302-45719A6F4EA7" – Pylsa Jan 03 '11 at 00:43
  • Why are you suspicious of this legit Windows system file? – Moab Jan 03 '11 at 01:26
  • @Moab because I can't seem to find the source of why this is running... I've never had this process before and I haven't installed anything in the meantime. – Pylsa Jan 03 '11 at 01:50
  • Try Process Explorer, a powerful tool if you know how to use it: http://technet.microsoft.com/en-us/sysinternals/bb896653 – Moab Jan 03 '11 at 02:09
  • You can also use PE to enable boot logging, maybe this will show what is loading it: http://www.msigeek.com/6231/how-to-enable-system-boot-time-logging-using-process-monitor-tool – Moab Jan 03 '11 at 02:10
  • @Moab Process Explorer didn't help, it was the first thing I looked for. The process seems to be owned by svchost.exe – Pylsa Jan 03 '11 at 02:12
  • I guess it's a mystery, post back if you solve it. – Moab Jan 03 '11 at 02:17
  • @Moab I most certainly will... It's really bad practice to leave a question unsolved if you've solved it yourself... – Pylsa Jan 03 '11 at 02:18
  • After googling, I cannot find anything negative about "shell32.dll,SHCreateLocalServerRunDll". Have you scanned for nasties? – Moab Jan 03 '11 at 02:26
  • Reading back my own comments and questions, I can only cringe. I am so sorry everyone – Pylsa Dec 20 '19 at 06:28

2 Answers

7

It is a Microsoft Windows DistributedCOM server. It is safe as far as I can tell. I have seen it on other systems that were a couple of weeks old and didn't get a chance to get infected :).

digitxp
  • @digitxp - According to Wiki it's a long-deprecated technology, why would this still be on my Win7 64-bit computer? – Pylsa Jan 03 '11 at 00:48
  • I guess backwards compatibility with .net frameworks –  Jan 03 '11 at 00:53
  • Microsoft always uses long deprecated technology! You must be a Linux/Unix user. – Moab Jan 03 '11 at 01:16
  • @Moab Well mainly yes xD Is it that obvious huh? – Pylsa Jan 03 '11 at 01:51
  • @BloodPhilia, yes, you seem to be bright, logical, polite and a bit pragmatic, none of which works well when solving problems in Windows.. ;-) – Moab Jan 03 '11 at 02:05
  • @Moab Haha, well I'll consider that a compliment sir... And what brilliant deduction abilities! Chapeau! – Pylsa Jan 03 '11 at 02:07
  • @BloodPhilia, how did you know I am a Sir, now you are scaring me with your 6th sense! – Moab Jan 03 '11 at 02:15
  • @Moab And I think the Linux Badge might've given me away as well ;) Ah well, a Sir you behave good Sir! – Pylsa Jan 03 '11 at 02:15
  • Badge? I don't look at that stuff, actually it was a logical conclusion after reading many of your posts. – Moab Jan 03 '11 at 02:28
  • @Moab Read many of my posts have you? I'll consider you my first fan! ;D – Pylsa Jan 03 '11 at 02:56
  • @Bloodphilia, it's hard not to, you are all over this place! – Moab Jan 03 '11 at 15:48
  • @Moab hope that isn't a bad thing! :D – Pylsa Jan 03 '11 at 17:36
  • It's all good... – Moab Jan 03 '11 at 18:32
  • @Moab Good good! :D As a matter of fact, I do come across your name more often and often! Keep up the good work! – Pylsa Jan 03 '11 at 22:54
  • @Bloophilia, interesting one here: http://superuser.com/questions/224112/virus-malware-explorer-window-with-strange-user-logged-into-hotmail/228615#228615 – Moab Jan 03 '11 at 23:39
2

This is an old question. But the correct answer can be found here: http://www.sevenforums.com/performance-maintenance/218109-rundll32-exe-running-all-time.html

That GUID maps to the "Shell Hardware Mixed Content Handler", which is a COM handler that needs to run as "Interactive User", meaning run in a logged-on user's session (that's you). The reason it needs to run in the context of a logged-on user is that it's actually the Autorun handler (enabling Autorun on my own Win7 box causes the same process to be spawned).

If you don't want to see it, go into the control panel and disable Autorun. Otherwise, it needs to run for Autorun to work properly.

answered there by cluberti on 07 Mar 2012

clst
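The check Nathan G. suggested in the first comment (look the GUID up in the registry) and the explanation in the last answer (the CLSID maps to a COM handler whose AppID is set to run as "Interactive User") can both be done from PowerShell instead of by hand. The script below is an added example, not code from the question, the answers or Microsoft. It assumes the standard COM registration layout (HKCR\CLSID\{clsid} with its default value, AppID value and LocalServer32/InprocServer32 subkeys; HKCR\AppID\{appid} with its RunAs value) and the Win32_Process CIM class; the function names are my own.

```powershell
# Added example (not from the thread): resolve the CLSID that rundll32.exe was
# given after shell32.dll,SHCreateLocalServerRunDll, and report how that COM
# server is registered. Assumes the standard HKCR\CLSID and HKCR\AppID layout.

function Resolve-ComClsid {
    param(
        [Parameter(Mandatory)]
        [string]$Clsid   # with or without braces, e.g. {995C996E-D918-4a8c-A302-45719A6F4EA7}
    )

    $bare = $Clsid.Trim('{', '}')
    if ($bare -notmatch '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$') {
        throw "Not a GUID: $Clsid"
    }
    $Clsid = "{$bare}"

    $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    if (-not (Test-Path -LiteralPath $clsidKey)) {
        # A CLSID with no registration at all being launched this way has no
        # legitimate explanation and deserves a closer look.
        return [pscustomobject]@{ Clsid = $Clsid; Registered = $false }
    }

    $props = Get-ItemProperty -LiteralPath $clsidKey
    $appId = $props.AppID

    # Where the server code lives: in-process DLL or out-of-process EXE.
    $inproc = (Get-ItemProperty -LiteralPath "$clsidKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
    $local  = (Get-ItemProperty -LiteralPath "$clsidKey\LocalServer32"  -ErrorAction SilentlyContinue).'(default)'

    # RunAs is stored on the AppID, not on the CLSID. "Interactive User" is the
    # setting the answer refers to: the server is started in the logged-on session.
    $runAs = $null
    if ($appId) {
        $runAs = (Get-ItemProperty -LiteralPath "Registry::HKEY_CLASSES_ROOT\AppID\$appId" -ErrorAction SilentlyContinue).RunAs
    }

    [pscustomobject]@{
        Clsid          = $Clsid
        Registered     = $true
        FriendlyName   = $props.'(default)'
        InprocServer32 = $inproc
        LocalServer32  = $local
        AppID          = $appId
        RunAs          = $runAs
    }
}

function Get-ShellLocalServerHosts {
    # Every rundll32.exe started through shell32.dll,SHCreateLocalServerRunDll:
    # extract the CLSID argument, resolve it, and record image path and parent
    # (a DCOM-started server is normally parented by the svchost.exe hosting DcomLaunch).
    $pattern = 'SHCreateLocalServerRunDll\s+(\{[0-9A-Fa-f-]+\})'
    Get-CimInstance -ClassName Win32_Process -Filter "Name = 'rundll32.exe'" |
        ForEach-Object {
            if ($_.CommandLine -match $pattern) {
                $info   = Resolve-ComClsid -Clsid $Matches[1]
                $parent = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
                $info |
                    Add-Member -NotePropertyName ProcessId  -NotePropertyValue $_.ProcessId      -PassThru |
                    Add-Member -NotePropertyName ImagePath  -NotePropertyValue $_.ExecutablePath -PassThru |
                    Add-Member -NotePropertyName ParentName -NotePropertyValue $parent.Name      -PassThru
            }
        }
}

# Usage:
#   Resolve-ComClsid '{995C996E-D918-4a8c-A302-45719A6F4EA7}' | Format-List
#   Get-ShellLocalServerHosts | Format-List
```

What to look for in the output: ImagePath should be the real C:\Windows\System32\rundll32.exe, the CLSID should be registered with a friendly name, and the server path and AppID should point at Windows components. A CLSID that is unregistered, or whose InprocServer32/LocalServer32 points at a user-writable directory, is the case that justifies the suspicion the question started with; a registered shell handler with RunAs set to "Interactive User" is the benign explanation the accepted answer gives.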