What is this process?

Solution 1

It is a Microsoft Windows DistributedCOM server. It is safe as far as I can tell. I have seen it on other systems that were a couple of weeks old and didn't get a chance to get infected :).

Solution 2

This is an old question. But the correct answer can be found here: http://www.sevenforums.com/performance-maintenance/218109-rundll32-exe-running-all-time.html

That GUID maps to the "Shell Hardware Mixed Content Handler", which is a COM handler that needs to run as "Interactive User", meaning run in a logged-on user's session (that's you). The reason it needs to run in the context of a logged-on user is that it's actually the Autorun handler (enabling Autorun on my own Win7 box causes the same process to be spawned).

If you don't want to see it, go into the control panel and disable Autorun. Otherwise, it needs to run for Autorun to work properly.

answered there by cluberti on 07 Mar 2012
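
The registry lookup suggested in the comments and the GUID-to-handler mapping described in this answer can be checked with a short script. This is an added example, not part of the original answers; the function name `Resolve-ComGuid` is hypothetical, and it assumes the standard COM registration layout (`CLSID` and `AppID` keys under the per-machine and per-user `Classes` roots, with `RunAs` stored on the AppID key).

```powershell
# Added example: map the GUID on a rundll32 "-Embedding" command line to its
# COM registration. Resolve-ComGuid is a hypothetical helper name.
function Resolve-ComGuid {
    param([Parameter(Mandatory)][string]$CommandLine)

    # Extract the first {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} token.
    if ($CommandLine -notmatch '\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}') {
        return   # no GUID on this command line
    }
    $guid = $Matches[0]

    # Check both the per-machine and the per-user class roots, and treat the
    # GUID as either a CLSID or an AppID, since the command line does not say.
    foreach ($root in 'HKLM:\SOFTWARE\Classes', 'HKCU:\Software\Classes') {
        foreach ($kind in 'CLSID', 'AppID') {
            $path = Join-Path $root "$kind\$guid"
            if (-not (Test-Path -LiteralPath $path)) { continue }
            $key   = Get-Item -LiteralPath $path
            $appId = if ($kind -eq 'CLSID') { $key.GetValue('AppID') } else { $guid }
            $runAs = $null
            if ($appId) {
                $appKey = Join-Path $root "AppID\$appId"
                if (Test-Path -LiteralPath $appKey) {
                    $runAs = (Get-Item -LiteralPath $appKey).GetValue('RunAs')
                }
            }
            [pscustomobject]@{
                Guid  = $guid
                Hive  = $root
                Kind  = $kind
                Name  = $key.GetValue('')   # default value holds the friendly name
                AppID = $appId
                RunAs = $runAs              # identity the COM server is launched as
            }
        }
    }
}

# The command line quoted in the question:
Resolve-ComGuid -CommandLine 'C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding'

# The same lookup for every rundll32.exe currently running on this machine:
Get-CimInstance Win32_Process -Filter "Name = 'rundll32.exe'" |
    Where-Object CommandLine |
    ForEach-Object {
        $p = $_
        Resolve-ComGuid -CommandLine $p.CommandLine |
            Select-Object @{n='PID';e={$p.ProcessId}}, @{n='ParentPID';e={$p.ParentProcessId}}, *
    }
```

According to the answer above, the entry for this GUID should show the name "Shell Hardware Mixed Content Handler" and a `RunAs` of "Interactive User".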

Author: Pylsa

Updated on September 17, 2022

Comments

  • Pylsa
    Pylsa over 1 year

    The following process seems to be running all the time:

    C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
    

    Anyone know what it is?

    Scanned with MalwareBytes and Kaspersky Internet Security 2011

    Using Windows 7 Ultimate 64 bits.

    • Nathan G.
      Nathan G. over 13 years
      rundll32.exe is a standard Windows/MS program to initialize a DLL. shell32.dll is a standard Windows/MS extension. The interesting part is the SHCreateLocalServerRunDll. Google doesn't shed any light on that. Does Registry Editor find anything in your registry for the hex argument at the end?
    • Pylsa
      Pylsa over 13 years
      @Nathan did not find anything of interest when looking for "995C996E-D918-4a8c-A302-45719A6F4EA7"
    • Moab
      Moab over 13 years
      Why are you suspicious of this legit Windows system file?
    • Pylsa
      Pylsa over 13 years
      @Moab because I can't seem to find the source of why this is running... I've never had this process before and I haven't installed anything in the meantime.
    • Moab
      Moab over 13 years
      Try Process Explorer, a powerful tool if you know how to use it... technet.microsoft.com/en-us/sysinternals/bb896653
    • Moab
      Moab over 13 years
      You can also use PE to enable boot logging, maybe this will show what is loading it... msigeek.com/6231/…
    • Pylsa
      Pylsa over 13 years
      @Moab Process Explorer didn't help, it was the first thing I looked for. The process seems to be owned by svchost.exe
    • Pylsa
      Pylsa over 13 years
      @Moab I most certainly will... It's real bad practice to leave a question unsolved if you've solved it yourself...
    • Moab
      Moab over 13 years
      After googling, I cannot find anything negative about "shell32.dll,SHCreateLocalServerRunDll". Have you scanned for nasties?
    • Pylsa
      Pylsa over 4 years
      Reading back my own comments and questions, I can only cringe. I am so sorry everyone 😭
  • Pylsa
    Pylsa over 13 years
    @digitxp - According to Wiki it's a long deprecated technology, why would this still be on my Win7 64 bits computer?
  • Admin
    Admin over 13 years
    I guess backwards compatibility with .net frameworks
  • Moab
    Moab over 13 years
    Microsoft always uses long deprecated technology! You must be a Linux/Unix user.
  • Pylsa
    Pylsa over 13 years
    @Moab Well mainly yes xD Is it that obvious huh?
  • Moab
    Moab over 13 years
    @BloodPhilia, yes you seem to be Bright, logical, polite and a bit pragmatic, none of which works well when solving problems in Windows.. ;-)
  • Pylsa
    Pylsa over 13 years
    @Moab Haha, well I'll consider that a compliment sir... And what brilliant deduction abilities! Chapeau!
  • Moab
    Moab over 13 years
    @BloodPhilia, how did you know I am a Sir, now you are scaring me with your 6th sense!
  • Pylsa
    Pylsa over 13 years
    @Moab And I think the Linux Badge might've given me away as well ;) Ah well, a Sir you behave good Sir!
  • Moab
    Moab over 13 years
    Badge?, I don't look at that stuff, actually was a logical conclusion after reading many of your posts.
  • Pylsa
    Pylsa over 13 years
    @Moab Read many of my posts have you? I'll consider you my first fan! ;D
  • Moab
    Moab over 13 years
    @Bloodphilia, it's hard not to, you are all over this place!
  • Pylsa
    Pylsa over 13 years
    @Moab hope that isn't a bad thing! :D
  • Moab
    Moab over 13 years
    It's all good...
  • Pylsa
    Pylsa over 13 years
    @Moab Good good! :D As a matter of fact, I do come across your name more often and often! Keep up the good work!
  • Moab
    Moab over 13 years
    @Bloophilia, interesting one here... superuser.com/questions/224112/…