Question asked by Hellohalo343434-2850:

Win10 64 21h1 - Unknown process that runs on boot under rundll32.

Hello everyone. Always on the lookout for weird behaviour/processes on my computer. This one's weird.

This is the info I can get from Process Hacker:
C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding

Regedit:
Computer\HKEY_CLASSES_ROOT\AppID\{995C996E-D918-4a8c-A302-45719A6F4EA7}
Key Default : Shell Hardware Mixed Content Handler
Key RunAs : Interactive User

Also in:
Computer\HKEY_CLASSES_ROOT\CLSID\{995C996E-D918-4a8c-A302-45719A6F4EA7}\LocalServer32
Computer\HKEY_CLASSES_ROOT\Shell.Autoplay\CLSID
Computer\HKEY_CLASSES_ROOT\Shell.Autoplay.1\CLSID

Computer\HKEY_CLASSES_ROOT\WOW6432Node\AppID\{995C996E-D918-4a8c-A302-45719A6F4EA7}
Key Default : Shell Hardware Mixed Content Handler
Key RunAs : Interactive User

So far I've found (on very old forum posts) that it's possibly related to autorun/autoplay. So I disabled both in gpedit.
The process still appears after reboot.

Is there a tool or some way for me to know what this process is doing and why it starts?
Thanks


Tag: windows-10-general

1 Answer

Castorix31 answered:

Is there a tool or some way for me to know what this process is doing and why it starts?

No, it is used internally by MS; the GUID {995C996E-D918-4a8c-A302-45719A6F4EA7} = CLSID_ShellAutoplay, not in SDK headers.
This command creates a COM Desktop local server (some details at LocalServer32) used by the Shell to handle AutoPlay.


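One way to answer the "what is this process and why does it start" question for yourself, as an added PowerShell example that is not from this thread: it takes the rundll32 command line from the question, resolves the CLSID against the standard COM registration keys the question already lists (HKCR\CLSID\{guid}\LocalServer32 and HKCR\AppID\{guid}\RunAs), and checks that every binary named in LocalServer32 lives under System32 and carries a valid Microsoft signature. The function name and output fields are my own, and the final pipeline widens the same check to every rundll32.exe currently running.

```powershell
# Added triage helper (not from the thread): resolve the CLSID hosted by a
# rundll32 SHCreateLocalServerRunDll command line and vet the hosting binaries.
function Resolve-LocalServerClsid {
    param([Parameter(Mandatory)][string]$CommandLine)

    # The class being hosted is the GUID argument on the command line.
    if ($CommandLine -notmatch '\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}') {
        throw "No CLSID found in: $CommandLine"
    }
    $clsid    = $Matches[0]
    $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
    if (-not (Test-Path $clsidKey)) { throw "$clsid is not registered under HKCR\CLSID" }

    $props = Get-ItemProperty $clsidKey
    [string]$server = (Get-ItemProperty "$clsidKey\LocalServer32" -ErrorAction SilentlyContinue).'(default)'
    $runAs = if ($props.AppID) {
        (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\AppID\$($props.AppID)" -ErrorAction SilentlyContinue).RunAs
    }

    # Every .exe/.dll named in LocalServer32 runs when the class is created; bare
    # file names are resolved from System32, which is where rundll32 finds them.
    $system32 = Join-Path $env:SystemRoot 'System32'
    $binaries = foreach ($m in [regex]::Matches($server, '(?i)[^\s",]+\.(?:exe|dll)')) {
        $path = [Environment]::ExpandEnvironmentVariables($m.Value)
        if (-not [IO.Path]::IsPathRooted($path)) { $path = Join-Path $system32 $path }
        $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Path       = $path
            InSystem32 = $path.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)
            Signature  = if ($sig) { $sig.Status } else { 'FileNotFound' }
            Signer     = $sig.SignerCertificate.Subject
        }
    }

    [pscustomobject]@{
        Clsid = $clsid; ClassName = $props.'(default)'; LocalServer32 = $server
        RunAs = $runAs; Binaries = $binaries
    }
}

# The command line from the question. A Microsoft-owned class should resolve to
# binaries under System32 with a Valid signature from Microsoft Windows.
$cmdLine = 'C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding'
Resolve-LocalServerClsid -CommandLine $cmdLine | Format-List

# Widen the same check to every rundll32.exe currently running on the box.
Get-CimInstance Win32_Process -Filter "Name = 'rundll32.exe'" |
    Where-Object CommandLine -match 'SHCreateLocalServerRunDll' |
    ForEach-Object { Resolve-LocalServerClsid -CommandLine $_.CommandLine }
```

Any binary that is not under System32, or whose signature status is not Valid, is the thing to look at next; a class whose LocalServer32 names only Microsoft-signed files in System32 is behaving as registered.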

Thanks for the answer Castorix.
Few questions then:

1) Does it run because I have something plugged in like a USB stick or controller that is detected and plug-and-played automatically?
2) Can this process be used by malicious programs and act as legit autoplay but mount an image or monitor drives that are plugged in?
3) "not in SDK headers. This command creates a COM Desktop local server" Wording that doesn't sound "safe" but probably is. Care to explain in simpler terms? Thx

Castorix31 replied:

I don't know the conditions to launch this process, but it has been used since Windows XP, so I don't think there is a risk.
For SDK headers, I mean it is not documented in the Windows SDK.



This is somewhat reassuring.
Thanks for your time Castorix.
