SBS 2003 - conhost.exe legitimacy?



#1 misec

Posted 03 May 2010 - 06:26 PM

Hi,

I am in the process of stabilizing an SBS 2003 environment; I have addressed a lot of issues with this system over the last few weeks. The server has been running well for the last week, no problems with anything, but I have been keeping a close eye on everything.

I was checking the startup entries today, and I noted a new entry for the following executable:

C:\Windows\conh\conhost.exe

The creation date was 4/29/2010, and this is the only file in the 'conh' folder. The file size is 572KB.

Task Manager indicates that the process is using 200,000K memory.

I googled, nothing about it and SBS 2003, but referred to as legitimate Win7 process on several pages. No reference anywhere to the "conh" folder.

No virus alerts from Forefront Server Security or Malwarebytes. Just seems a little fishy to me. Not familiar with any other Windows system process executable that has its own folder... could be wrong of course and I'm probably being hypervigilant, or missing something obvious, but I would appreciate any help or experience offered.

Thanks so much...



#2 peakbagger


Posted 04 May 2010 - 04:14 PM

Have you found anything out about this? I have this too. Same directory, even. It crashed several times before it successfully executed...

#3 peakbagger


Posted 04 May 2010 - 04:45 PM

Well, shortly after I posted the question, I noticed that conhost.exe was attempting to query numerous external IPs for an open remote desktop connection (port 3389). It raised an alarm for me and so I killed the process and removed it from the Run key in the registry. Not sure how it got there in the first place, though.

#4 misec


Posted 05 May 2010 - 02:01 PM

Thanks very much for the reply, that helped me make up my mind. Deleted, removed from startup, no evident changes in functionality. Would still love to know what it is and where it came from. I copied the exe onto a flash drive, I'm going to take it home and decompile it...

#5 cryptodan


Posted 14 May 2010 - 01:11 PM

I would check the integrity of your system as per this article: http://www.howtogeek.com/howto/4996/what-i...-is-it-running/
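
Added example, not part of any post in this thread: a Python sketch of the check the posters did by hand, flagging startup entries whose file name matches a well-known Windows binary but whose folder does not. The function names, the EXPECTED_DIR baseline and the sample entries are assumptions made for illustration; only the C:\Windows\conh\conhost.exe path comes from the thread.

```python
import ntpath
import re

# Assumed baseline: the folder each well-known Windows binary normally runs from.
# conhost.exe ships with Windows 7 and later, in System32.
EXPECTED_DIR = {
    "conhost.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
ENV = {"%systemroot%": r"C:\Windows", "%windir%": r"C:\Windows"}  # assumed install path

def exe_from_command(command):
    """Extract the executable path from a Run-key style command line."""
    cmd = command.strip()
    for var, value in ENV.items():
        cmd = re.sub(re.escape(var), lambda m, v=value: v, cmd, flags=re.IGNORECASE)
    if cmd.startswith('"'):  # quoted path, arguments follow the closing quote
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)(\s|$)", cmd, flags=re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ", 1)[0]

def find_masquerades(entries):
    """Return (value name, path, reason) for entries that borrow a system binary's name."""
    findings = []
    for name, command in entries:
        path = ntpath.normpath(exe_from_command(command))
        folder, filename = ntpath.split(path.lower())
        expected = EXPECTED_DIR.get(filename)
        if expected is not None and folder != expected:
            findings.append((name, path, "%s expected in %s" % (filename, expected)))
    return findings

# Constructed sample of startup entries; value names are invented for the example.
SAMPLE_RUN_ENTRIES = [
    ("conhost", r"C:\Windows\conh\conhost.exe"),  # path reported in post #1
    ("Shell", r"%SystemRoot%\explorer.exe"),
    ("Agent", r'"C:\Program Files\Vendor\agent.exe" /tray'),
    ("Host", r"%windir%\System32\svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for finding in find_masquerades(SAMPLE_RUN_ENTRIES):
        print(finding)
```

A name match in the wrong folder is a reason to look closer, not proof by itself; pair it with a signature or hash check of the file.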



