
What does IIS worker process (w3wp.exe) do, why have I never seen it before


5 replies to this topic

#1 rp88

Posted 03 December 2015 - 06:36 PM

I took a look in task manager earlier and saw a process running, IIS worker process, w3wp.exe. I searched on google for this process and got results of two kinds: the usual useless sites (all trying to sell optimizers and other such tools) which have standard text for any .exe file you care to name and always say the same thing about it, and forum posts by people running websites.

I don't run a website or anything like that but have seen this in task manager, I don't look at task manager constantly but take a glance several times most days, I have NEVER seen this process before in all the thousands of times over the years I have looked.

Finding the file in question within C:\Windows\system32\inetsrv\w3wp.exe indicates that it is an old file; it has creation and modification dates from ages ago, and although it isn't digitally signed it appears to be a file from Microsoft.

The concerning thing about this situation is that it happened just after I had followed a link to an image on a site I had never heard of before, a certain hxxp://i.xomf.com/{removed particular filename/random digit string denoting the file}.png. Could this process running mean I had just been drive-by exploited or something? I run NoScript and Malwarebytes Anti-Exploit along with Avast antivirus, but perhaps there could have been some sort of exploit in the PNG file? But this timing could of course just be a coincidence.

I want to check whether this strange appearance of this process is something I should be concerned about: is this something which should normally be found running on a Windows 8.1 computer, what is its precise purpose, and could it have been something malicious or a symptom of an exploit attack occurring?

I checked my entire C:\ drive for files modified today but there's "nothing" (well, there's browser temp files and such, but no exe or dll files) modified recently enough to have taken place after the time when I saw this process running.

As further information, when it was running this exe file had a very long "description" in the "command line" column of Task Manager's Details tab. I could not tell whether the file ended naturally on its own or for other reasons, because my Task Manager is set to the "paused" setting of refreshing, but when I refreshed this thing had gone.

It was running from a user (as in the "Users" column in Task Manager's Details tab) called DefaultAppPool; I've never seen that user at all before.

Please clarify what this thing is: should it be running on a laptop which doesn't host any websites? Or is it something that should only run on computers that host websites or are involved in large office networks? Could its running be either something malicious or a symptom of a drive-by attack having just occurred? What is that "DefaultAppPool" user for? I've never seen it running before; does it mean some strange new feature of Windows has turned on which was previously inactive? Your advice is greatly appreciated. Thank you.

Edited by rp88, 03 December 2015 - 06:37 PM.

Back on this site, for a while anyway, been so busy the last year.

My systems:2 laptops, intel i3 processors, windows 8.1 installed on the hard-drive and linux mint 17.3 MATE installed to USB


#2 rp88

Posted 06 December 2015 - 01:51 PM

Any more information on this anyone? Thanks

#3 mgrzeg

Posted 07 December 2015 - 01:18 PM

Hello,

 

use the IIS Manager and see if you can find something interesting.

DefaultAppPool is a special service identity used by the IIS service to launch the w3wp hosted apps in a secure manner.

By default the IIS feature is not installed, but some applications require it.

 

m.g.



#4 GoFigure

Posted 07 December 2015 - 04:05 PM

It handles requests sent to a web server for a specific application pool. Each application will start at least one instance of w3wp.exe, and this is what actually processes requests in your application. This process is normally found on Windows Server; however, if you have Visual Studio installed, it will install this process. If you want to stop it I would recommend you obtain Autoruns from Sysinternals (https://technet.microsoft.com/en-us/sysinternals/bb545021.aspx) and use this to find its start location and disable it.



#5 rp88

Posted 10 December 2015 - 04:52 PM

"Internet Information Services (IIS) Manager" is nowhere to be seen under "Administrative Tools" in the Control Panel of my computer. Visual Studio MIGHT be installed in some way or another; I'm not sure. As far as its startup location goes, it certainly isn't starting from any of the normal startup locations; it doesn't get listed as a startup within CCleaner's startups list.

Any idea of what other applications might be causing this w3wp.exe thing to run?

Also could a user who knows they DON'T have this Internet Information Services (IIS) thing on their system and doesn't have any applications which use it, look at C:\Windows\system32\inetsrv\ and see if w3wp.exe is present in that folder for them.
Thanks

Edited by rp88, 10 December 2015 - 04:52 PM.

#6 mgrzeg

Posted 11 December 2015 - 05:58 AM

Also could a user who knows they DON'T have this Internet Information Services (IIS) thing on their system and doesn't have any applications which use it, look at C:\Windows\system32\inetsrv\ and see if w3wp.exe is present in that folder for them.

The directory is empty if the feature is not installed. You can check the features to see if it's installed or not [CLICK]. It looks like it's enabled, but without the IIS Manager (consider adding this option).

 

If you wish to see the parents of w3wp, use the Process Hacker tool [CLICK] and see what the parent process for w3wp is (should be: svchost.exe hosting the W3SVC service). To be absolutely sure that w3wp.exe is a child of W3SVC, install the Sysmon tool [CLICK] and analyze its log (available via Event Viewer) after restarting the system (and after the w3wp start).

 

m.g.
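The checks suggested across posts #3, #4 and #6 (is the IIS feature installed, what starts w3wp.exe, is its parent the svchost.exe hosting W3SVC, is the binary genuine, and what does Sysmon say) can all be scripted. The following is an added PowerShell triage script, not code from any poster in this thread. It assumes Windows 8.1 or later and an elevated prompt (the optional-feature query and the Sysmon log need admin rights); the Sysinternals tools it mentions are optional. It only reads state and changes nothing.

```powershell
# Added triage example, not code from this thread. Run from an elevated
# PowerShell prompt on Windows 8.1 or later. Everything here only reads state.
$inetsrv = Join-Path $env:windir 'System32\inetsrv'
$w3wp    = Join-Path $inetsrv 'w3wp.exe'

# 1. Is the IIS Web Server feature enabled? The inetsrv folder is empty when it
#    is off. The Management Console is a separate optional feature, which is why
#    IIS Manager can be missing from Administrative Tools while IIS itself runs.
Get-WindowsOptionalFeature -Online |
    Where-Object { $_.FeatureName -like 'IIS-WebServer*' -or
                   $_.FeatureName -eq 'IIS-ManagementConsole' } |
    Select-Object FeatureName, State

# 2. The services behind w3wp.exe: WAS (Windows Process Activation Service)
#    spawns worker processes and W3SVC (World Wide Web Publishing Service) owns
#    the HTTP listener; they share one svchost.exe. Their StartMode is the
#    "startup location" Autoruns lists under its Services tab, which is why
#    nothing shows up in Run keys, Startup folders or CCleaner's startup list.
Get-CimInstance Win32_Service -Filter "Name='W3SVC' OR Name='WAS'" |
    Select-Object Name, State, StartMode, ProcessId, PathName

# 3. Which application pools and sites exist? appcmd.exe ships with IIS and
#    works without the IIS Manager snap-in. DefaultAppPool is the stock pool;
#    its worker runs as the virtual account IIS APPPOOL\DefaultAppPool, which
#    is the "DefaultAppPool" user seen in Task Manager.
$appcmd = Join-Path $inetsrv 'appcmd.exe'
if (Test-Path $appcmd) {
    & $appcmd list apppool
    & $appcmd list site
}

# 4. Live check of every running worker: image path, account, command line, and
#    whether its parent is the svchost.exe hosting W3SVC/WAS (post #6's test).
$svcPids = (Get-CimInstance Win32_Service -Filter "Name='W3SVC' OR Name='WAS'").ProcessId
foreach ($p in Get-CimInstance Win32_Process -Filter "Name='w3wp.exe'") {
    $owner  = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId=$($p.ParentProcessId)"
    [pscustomobject]@{
        Pid           = $p.ProcessId
        Path          = $p.ExecutablePath
        RunsAs        = '{0}\{1}' -f $owner.Domain, $owner.User
        CommandLine   = $p.CommandLine
        ParentPid     = $p.ParentProcessId
        ParentImage   = $parent.ExecutablePath
        ParentIsIIS   = ($svcPids -contains $p.ParentProcessId)
        PathIsInetsrv = ($p.ExecutablePath -ieq $w3wp)
    } | Format-List
}

# 5. Is the binary the genuine Microsoft file? w3wp.exe is catalog-signed rather
#    than embedded-signed, so Explorer shows no "Digital Signatures" tab and
#    older PowerShell reports NotSigned; newer PowerShell (5.x) can validate
#    catalog signatures. Sysinternals "sigcheck -i w3wp.exe" shows the catalog
#    and signer chain either way.
Get-AuthenticodeSignature $w3wp |
    Select-Object Status, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }

# 6. If Sysmon is installed, replay every recorded w3wp.exe start (event ID 1)
#    with its parent image and account, so the parent test still works after
#    the worker has exited. Image paths are compared case-insensitively.
$log = 'Microsoft-Windows-Sysmon/Operational'
if (Get-WinEvent -ListLog $log -ErrorAction SilentlyContinue) {
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 1 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = @{}
            foreach ($e in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
            if ($d.Image -ieq $w3wp) {
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    User      = $d.User
                    Parent    = $d.ParentImage
                    ParentCmd = $d.ParentCommandLine
                    Cmd       = $d.CommandLine
                }
            }
        } | Format-Table -AutoSize -Wrap
}
```

What a benign result looks like: the feature is Enabled, W3SVC and WAS exist, every w3wp.exe lives under System32\inetsrv, runs as IIS APPPOOL\<pool name>, and has ParentIsIIS set to True. A w3wp.exe with any other parent (explorer.exe, a browser, an Office process) or any other path is the case worth escalating; the name alone proves nothing either way.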
