
rempl/remsh.exe wakes up sleeping PC every day


21 replies to this topic

#1 Learning123

Learning123

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:08:22 AM

Posted 25 October 2017 - 07:16 AM

Dear experts,
 
Whenever my PC (Windows 10 build 14393.1770) is in hibernate mode, it decides to wake up at 10am every day on its own.
 
With the BIOS preventing all kinds of wake-ups, after searching Event Viewer and not finding much of anything interesting there, I finally came across the "powercfg -waketimers" command, which showed a (one and only) wake timer for 10am. Task Scheduler confirmed that rempl/remsh.exe is auto-configured to wake up my PC.
 
Questions:
 
- What does rempl/shell.exe task specifically do? What does this specific task maintain?
 
- Does it want to wake up and do something only in my environment, or will ALL Windows 10 users have this task waking up their PC at 10am?
 
- Hibernate mode does not seem very useful if we know the PC will be awake within a day. It does not shut down or go back to hibernate afterwards from my experience. Is this normal?
 
- If I disable timers, would the rempl/shell.exe maintenance still be automatically performed? Just later when I am actually logged in? If I want my PC to mostly be in hibernate mode and use it rarely, are there any downsides to disabling all timers (even "Important Wake Timers")?
 
Thank you!

Edited by Al1000, 27 October 2017 - 02:10 PM.
moved from Win 10 Support




#2 xrobwx

xrobwx

  • Members
  • 131 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Panama City Beach, FL USA
  • Local time:08:22 AM

Posted 26 October 2017 - 07:22 AM

https://answers.microsoft.com/en-us/windows/forum/windows_10-performance/windows-task-wakes-up-computer/c11c1c0c-6d4d-4f96-bfc1-78324d8c19bf?auth=1



#3 Learning123


Posted 26 October 2017 - 07:36 AM

That thread does not answer my questions



#4 xrobwx


Posted 26 October 2017 - 03:46 PM

That thread does not answer my questions

Perhaps someone else with more experience will chime in soon. 



#5 dc3

dc3

    Bleeping Treehugger


  • Members
  • 30,276 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Sierra Foothills of Northern Ca.
  • Local time:06:22 AM

Posted 27 October 2017 - 09:08 AM

Open the Control Panel and select Security and Maintenance.

 

Click/tap on the down arrow in Maintenance, then select Change maintenance settings.

 

Under Automatic Maintenance you will see what time the maintenance is scheduled to run.  See if it is set for the time the computer is being awakened.


Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.

 

 

 

 


#6 Learning123


Posted 27 October 2017 - 11:27 AM

Thanks, Bleeping Tree Hugger

 

What you mentioned looks like a whole other area that can wake up a computer. On my system, it's checked and scheduled for 2am every day.

 

I assume this is unrelated to "Task Scheduler" rempl/remsh.exe task that was scheduled to wake up every day at 10am (which is what I observed).

 

So, thanks for pointing out this whole other configuration that may wake up my computer - I should turn it off as well, right?

 

My original 4 questions in the OP remain though...



#7 dc3


Posted 27 October 2017 - 01:58 PM

There is a possibility that this could be malware.  To rule this out or discover that it is, I would like you to run the scans below.  These are security applications which are not allowed in the Windows Forums.  For this reason this topic will need to be moved to the Am I Infected, What Do I Do? forum.  If the scans turn up negative you can request a Moderator to reopen this topic in the Windows 10 forum.
 
Please download Malwarebytes Anti-Malware 2.2.

1)  Double-click on mbam-setup.exe, then click on Run to install the application, follow the prompts through the installation.

2)  Malwarebytes will automatically open.  You will see an image like the one below, click on Update Now.  

4YSU8ND.png

3)  Click on Settings, you will see an image like the one below.

35AFYEE.png

When Settings opens click on Detection and Protection, then under Non-Malware Protection, click on the down arrow for PUP (Potentially Unwanted Programs) detections and select Treat detections as malware.  Under Detection Options place a check in the box for Scan for rootkits.

4)  Click on Scan (next to Settings), then click on Scan Now.  The scan will automatically run now.

5)  When the scan is complete the results will be displayed.  Click on Delete All.

jEVtTTK.png

6)  Please post the Malwarebytes log.

To find the Malwarebytes log do the following.  Copy and paste the log in your topic.

*Open Malwarebytes Anti-Malware.
*Click the Scan Tab at the top.
*Click the View detailed log link on the right.
*Click Copy to Clipboard at the bottom...come back to this thread, click Add Reply, then right-click and choose Paste.
*Alternatively, you can click Export and save the log as a .txt file on your Desktop or another location.
*Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
 
 
Please download AdwCleaner and install it.

When AdwCleaner opens click on Scan to start the scan.

ZQk62WV.png

Once the search is complete a list of the pending items will be displayed.  If you see any which you do not want removed, remove the check mark next to it.

If no malicious programs are found you will receive a message informing you of this.  
 
Click on Clean to remove the selected items.  If you have any questions about any items in the list please copy and paste the list in your topic so we can review it.  

CsqnoTW.png
 
You will receive a message telling you that all programs will be closed so that the infections can be removed.  Click on OK.  The computer will be restarted to complete the cleaning process.
 
When the cleaning process is complete a log of what was removed will be presented.  Please copy and then paste this log in your topic.


Please run the ESET OnlineScan

This scan takes quite a long time to run, so be prepared to allow this to run
till it is completed.

***Please note. If you run this scan using Internet Explorer you won't need
to download the Eset Smartinstaller.***

ESET Online Scanner

  • Click here to download the installer for ESET Online Scanner and save it to your Desktop.
  • Disable all your antivirus and antimalware software - see how to do that here.
  • Right click on esetsmartinstaller_enu.exe and select Run as Administrator.
  • Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.
  • Select Enable detection of potentially unwanted applications.
  • Click Advanced Settings, then place a checkmark in the following:
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start to begin scanning.
  • ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.
  • If threats are found click on Save to text file in Documents.
  • Open Documents, find the report, copy and paste it in your topic.

Edited by dc3, 27 October 2017 - 02:01 PM.



#8 Learning123


Posted 27 October 2017 - 05:04 PM

This is a brand new Win10 PC shipped from OEM. I've hardened it as much as I could via Windows-only settings and only installed Avira Anti-Virus and Comodo suite and Firefox there prior to connecting to internet (pre-downloaded from their respective official sites and delivered via USB drive with auto-run/autoPlay disabled for all devices). I then connected to internet for the first time and updated these security software along with activating Windows and downloading most recent Windows updates. I have not used this PC for anything else or browsed anything else (I am using different, older PC to post these messages for example), or ran any other software aside from Avira and Comodo to access internet... so while there is always some chance a very large OEM shipped a PC with malware, it seems quite doubtful it's malware. Seems like other people have recently reported seeing %ProgramFiles%\rempl\remsh.exe waking up their PCs at 10am - I just have not been able to find answers as to what this is.


Edited by Learning123, 27 October 2017 - 05:13 PM.


#9 jenae

jenae

  • Members
  • 386 posts
  • OFFLINE
  •  
  • Local time:11:22 PM

Posted 27 October 2017 - 06:16 PM

Hi, well there was an old virus called remsh.exe, it however did not create a scheduled task and is long gone, so this is not an infection, although running the checks Dc3 suggests will do no harm.
 
It is in effect a MS download received through windows updates and is designed to address issues created by Usoclient.exe, looking through Scheduled Task, action executable & directory, it starts Windows Update scan (Update Session Orchestrator). Further if you open a cmd prompt c:\program files\rempl> dir logs you will see many instances and all ending in .etl (windows updates).
 
It came down as a KB and I cannot find the specific one since it was selectively rolled out (none of our machines have it). I suspect it is to repair an issue with third party AV's preventing windows updates, another reason to ditch these now unnecessary utils (defender is, since creators, the most secure AV for the home user).
 
We already have reported instances of a cmd prompt flash by during start caused by usoclient.exe, this is a scheduled task.
 
Do you have the latest version of Windows? It's your machine, so it's your choice; if you wish, you can disable the task OR the wake for your computer. It would be safe for you to disable this, and checking manually for updates at your convenience could then occur.
 
This site discusses a problem similar to yours and has the correct solution:-
 
 


#10 Learning123


Posted 27 October 2017 - 10:39 PM

Thanks, jenae! Both for the info you happened to know and share, and for a great link to how to shutdown all kinds of other tasks.

 

I hope to get more info on this issue from other experts as well.

 

On the one hand, I don't want my PC to run without me being present. On the other hand, I want to make sure it's up to date. I'd like the system to run whatever update tasks it needs while it's awake (this is how Win7 appears to work); or even if I have to manually execute them... but not sure how to ensure this after I turn all those tasks off that your link mentions :-(


Edited by Learning123, 27 October 2017 - 10:39 PM.


#11 dc3


Posted 28 October 2017 - 09:14 AM

You posted that you installed both Avira antivirus and Comodo Suite antivirus.  You should only have one antivirus installed at any given time.  You need to uninstall one of these.

 

IMPORTANT NOTE: Using more than one anti-virus program is not advisable. Why? The primary concern with doing so is due to Windows resource management and significant conflicts that can arise especially when they are running in real-time protection mode simultaneously. Even if one of them is disabled for use as a stand-alone on demand scanner, it can affect the other and cause conflicts. Anti-virus software components insert themselves deep into the operating systems core where they install kernel mode drivers that load at boot-up regardless of whether real-time protection is enabled or not. Thus, using multiple anti-virus solutions can result in kernel mode conflicts causing system instability, catastrophic crashes, slow performance and waste vital system resources. When actively running in the background while connected to the Internet, each anti-virus may try to update their definition databases at the same time. As the programs compete for resources required to download the necessary files this often can result in sluggish system performance or unresponsive behavior.


Credit for this information goes to quietman7.




#12 Learning123


Posted 28 October 2017 - 06:17 PM

Thanks Bleeping Tree Hugger, I appreciate the reminder for myself and other readers.

 

While what you indicate is good and standard advice that I would give myself to others, the issue I have is that I like Avira for its Anti-Virus and I like Comodo for its firewall, HIPS, and other features like the sandbox and importantly, safe shopping. I don't think Comodo anti-virus is up there yet though for me to drop Avira (at least according to the independent tests I had seen).

 

Unfortunately (!), I believe I have to have Comodo anti-virus installed for the safe-shopping feature to be available. :-(

 

If I turn off Comodo anti-virus real time protection (i.e. just have it installed, but not running in real time), Comodo bugs me with the red "X" status icon for whole product and alerts saying protection is off. With that, I don't know if rest of Comodo protections and firewall are ON correctly or not...

 

So, while having read in the past everything you said, I had crossed my fingers and been running both anti-viruses without too many problems on other systems for some time now.

 

I had not noticed any big instability or slow downs (I don't run demanding tasks either). Also, I am fine with occasional slow downs if I get two anti-viruses running (and again, I have not observed any slow-downs that would bother me yet).

 

My plan has been that once I start noticing weird behavior, I will turn off real time protection of Comodo first. If that does not help, I have not decided which feature to sacrifice but hope it won't come to that.

 

In either case, our exchange here is off topic I think, since I do not believe the %ProgramFiles%/rempl/remsh.exe 10am auto-wake-up timer would be related to running both anti-viruses vs one.



#13 dc3


Posted 29 October 2017 - 09:47 AM

In either case, our exchange here is off topic I think, since I do not believe the %ProgramFiles%/rempl/remsh.exe 10am auto-wake-up timer would be related to running both anti-viruses vs one.

 

If you read and understood the warning that quietman7 wrote you would realize that running or even just having two antivirus programs can and usually does cause instability issues.  This most certainly isn't off topic.  It's not unusual to find multiple problems when pursuing a repair.  This is one of those surprises and needs to be addressed.  We know that this is a known problem, so we will eliminate this problem and move on from there.




#14 jenae


Posted 29 October 2017 - 05:30 PM

Hi, Dc3 is correct it's far from off topic, it is the reason you are having the remsh.exe problem. As explained it's MS trying to save you from yourself "(I suspect it is to repair an issue with third party AV's preventing windows updates)" It's the conflict caused by poor code in third party AV's conflicting with the new security measures being employed by MS 

 

You will receive better AV protection with defender and windows firewall, please ignore so called independent tests, you find on the internet, if you look at a number of them you would note that they all seem to have different outcomes, as a scientist it tells us immediately that the methodology, and original hypothesis was flawed.   Defender since the fall creators update, has incorporated new security measures, far superior to any third party AV sold to home users, read up on the new security features now being offered.

 

Disabling the remsh task will not affect your ability to receive updates, you don't have to follow all the suggestions made in the link I posted, that was for advanced users to play with. All you need to do is stop the computer waking, easiest way is to be smart and use defender.
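
The wake-timer check from post #1 and the "stop the computer waking" option from the post above, as an added PowerShell example that is not part of any post in this thread: it lists every scheduled task allowed to wake the PC, reports whether the program each one runs has a valid Authenticode signature, and can clear only the wake flag while leaving the task itself enabled. The function names Get-WakeTask and Disable-TaskWake are hypothetical, and the script assumes an elevated PowerShell prompt.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): audit scheduled tasks that may wake the PC.

function Get-WakeTask {
    # Tasks with "Wake the computer to run this task" set in their settings.
    Get-ScheduledTask | Where-Object { $_.Settings.WakeToRun } | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # Only "start a program" actions carry an Execute property.
            if (-not $action.Execute) { continue }
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
            # Check the signature only when the path resolves to a file on disk.
            $sig = if (Test-Path -LiteralPath $exe -PathType Leaf) {
                Get-AuthenticodeSignature -LiteralPath $exe
            }
            [pscustomobject]@{
                TaskPath  = $task.TaskPath
                TaskName  = $task.TaskName
                State     = $task.State
                Execute   = $exe
                Arguments = $action.Arguments
                SigStatus = if ($sig) { $sig.Status } else { 'PathNotResolved' }
                Signer    = if ($sig -and $sig.SignerCertificate) {
                                $sig.SignerCertificate.Subject
                            } else { $null }
            }
        }
    }
}

function Disable-TaskWake {
    # Clears only the wake flag; the task still runs when the PC is awake.
    param(
        [Parameter(Mandatory)][string]$TaskPath,
        [Parameter(Mandatory)][string]$TaskName
    )
    $task = Get-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName
    $task.Settings.WakeToRun = $false
    # Assumption: some system-owned tasks may refuse the change even when elevated.
    Set-ScheduledTask -InputObject $task | Out-Null
}

# 1. What the firmware will actually act on (the command used in post #1).
powercfg /waketimers

# 2. Which tasks asked for a wake, what they run, and who signed the binary.
Get-WakeTask | Format-List

# 3. After reviewing the listing, clear the wake flag for one task.
#    Placeholders: copy TaskPath and TaskName from the output of step 2.
# Disable-TaskWake -TaskPath '<TaskPath from listing>' -TaskName '<TaskName from listing>'
```

A SigStatus other than Valid, or a Signer that does not match the expected publisher, is the cue to run the scans requested earlier in the thread before changing anything.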



#15 xrobwx


Posted 29 October 2017 - 05:42 PM

Hi, Dc3 is correct it's far from off topic, it is the reason you are having the remsh.exe problem. As explained it's MS trying to save you from yourself "(I suspect it is to repair an issue with third party AV's preventing windows updates)" It's the conflict caused by poor code in third party AV's conflicting with the new security measures being employed by MS 
 
You will receive better AV protection with defender and windows firewall, please ignore so called independent tests, you find on the internet, if you look at a number of them you would note that they all seem to have different outcomes, as a scientist it tells us immediately that the methodology, and original hypothesis was flawed.   Defender since the fall creators update, has incorporated new security measures, far superior to any third party AV sold to home users, read up on the new security features now being offered.
 
Disabling the remsh task will not affect your ability to receive updates, you don't have to follow all the suggestions made in the link I posted, that was for advanced users to play with. All you need to do is stop the computer waking, easiest way is to be smart and use defender.


For instance: https://www.windowscentral.com/whats-new-windows-defender-security-center-windows-10-fall-creators-update 


Edited by xrobwx, 29 October 2017 - 10:19 PM.




