Recently I stumbled over a question in a German forum asking what the file REMSH.exe is for. Here is some information I found after investigating this question.
The first case I've seen
I first came across the program file REMSH.exe, and the question of what this file is for, in this German forum discussion. A user wrote:
Firewall has been reporting for a few weeks that REMSH.exe wants to connect to MS
For some time I've been receiving firewall alerts that the file remsh.exe wants to use the path C:\Program Files\rempl\ to establish a connection to an IP which, according to the IP address of the server query, belongs to Microsoft Corporation, or more precisely to Microsoft Azure.
Can someone tell me what this file wants to do and where it comes from? All affected computers are Windows 10 Pro with Comodo Firewall 10.
Browsing the Internet doesn't seem to help at first glance. The first MS Answers forum entry I found claimed (wrongly) that it was malware.
What is remsh.exe?
remsh.exe (C:\Program Files\rempl\remsh.exe) tries to access the Internet these days
remsh.exe is signed by Microsoft. It also has high CPU usage and disk writing sometimes.
What is remsh.exe? What is it for?
This Microsoft Answers forum thread also points in the same direction; note the answer from the Microsoft employee. And here is a discussion reporting that Rempl triggers a daily task.
Could REMSH.exe be malware?
The first question to check is: Is remsh.exe malware, or something from Microsoft? Checking several forum entries, I found out that the file is located in the path:
C:\Program Files\rempl\
as mentioned above. And the user cited above wrote that the program tries to connect to a Microsoft Azure server. So it seems that the program is legit. But checking some test machines with Windows 10, I wasn't able to find this file. This triggers 'worse fears' that it could be malware.
The best you can do in such a case: Right-click the file, select Properties and check the Digital Signatures property page. Here I found a user who has posted the screen shown above. The file has been digitally signed by Microsoft, so it's not malware.
What you also should do: Upload the file to VirusTotal and let it check for malware.
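The two checks above (digital signature, then a VirusTotal lookup) can be scripted. The following PowerShell is an added example, not code from this post or from Microsoft; the function name Test-MicrosoftSignedFile is hypothetical, and the Microsoft root name pattern it matches is an assumption about how Microsoft's code-signing roots are named.

```powershell
# Added example. Test-MicrosoftSignedFile is a hypothetical helper name.
function Test-MicrosoftSignedFile {
    param([string]$Path = 'C:\Program Files\rempl\remsh.exe')  # path reported on this page

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        Write-Warning "File not found: $Path"
        return
    }

    # Status is 'Valid' only if the file hash matches the signature and the
    # signer certificate chains to a root trusted on this machine.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    $rootSubject = $null
    if ($sig.SignerCertificate) {
        # Walk the chain offline to see which root the signer ends in.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        [void]$chain.Build($sig.SignerCertificate)
        if ($chain.ChainElements.Count -gt 0) {
            $rootSubject = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
        }
    }

    [pscustomobject]@{
        Path            = $Path
        SignatureStatus = $sig.Status
        Signer          = $sig.SignerCertificate.Subject
        ChainRoot       = $rootSubject
        # A subject string alone can be imitated; require a valid signature,
        # a Microsoft signer and a Microsoft root together (pattern is an assumption).
        MicrosoftSigned = ($sig.Status -eq 'Valid') -and
                          ($sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*') -and
                          ($rootSubject -like 'CN=Microsoft Root Certificate Authority*')
        # Search this hash on VirusTotal instead of uploading the file.
        SHA256          = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

Test-MicrosoftSignedFile | Format-List
```

A SignatureStatus of HashMismatch or NotSigned on a file at this path means the binary is not the one Microsoft shipped, whatever its name.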
But what is REMSH.exe?
The remaining question is: Why is REMSH.exe present only on some machines, and is there an explanation of what the file is for? Searching the web for the file name brought me to Microsoft's KB article 4023057, which gives us some clues. At the time this blog post was written, KB4023057 was titled Update to Windows 10 Versions 1507, 1511, and 1607 for update reliability: November 2, 2017. Microsoft says:
This update includes reliability improvements that affect the update components in Windows 10 Versions 1507, 1511, and 1607.
This update includes files and resources that address issues that affect the update processes in Windows 10. These improvements ensure that quality updates are installed seamlessly to improve the reliability and security of Windows 10.
Only certain builds of Windows 10 Versions 1507, 1511, and 1607 require this update. Devices that are running those builds will automatically get the update downloaded and installed through Windows Update.
And there I found a mention of Remsh.exe:
File name | File version | File size | Date | Time |
Remsh.exe | 10.0.14393.1273 | 707,064 | 29-Sep-2017 | 03:28 |
The file version given in the table above may vary. But we have a firm explanation for our questions. First of all, the file may be found on 'certain builds of Windows 10 Versions 1507, 1511, and 1607 [that] require this update'. And it addresses issues that affect the update processes in Windows 10. I hope this has shed some light on this topic.
Addendum: Parts of remsh.exe have been replaced; see also my remarks in the blog post Windows 10: update KB4023057 released (Sept. 6, 2018).
That's very clever of Microsoft to clearly attribute their exe as malware. Strange name, running at startup, folder directly inside Program Files, high CPU and disk usage, files .ETL with unknown data inside.
F.. them.
.ETL files are mostly "EvenT Log" saved files as Tracelog, which are used numerous times by Microsoft applications. You can do a search for *.ETL on a Windows computer.
They can be opened using EventLog: RMB on SavedLogs, click Open and it will ask for an EVT/EVTX/ETL file, or you can use the command-line tool TRACERPT.EXE.
So if I see an MS digitally signed EXE with ETL files inside ProgramFiles – it is SAFE. It is started by TaskScheduler, like many other MS programs.
I have this same thing on my 2 PC's both run currently w10 1607 version(NOT Creators release) and both are *FREE :) upgrade to WIN 10
1) asus laptop N750 *FREE :) upgrade from W8.1 (64b) to win 10 (Home)
2) custom Desktop is *FREE :) upgrade from Win 7 Ultimate(64bit) to Win 10 Pro (64b)
this unintended wakeup was so annoying , i have struggled with this almost 3 months and this thing is still present on both my machines.
so far haven't seen any proper answer from M$ either.
The ETL files in the log folder for REMSH are readable by "Microsoft Message Analyzer" and show information like this
MessageNumber DiagnosisTypes Timestamp TimeDelta EventRecord.Header.ProcessId EventRecord.Header.ThreadId Module Summary
114 None 2018-01-16T08:18:55.0392656 0.0000031 7916 21660 Microsoft_Windows_Remediation Information: Message=OneSettings entry key: ETag value: ,PackageVersion=2018.1B
115 None 2018-01-16T08:18:55.0392686 0.0000030 7916 21660 Microsoft_Windows_Remediation Information: Message=OneSettings entry key: RefreshAfter value: 榔Ⳉ辕Ǔ,PackageVersion=2018.1B
116 None 2018-01-16T08:18:55.0396012 0.0003326 7916 21660 Microsoft_Windows_Remediation RemediationShellExecutionCloudControlStateEventId: cloudControlState=1,CV=7CL6mE4vmEyrQuW+.0,GlobalEventCounter=1041,PackageVersion=2018.1B
117 None 2018-01-16T08:18:55.0396905 0.0000893 7916 21660 Microsoft_Windows_Remediation Information: Message=For Shell plugin : (Current Iteration Count: 3 | Maximum Run Count: 100).,PackageVersion=2018.1B
118 None 2018-01-16T08:18:55.0399460 0.0002555 7916 21660 Microsoft_Windows_Remediation RemediationShellStateEventId: applicabilityCheck=1,CV=7CL6mE4vmEyrQuW+.0,GlobalEventCounter=1042,PackageVersion=2018.1B
119 None 2018-01-16T08:18:55.0401900 0.0002440 8984 12620 Microsoft_Windows_Remediation WindowsUpdateTelemetryDataEvent: AuOptions=,CV=+NbRN3eMQkqBM0jm.0,DoNotConnectToWindowsUpdate=,GlobalEventCounter=1043,isRegisteredWithDCAT=0,isRegisteredWithMU=1,isRegisteredWithOther=0,isRegisteredWithWS=1,isRegisteredWithWU=0,NoAutoUpdate=0,PackageVersion=2018.1B,SetDisableUXWUAccess=
120 None 2018-01-16T08:18:55.0402482 0.0000582 8984 12620 Microsoft_Windows_Remediation Information: Message=CheckSystemDiskFreeSpace: Start Function CheckSystemDiskFreeSpace,PackageVersion=2018.1B
121 None 2018-01-16T08:18:55.0403166 0.0000684 8984 12620 Microsoft_Windows_Remediation Information: Message=CheckSystemDiskFreeSpace: C: is the system drive,PackageVersion=2018.1B
122 None 2018-01-16T08:18:55.0404204 0.0001038 8984 12620 Microsoft_Windows_Remediation Information: Message=CheckSystemDiskFreeSpace: MB of free space: 149333 is the available disk space,PackageVersion=2018.1B
123 None 2018-01-16T08:18:55.0409183 0.0004979 7916 21660 Microsoft_Windows_Remediation Information: Message=Start GetRestoreHealthMarker,PackageVersion=2018.1B
124 None 2018-01-16T08:18:55.0409351 0.0000168 7916 21660 Microsoft_Windows_Remediation Information: Message=End GetRestoreHealthMarker,PackageVersion=2018.1B
125 None 2018-01-16T08:18:55.0409491 0.0000140 7916 21660 Microsoft_Windows_Remediation Information: Message=AC Power Status: 1,PackageVersion=2018.1B
Stop the task for it or run SHUTUP O&O free for home use. This will remove garbage like this.
Because we use Win 10 IoT systems in 24/7 production environments we Disabled Windows Update service and scheduled tasks. We also install alternate timesync server. So we also Disabled Windows Time service.
Suddenly we had some systems on which these services were set to Manual (Triggered start) again. And again each time we Disabled them. It seems to happen on random times.
While digging through the registry I found HKLM\SOFTWARE\Microsoft\rempl\remediationresults. Here I found something about the Windows Update and Windows Time services and about the scheduled tasks.
So it seems REMSH.EXE is responsible for resetting the services to Manual start.
According to Microsoft REMSH.EXE is part of a reliability update. Well, in our case it is definitely NOT!
To solve this issue I have disabled the 2 scheduled tasks under Microsoft\Windows\rempl.
@Bert: Thanks for your feedback and insights. Or in other words: Win 10 IoT is a mess (after weighing all the things you have done to keep things alive).
After analysing rempl we can see that the software generates logs. These logs get deleted after a while. The logs have a database format and are readable as part of a database.
There is clear text where telemetry data are collected – these are data about the PC.
As we can see from analysing the logs and data, data are collected and software activities are started automatically.
You might call that "support".
If some stranger just secretly came into your house/flat and started working in the kitchen and rooms, you would not call that support, but theft or crime.
Of course Microsoft states this is only for improvements. What has been expected?
You need to be quite naive to believe this.
I use Linux on my laptop while my wife uses Win10. I do not have remsh files, collected data and people "supporting" me on my private laptop.
I just got hit with this today. This Rempl service showed up in procxp. Never seen it before and shortly thereafter, I got a notice that windows 10 needed to be updated to the most recent version. WTF! I turned off Windows update, disabled and removed the gpedit settings and disabled windows update on services.msc. BUT, here it is enabled again and downloading that damnable creator update.
Software I run crashes on the creator update, so I cannot install it. Business can't run without the software, and windows 10 Anniversary edition (1607)works just great. So I wiped the hard drive, re-installed windows 10 1607 and disabled Windows update.
So I wiped the folder rempl and deleted ALL instances of rempl from the windows registry. It was set to run silent in the background on system start. It never installed a single damned update, but instantly tried to download and install windows 10 Creator update. Luckily, I am over my bandwidth cap and connection was slow as molasses in January. Killed the rempl process, deleted the $BT folder and set to finding out HOW windows update got enabled.
Simple answer. Rempl unlocked the SIH process (Server Initiated Healing) . Which means they can then again force Windows 10 creator update down your throat whether you want it or not. Is that not the definition of Malware?
So now, ALL windows update files have been deleted off of my system, All instances of wuauserv have been removed from the registry and the initiation of wuauserv entry has been removed from svchost -netsvcs. It will be a cold day in hell before Windows update bothers me again.
Microsoft and their Winblows is starting to blow even harder than before. Since they force these updates, one would think that they would be responsible if it crashes your computer and makes it unusable. Maybe people should send them the bill for the restoration of the windows anniversary update and the lost time and Business due to their negligence. The only thing that seems to get through to these screwballs is when you hit their pocket book.
"So now, ALL windows update files have been deleted off of my system, All instances of wuauserv have been removed from the registry and the initiation of wuauserv entry has been removed from svchost -netsvcs. It will be a cold day in hell before Windows update bothers me again."
For the love of all that is holy, please master, teach me how to do this.
I've struggled for years with this 100% disk and the only culprit I can find is Windows Update. I've tried everything from Superfetch to reinstall, but even after a hard reset to factory I can't make it go away. Please, I'm just a dumb girl in search of answers. Help me get rid of this update madness that scourges the land!!!
Thank you, thank you and thank you, Bert. I've been tortured by mysterious windows updates for a month! You are right! I have identified few resurrecting update related tasks during last weeks. These tasks turned on update services back on every time I logged in. Also, there is a perfect match between time of three REMPL scheduled tasks (unlock, unlock-sih, usoscan) and the time of mysterious events (ID 7040) about changing update related services from "disabled" to "on demand".
As seen in registry, REMPL resurrects these disabled/deleted scheduled tasks:
Microsoft\Windows\UpdateOrchestrator\Schedule Scan
and
Microsoft\windows\WindowsUpdate\Scheduled Start, sih, sihboot
Some of these tasks repair more update related tasks and services to default values.
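The correlation described in the comment above (run times of the REMPL scheduled tasks against event ID 7040 entries) can be reproduced with the following PowerShell. It is an added example, not part of the original comment; the function name and the 120-second matching window are assumptions, and the task path is the one named in the comments on this page.

```powershell
# Added example. Get-RemplServiceChangeCorrelation is a hypothetical helper name.
function Get-RemplServiceChangeCorrelation {
    param(
        [string]$TaskPath      = '\Microsoft\Windows\rempl\',  # task folder named on this page
        [int]   $WindowSeconds = 120,                          # assumed matching window
        [int]   $DaysBack      = 30
    )

    # Collect the tasks in the rempl folder with their state and last run time.
    $runs = Get-ScheduledTask -TaskPath $TaskPath -ErrorAction SilentlyContinue |
        ForEach-Object {
            $info = $_ | Get-ScheduledTaskInfo
            [pscustomobject]@{ Task = $_.TaskName; State = $_.State; LastRun = $info.LastRunTime }
        }
    if (-not $runs) {
        Write-Warning "No scheduled tasks found under $TaskPath"
        return
    }

    # Event 7040: the Service Control Manager logs every start-type change,
    # for example from "disabled" to "demand start".
    $events = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7040
        StartTime    = (Get-Date).AddDays(-$DaysBack)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # LastRunTime holds only the most recent run, so only the newest
        # changes can match; older runs need the Task Scheduler operational log.
        $near = $runs | Where-Object {
            $_.LastRun -and
            [math]::Abs(($e.TimeCreated - $_.LastRun).TotalSeconds) -le $WindowSeconds
        }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Change      = $e.Message
            TasksNearby = ($near.Task -join ', ')
        }
    }
}

Get-RemplServiceChangeCorrelation | Sort-Object Time | Format-Table -Wrap
```

Rows with an empty TasksNearby column are start-type changes that no REMPL task run explains and need a different source.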
So glad to read this. I will delete every instance of wuauserv and remsh and hope that stops my machine waking in the night and costing me money for going over my bandwidth cap by several gig. I had to pay my ISP twice my normal bill because I was so far over without knowing it!
Not updating from Anniversary Edition? You're probably a bot farm by now, since you aren't getting security patches anymore because you are past end of support.
Don't worry – my Linux machines are getting updates – and the Win 7 machines too ;-).
BTW: Windows 10 V1607 still gets security updates – if you are in the right box
Do we need to delete this or not? If we must delete it, how? Right click and Delete, or use anti-malware?
Am I wrong in linking this executable with enabling the Windows Insider Program?
:)
RemSh.exe isn't related to WIP – but it has now been replaced by other files (see Windows 10: What are Rempl.exe, Remsh.exe, WaaSMedic.exe?).
2023-04 Update for Windows 10 Version 20H2 for x64-based Systems (KB4023057)