I just upgraded to Win 10 From Win 7. I am puzzled by the file shown in the below screen shot, R00000000000d.clb, that is being injected into every running process. Only info I can glean from the web is its a necessary file. It certainly didn't exist in Win 7. Appears that when a process starts up in Win 10, svchost.exe is doing the injection but can't determine what service is being used. Is this something to do with Win 10 telemetry? It is something to do with com+ looking at string details using Process Explorer.
It probably runs an Internet process that calls home to Microsoft servers. Welcome to the cloud in Windows 10.
Hi itman, FWIW, I've just completed a clean Win10 install on this machine and I have that file as well, but only one though, so the other may be a copy.
@itman I've pinged the MDL forums to see if they know more about it. I was able to confirm with Process Hacker myself as well. Interesting to note, though, is that it was not able to inject into AppContainer protected Chromium processes.
I have two such files in \Windows\Registration, R00000000000c.clb and R00000000000d.clb, both dated from when I installed Win10 10586-1511, both identical timestamps. Open either one in Notepad, scroll down a lot, and you will see a long blurb about it having to do with COM+ components, who can modify configuration of COM+ applications, etc. Seems that only the one with "d" in name is used here and the list varies as time goes on. Are these COM+ applications? I have no clue. Just offering what I see in Process Explorer. Krusty13 - just use Find - see arrow.
VirusTotal refers to those files as COM+ catalog files, but that is all that I can figure out thus far. Why they are injected into every running process is the big question still.
LOL, that was also my first thought. Why on earth did you decide to upgrade itman? You're better off with Win 8.
It was eventually coming. Google Chrome OS was the first OS running as a service entirely in the cloud. Windows 10 is Microsoft's response. Since most people are connected online, its the future. We're moving away slowly but surely from the desktop PC metaphor. Some people will welcome it, others will want to stick with what works for them now.
Thanks for the replies, guys. My main concern was the injection legit and that appears to be the case. My best guess at this point is the injection being done by one of the Win 10 system processes running under svchost.exe - Dcom; like ShellExperienceHost.exe, etc.. Note that even svchost.exe processes are injected although not all. Again, I believe this somehow related to the telemetry crap. A side note is that .clb files were a XP creation for COM+. Why MS is using such crap in Win 10 is beyond me. Also this activity makes monitoring process injection somewhat precarious since you have to allow svchost.exe modification for this Win 10 injection to occur. So if a malware service somehow gets installed, you're screwed. So much for Win 10 improved security -EDIT- Will also add that when I see a in mass in injection like this, it usually is security based. Possible that this Com+ module is interfacing with either the new antimalware filter in Win 10 or something to do with Win Defender although that is currently disabled due to my other security software running. Might be one reason there is no info available for this .clb file on the web. Also there is a new AppInit_Dlls registry key added in Win 10 and it is populated with what appears to be a ref. to Win system directory. This also could be what this Com+ module could be doing; preventing any highjacking of dll loading from the knowndlls and knowndlls32 kernel root tables.
I had Win 7, not 8. Also wanted the free upgrade. I took a disk image of my Win 7 installation prior to upgrading. So I can do a image restore to Win 7 whenever I want.
My Windows10 is not an upgrade. I did clean install of free Windows10 into its own partition. Windows 7 is intact. My list in post#7 is based on this state: Windows Defender is running in Windows10 as are NVT ERP, MBAE, MBAM and I run as limited user. The blurb in the clb file makes me think it is related to security/file integrity of some sort. It sure is puzzling.
Here's some text from what is inside the .clb file. Appears its COM+ utilities. Again I believe this is to support the telemetry crap. Might be used to capture process behavior stats that MS will use to create their own AI based antimalware solution?
Just found another "goody." Nividia driver backend update process sets up a local proxy server i.e. 127.0.0.1 to send crap back and forth from home. This will zip through most 3rd party firewall outbound firewall monitoring since local host is considered a trusted network. Also, disabling Nvidia updates has no effect on this by the way. I am blocking C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe start-up with a Eset HIPS rule. You can also delete its run key in the registry or disable it using Autoruns. -EDIT- Appears the only way stop NvBackend.exe is to block it via HIPS or anti-exec. It will startup dynamically after boot time. Here's the localhost connection it makes: Source port: 127.0.0.1:xxxxx and destination port: 127.0.0.1:23401 TCP. I have absolutely no clue why it is doing this.
Yes I know, but I meant you could rather upgrade to Win 8, but that isn't free of course. Win 8 is pretty good, without all (or most) of the Win Telemetry crap. I don't believe this is used to phone home? On my system it doesn't really transfer any data.
No. It does upload data because I got a Eset firewall alert about NvBackend.exe trying to connect outbound on port 443 shortly after I installed Win 10. That could have been for an update check(?) which I promptly disabled in the NVidia control panel. Any kind of localhost proxy activity makes me nervous. Again, I have no idea why the process is doing this. Best to block its startup unconditionally.
its something from the repair option (read last answer) http://answers.microsoft.com/en-us/...n/fcb13c3d-79d8-40c1-966b-432ce7f0fa6c?auth=1
Nvidia GeForce Experience, Cloud Based Game Configuration Service It is a tool that can make automatic configuration changes to the system based on the games you play. In addition to that, it is cloud-based which means that it will receive updates regularly to take new cards, drivers, hardware or games into account. I always uninstalled, or skip Nvidia GeForce Experience installations.
I read that thread initially. All the last reply states is the file has something to do with COM+ registration. Actually, the .clb file is COM+utilities, so you can do anything to COM+ with it. At this point, appears that Win 10 is dynamically registering COM+ components as they are used by a process? Best answer, I can come up with. Might have something to do with improving security against the new wave of COM+ malware that is impossible to detect?
Another goody I just discovered is it appears the Win 10 upgrade turns off IE11's enhanced protected mode - go figure So anyone using IE11 should check that setting.
was off here, but i never noticed it - i dont use IE is your setting lost with restart? http://www.eightforums.com/tutorials/31977-internet-explorer-enhanced-protected-mode-turn-off.html
No, it sticks after a reboot. Ditto for the "64 bit tabs option." BTW - I never had the "64 bit tabs option" when I was running Win 7 x64, SP1? -EDIT- Also check your cookies settings. Just noticed those when set to defaults i.e. accept all cookies.
For what it's worth, I've done a clean install recently and this injection behaviour is not happening on this machine nor do the R00000000000d.clb file(s) even exist. Very strange. The machine that I had initially confirmed your findings on was upgraded. So I'm starting to think that this injection finding only occurs on machines in which had upgrade installs of Windows 10.
act8192 stated in reply #13 that his was a clean Win 10 install and he was also seeing the .clb injection? I wonder if has something to do with the Win 10 build installed? Mine is the initial 10240.
