regsvr32.exe and wuauclt.exe

Discussion in 'other anti-malware software' started by beethoven, Aug 23, 2007.

Thread Status:
Not open for further replies.
  1. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,044
    Not sure which forum is the most appropriate now that PG has been closed but I am hoping someone will have an answer to this:

    My XP is configured to notify about new updates and I usually check first re any experience others made before updating.
    This morning two of my PCs came up with some PG (ProcessGuard) alerts about regsvr32.exe looking for some dll.
    Looking up that file, it seemed ok to allow. However, this has continued to further alerts now relating to wuauclt.exe and I am a bit concerned, especially as it is not a normal update patch.

    This is the latest alert from PG:
    wuauclt.exe in folder x\windows\system32\ launched by windows32\svchost.exe
    commandline x\windows\system32\wuauclt.exe"/runstoreascomserver local \[458]suds and various numbers

    Can anybody tell me what is happening and whether this is normal?
     
  2. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
  3. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,044
    Thanks Climenole,
    I was just concerned that this update seemed to be following a very different process than the normal Tuesday updates, when I get a notification that an update is available and the option to download and install at my leisure.
    Seems this one started by stealth.
     
  4. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    I think it's looking for wups.dll and wups2.dll. ;)
    I'm not concerned but I am annoyed: wuauclt.exe has changed and it looks like we could be lumbered with svchost.exe starting up Regsvr32.exe regularly from now on. That's annoying 'cos I like to have Regsvr32.exe set to permit 'once', 'cos it is potentially dangerous if exploited; that means pop-ups from now on. :mad:

    Fortunately SSM users can make use of the parameters option.
    No it's not a normal patch; wuauclt seems to have been changed. :eek:
     
  5. alfa1

    alfa1 Registered Member

    Joined:
    May 3, 2006
    Posts:
    61
    The same for me.

    ProSecurity Log:

    wuauclt.exe
    [EXECUTE] 2007.08.24 08:35:46
    [ALLOW] C:\WINDOWS\system32\wuauclt.exe
    Command Line:"C:\WINDOWS\system32\wuauclt.exe" /RunStoreAsComServer Local\[5d0]SUSDS797ccd7755d1c349821bfdd4d1e8bc7b
    [FROM] C:\WINDOWS\System32\svchost.exe
    Command Line:C:\WINDOWS\System32\svchost.exe -k netsvcs


    regsvr32.exe
    [EXECUTE] 2007.08.24 08:38:32
    [ALLOW] C:\WINDOWS\system32\regsvr32.exe
    Command Line:/s "C:\WINDOWS\system32\wuapi.dll"
    [FROM] C:\WINDOWS\System32\svchost.exe
    Command Line:C:\WINDOWS\System32\svchost.exe -k netsvcs


    regsvr32.exe
    [EXECUTE] 2007.08.24 08:38:56
    [ALLOW] C:\WINDOWS\system32\regsvr32.exe
    Command Line:/s "C:\WINDOWS\system32\wucltui.dll"
    [FROM] C:\WINDOWS\System32\svchost.exe
    Command Line:C:\WINDOWS\System32\svchost.exe -k netsvcs


    wuauclt.exe
    [EXECUTE CHANGED PROGRAM] 2007.08.24 08:40:06
    [ALLOW] C:\WINDOWS\system32\wuauclt.exe
    Command Line:"C:\WINDOWS\system32\wuauclt.exe" /RunStoreAsComServer Local\[5d0]SUSDS287dc77c19ee3040a021c628a516a8de
    [ACCESS TO] C:\WINDOWS\System32\svchost.exe
    Command Line:C:\WINDOWS\System32\svchost.exe -k netsvcs

    -----------------------------------------------
    After reboot,

    regsvr32.exe
    [EXECUTE] 2007.08.24 08:46:12
    [ALLOW] C:\WINDOWS\system32\regsvr32.exe
    Command Line:/s "C:\WINDOWS\system32\wups.dll"
    [FROM] C:\WINDOWS\System32\svchost.exe
    Command Line:C:\WINDOWS\System32\svchost.exe -k netsvcs



    regsvr32.exe
    [EXECUTE] 2007.08.24 08:46:12
    [ALLOW] C:\WINDOWS\system32\regsvr32.exe
    Command Line:/s "C:\WINDOWS\system32\wups2.dll"
    [FROM] C:\WINDOWS\System32\svchost.exe
    Command Line:C:\WINDOWS\System32\svchost.exe -k netsvcs
     
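As an added example (not from this thread, and not code from ProSecurity, SSM or ProcessGuard), here is a small Python script that parses log entries in the format alfa1 posted above and applies the kind of parameter-based allow rule TopperID describes for SSM: a regsvr32.exe launch whose parent is svchost.exe -k netsvcs, whose arguments are /s plus a wu*.dll under system32, is treated as the Windows Update self-registration seen in this thread, and any other regsvr32.exe launch is flagged for review. The sample log is constructed, modelled on alfa1's entries, with one extra constructed entry that deliberately does not fit the pattern; the rule itself and the verdict strings are my assumptions, not the HIPS products' own.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in the shape of the ProSecurity entries quoted in the thread.
# The last entry is also constructed and is there to show what the rule rejects.
SAMPLE_LOG = r"""
wuauclt.exe
[EXECUTE] 2007.08.24 08:35:46
[ALLOW] C:\WINDOWS\system32\wuauclt.exe
Command Line:"C:\WINDOWS\system32\wuauclt.exe" /RunStoreAsComServer Local\[5d0]SUSDS797ccd7755d1c349821bfdd4d1e8bc7b
[FROM] C:\WINDOWS\System32\svchost.exe
Command Line:C:\WINDOWS\System32\svchost.exe -k netsvcs


regsvr32.exe
[EXECUTE] 2007.08.24 08:38:32
[ALLOW] C:\WINDOWS\system32\regsvr32.exe
Command Line:/s "C:\WINDOWS\system32\wuapi.dll"
[FROM] C:\WINDOWS\System32\svchost.exe
Command Line:C:\WINDOWS\System32\svchost.exe -k netsvcs


regsvr32.exe
[EXECUTE] 2007.08.24 08:46:12
[ALLOW] C:\WINDOWS\system32\regsvr32.exe
Command Line:/s "C:\WINDOWS\system32\wups2.dll"
[FROM] C:\WINDOWS\System32\svchost.exe
Command Line:C:\WINDOWS\System32\svchost.exe -k netsvcs


regsvr32.exe
[EXECUTE] 2007.08.24 09:02:10
[ALLOW] C:\WINDOWS\system32\regsvr32.exe
Command Line:/s "C:\Documents and Settings\user\Local Settings\Temp\update.dll"
[FROM] C:\WINDOWS\explorer.exe
Command Line:C:\WINDOWS\explorer.exe
"""


@dataclass
class ExecEvent:
    image: str            # first line of the entry, e.g. "regsvr32.exe"
    action: str           # "EXECUTE" or "EXECUTE CHANGED PROGRAM"
    timestamp: str
    path: str             # full path of the launched program
    cmdline: str          # its command line as logged
    parent_path: str      # [FROM] / [ACCESS TO] program
    parent_cmdline: str


# One entry: name, [ACTION] timestamp, [ALLOW] path, its command line,
# [FROM]/[ACCESS TO] parent path, and the parent's command line.
ENTRY_RE = re.compile(
    r"^(?P<image>\S+)\n"
    r"\[(?P<action>[^\]]+)\] (?P<ts>\S+ \S+)\n"
    r"\[ALLOW\] (?P<path>.+)\n"
    r"Command Line:(?P<cmd>.*)\n"
    r"\[(?:FROM|ACCESS TO)\] (?P<parent>.+)\n"
    r"Command Line:(?P<pcmd>.*)$",
    re.MULTILINE,
)


def parse_prosecurity_log(text: str) -> List[ExecEvent]:
    """Split the log on blank lines and parse each block that looks like an entry.
    Blocks that do not match (separator lines, free text) are skipped."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        m = ENTRY_RE.match(block.strip())
        if m is None:
            continue
        events.append(ExecEvent(m["image"], m["action"], m["ts"], m["path"],
                                m["cmd"].strip(), m["parent"], m["pcmd"].strip()))
    return events


SYSTEM32 = "c:\\windows\\system32\\"
# Assumed rule: only the silent-register form with a single quoted DLL argument.
WU_REGISTER_RE = re.compile(r'^/s\s+"(?P<dll>[^"]+)"$', re.IGNORECASE)


def triage_event(ev: ExecEvent) -> str:
    """Assumed allow rule for regsvr32.exe, in the spirit of an SSM parameter rule:
    expected only when svchost.exe -k netsvcs registers a wu*.dll from system32."""
    if ev.image.lower() != "regsvr32.exe":
        return "ignored"                       # rule only covers regsvr32.exe
    parent_ok = (ev.parent_path.lower() == SYSTEM32 + "svchost.exe"
                 and ev.parent_cmdline.lower().endswith("-k netsvcs"))
    m = WU_REGISTER_RE.match(ev.cmdline)
    if m is None:
        return "review: unexpected regsvr32 arguments"
    dll = m["dll"].lower()
    dll_ok = (dll.startswith(SYSTEM32)
              and dll.rsplit("\\", 1)[-1].startswith("wu")
              and dll.endswith(".dll"))
    if parent_ok and dll_ok:
        return "expected-wu-selfupdate"
    if not parent_ok:
        return "review: regsvr32 not launched by svchost -k netsvcs"
    return "review: regsvr32 registering a DLL outside system32\\wu*.dll"


def triage(text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, image, verdict) for every entry in the log text."""
    return [(ev.timestamp, ev.image, triage_event(ev)) for ev in parse_prosecurity_log(text)]


if __name__ == "__main__":
    for ts, image, verdict in triage(SAMPLE_LOG):
        print(f"{ts}  {image:<14} {verdict}")
```

The rule is deliberately narrow: it matches the parent, the /s switch and the DLL location and name prefix together, so a regsvr32.exe launch that differs in any one of them still produces a prompt, which is the behaviour TopperID wants to keep for this program.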