Strange Win 10 Behavior

Discussion in 'other software & services' started by itman, Jul 30, 2016.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    I just upgraded to Win 10 From Win 7.

    I am puzzled by the file shown in the below screen shot, R00000000000d.clb, that is being injected into every running process. Only info I can glean from the web is it's a necessary file. It certainly didn't exist in Win 7. Appears that when a process starts up in Win 10, svchost.exe is doing the injection but can't determine what service is being used. Is this something to do with Win 10 telemetry?

    It is something to do with COM+, looking at string details using Process Explorer.

    Win10_Registration_7-30-2016.png
     
    Last edited: Jul 30, 2016
  2. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    1,441
    It probably runs an Internet process that calls home to Microsoft servers.

    Welcome to the cloud in Windows 10.
     
  3. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    2,887
    Location:
    Australia
    Hi itman,

    FWIW, I've just completed a clean Win10 install on this machine and I have that file as well, but only one though, so the other may be a copy.
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    See if it's injected into all your running processes.
     
  5. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    2,887
    Location:
    Australia
    I don't have Process Explorer and wouldn't know how to use it anyway. :doubt:
     
  6. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,635
    Location:
    Toronto, Canada
    @itman I've pinged the MDL forums to see if they know more about it.

    I was able to confirm with Process Hacker myself as well. Interesting to note, though, is that it was not able to inject into AppContainer protected Chromium processes.
     
  7. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,274
    I have two such files in \Windows\Registration, R00000000000c.clb and R00000000000d.clb, both dated from when I installed Win10 10586-1511, both identical timestamps.
    Open either one in Notepad, scroll down a lot, and you will see a long blurb about it having to do with COM+ components, who can modify configuration of COM+ applications, etc.
    Seems that only the one with "d" in name is used here and the list varies as time goes on. Are these COM+ applications? I have no clue. Just offering what I see in Process Explorer. Krusty13 - just use Find - see arrow.
    R00000file-inPE.png
     
  8. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,635
    Location:
    Toronto, Canada
    VirusTotal refers to those files as COM+ catalog files, but that is all that I can figure out thus far. Why they are injected into every running process is the big question still.
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    LOL, that was also my first thought. :D

    Why on earth did you decide to upgrade, itman? You're better off with Win 8.
     
  10. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    1,441
    It was eventually coming.

    Google Chrome OS was the first OS running as a service entirely in the cloud.

    Windows 10 is Microsoft's response. Since most people are connected online, it's the future.

    We're moving away slowly but surely from the desktop PC metaphor.

    Some people will welcome it, others will want to stick with what works for them now.
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Thanks for the replies, guys.

    My main concern was whether the injection was legit, and that appears to be the case. My best guess at this point is the injection being done by one of the Win 10 system processes running under svchost.exe - Dcom; like ShellExperienceHost.exe, etc. Note that even svchost.exe processes are injected although not all. Again, I believe this is somehow related to the telemetry crap.

    A side note is that .clb files were an XP creation for COM+. Why MS is using such crap in Win 10 is beyond me.

    Also this activity makes monitoring process injection somewhat precarious since you have to allow svchost.exe modification for this Win 10 injection to occur. So if a malware service somehow gets installed, you're screwed. So much for Win 10 improved security o_O

    -EDIT- Will also add that when I see an en masse injection like this, it usually is security based. Possible that this COM+ module is interfacing with either the new antimalware filter in Win 10 or something to do with Win Defender although that is currently disabled due to my other security software running. Might be one reason there is no info available for this .clb file on the web.

    Also there is a new AppInit_Dlls registry key added in Win 10 and it is populated with what appears to be a ref. to the Win system directory. This also could be what this COM+ module could be doing; preventing any hijacking of dll loading from the knowndlls and knowndlls32 kernel root tables.
     
    Last edited: Jul 31, 2016
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    I had Win 7, not 8. Also wanted the free upgrade. I took a disk image of my Win 7 installation prior to upgrading. So I can do an image restore to Win 7 whenever I want.
     
    Last edited: Jul 31, 2016
  13. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,274
    My Windows10 is not an upgrade. I did a clean install of free Windows10 into its own partition. Windows 7 is intact.
    My list in post #7 is based on this state: Windows Defender is running in Windows10 as are NVT ERP, MBAE, MBAM and I run as limited user. The blurb in the clb file makes me think it is related to security/file integrity of some sort.
    It sure is puzzling.
     
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Here's some text from what is inside the .clb file. Appears it's COM+ utilities. Again I believe this is to support the telemetry crap. Might be used to capture process behavior stats that MS will use to create their own AI based antimalware solution?

    Win10_COM+_Utilities-7-31-2016.png
     
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Just found another "goody."

    Nvidia driver backend update process sets up a local proxy server i.e. 127.0.0.1 to send crap back and forth from home. This will zip through most 3rd party firewall outbound monitoring since localhost is considered a trusted network. Also, disabling Nvidia updates has no effect on this by the way.

    I am blocking C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe start-up with an Eset HIPS rule. You can also delete its run key in the registry or disable it using Autoruns.

    -EDIT- Appears the only way to stop NvBackend.exe is to block it via HIPS or anti-exec. It will start up dynamically after boot time.

    Here's the localhost connection it makes:

    Source port: 127.0.0.1:xxxxx and destination port: 127.0.0.1:23401 TCP.

    I have absolutely no clue why it is doing this.
     
    Last edited: Aug 2, 2016
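A PowerShell triage script, added here and not posted by anyone in the thread, that checks the items raised in posts #7, #11 and #15 from a defender's side: the .clb files in \Windows\Registration, the AppInit_DLLs values, the owner of the 127.0.0.1:23401 listener, and any Run-key entry referencing NvBackend. The file names, port, registry key and executable name come from the thread; the paths of the Run keys and the use of a stock Windows 10 / PowerShell 5.1 session are assumptions.

```powershell
# Added triage script (not from the thread). Assumptions: elevated PowerShell 5.1
# on Windows 10; port 23401 and NvBackend.exe are taken from post #15,
# AppInit_DLLs from post #11, the .clb files from posts #1 and #7.

# 1. COM+ catalog files in \Windows\Registration: compare timestamps and hashes
#    (act8192 reports two files with identical timestamps).
Get-ChildItem -Path "$env:WINDIR\Registration" -Filter '*.clb' -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Name      = $_.Name
            SizeBytes = $_.Length
            Modified  = $_.LastWriteTime
            SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    } | Format-Table -AutoSize

# 2. AppInit_DLLs: a non-empty value together with LoadAppInit_DLLs = 1 means
#    every process that loads user32.dll also loads the listed DLLs.
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows') {
    $v = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    "{0}`n  AppInit_DLLs = '{1}'  LoadAppInit_DLLs = {2}" -f $key, $v.AppInit_DLLs, $v.LoadAppInit_DLLs
}

# 3. Which process owns the 127.0.0.1:23401 listener described in post #15.
Get-NetTCPConnection -LocalPort 23401 -State Listen -ErrorAction SilentlyContinue |
    ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            PID          = $_.OwningProcess
            Process      = $p.ProcessName
            Path         = $p.Path
        }
    } | Format-List

# 4. Run-key entries that reference NvBackend (the persistence the post removes).
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties |
            Where-Object { $_.Value -is [string] -and $_.Value -match 'NvBackend' } |
            ForEach-Object { "{0} : {1} = {2}" -f $key, $_.Name, $_.Value }
    }
}
```

Section 3 prints nothing when NvBackend.exe is not running, since the listener only exists while the process is up.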
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    Yes I know, but I meant you could rather upgrade to Win 8, but that isn't free of course. Win 8 is pretty good, without all (or most) of the Win Telemetry crap.

    I don't believe this is used to phone home? On my system it doesn't really transfer any data.
     
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    No. It does upload data because I got an Eset firewall alert about NvBackend.exe trying to connect outbound on port 443 shortly after I installed Win 10. That could have been for an update check(?) which I promptly disabled in the Nvidia control panel.

    Any kind of localhost proxy activity makes me nervous. Again, I have no idea why the process is doing this. Best to block its startup unconditionally.
     
  18. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,734
  19. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Nvidia GeForce Experience, Cloud Based Game Configuration Service

    It is a tool that can make automatic configuration changes to the system based on the games you play. In addition to that, it is cloud-based which means that it will receive updates regularly to take new cards, drivers, hardware or games into account.

    I always uninstalled, or skip Nvidia GeForce Experience installations.
     
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    I read that thread initially. All the last reply states is the file has something to do with COM+ registration. Actually, the .clb file is COM+ utilities, so you can do anything to COM+ with it.

    At this point, appears that Win 10 is dynamically registering COM+ components as they are used by a process? Best answer, I can come up with. Might have something to do with improving security against the new wave of COM+ malware that is impossible to detect?
     
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Another goody I just discovered is it appears the Win 10 upgrade turns off IE11's enhanced protected mode - go figure o_O So anyone using IE11 should check that setting.
     
  22. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,734
  23. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Last edited: Aug 3, 2016
  24. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,635
    Location:
    Toronto, Canada
    For what it's worth, I've done a clean install recently and this injection behaviour is not happening on this machine nor do the R00000000000d.clb file(s) even exist. Very strange. The machine that I had initially confirmed your findings on was upgraded. So I'm starting to think that this injection finding only occurs on machines which had upgrade installs of Windows 10.
     
  25. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    act8192 stated in reply #13 that his was a clean Win 10 install and he was also seeing the .clb injection? I wonder if it has something to do with the Win 10 build installed? Mine is the initial 10240.
     