This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Hello everyone. Always on the lookout for weird behaviour/processes on my computer. This one's weird.
This is the info I can get from Process Hacker:
C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
Regedit:
Computer\HKEY_CLASSES_ROOT\AppID{995C996E-D918-4a8c-A302-45719A6F4EA7}
Key Default : Shell Hardware Mixed Content Handler
Key RunAs : Interactive User
Also in:
Computer\HKEY_CLASSES_ROOT\CLSID{995C996E-D918-4a8c-A302-45719A6F4EA7}\LocalServer32
Computer\HKEY_CLASSES_ROOT\Shell.Autoplay\CLSID
Computer\HKEY_CLASSES_ROOT\Shell.Autoplay.1\CLSID
Computer\HKEY_CLASSES_ROOT\WOW6432Node\AppID{995C996E-D918-4a8c-A302-45719A6F4EA7}
Key Default : Shell Hardware Mixed Content Handler
Key RunAs : Interactive User
So far I've found (on very old forums posts) that it's possibly related to autorun/autoplay. So I disabled both in gpedit.
The process still appears after reboot.
Is there a tool or some way for me to know what this process is doing and why it starts?
Thanks
Is there a tool or some way for me to know what this process is doing and why it starts?
No, it is used internally by MS, the GUID {995C996E-D918-4a8c-A302-45719A6F4EA7} = CLSID_ShellAutoplay
not in SDK headers
This command creates a COM Desktop local server (some details at LocalServer32) used by the Shell to handle AutoPlay
Thanks for the answer Castorix.
Few questions then:
1) Does it run because I have something plugged-in like a usb stick or controller that is detected and plug-and-played automatically?
2) Can this process be used by malicious programs and act as legit autoplay but mount an image or monitor drives that are plugged-in?
3)"not in SDK headers. This command creates a COM Desktop local server" Wording that doesn't sound "safe" but probably is. Care to explain in simplier terms? Thx
I don't know the conditions to launch this process, but it is used since Windows XP, so I don't think there is a risk
For SDK headers, I mean it is not documented in Windows SDK
This is somewhat reassuring.
Thanks for your time Castorix.