This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(316.8, 34%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EH%3C/text%3E%3C/svg%3E)
Hello everyone. Always on the lookout for weird behaviour/processes on my computer. This one's weird.
This is the info I can get from Process Hacker:
C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
Regedit:
Computer\HKEY_CLASSES_ROOT\AppID{995C996E-D918-4a8c-A302-45719A6F4EA7}
Key Default : Shell Hardware Mixed Content Handler
Key RunAs : Interactive User
Also in:
Computer\HKEY_CLASSES_ROOT\CLSID{995C996E-D918-4a8c-A302-45719A6F4EA7}\LocalServer32
Computer\HKEY_CLASSES_ROOT\Shell.Autoplay\CLSID
Computer\HKEY_CLASSES_ROOT\Shell.Autoplay.1\CLSID
Computer\HKEY_CLASSES_ROOT\WOW6432Node\AppID{995C996E-D918-4a8c-A302-45719A6F4EA7}
Key Default : Shell Hardware Mixed Content Handler
Key RunAs : Interactive User
So far I've found (on very old forums posts) that it's possibly related to autorun/autoplay. So I disabled both in gpedit.
The process still appears after reboot.
Is there a tool or some way for me to know what this process is doing and why it starts?
Thanks
Is there a tool or some way for me to know what this process is doing and why it starts?
No, it is used internally by MS, the GUID {995C996E-D918-4a8c-A302-45719A6F4EA7} = CLSID_ShellAutoplay
not in SDK headers
This command creates a COM Desktop local server (some details at LocalServer32) used by the Shell to handle AutoPlay
Thanks for the answer Castorix.
Few questions then:
1) Does it run because I have something plugged-in like a usb stick or controller that is detected and plug-and-played automatically?
2) Can this process be used by malicious programs and act as legit autoplay but mount an image or monitor drives that are plugged-in?
3)"not in SDK headers. This command creates a COM Desktop local server" Wording that doesn't sound "safe" but probably is. Care to explain in simplier terms? Thx
I don't know the conditions to launch this process, but it is used since Windows XP, so I don't think there is a risk
For SDK headers, I mean it is not documented in Windows SDK
This is somewhat reassuring.
Thanks for your time Castorix.
