Windows 10: What is REMSH.exe for?

[German]Recently I stumbled over a question in a German forum, asking, what the file REMSH.exe is for. Here are a few information I found, after I investigated this question.


Advertising
 


The first case, I’ve seen

The first time I stumbled within this German forum discussion about the program file REMSH.exe and the question what this file is for. A user wrote:

Firewall reports since a few weeks ago that REMSH. exe wants to connect to MS

Since some time I’m receiving firewall alerts, that the file remsh. exe wants to use the path C: \Program Files\rempl\ to establish a connection to an IP which, according to the IP address of the server query belongs to Microsoft Corporation, or more precisely to Microsoft Azure.

Can someone tell me what this file wants to do and where it comes from? All affected computers are Windows 10 Pro with Commodo Firewall 10.

Browsing the Internet doesn’t seems to help at a first glance. The first MS Answers forum entry I found, claimed (faulty) it was malware.

What is remsh.exe?

remsh.exe (C:\Program Files\rempl\remsh.exe) try to access the Internet these days

remsh.exe is signed by Microsoft. It also has high CPU usage and disk writing sometimes.

What is remsh.exe? What is it for?

Also this Microsoft Answers forum thread seems to walk in the same direction – note the answer of the Microsoft employee. And here we have a discussion, that Rempl triggers a daily task.

Could REMSH.exe be malware?

The first question to check would be: Is remsh.exe malware or something from Microsoft. Checking several forum entries, I found out, that the file is located within the path:

C:\Program Files\rempl\

as mentioned above. And what the user cited above wrote, was, that he program tries to connect a Microsoft Azure server. So it seems, that the program is legit. But checking some test machines with Windows 10, I wasn’t able to detect this file. This triggers ‘worse fears’ that it could be malware.

REMSH.exe

The best you can do in such a case: Right click the file, select Properties and check the Digital Signatures property page. Here I found a user, who has posted the screen shown above. The file has been digitally signed by Microsoft, so it’s not malware.

What you also should do: Upload the file to Virus Total and let it check for malware.

But what is REMSH.exe?

The remaining question is: Why is REMSH.exe available only on some machine and is there an explanation, what the file is for? Searching the web for the file name brought me to Microsoft’s KB article 4023057 that gives us some clue. At the time this blog post was written, KB4023057 stands for Update to Windows 10 Versions 1507, 1511, and 1607 for update reliability: November 2, 2017. Microsoft says:

This update includes reliability improvements that affect the update components in Windows 10 Versions 1507, 1511, and 1607.

This update includes files and resources that address issues that affect the update processes in Windows 10. These improvements ensure that quality updates are installed seamlessly to improve the reliability and security of Windows 10.

Only certain builds of Windows 10 Versions 1507, 1511, and 1607 require this update. Devices that are running those builds will automatically get the update downloaded and installed through Windows Update.

And there I found a mention of Remsh.exe:

File name File version File size Date Time
Remsh.exe 10.0.14393.1273 707,064 29-Sep-2017 03:28

The file version given in the table above may vary. But we have a firm explanation for our questions. First of all, the file may be found on ‘certain builds of Windows 10 Versions 1507, 1511, and 1607 [that] require this update’. And it address issues that affect the update processes in Windows 10. Hope this has shed some light into this topic.


Advertising


This entry was posted in Windows and tagged , . Bookmark the permalink.

6 Responses to Windows 10: What is REMSH.exe for?

  1. Yuri says:

    That’s very clever of Microsoft to clearly attribute their exe as malware. Strange name, running at startup, folder directly inside Program Files, high CPU and disk usage, files .ETL with unknown data inside.

    F.. them.

    • Houston says:

      .ETL files are mostly “EvenT Log” saved files as Tracelog, which are used numerous times by Microsoft applications. You can do search for *.ETL on Windows computer.
      They can be opened using EventLog, RMB to SavedLogs, click Open it will ask for EVT/EVTX/ETL file or you can use commandline tool TRACERPT.EXE

      So if I see MS digitally signed EXE with ETL files inside ProgramFiles – it is SAFE. It it started by TaskScheduler, like many other MS programs.

  2. Dime says:

    I have this same thing on my 2 PC’s both run currently w10 1607 version(NOT Creators release) and both are *FREE 🙂 upgrade to WIN 10
    1) asus laptop N750 *FREE 🙂 upgrade from W8.1 (64b) to win 10 (Home)
    2) custom Desktop is *FREE 🙂 upgrade from Win 7 Ultimate(64bit) to Win 10 Pro (64b)

    this unintended wakeup was so annoying , i have struggled with this almost 3 months and this thing is still present on both my machines.
    so far haven’t seen any proper answer from M$ either.

  3. UngoogIable says:

    The ETL files in the log folder for REMSH are readable by “Microsoft Message Analyzer” and show information like this

    MessageNumber DiagnosisTypes Timestamp TimeDelta EventRecord.Header.ProcessId EventRecord.Header.ThreadId Module Summary
    114 None 2018-01-16T08:18:55.0392656 0.0000031 7916 21660 Microsoft_Windows_Remediation Information: Message=OneSettings entry key: ETag value: ,PackageVersion=2018.1B
    115 None 2018-01-16T08:18:55.0392686 0.0000030 7916 21660 Microsoft_Windows_Remediation Information: Message=OneSettings entry key: RefreshAfter value: 榔Ⳉ辕Ǔ,PackageVersion=2018.1B
    116 None 2018-01-16T08:18:55.0396012 0.0003326 7916 21660 Microsoft_Windows_Remediation RemediationShellExecutionCloudControlStateEventId: cloudControlState=1,CV=7CL6mE4vmEyrQuW+.0,GlobalEventCounter=1041,PackageVersion=2018.1B
    117 None 2018-01-16T08:18:55.0396905 0.0000893 7916 21660 Microsoft_Windows_Remediation Information: Message=For Shell plugin : (Current Iteration Count: 3 | Maximum Run Count: 100).,PackageVersion=2018.1B
    118 None 2018-01-16T08:18:55.0399460 0.0002555 7916 21660 Microsoft_Windows_Remediation RemediationShellStateEventId: applicabilityCheck=1,CV=7CL6mE4vmEyrQuW+.0,GlobalEventCounter=1042,PackageVersion=2018.1B
    119 None 2018-01-16T08:18:55.0401900 0.0002440 8984 12620 Microsoft_Windows_Remediation WindowsUpdateTelemetryDataEvent: AuOptions=,CV=+NbRN3eMQkqBM0jm.0,DoNotConnectToWindowsUpdate=,GlobalEventCounter=1043,isRegisteredWithDCAT=0,isRegisteredWithMU=1,isRegisteredWithOther=0,isRegisteredWithWS=1,isRegisteredWithWU=0,NoAutoUpdate=0,PackageVersion=2018.1B,SetDisableUXWUAccess=
    120 None 2018-01-16T08:18:55.0402482 0.0000582 8984 12620 Microsoft_Windows_Remediation Information: Message=CheckSystemDiskFreeSpace: Start Function CheckSystemDiskFreeSpace,PackageVersion=2018.1B
    121 None 2018-01-16T08:18:55.0403166 0.0000684 8984 12620 Microsoft_Windows_Remediation Information: Message=CheckSystemDiskFreeSpace: C: is the system drive,PackageVersion=2018.1B
    122 None 2018-01-16T08:18:55.0404204 0.0001038 8984 12620 Microsoft_Windows_Remediation Information: Message=CheckSystemDiskFreeSpace: MB of free space: 149333 is the available disk space,PackageVersion=2018.1B
    123 None 2018-01-16T08:18:55.0409183 0.0004979 7916 21660 Microsoft_Windows_Remediation Information: Message=Start GetRestoreHealthMarker,PackageVersion=2018.1B
    124 None 2018-01-16T08:18:55.0409351 0.0000168 7916 21660 Microsoft_Windows_Remediation Information: Message=End GetRestoreHealthMarker,PackageVersion=2018.1B
    125 None 2018-01-16T08:18:55.0409491 0.0000140 7916 21660 Microsoft_Windows_Remediation Information: Message=AC Power Status: 1,PackageVersion=2018.1B

    Stop the task for it or run SHUTUP O&O free for home use. This will remove garbage like this.

  4. Bert says:

    Because we use Win 10 IoT systems in 24/7 production environments we Disabled Windows Update service and scheduled tasks. We also install alternate timesync server. So we also Disabled Windows Time service.
    Suddenly we had some systems on which these services were set to Manual (Triggered start) again. And again each time we Disabled them. It seems to happen on random times.
    While digging through the registry I found HKLM\SOFTWARE\Microsoft\rempl\remediationresults. Here I found something about Windows Update en Windows Time services and about the scheduled tasks.
    So it seems REMSH.EXE is resposible for resetting the services to Manual start.
    According to Microsoft REMSH.EXE is part of a reliability update. Well, in our case it is definitly NOT!
    To solve this issue I have disabled the 2 scheduled tasks under Microsoft\Windows\rempl.

    • guenni says:

      @Bert: Thanks for your feedback and insights. Or in other Words: Win 10 IoT is a mess (after weighting all things you have done, to keep things alive).

Leave a Reply

Your email address will not be published. Required fields are marked *