Windows 10: What is REMSH.exe for?

Recently I stumbled over a question in a German forum asking what the file REMSH.exe is for. Here is some information I found after investigating the question.


The first case I’ve seen

I first came across the program file REMSH.exe, and the question of what it is for, in this German forum discussion. A user wrote:

Firewall reports since a few weeks ago that REMSH.exe wants to connect to MS

For some time I have been receiving firewall alerts that the file remsh.exe wants to use the path C:\Program Files\rempl\ to establish a connection to an IP which, according to the IP address of the server query, belongs to Microsoft Corporation, or more precisely to Microsoft Azure.

Can someone tell me what this file wants to do and where it comes from? All affected computers are Windows 10 Pro with Comodo Firewall 10.

Browsing the Internet doesn’t seem to help at first glance. The first MS Answers forum entry I found claimed (wrongly) that it was malware.

What is remsh.exe?

remsh.exe (C:\Program Files\rempl\remsh.exe) tries to access the Internet these days

remsh.exe is signed by Microsoft. It also has high CPU usage and disk writing sometimes.

What is remsh.exe? What is it for?

This Microsoft Answers forum thread also points in the same direction – note the answer of the Microsoft employee. And here we have a discussion saying that Rempl triggers a daily task.

Could REMSH.exe be malware?

The first question to check is: Is remsh.exe malware, or something from Microsoft? Checking several forum entries, I found out that the file is located in the path:

C:\Program Files\rempl\

as mentioned above. The user cited above also wrote that the program tries to connect to a Microsoft Azure server. So it seems that the program is legitimate. But when I checked some test machines with Windows 10, I wasn’t able to find this file. This raises the fear that it could be malware.


The best you can do in such a case: Right-click the file, select Properties and check the Digital Signatures property page. I found a user who has posted the screenshot shown above. The file has been digitally signed by Microsoft, so it’s not malware.

What you should also do: Upload the file to VirusTotal and let it check for malware.
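The same two checks can be scripted. The following PowerShell is an added example, not part of the original post; the function name Test-RemshBinary is hypothetical, and the default path is the one reported above. It validates the Authenticode signature and its certificate chain, computes the SHA-256 hash (which can be searched on VirusTotal), and lists scheduled tasks that launch anything from the rempl folder.

```powershell
# Added example. Default path is the location reported on this page.
function Test-RemshBinary {
    param([string]$Path = 'C:\Program Files\rempl\remsh.exe')

    if (-not (Test-Path -LiteralPath $Path)) {
        # Expected on machines that never received the update.
        Write-Warning "Not present: $Path"
        return
    }

    # Status must be 'Valid'; the mere presence of a signature proves nothing.
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    $signer  = $null
    $root    = $null
    $chainOk = $false
    if ($cert) {
        $signer = $cert.Subject
        # Build the certificate chain and record which root it ends in.
        $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainOk = $chain.Build($cert)
        $count   = $chain.ChainElements.Count
        if ($count -gt 0) {
            $root = $chain.ChainElements[$count - 1].Certificate.Subject
        }
    }

    [pscustomobject]@{
        Path              = $Path
        FileVersion       = (Get-Item -LiteralPath $Path).VersionInfo.FileVersion
        SignatureStatus   = $sig.Status
        Signer            = $signer
        # A subject string match only means something when the chain is valid.
        SignerIsMicrosoft = [bool]($signer -like '*O=Microsoft Corporation*')
        ChainValid        = $chainOk
        ChainRoot         = $root
        SHA256            = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

Test-RemshBinary | Format-List

# Scheduled tasks whose action starts a program from the rempl folder.
Get-ScheduledTask |
    Where-Object { $_.Actions.Execute -like '*\rempl\*' } |
    Select-Object TaskPath, TaskName, State
```

A result with SignatureStatus other than Valid, or ChainValid set to False, means the file should not be trusted on the strength of its name and location alone.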

But what is REMSH.exe?

The remaining question is: Why is REMSH.exe present only on some machines, and is there an explanation of what the file is for? Searching the web for the file name brought me to Microsoft’s KB article 4023057, which gives us some clues. At the time this blog post was written, KB4023057 was titled Update to Windows 10 Versions 1507, 1511, and 1607 for update reliability: November 2, 2017. Microsoft says:

This update includes reliability improvements that affect the update components in Windows 10 Versions 1507, 1511, and 1607.

This update includes files and resources that address issues that affect the update processes in Windows 10. These improvements ensure that quality updates are installed seamlessly to improve the reliability and security of Windows 10.

Only certain builds of Windows 10 Versions 1507, 1511, and 1607 require this update. Devices that are running those builds will automatically get the update downloaded and installed through Windows Update.

And there I found a mention of Remsh.exe:

File name | File version | File size | Date | Time
Remsh.exe | 10.0.14393.1273 | 707,064 | 29-Sep-2017 | 03:28

The file version given in the table above may vary. But we have a firm explanation for our questions. First of all, the file may be found on ‘certain builds of Windows 10 Versions 1507, 1511, and 1607 [that] require this update’. And it addresses issues that affect the update processes in Windows 10. I hope this has shed some light on the topic.



2 Responses to Windows 10: What is REMSH.exe for?

  1. Yuri says:

    That’s very clever of Microsoft to clearly attribute their exe as malware. Strange name, running at startup, folder directly inside Program Files, high CPU and disk usage, files .ETL with unknown data inside.

    F.. them.

    • Houston says:

      .ETL files are mostly “EvenT Log” saved files as Tracelog, which are used numerous times by Microsoft applications. You can do a search for *.ETL on a Windows computer.
      They can be opened using EventLog: RMB on SavedLogs, click Open, and it will ask for an EVT/EVTX/ETL file, or you can use the command-line tool TRACERPT.EXE.

      So if I see an MS digitally signed EXE with ETL files inside ProgramFiles – it is SAFE. It is started by TaskScheduler, like many other MS programs.
