Recently I stumbled over a question in a German forum asking what the file REMSH.exe is for. Here is some information I found after investigating this question.
The first case I've seen
I first came across the program file REMSH.exe, and the question of what it is for, in this German forum discussion. A user wrote:
Firewall reports since a few weeks ago that REMSH.exe wants to connect to MS
Since some time I’m receiving firewall alerts, that the file remsh.exe wants to use the path C:\Program Files\rempl\ to establish a connection to an IP which, according to the IP address of the server query belongs to Microsoft Corporation, or more precisely to Microsoft Azure.
Can someone tell me what this file wants to do and where it comes from? All affected computers are Windows 10 Pro with Comodo Firewall 10.
Browsing the Internet doesn’t seem to help at first glance. The first MS Answers forum entry I found claimed (wrongly) that it was malware.
What is remsh.exe?
remsh.exe (C:\Program Files\rempl\remsh.exe) tries to access the Internet these days
remsh.exe is signed by Microsoft. It also has high CPU usage and disk writing sometimes.
What is remsh.exe? What is it for?
Could REMSH.exe be malware?
The first question to check is whether remsh.exe is malware or something from Microsoft. Checking several forum entries, I found out that the file is located within the path:
C:\Program Files\rempl\
as mentioned above. The user cited above also wrote that the program tries to connect to a Microsoft Azure server. So it seems that the program is legitimate. But when I checked some test machines with Windows 10, I wasn’t able to find this file. This triggers ‘worse fears’ that it could be malware.
The best you can do in such a case: Right-click the file, select Properties and check the Digital Signatures property page. Here I found a user who has posted the screen shown above. The file has been digitally signed by Microsoft, so it’s not malware.
What you should also do: Upload the file to VirusTotal and let it check for malware.
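The signature check described above can also be scripted. The following PowerShell is an added example, not part of the original post; it assumes the path quoted in the forum post and treats "O=Microsoft Corporation" in the signer and root certificate subjects as the marker for a Microsoft signature.

```powershell
# Added example: check remsh.exe's Authenticode signature and print its SHA-256.
# Default path is the one quoted in the forum post above; pass -Path to override.
param([string]$Path = 'C:\Program Files\rempl\remsh.exe')

if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
    Write-Output "Not present on this machine: $Path"
    return
}

# Status is 'Valid' only if the file hash matches the signature and the chain is
# trusted. 'NotSigned', 'HashMismatch' or 'NotTrusted' mean the check failed.
$sig    = Get-AuthenticodeSignature -FilePath $Path
$signer = $sig.SignerCertificate

# Walk the certificate chain to see which root the signer chains up to.
$rootSubject = $null
if ($signer) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # keep the script usable offline
    [void]$chain.Build($signer)
    if ($chain.ChainElements.Count -gt 0) {
        $rootSubject = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    }
}

# Assumption: Microsoft's signer and root subjects contain "O=Microsoft Corporation".
$looksLikeMicrosoft = ($sig.Status -eq 'Valid') -and
                      ($signer.Subject -match 'O=Microsoft Corporation') -and
                      ($rootSubject   -match 'O=Microsoft Corporation')

[pscustomobject]@{
    Path              = $Path
    SignatureStatus   = $sig.Status
    StatusMessage     = $sig.StatusMessage
    Signer            = $signer.Subject
    ChainRoot         = $rootSubject
    ValidMicrosoftSig = $looksLikeMicrosoft
    SHA256            = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
} | Format-List
```

The SHA256 value can be searched on VirusTotal without uploading the file itself.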
But what is REMSH.exe?
The remaining question is: Why is REMSH.exe available only on some machines, and is there an explanation of what the file is for? Searching the web for the file name brought me to Microsoft’s KB article 4023057, which gives us some clues. At the time this blog post was written, KB4023057 stands for Update to Windows 10 Versions 1507, 1511, and 1607 for update reliability: November 2, 2017. Microsoft says:
This update includes reliability improvements that affect the update components in Windows 10 Versions 1507, 1511, and 1607.
This update includes files and resources that address issues that affect the update processes in Windows 10. These improvements ensure that quality updates are installed seamlessly to improve the reliability and security of Windows 10.
Only certain builds of Windows 10 Versions 1507, 1511, and 1607 require this update. Devices that are running those builds will automatically get the update downloaded and installed through Windows Update.
And there I found a mention of Remsh.exe:
| File name | File version | File size | Date | Time |
The file version given in the table above may vary. But we have a firm explanation for our questions. First of all, the file may be found on ‘certain builds of Windows 10 Versions 1507, 1511, and 1607 [that] require this update’. And it addresses issues that affect the update processes in Windows 10. I hope this has shed some light on this topic.
Addendum: Parts of remsh.exe have been replaced, see also my remarks within the blog post Windows 10: update KB4023057 released (Sept. 6, 2018).