{"id":4184,"date":"2017-11-05T01:16:00","date_gmt":"2017-11-05T00:16:00","guid":{"rendered":"http:\/\/borncity.com\/win\/?p=4184"},"modified":"2021-06-17T23:03:27","modified_gmt":"2021-06-17T21:03:27","slug":"windows-what-is-remsh-exe-for","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2017\/11\/05\/windows-what-is-remsh-exe-for\/","title":{"rendered":"Windows 10: What is REMSH.exe for?"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline;\" src=\"http:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2013\/03\/winb.jpg\" width=\"58\" height=\"58\" align=\"left\" \/>[<a href=\"https:\/\/www.borncity.com\/blog\/2017\/11\/05\/windows-10-was-ist-die-remsh-exe\/\" target=\"_blank\" rel=\"noopener\">German<\/a>]Recently I stumbled over a question in a German forum asking what the file <em>REMSH.exe<\/em> is for. Here is some information I found after investigating this question.<\/p>\n<p><!--more--><\/p>\n<h2>The first case I've seen<\/h2>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/ssl-vg03.met.vgwort.de\/na\/594844cf7ee940c9998769e94cd31d1e\" alt=\"\" width=\"1\" height=\"1\" \/>I first stumbled over the program file <em>REMSH.exe<\/em>, and the question of what this file is for, in this German forum discussion. A user wrote:<\/p>\n<blockquote><p>Firewall reports since a few weeks ago that REMSH.exe wants to connect to MS<\/p>\n<p>For some time I've been receiving firewall alerts that the file remsh.exe wants to use the path C:\\Program Files\\rempl\\ to establish a connection to an IP which, according to the IP address of the server query, belongs to Microsoft Corporation, or more precisely to Microsoft Azure.<\/p>\n<p>Can someone tell me what this file wants to do and where it comes from? 
All affected computers are Windows 10 Pro with Comodo Firewall 10.<\/p><\/blockquote>\n<p>Browsing the Internet doesn't seem to help at first glance. The first <a href=\"https:\/\/answers.microsoft.com\/en-us\/windows\/forum\/windows_10-security-winpc\/what-is-remshexe\/6c7143ea-634d-4758-85b7-32e0fb7e59c2\" target=\"_blank\" rel=\"noopener\">MS Answers forum entry<\/a> I found claimed (incorrectly) that it was malware.<\/p>\n<blockquote><p>What is remsh.exe?<\/p>\n<p>remsh.exe (C:\\Program Files\\rempl\\remsh.exe) tries to access the Internet these days<\/p>\n<p>remsh.exe is signed by Microsoft. It also has high CPU usage and disk writing sometimes.<\/p>\n<p>What is remsh.exe? What is it for?<\/p><\/blockquote>\n<p>Also <a href=\"https:\/\/answers.microsoft.com\/en-us\/windows\/forum\/windows_10-files-winpc\/update-with-remshexe-seems-suspicious\/1fc2f5b5-2568-4d73-9387-28e0ce81b82e\" target=\"_blank\" rel=\"noopener\">this Microsoft Answers forum thread<\/a> seems to point in the same direction \u2013 note the answer of the Microsoft employee. And <a href=\"https:\/\/answers.microsoft.com\/en-us\/windows\/forum\/windows_10-performance\/windows-task-wakes-up-computer\/c11c1c0c-6d4d-4f96-bfc1-78324d8c19bf\" target=\"_blank\" rel=\"noopener\">here<\/a> we have a discussion noting that <em>Rempl<\/em> triggers a daily task.<\/p>\n<h2>Could REMSH.exe be malware?<\/h2>\n<p>The first question to check would be: Is <em>remsh.exe<\/em> malware or something from Microsoft? Checking several forum entries, I found that the file is located in the path:<\/p>\n<p><em>C:\\Program Files\\rempl\\<\/em><\/p>\n<p>as mentioned above. And the user cited above wrote that the program tries to connect to a Microsoft Azure server. So it seems that the program is legit. But checking some test machines with Windows 10, I wasn't able to find this file. 
This triggers fears that it could be malware.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" src=\"https:\/\/i.imgur.com\/ncILmnG.jpg\" alt=\"REMSH.exe\" width=\"388\" height=\"276\" \/><\/p>\n<p>The best thing to do in such a case: Right-click the file, select <em>Properties<\/em> and check the <em>Digital Signatures<\/em> property page. <a href=\"https:\/\/answers.microsoft.com\/en-us\/windows\/forum\/windows_10-security-winpc\/what-is-remshexe\/6c7143ea-634d-4758-85b7-32e0fb7e59c2\" target=\"_blank\" rel=\"noopener\">Here<\/a> I found a user who posted the screenshot shown above. The file has been digitally signed by Microsoft, so it's not malware.<\/p>\n<blockquote><p>What you should also do: Upload the file to <a href=\"https:\/\/www.virustotal.com\/#\/home\/upload\" target=\"_blank\" rel=\"noopener\">VirusTotal<\/a> and have it checked for malware.<\/p><\/blockquote>\n<h2>But what is REMSH.exe?<\/h2>\n<p>The remaining question is: Why is <em>REMSH.exe<\/em> present only on some machines, and is there an explanation of what the file is for? Searching the web for the file name brought me to Microsoft's KB article <a href=\"https:\/\/support.microsoft.com\/en-us\/help\/4023057\/windows-10-versions-1507-1511-1607-update-reliability-october-26-2017\" target=\"_blank\" rel=\"noopener\">4023057<\/a>, which gives us a clue. At the time this blog post was written, KB4023057 was titled <em>Update to Windows 10 Versions 1507, 1511, and 1607 for update reliability: November 2, 2017<\/em>. Microsoft says:<\/p>\n<blockquote><p>This update includes reliability improvements that affect the update components in Windows 10 Versions 1507, 1511, and 1607.<\/p>\n<p>This update includes files and resources that address issues that affect the update processes in Windows 10. 
These improvements ensure that quality updates are installed seamlessly to improve the reliability and security of Windows 10.<\/p>\n<p>Only certain builds of Windows 10 Versions 1507, 1511, and 1607 require this update. Devices that are running those builds will automatically get the update downloaded and installed through Windows Update.<\/p><\/blockquote>\n<p>And there I found a mention of <em>Remsh.exe<\/em>:<\/p>\n<table border=\"1\" width=\"628\" cellspacing=\"0\" cellpadding=\"1\">\n<tbody>\n<tr>\n<td valign=\"top\" width=\"127\"><strong>File name<\/strong><\/td>\n<td valign=\"top\" width=\"171\"><strong>File version<\/strong><\/td>\n<td valign=\"top\" width=\"117\"><strong>File size<\/strong><\/td>\n<td valign=\"top\" width=\"114\"><strong>Date<\/strong><\/td>\n<td valign=\"top\" width=\"97\"><strong>Time<\/strong><\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"134\">Remsh.exe<\/td>\n<td valign=\"top\" width=\"175\">10.0.14393.1273<\/td>\n<td valign=\"top\" width=\"116\">707,064<\/td>\n<td valign=\"top\" width=\"112\">29-Sep-2017<\/td>\n<td valign=\"top\" width=\"102\">03:28<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>The file version given in the table above may vary. But we now have a firm explanation for our questions. First of all, the file may be found on 'certain builds of Windows 10 Versions 1507, 1511, and 1607 [that] require this update'. And it addresses issues that affect the update processes in Windows 10. I hope this has shed some light on this topic.<\/p>\n<p>Addendum: Parts of <em>remsh.exe<\/em> have been replaced; see also my remarks in the blog post\u00a0<a href=\"https:\/\/borncity.com\/win\/2018\/09\/09\/windows-10-update-kb4023057-released-sept-6-2018\/\" rel=\"bookmark\">Windows 10: update KB4023057 released (Sept. 6, 2018)<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]Recently I stumbled over a question in a German forum asking what the file REMSH.exe is for. 
Here is some information I found after investigating this question.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[1130,194],"class_list":["post-4184","post","type-post","status-publish","format-standard","hentry","category-windows","tag-remsh-exe","tag-windows"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/4184","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=4184"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/4184\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=4184"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=4184"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=4184"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}