svchost.exe -> explorer.exe on win10

When Windows Explorer is killed on Windows 10 and then manually relaunched from an elevated process, it is not started directly by that elevated parent. Instead a temporary scheduled task, C:\Windows\Tasks\CreateExplorerShellUnelevatedTask.job (its definition is shown below), is registered, and the Task Scheduler service, which runs inside svchost.exe, starts explorer.exe about 5 seconds later. So seeing explorer.exe with svchost.exe as its parent does not necessarily mean malware; the benign case is C:\Windows\explorer.exe /NOUACCHECK launched by the svchost.exe instance that hosts the Schedule service.

There is additional information in this thread explaining that this is a deliberate mechanism to avoid spawning an elevated Explorer process: the task runs with RunLevel LeastPrivilege under the interactive user's token (see the Principal below), so the new shell comes up unelevated even though it was requested from an elevated process.

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Author>ExplorerShellUnelevated</Author>
    <URI>\CreateExplorerShellUnelevatedTask</URI>
  </RegistrationInfo>
  <Triggers>
    <RegistrationTrigger id="CreateExplorerShell_Trigger">
      <Enabled>true</Enabled>
      <Delay>PT0S</Delay>
    </RegistrationTrigger>
  </Triggers>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <Duration>PT10M</Duration>
      <WaitTimeout>PT1H</WaitTimeout>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>
    <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT72H</ExecutionTimeLimit>
    <Priority>6</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\explorer.exe</Command>
      <Arguments>/NOUACCHECK</Arguments>
    </Exec>
  </Actions>
  <Principals>
    <Principal id="Author">
      <UserId>xxxxxxxxxx\user</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
</Task>
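The following is an added example, not code from the original post: a small Python check that encodes the properties of the task above (the URI, the single RegistrationTrigger, the single Exec action running C:\Windows\explorer.exe /NOUACCHECK, and the LeastPrivilege InteractiveToken principal) so that a detection which alerts on task creation under C:\Windows\Tasks can suppress this known-good case and still fire on anything that deviates. It assumes the task XML is available as text or bytes, for example from schtasks /query /xml or from the TaskContent field of Security event 4698; the look-alike task in the block is constructed for contrast and is not a real sample.

```python
"""Added example (not code from the post): decide whether a Task Scheduler XML
definition is the benign CreateExplorerShellUnelevatedTask shown above, so a rule
alerting on task creation (Security event 4698 carries the task XML in its
TaskContent field) can suppress the Explorer relaunch and still fire on look-alikes."""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Task definition quoted from the post (Settings block omitted, principal anonymised).
BENIGN_TASK_XML = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Author>ExplorerShellUnelevated</Author>
    <URI>\CreateExplorerShellUnelevatedTask</URI>
  </RegistrationInfo>
  <Triggers>
    <RegistrationTrigger id="CreateExplorerShell_Trigger">
      <Enabled>true</Enabled>
      <Delay>PT0S</Delay>
    </RegistrationTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\explorer.exe</Command>
      <Arguments>/NOUACCHECK</Arguments>
    </Exec>
  </Actions>
  <Principals>
    <Principal id="Author">
      <UserId>xxxxxxxxxx\user</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
</Task>
"""

# Constructed look-alike (not a real sample): same task name, but it starts a copy of
# explorer.exe from a user-writable path at every logon instead of once at registration.
LOOKALIKE_TASK_XML = (
    BENIGN_TASK_XML
    .replace('<RegistrationTrigger id="CreateExplorerShell_Trigger">', "<LogonTrigger>")
    .replace("</RegistrationTrigger>", "</LogonTrigger>")
    .replace(r"C:\Windows\explorer.exe", r"C:\Users\Public\explorer.exe")
)


def load_task(task_xml):
    """Parse task XML given as bytes (UTF-16 file from schtasks /query /xml) or as str
    (e.g. TaskContent from an event record). ElementTree refuses a str that declares a
    multi-byte encoding, so the XML declaration is dropped before parsing a str."""
    if isinstance(task_xml, str):
        task_xml = re.sub(r"^\s*<\?xml[^>]*\?>", "", task_xml, count=1)
    return ET.fromstring(task_xml)


def _text(node, path):
    child = node.find(path, TASK_NS)
    return (child.text or "").strip() if child is not None else ""


def check_explorer_unelevated_task(task_xml):
    """Return the list of deviations from the benign profile; an empty list means the
    definition is the Explorer relaunch task and the alert can be suppressed."""
    root = load_task(task_xml)
    problems = []
    if _text(root, "t:RegistrationInfo/t:URI") != r"\CreateExplorerShellUnelevatedTask":
        problems.append("unexpected task URI")
    # The real task fires once, at registration, and never again.
    triggers_node = root.find("t:Triggers", TASK_NS)
    triggers = [] if triggers_node is None else [t.tag.rsplit("}", 1)[-1] for t in triggers_node]
    if triggers != ["RegistrationTrigger"]:
        problems.append(f"trigger set is not a single RegistrationTrigger: {triggers}")
    # Exactly one action: Explorer from the Windows directory with /NOUACCHECK, as in the post.
    execs = root.findall("t:Actions/t:Exec", TASK_NS)
    if len(execs) != 1:
        problems.append(f"expected one Exec action, found {len(execs)}")
    else:
        command = _text(execs[0], "t:Command").strip('"')
        if command.lower() != r"c:\windows\explorer.exe":
            problems.append(f"command is not C:\\Windows\\explorer.exe: {command}")
        if _text(execs[0], "t:Arguments").upper() != "/NOUACCHECK":
            problems.append("arguments are not /NOUACCHECK")
    # Interactive user at least privilege: that is the whole point of the mechanism.
    principals = root.findall("t:Principals/t:Principal", TASK_NS)
    if len(principals) != 1:
        problems.append(f"expected one Principal, found {len(principals)}")
    else:
        if _text(principals[0], "t:RunLevel") != "LeastPrivilege":
            problems.append("RunLevel is not LeastPrivilege")
        if _text(principals[0], "t:LogonType") != "InteractiveToken":
            problems.append("LogonType is not InteractiveToken")
    if _text(root, "t:Settings/t:Hidden").lower() == "true":
        problems.append("task is hidden")
    return problems
```

Call check_explorer_unelevated_task() on the task XML: an empty list is the benign relaunch task, anything else lists the deviations (for the constructed look-alike above, a LogonTrigger instead of a RegistrationTrigger and a command outside C:\Windows). A task that merely reuses the CreateExplorerShellUnelevatedTask name is therefore not enough to get suppressed.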

A couple of interesting MD5 hashes

d41d8cd98f00b204e9800998ecf8427e

  • the MD5 of an empty (zero-byte) file; a match means the file has no content at all

4a587187d760161311010b03417b3c3f

  • scs[digits].tmp 2,686 bytes – created by ntvdm.exe; omnipresent on some older images

71f4b39c5eb73df738ad3e0dacd89057

  • scs[digits].tmp 1,670 bytes – created by ntvdm.exe; omnipresent on some older images

754037e7be8f61cbb1b85ab46c7da77d

  • the RC4 key used by Andromeda; it is the MD5 of the string ‘go fuck yourself’

cdc47d670159eef60916ca03a9d4a007

  • the MD5 shared by two colliding files, hello.exe and erase.exe, a demonstration of an MD5 collision

da5c61e1edc0f18337e46418e48c1290

  • a similar collision applied to Linux files

a25f7f0b29ee0b3968c860738533a4b9

  • another MD5 collision: letter_of_rec.ps and order.ps

If you know any other interesting hashes, please let me know.