S4n1mani 0 Posted December 13, 2020 Share Posted December 13, 2020 (edited) Hello, Today i checked my task manager and I found some WmiPrvSE.exe processes. All of them were processes with localisation path "C:\Windows\System32\wbem" except one. One of them had localization path: "C:\Windows\SysWOW64\wbem". I had read that if this is other location than "C:\Windows\System32\wbem" it is very possible that it is a virus or worm etc. Should I be worried or it is normal. Thanks for responses. Edit: I also have more files in this folder that were created one year ago. I think it can be helpful. Edited December 13, 2020 by S4n1mani Link to comment Share on other sites More sharing options...
itman 1,720 Posted December 13, 2020 Share Posted December 13, 2020 Since WmiPrvSE.exe is located in its legit SysWOW64\wbem Windows sub-directory, I would say this is a legit process. You probably have some 32 bit app running that requires it. If you are still concerned, you can always upload WmiPrvSE.exe to VirusTotal for a scan to determine if any of the AV scanners hosted there detect anything. Link to comment Share on other sites More sharing options...
S4n1mani 0 Posted December 13, 2020 Author Share Posted December 13, 2020 To be honest, I heard about this website but I have never read about it. What is this site and how does it work? Thanks for help. Link to comment Share on other sites More sharing options...
itman 1,720 Posted December 13, 2020 Share Posted December 13, 2020 (edited) 26 minutes ago, S4n1mani said: What is this site and how does it work? Here's the link: https://www.virustotal.com/gui/ Click on Chose file tab and navigate to C:\Windows\SysWOW64\wbem directory. Then select WmiPrvSE.exe. Edited December 13, 2020 by itman Link to comment Share on other sites More sharing options...
S4n1mani 0 Posted December 13, 2020 Author Share Posted December 13, 2020 Thanks a lot for help. I went to virustotal and there were 0/70, so I am calm now. I have got one more question if I can ask You, I also found some strange files (for me, I am a little bit paranoic to be honest), the files path:"C:\ProgramData\regid.1991-06.com.microsoft" the files name:"regid.1991-06.com.microsoft.7ee692e9.swidtag" and the second "regid.1991-06.com.microsoft_Windows-10-Home.swidtag". Link to comment Share on other sites More sharing options...
itman 1,720 Posted December 13, 2020 Share Posted December 13, 2020 (edited) 45 minutes ago, S4n1mani said: I have got one more question if I can ask You, I also found some strange files (for me, I am a little bit paranoic to be honest), the files path:"C:\ProgramData\regid.1991-06.com.microsoft" the files name:"regid.1991-06.com.microsoft.7ee692e9.swidtag" and the second "regid.1991-06.com.microsoft_Windows-10-Home.swidtag". Those are related to your MS Office installation: And ..................................................... Quote That folder contains the ISO 19770-2 software tag for Windows, in a swidtag file. Basically, in large organisations (governments, large corporations, etc) it is desirable to use automated tools to take an inventory of all software installed. These swidtag files are XML documents describing some software which is installed. That directory contains the swidtag file for Windows 10 itself. As far as the "regid.1991-06.com.microsoft" goes, that is actually Microsoft's vendor ID under ISO 19770-2. The basic idea was to use reversed DNS domain names, as is commonly used in many other areas (e.g. Java packages). However, the problem is that DNS domains can change ownership over time. So 19770-2 says you should use the year and month in which you registered the domain – microsoft.com was registered in June 1991, so Microsoft's vendor ID is "regid.1991-06.com.microsoft". In the unbelievably unlikely event that Microsoft goes out of business and some new vendor takes over microsoft.com, they'd use a new regid date. (While this is inconceivable for a company with the size and fame of Microsoft, with small vendors it is something which actually can happen.) (Also, according to WHOIS records, microsoft.com was registered in May 1991 not June 1991, so it looks like Microsoft has the wrong date in their regid. Not that it really matters...) https://www.majorgeeks.com/content/page/what_is_regid_1991_06_com_microsoft_and_can_you_delete_it.html BTW - for questions like this, Google search "is your friend." Edited December 13, 2020 by itman Link to comment Share on other sites More sharing options...
S4n1mani 0 Posted December 13, 2020 Author Share Posted December 13, 2020 I found that info about Ms office but I had never installed MS Office on my pc and I found it strange, as you can see, there isn't any regid.***.Microsoft Office files but if You tell it is safe and I have nothing to worry about, It makes me to feel safer. Link to comment Share on other sites More sharing options...
Most Valued Members Nightowl 206 Posted January 4, 2021 Most Valued Members Share Posted January 4, 2021 On 12/14/2020 at 1:14 AM, S4n1mani said: I found that info about Ms office but I had never installed MS Office on my pc and I found it strange, as you can see, there isn't any regid.***.Microsoft Office files but if You tell it is safe and I have nothing to worry about, It makes me to feel safer. Windows will try to download Office files automatically , once you click it I think it will continue downloading , or they will give you a very basic version of it so you will pay for it later. If you are suspicious about specific files you can always upload them to VT or something like this. Link to comment Share on other sites More sharing options...
Recommended Posts