AtlBo

> Should I whitelist dismhost.exe?

I've been trying to get answers to this for years. I think one of the primary uses is for preparing and deploying images. However, I found a video that shows how it is used to move images across a network also. This sounds dangerous to me, so I wanted to shut it down. Then I realized that the reason it activates on this system is that Comodo Programs Manager is invoking it for some reason. Think it has something to do with a feature that doesn't work any more in CPM.

If you can determine what invokes dismhost.exe, you can get to the bottom of why. Apart from image deployment, I believe it is also associated with various repair tasks in newer versions of Windows. It worries me having it blocked, so I have set it in Private Firewall to ask, and then I choose not to remember when I allow it to run. So far so good as it only runs when CPM opens.

Here you can see the video on YT about this process if you have an opportunity:


Seems to me something a hacker could use, but I would like to hear from someone who knows more about the process.
 

Av Gurus

This is on Windows 10 x64 OS.
It happens when my system is idle (I was not near the PC for 10-15 min).
Probably something in the OS triggers that (Maintenance or similar).
 

shmu26

> This is on Windows 10 x64 OS.
> It happens when my system is idle (I was not near the PC for 10-15 min).
> Probably something in the OS triggers that (Maintenance or similar).

Correct, Windows uses it for certain maintenance tasks.
You can manually create a whitelisted command line, just go to that tab and right-click and choose create command line. Take the details from the blocked list, and replace the random characters with an asterisk.
 
509322

dismhost.exe is used by cleanmgr and Windows automatic maintenance to remove temporary data from the system.

It is a legitimate, safe part of Windows 7, 8, and 10.

On all three it executes from AppData.

dismhost.exe executes as a process with the local user's privileges typically within the context of its parent cleanmgr.exe (Disk Space Cleanup Manager for Windows by Microsoft). The assembly utilizes the .NET run-time framework (which is required to be installed on the PC).

In a nutshell, it is Windows' own way of cleaning itself.

* * * * *

dism.exe is not dismhost.exe; two completely different processes.
 

AtlBo

> This is on Windows 10 x64 OS.
> It happens when my system is idle (I was not near the PC for 10-15 min).
> Probably something in the OS triggers that (Maintenance or similar).

Sounds correct.

> In a nutshell, it is Windows' own way of cleaning itself.

Just remembered that I also get a dismhost.exe Private Firewall pop up when cleanmgr runs. I set it up on a schedule to clean temp files. Thanks for the information.

Looking at the video, activity from dismhost appears to be mostly done via command line, so NVT should catch any potentially malicious instances in a recognizable way. At least in W7, it does seem to me that dismhost could potentially be used maliciously without proper monitoring of command line operations.

Just installed NVT. Seems the devs have managed to incorporate configurability that VoodooShield devs haven't yet. Running batch files on a schedule that reference other batch files to create a command line event leads to a block for each instance of the event with VS (in the free version). This is with all instances of each specific command line whitelisted. The same scenario with NVT does not produce blocks/pop ups. Thanks to the devs of NVT.
 

blueblackwow65

Hi, how much does this differ from Secure?
Is this also like VoodooShield?
Out of the three, which is more reliable?
 

509322

A Windows task named "SilentCleanUp" can be used to bypass UAC and use Dismhost.exe to perform dll hijacking.

It is unlikely. Microsoft has been aware of it and does not even classify it as a security vulnerability.

The solution is to un-tick the run with highest privileges of "SilentCleanUp" in Task Scheduler.
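
The Task Scheduler change described above, as an added PowerShell example that is not from the post: it reports whether "Run with highest privileges" is ticked on the task and can un-tick it. The task path `\Microsoft\Windows\DiskCleanup\` (the stock location) and running from an elevated prompt are assumptions.

```powershell
# Added example, not from the thread.
# Assumes the stock task location and an elevated PowerShell prompt.
$TaskPath = '\Microsoft\Windows\DiskCleanup\'
$TaskName = 'SilentCleanup'

function Get-SilentCleanupStatus {
    $task = Get-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName -ErrorAction Stop
    [pscustomobject]@{
        TaskName = $task.TaskName
        State    = $task.State
        # 'Highest' = "Run with highest privileges" ticked; 'Limited' = un-ticked
        RunLevel = $task.Principal.RunLevel
        Actions  = ($task.Actions |
                    ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    }
}

function Set-SilentCleanupLimited {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $task = Get-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName -ErrorAction Stop
    # Only touch the task if the box is currently ticked.
    if ("$($task.Principal.RunLevel)" -ne 'Limited' -and
        $PSCmdlet.ShouldProcess("$TaskPath$TaskName", 'Set RunLevel to Limited')) {
        $task.Principal.RunLevel = 'Limited'
        Set-ScheduledTask -InputObject $task | Out-Null
    }
    # Re-read the task so the caller sees the resulting state.
    Get-SilentCleanupStatus
}

Get-SilentCleanupStatus              # audit only
# Set-SilentCleanupLimited -WhatIf   # preview the change
# Set-SilentCleanupLimited           # apply it
```

Re-running `Get-SilentCleanupStatus` later confirms that the setting has not been changed back.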
 

Av Gurus

> Correct, Windows uses it for certain maintenance tasks.
> You can manually create a whitelisted command line, just go to that tab and right-click and choose create command line. Take the details from the blocked list, and replace the random characters with an asterisk.

Will try something when I come back home from work... after 23h.
Thanks
 

Av Gurus

> Correct, Windows uses it for certain maintenance tasks.
> You can manually create a whitelisted command line, just go to that tab and right-click and choose create command line. Take the details from the blocked list, and replace the random characters with an asterisk.

You mean like this?
Clipboard01.jpg Clipboard02.jpg
 

AtlBo

> You mean like this?

I think you can use a single * for wildcarding, but I am sure someone can verify. I think it would work that way, anyway.

I get how this works a little bit. Going from what I have seen with PF, I believe Dismhost.exe creates a new instance in a new folder of itself every time it runs. The wild card will guarantee that it will run from any folder in temp, no matter the name.

I have this problem with Private Firewall. Every time Dismhost runs, PF thinks it is a different process by the same name, because it's always in a different location (folder name is different). I end up with a dozen versions listed in the PF processes rules dialog and then have to delete them all. No matter what, Dismhost will start a new dialog next time, anyway.

Think I will create a rule and try wild carding with PF and NVT, but I don't really want to allow Dismhost.exe, actually. It's a process I want to keep an eye on. Because I want to keep an eye on it, I have in the past gone to just allowing it for cleanmgr and Comodo Programs Manager each time they run and then declining the option to save the choice in the rules settings. :rolleyes: What I would really like is a pop up every time from NVT and then to just blanket allow with PF. No idea if PF supports wildcarding with created rules, so this should be fun. :)

Question about pop ups and timers. I would really like to make every decision (using the default settings), so I would like a pop up for each process that is not default allowed. I think I am correct that Alert Mode will perform this way. However, I am not certain of the timer. First, is the balloon tip timer referring to the amount of time a "choice" pop up will stay visible? I'm not sure what NVT means by "Balloon tip" as mentioned in the settings. Anyway, what I want is for the large "choice" pop ups to be present until a choice is made, regardless of how much time passes.
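
The wildcard rule discussed in this thread, as an added example that is not from any poster or from NVT ERP: it compares a rule with the random folder name replaced by `*` against a stricter pattern. The user name, paths and GUID-shaped folder names are constructed, and PowerShell's `-like` stands in for the product's own matcher, whose wildcard semantics may differ.

```powershell
# Added example. All paths and GUIDs below are constructed sample data.
$TempDir = 'C:\Users\alice\AppData\Local\Temp'

# Rule as built in the thread: the random folder name replaced by an asterisk.
$LooseRule = "$TempDir\*\dismhost.exe*"

# Stricter check. Assumption: the per-run folder is GUID-shaped, sits directly
# under the user's Temp folder, and the only argument is one optional {GUID}.
$Guid = '[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}'
$StrictRegex = '^' + [regex]::Escape($TempDir) + '\\' + $Guid +
               '\\dismhost\.exe( \{' + $Guid + '\})?$'

function Test-DismhostCommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)
    [pscustomobject]@{
        CommandLine = $CommandLine
        LooseRule   = $CommandLine -like  $LooseRule    # glob: * also spans "\"
        StrictRule  = $CommandLine -match $StrictRegex  # anchored, one folder deep
    }
}

# Constructed command lines: two in the expected shape, one nested deeper
# under Temp with extra arguments, one outside Temp entirely.
$Samples = @(
    "$TempDir\3F2504E0-4F89-41D3-9A0C-0305E82C3301\dismhost.exe {7C9E6679-7425-40DE-944B-E07FC1F90AE7}"
    "$TempDir\9B1DEB4D-3B7D-4BAD-9BDD-2B0D7B3DCB6D\dismhost.exe"
    "$TempDir\unpacked\tool\dismhost.exe /quiet"
    'C:\Users\alice\Downloads\dismhost.exe'
)

$Samples | ForEach-Object { Test-DismhostCommandLine $_ } | Format-Table -AutoSize
```

The third sample passes the loose rule because `*` also matches path separators, while the strict pattern rejects it; the fourth is rejected by both.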
 

shmu26

> I think you can use a single * for wildcarding, but I am sure someone can verify. I think it would work that way, anyway.
>
> I get how this works a little bit. Going from what I have seen with PF, I believe Dismhost.exe creates a new instance in a new folder of itself every time it runs. The wild card will guarantee that it will run from any folder in temp, no matter the name.
>
> I have this problem with Private Firewall. Every time Dismhost runs, PF thinks it is a different process by the same name, because it's always in a different location (folder name is different). I end up with a dozen versions listed in the PF processes rules dialog and then have to delete them all. No matter what, Dismhost will start a new dialog next time, anyway.
>
> Think I will create a rule and try wild carding with PF and NVT, but I don't really want to allow Dismhost.exe, actually. It's a process I want to keep an eye on. Because I want to keep an eye on it, I have in the past gone to just allowing it for cleanmgr and Comodo Programs Manager each time they run and then declining the option to save the choice in the rules settings. :rolleyes: What I would really like is a pop up every time from NVT and then to just blanket allow with PF. No idea if PF supports wildcarding with created rules, so this should be fun. :)
>
> Question about pop ups and timers. I would really like to make every decision (using the default settings), so I would like a pop up for each process that is not default allowed. I think I am correct that Alert Mode will perform this way. However, I am not certain of the timer. First, is the balloon tip timer referring to the amount of time a "choice" pop up will stay visible? I'm not sure what NVT means by "Balloon tip" as mentioned in the settings. Anyway, what I want is for the large "choice" pop ups to be present until a choice is made, regardless of how much time passes.

In alert mode, you will get a pop-up for everything there is no rule for. This is my favorite mode, because I am aware of what is going on and have control over it. Other people like lockdown mode, which is the "shoot now, ask questions later" approach.

In alert mode you can allow a process on a one-time basis, and this way you will get the same pop-up next time. If you accidentally made a permanent rule, and you regret it, you can just delete that rule.

I do remember a setting you can untick, so that the pop-up won't time out, it will stay there on your screen until you make a decision. I don't remember exactly where it is, but look and you will find it.

Another way to get a pop-up every time is to add that process to the vulnerable processes list.
This overrides the whitelist, and you will get a pop up every time, unless you have whitelisted that particular command-line string.
 

Av Gurus

Think that NVT ERP is removing my desktop picture every time I start the PC (have to put it manually every time).
I have set the Picture folder for a slideshow desktop picture every hour, but it is not working.
Clipboard01.jpg
Any idea about that?
 

shmu26

> Think that NVT ERP is removing my desktop picture every time I start the PC (have to put it manually every time).
> I have set the Picture folder for a slideshow desktop picture every hour, but it is not working.
> View attachment 126543
> Any idea about that?

Well, if it was me, and I was confident that my PC is clean, I would put NVT ERP in learning mode, and do a reboot. That should solve the problem without having to dig too deep.

If it doesn't solve it, you can set NVT ERP mode to disabled/permanently, and reboot, see if the problem goes away. If it does, then NVT ERP is not the cause. It's a way to troubleshoot.
 

Av Gurus

Not on my system.

Related to my problem (post above).
I disabled NVT, restarted the PC, and the desktop picture (slideshow every hour) is also not working.
Before the NVT install it was working fine.
Another strange issue: when changing from one mode to another (Alert mode > Lockdown), the PC acts like it is frozen for 1 min, then I get the pop-up for the changed mode (Windows pop-up down at the bottom right of the screen).
 

Mr.X

I guess ERP needs an update to work properly on Windows 10, but since Andreas (developer) dropped the project, I don't see that coming.

I believe the time has come where Windows 10 changes are being incompatible with ERP.
 

shmu26

> Anyone having issues where it doesn't start when logging on?

There is a little bug, that the system tray icon sometimes "disappears". But actually, it doesn't disappear all the way, it just joins the hidden icons that you access by clicking on the little upwards pointing arrow. You can drag it back to where you want it, when this happens. This is a known bug.
This is probably your problem. NVT ERP is starting up, but you don't see the system tray icon.

As regards Windows 10, users have not reported compatibility problems so far.
 

shmu26

> Not on my system.
>
> Related to my problem (post above).
> I disabled NVT, restarted the PC, and the desktop picture (slideshow every hour) is also not working.
> Before the NVT install it was working fine.
> Another strange issue: when changing from one mode to another (Alert mode > Lockdown), the PC acts like it is frozen for 1 min, then I get the pop-up for the changed mode (Windows pop-up down at the bottom right of the screen).

You can uninstall NVT, and choose to save settings. Better yet, before you uninstall, export your settings, just to be safe. Then uninstall, reboot, and see if your issue goes away.

Another thing you could try: put a tick by "allow protected system processes".

Is your picture collection in an unusual location? If so, try moving it to a standard location, like my documents or my pictures, and setting up the slideshow again. There might be some kind of a permissions problem, or maybe another security soft you have installed is treating it as suspicious behavior.
 

Av Gurus

Protected system processes are checked by default (didn't change anything).
My pictures are on the D: drive.
I also have Secure Folders set on that folder to "Read only".

I'm not at home now, will try something tomorrow.
It's not such a big deal and it doesn't matter so much.
 