Advice Request taskhostw.exe trying to connect through Windows Firewall - Is it Malware?

Please provide comments and solutions that are helpful to the author of this topic.

DDE_Server

Level 22
Thread author
Verified
Top Poster
Well-known
Sep 5, 2017
1,168
hi guys when i installed WFC the early of this week
there were notification pop up for the process Taskhostw.exe trying to connect the internet
i found the process is digitally signed by Microsoft Coorporation however i read on the internet it may be a Trojan and legit process is without letter "W" so my be may malware injection occur and use svchost.exe to try to connect to the internet
as you could see from process explorer screenshot below"
1582894783814.png

i submitted the process executable to virustotal but no engine detected it so i wander if anyone has knowledge about this issue
here is the article i found
 
  • Like
Reactions: stefanos

Ink

Administrator
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
It's probably not malware in your case.

The processes in the link above show no information under the Description column, although this does not determine if a process is malware or not, it's something to observe.

Small differences make a big difference.
 

DDE_Server

Level 22
Thread author
Verified
Top Poster
Well-known
Sep 5, 2017
1,168
It's probably not malware in your case.

The processes in the link above show no information under the Description column, although this does not determine if a process is malware or not, it's something to observe.

Small differences make a big difference.
there was a talk on one of the microsoft threads that it may differe in the footprint of registry enteries created
here is the Quote:
I have now looked around more, and I do see many saying that malware does use the very same name, with the w. But it also gave sized of the correct file and the malware one, and the malware is much larger than the correct file.







It listed three varying sizes for the correct file:



•71,792 bytes

•71,280 bytes

•71,848 bytes.



And it said the malware by the same name in a subfolder in Program Files is 1,113,088 bytes. And the malware file by the same name in a subfolder in the user profile folder is 1,3792,328 bytes.



Mine doesn't match any of those numbers! Mine comes in at:



•Size: 87,904 bytes

•Size on disk: 90,112 bytes



So, since there are so many subfolders on my computer in the specified locations for the malware, I decided to just take the advice and run Malwarebytes -- I got the free, 14-day trial and ran it.



Malwarbytes did not produce any notice about taskhostw.exe. So, I guess mine cleared that hurdle and is probably the correct one.



So, I now have what I think is a better approach to stop this notice than fully turning off that function, which is supposed to be designed to avoid ransomware. You do not have to turn it off, you can selectively protect a folder or file, in this case a file. I have done that on my computer now. To do that:



•Open Windows Defender

•Go to the "Virus & threat protection" page

•At bottom of that page, click into "Ransomware protection"



•On the "Ransomware protection" page, toward the bottom, under "Controlled folder access," select the second option: "Allow an app through controlled folder access"

•Now navigate to and select the correct taskhostw.exe file at:



C:\Windows\System32\taskhostw.exe



Once selected, it will be added to a list of protected files and you should not get that message any more -- and I presume if you do start getting it again, that would be because you then have gotten the real malware file, so good thing you stopped this selectively instead of turning the entire function off!



(Malwarebytes did find a number of things it questioned and left it to me to decide -- I hate that, how am I supposed to know! Anyway, I did know one was fine, but the others I could not tell, but the names left me wondering if yes, they are a problem, even though Windows Defender has not identified them as a problem. So, I quarantined them. I restarted, tested a couple applications to see if they would still open after that, but I will just have to await the test of time, I suppose -- but better delete them or restore them before the 14-day trial end.)

The link: taskhostw.exe on windows 10
@security123 from where you inserted this quote
 
Last edited:

DDE_Server

Level 22
Thread author
Verified
Top Poster
Well-known
Sep 5, 2017
1,168
the "S' is missing in the last word ;)
It's probably not malware in your case.

The processes in the link above show no information under the Description column, although this does not determine if a process is malware or not, it's something to observe.

Small differences make a big difference.
 

DDE_Server

Level 22
Thread author
Verified
Top Poster
Well-known
Sep 5, 2017
1,168
taskhostw.exe runs tasks, any task, it could be a fileless malware for all I know.
When you point at it, it should show, what tasks it is running at the moment.
yes it has a task assigned for it:
i am notice now it became 2 process for TaskhostW:
one is Wini cash task object and the other one is Diagnostic infrastructure handler
:unsure: :unsure: maybe @Umbra or @Andy Ful has any idea ?
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
The services started via scheduled tasks by EXE files can be seen in Task Manager under their own names. Some applications can use services loaded from DLLs and they are hosted by a special executable taskhostw.exe. For example, on my computer, there is one instance of taskhostw.exe that hosts two DLLs: Microsoft PlaySound and Wininet Cache. They were started by the command-line:
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

If the service loaded from DLL requires the Internet connection, then this will be seen as a taskhostw.exe entry. So, normally there will be nothing malicious.
Simply check on VirusTotal if the taskhostw.exe that tries to connect is safe (if not then it will usually have non-system path). Next, the DLLs related to services hidden under the taskhostw.exe should be examined.(y)
 
Last edited:

DDE_Server

Level 22
Thread author
Verified
Top Poster
Well-known
Sep 5, 2017
1,168
The services started via scheduled tasks by EXE files can be seen in Task Manager under their own names. Some applications can use services loaded from DLLs and they are hosted by a special executable taskhostw.exe. For example, on my computer, there is one instance of taskhostw.exe that hosts two DLLs: Microsoft PlaySound and Wininet Cache. They were started by the command-line:
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

If the service loaded from DLL requires Internet connection, then this will be seen as a taskhostw.exe entry. So, normally there will be nothing malicious.
Simply check on VirusTotal if the taskhostw.exe that tries to connect is safe. Next the DLLs related to services hidden under the taskhostw.exe should be examined.(y)
i checked the process lie you said and it is safe also the tasks related to it is the same as yours but there is no any DLL related to it listed in process explorer so it is somehow hidden or protected :unsure::unsure: may i try to elevate running Process Explorer as an administrator and see again
Thank Andy for your reply :)
Edit : i have an additional one related to task called : Diagnostic infrastructure handler
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top