Why is Dism.exe running? Security Quirks

AtlBo

Dec 29, 2014
Been going through a weird series of small probably meaningless events on this Windows 7 64 PC. Not sure what started it all, and I'm not sure if the events are in any way corrected, but I would like to see if I can resolve what's going on.

First I was looking over Private Firewall, and I noticed that I had blanket allowed some programs. It's not a big deal, because they are programs I trust. Well, I had started looking things over, because I ran the malwarebytes exploit test, and Private Firewall did not stop the exploit in the test from starting calc.exe. I saw that calc.exe wasn't listed in Private Firewall, which means there haven't been any alerts, so I assume Private Firewall has whitelisted it and automatically allows the program. That doesn't explain, though, why the exploit got by PF.

Since calc.exe was started by another process during the test, PF should have alerted when I ran the test. OK, I've been through this before, but before I didn't have Private Firewall. Well, I went into PF and that's when I started clamping down on things. I shut down all the blanket allows and set them to "Filter". Eventually, I reran the test, and, somehow PF blocked it. I have no idea how. The test was set to allow, and calc.exe doesn't even exist to PF.

So, anyway, after this I started getting notifications that the AV (360 TS) wants to simulate keystrokes or mouse inputs ("Simulate Inputs" permission). It also wants to monitor keystrokes. 360 has anti-keylogging, so maybe that's what triggered the alerts from PF, or at least the second one.

That doesn't make sense, though, on the first one ("Simulate Inputs"). If this was what was happening, then it would have been only the "Read Keyboard State" permission being requested. Anyway, then I get an alert about fraps. It wants to record keystrokes too. This one can be turned on/off with keystrokes so I guess that's it in that case.

Well, I am now trying to determine what to do about this issue. Whenever I open up the 360 TS menu, I get the alerts. So far I have just unchecked "Remember" and then blocked the behavior each time. What could 360 TS possibly be trying to do by simulating keystrokes or mouse inputs? I'm confused about this.

All this stuff coincides with the sudden appearance of Dism.exe and Dismhost.exe in Task Manager. I hadn't noticed these programs until now, and there hadn't been any alerts about them in PF until tonight. Well, I have been over 4 months on this installation, so I don't understand what this could be. I Googled and learned that these processes have something to do with managing system images. The thing is, I don't even use the Windows back up system and haven't once ever done so. What's going on here?

The final thing that got me to post here was when I noticed that Comodo Programs Manager is being blocked by Private Firewall. I can open CPM just fine, and it will run. But then, if I open the log in PF, I can see PF start to go crazy with spam attempts from CPM to connect. During this time if I close and try to reopen CPM, it will not open, and there is no response from PF. The log spam is to Comodo servers, and I think I know what the rest of it is too. It's CPM trying to add certain live links to Facebook and so on into the program. The part I don't get is that there isn't a single rule for any of this in PF, and I haven't been prompted to block CPM from the internet even once. It's OK, but all of this is just adding up with me.

I think I've just hit some areas of quirkiness in PF and 360 TS, and I don't think there is anything strange going on, but it IS strange that 360 TS wants to simulate keystrokes or mouse inputs. Also, something else testing my patience is that if I block a behavior with PF but do not choose "Remember", then I don't get an alert after a few times of blocking or allowing in this manner. I guess this is something normal in PF, so that a choice without "Remember" checked will last a user session (or a certain amount of time), I don't know. It just has me wanting to get to the bottom of the little things in these programs.

Anybody got any input on the quirks of 360 TS or Private Firewall? Throw dirt please if you have any...

BTW, just started tonight using Malwarebytes Anti-Exploit. In theory, I can't think of a single reason not to use this. Looking forward to seeing how it performs.

Thanks for any input...

jim lin

Aug 6, 2012
Dism.exe and Dismhost.exe

What Is Deployment Image Servicing and Management? <----- (Win 7)

http://technet.microsoft.com/en-us/library/dd744566(v=ws.10).aspx

Deployment Image Servicing and Management (DISM.exe) is a command-line tool that can be used to service a Windows® image or to prepare a Windows Preinstallation Environment (Windows PE) image. It replaces Package Manager (Pkgmgr.exe), PEimg, and Intlcfg that were included in Windows Vista®. The functionality that was included in these tools is now consolidated in one tool (DISM.exe), and new functionality has been added to improve the experience for offline servicing.

Benefits

DISM can be used to service Windows Vista with Service Pack 2 (SP2), Windows Vista with SP1 and Windows Server® 2008. It provides the same functionality that Package Manager provided. DISM provides additional functionality when used with Windows® 7 and Windows Server® 2008 R2.

You can use DISM to:
Add, remove, and enumerate packages.
Add, remove, and enumerate drivers.
Enable or disable Windows features.
Apply changes based on the offlineServicing section of an Unattend.xml answer file.
Configure international settings.
Upgrade a Windows image to a different edition.
Prepare a Windows PE 3.0 image.
Take advantage of better logging.
Service earlier versions of Windows such as Windows Vista with SP2, Windows Vista with SP1 and Windows Server 2008.
Service all platforms (32-bit, 64-bit, and Itanium).
Service a 32-bit image from a 64-bit host, and service a 64-bit image from a 32-bit host. For more information, see the "Limitations" section later this topic.
Make use of old Package Manager scripts.

How Deployment Image Servicing and Management Works
http://technet.microsoft.com/en-us/library/dd799309(v=ws.10).aspx

I would not know why they would be running on a Windows 7 PC, but on Windows 8/8.1 DISM (Deployment Image Servicing) is used after running sfc /scannow: if SFC found something wrong, you would run the DISM commands from an Admin Command Prompt.

But I do not think that Deployment Image Servicing works the same way on Win 7, and I cannot think of why it would be running.

DISM - Fixing Component Store Corruption in Windows 8 <-----(Win 8/8.1)
http://www.eightforums.com/tutorials/26512-dism-fixing-component-store-corruption-windows-8-a.html

:)

James

AtlBo

Dec 29, 2014
James...any idea why these might be running full-time on this PC? Are there programs that activate them? I don't have any scheduled backups...I just occasionally image, which meets my needs for now, but I use a different program than the Windows backup utility...

I looked over all of that information before I posted. I guess I should have mentioned that. During the search across Google, I found very little information on ways Dism is used by developers if there are any...

jim lin

Aug 6, 2012
I'm not sure; I hope others can help out also, as I did not get to use Windows 7 very much since I went to Win 8 instead.

I would look in c:\windows\logs\dism\dism.log and see if you can tell what it is doing, or if there are any new errors there.

I know on Windows 8/8.1 DISM uses Windows PowerShell to run; not sure about Windows 7.

Windows PowerShell
http://en.wikipedia.org/wiki/Windows_PowerShell

What Can I Do With Windows PowerShell?
http://technet.microsoft.com/en-us/library/ee332526.aspx

Just a guess, but have you installed the Microsoft Assessment and Deployment Kit to make a WinPE boot CD?

Some imaging software uses it to make a boot CD for their software to work from, in case you need to boot from it for a reinstall.

:)

James
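As an added illustration of the "look in the log" check suggested above: the script below is my own example and is not from the thread or from Microsoft. It lists the running Dism.exe/DismHost.exe processes with their parent process and Authenticode status (so an unexpected parent or an unsigned binary stands out), and pulls the Error and Warning lines out of a servicing log. The log line layout it parses (timestamp, comma, level, component, message) is my assumption; it matches both dism.log and the CBS\CBS.log that dism.log refers to, so the same function works on either. It also keeps the "Host machine information" line, where DISM records the running architecture under its conventional name "amd64", which is the label for x64 regardless of CPU vendor. Written for Windows PowerShell 2.0 as shipped with Windows 7, hence WMI rather than CIM cmdlets and no Get-Content -Tail.

```powershell
# Added example, not from the thread: enumerate running DISM processes with their
# parent and signature, and extract Error/Warning entries from a servicing log.
# Windows PowerShell 2.0 syntax. Run from an elevated prompt so WMI can read
# every process and the log directory is readable.

function Get-DismProcessInfo {
    # Win32_Process exposes ParentProcessId and CommandLine, which Task Manager
    # on Windows 7 does not show without adding columns.
    $procs = Get-WmiObject Win32_Process -Filter "Name='Dism.exe' OR Name='DismHost.exe'"
    foreach ($p in $procs) {
        $parent = Get-WmiObject Win32_Process -Filter "ProcessId=$($p.ParentProcessId)"
        $parentName = if ($parent) { $parent.Name } else { '<parent already exited>' }
        $sigStatus = 'n/a'
        $signer = 'n/a'
        if ($p.ExecutablePath) {
            $sig = Get-AuthenticodeSignature -FilePath $p.ExecutablePath
            $sigStatus = $sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        New-Object PSObject -Property @{
            Pid         = $p.ProcessId
            Name        = $p.Name
            Path        = $p.ExecutablePath     # expect the copy under %windir%\System32
            Signature   = $sigStatus            # expect Valid with a Microsoft signer
            Signer      = $signer
            ParentPid   = $p.ParentProcessId
            Parent      = $parentName           # what actually launched it
            CommandLine = $p.CommandLine        # the arguments tell you what it was asked to do
        }
    }
}

function Get-ServicingLogIssues {
    param(
        [string]$Path = "$env:windir\Logs\DISM\dism.log",
        [int]$Tail = 5000                       # these logs grow large; look at the recent part
    )
    # Assumed line layout (holds for dism.log and CBS\CBS.log):
    #   2014-11-14 21:15:32, Info   DISM   DISM Provider Store: PID=1234 TID=5678 ...
    $entry = '^(?<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}), (?<level>\w+)\s+(?<comp>\S+)\s+(?<msg>.*)$'
    $lines = Get-Content -Path $Path | Select-Object -Last $Tail
    foreach ($line in $lines) {
        if ($line -notmatch $entry) { continue }    # continuation or blank line
        $ts    = $matches['ts']
        $level = $matches['level']
        $comp  = $matches['comp']
        $msg   = $matches['msg']
        $keep  = ($level -eq 'Error') -or ($level -eq 'Warning') -or ($msg -match 'Host machine information')
        if (-not $keep) { continue }
        # Many entries carry the writer's PID; keep it so it can be matched
        # against the ParentPid/Pid columns from Get-DismProcessInfo.
        $logPid = $null
        if ($msg -match 'PID=(\d+)') { $logPid = [int]$matches[1] }
        New-Object PSObject -Property @{
            Time      = $ts
            Level     = $level
            Component = $comp
            LogPid    = $logPid
            Message   = $msg
        }
    }
}

Get-DismProcessInfo | Format-List Name, Pid, Parent, ParentPid, Path, Signature, Signer, CommandLine
Get-ServicingLogIssues | Format-Table Time, Level, Component, LogPid, Message -AutoSize -Wrap
# Same parser on the CBS log that dism.log points at:
Get-ServicingLogIssues -Path "$env:windir\Logs\CBS\CBS.log" | Group-Object Level | Format-Table Count, Name
```

Reading the output: a DismHost.exe whose parent is Dism.exe, TrustedInstaller.exe or svchost.exe with a valid Microsoft signature is the normal servicing picture; a parent that is a third-party installer or backup tool explains the activity just as well. A parent you do not recognise, an unsigned binary, or a path outside System32 is what would justify digging further.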

AtlBo

Dec 29, 2014
OK, thanks for the info.

I haven't installed MADK. No idea what's going on. Apparently, it has run much more than I thought, going all the way back to 11-14-14.

Looking over the log, I noticed a strange entry. Something about connecting to a host and it even mentions an amd processor with 4 cores. I have no such PC, and none of the PCs here have remote connections turned on. This log is huge on this PC, but I would love to hear an expert's view of what's in it.

Makes me wonder if someone could be using DISM to try to sneak data off the PC. I wouldn't have known if they did. I mean, if it uses svchost to connect or something, I have that set to allow internet connections, because of the system ones.

jamescv7

Mar 15, 2011
DISM.exe is designed for when you are trying to repair any corrupted files from the Windows Store, Windows Update, and especially related Windows system files that need to be restored from an image or mount.

You can go to msconfig and check if it's running from startup, or check for services set to Automatic, which can be put on Manual.
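The msconfig/services check above only covers two of the places Windows 7 launches things from. As an added example (my own script, not from the thread), the function below searches services, the Run/RunOnce keys for the machine, the 32-bit registry view and the current user, and every scheduled task's action for a reference to dism.exe, so a trigger that msconfig does not list still shows up. The registry paths and the schtasks column names ("TaskName", "Task To Run", "Schedule Type") are the standard ones on Windows 7; the match on the substring "dism" is a deliberate wide net. Windows PowerShell 2.0 syntax; run elevated so schtasks enumerates every task.

```powershell
# Added example, not from the thread: find anything configured to launch dism.exe
# on this machine (services, Run/RunOnce keys, scheduled tasks).

function Find-DismLaunchers {
    $hits = @()

    # 1. Services: Win32_Service.PathName is the image path plus its arguments.
    foreach ($svc in (Get-WmiObject Win32_Service | Where-Object { $_.PathName -match 'dism' })) {
        $hits += New-Object PSObject -Property @{
            Source = 'Service'; Name = $svc.Name; Command = $svc.PathName; Trigger = $svc.StartMode
        }
    }

    # 2. Run / RunOnce keys: machine-wide, 32-bit view, and current user.
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }      # PSPath, PSParentPath, ... are provider metadata
            if ([string]$prop.Value -match 'dism') {
                $hits += New-Object PSObject -Property @{
                    Source = 'Run key'; Name = "$key\$($prop.Name)"; Command = $prop.Value; Trigger = 'logon'
                }
            }
        }
    }

    # 3. Scheduled tasks. "schtasks /query /v /fo csv" emits a "Task To Run"
    #    column holding the action command line. A repeated header row (one per
    #    task folder) parses as a task whose fields match nothing, so it is harmless.
    $tasks = schtasks /query /v /fo csv | ConvertFrom-Csv
    foreach ($task in $tasks) {
        if ($task.'Task To Run' -match 'dism') {
            $hits += New-Object PSObject -Property @{
                Source = 'Scheduled task'; Name = $task.TaskName; Command = $task.'Task To Run'; Trigger = $task.'Schedule Type'
            }
        }
    }
    $hits
}

Find-DismLaunchers | Format-Table Source, Name, Trigger, Command -AutoSize -Wrap
```

An empty result means nothing on the box is configured to start DISM on its own, which leaves a parent process that invokes it ad hoc (an installer, an imaging tool, or Windows servicing itself) as the remaining explanation; the process listing from the earlier check is then the thing to watch.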

AtlBo

Dec 29, 2014
Checked msconfig, but it's not set to run or even present. I will take a look at services. I found a reference in DISM log to the CBS log, which I thought was only created on demand with an SFC /Scannow. I guess in Windows 7 these things happen behind the scenes (I was using XP up until last year around October). Anyway, there is a reference to a 4 core amd pc in the CBS log, too. This PC has 2 cores and 2 logical cores, but it's an Intel i3 PC. I am thinking Windows 7 sees the PC as an amd for some reason.

Thanks for your help. I am going to see if I can learn about DISM and SFC in Windows 7...

jim lin

Aug 6, 2012
Do you get any errors when trying to install updates from Windows Update, or do you have Windows Update set to auto update?

(As an example)

Fix Windows corruption errors by using the DISM or System Update Readiness tool
http://support.microsoft.com/kb/947821#manual fix

If you have Windows Update set to auto update, check and make sure that the Microsoft updates are not getting any errors, and that they are not failing and trying to be reinstalled.

Windows 8/8.1 uses Tiworker.exe to install updates in the background when getting updates; not sure what Win 7 uses.

:)

James

AtlBo

Dec 29, 2014
There are pending updates from last month. I tend to wait a month or so and let big business run with the updates before installing them at home. Could this be the reason they are running?

Oh, by the way, there is not a Deployment Imaging and Service Management service listed in the W7 Pro 64 services here. It is a service in one sense, but really only a tool, I believe.

I was just watching this video, and it seems to me this could be very dangerous:



The reason I say so is that if someone could access a PC, they could easily lift an image of the installation on the PC and mount it on their own PC. From there, they could easily view the contents of the drive, and even make changes and redeploy it.

I received the first alerts of dism.exe and dismhost.exe running on this PC from PF yesterday. Today, I have blanket disallowed the tool from functioning. However, it does run from command line. I think PF should still block this.

As I type, the processes are still running. I am waiting to see if it activates at which time I should get an alert from PF I think.
