Intel, that's who - it's part of an old version of their PROSet software. But I had a frightening time drawing that conclusion.
I was recently trying to make sure I knew what all the processes running on my laptop were doing to check that I hadn't picked up any malware. I didn't have any reason to suppose that anything evil was lurking on my system, but it doesn't hurt to check.
I found a program called RegSrvc.exe running as SYSTEM whose purpose was unclear to me. According to netstat it wasn't listening for incoming connections on any network ports. Sysinternals' excellent Process Explorer utility concurred. It also indicated that it seemed to be using a bizarre and cryptic set of resources, events, handles and so on. It wasn't obvious what it was doing, and running it through depends to work out what kinds of things it did wasn't very illuminating either. The file version information claimed that the code was written by Intel, but gave no clues as to what it did, or why it might be in the c:\WINDOWS\SYSTEM32 directory.
Then I googled for info on RegSrvc.exe. The results were initially rather alarming - almost every hit was for discussions of hijacked computers. So I thought that perhaps I had been compromised. However, on closer inspection, none of these threads seemed to be discussing RegSrvc.exe itself. The threads all simply contained a list of what processes were running on the machine, usually because someone had asked to see that in order to help diagnose a problem. (This is a problem when googling for exe-specific problems these days - you tend to get an awful lot of false positives caused by these diagnostic lists.)
I did find one thread on Usenet discussing RegSrvc.exe. But it simply consisted of a lone voice asking what the program did, followed up by the same person asking why nobody seemed to know what it did... (And a couple of people offering non-helpful replies.)
So I asked around to see if any of my acquaintances knew what it did - no joy. I also asked around to see if anyone else had it on their machines. Again, nothing - and that made me a bit suspicious... (Particularly since one of the people I asked had a laptop that is nearly identical to mine.)
Then I had a look through the strings embedded in the executable, and noticed that it had a load of COM registration stuff in there - it looks like it's an ATL COM server that has been installed to run as a service. So I tried firing up OLEVIEW to see if it had a type library, and indeed it did.
What I saw terrified me. This program exposes a COM class that provides various methods to read and modify the registry, and also to perform a couple of driver installation tasks, if the names of the methods are anything to go by. And this thing is set up to run as the local SYSTEM account! I was pretty worried at this point - what business would any legitimate application have in installing a scriptable COM component that enables highly-privileged access to the registry and the ability to install device drivers? And why would it put it in the SYSTEM32 directory, giving it a name that looks kind of reminiscent of some of the system programs that live in there, and with no indication of where it came from?
It was around this time that I disabled the service...
I dug around some more in the registry to see if anything else pointed to the program. And it did - there was the usual trail left by a Windows Installer msi-based installation. And it was in this trail that it became clear that Intel PROSet was claiming ownership of RegSrvc.exe.
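The manual triage above (who the service runs as, what it listens on, what the file says about itself, whether it is a registered COM server, and which installed product claims the executable) can be scripted. The following PowerShell is an added example, not code from the original post or from Intel; it takes the service name RegSrvc from the post as its default, assumes PowerShell 5.1 or later on Windows with the NetTCPIP module present for Get-NetTCPConnection, and relies on the documented per-machine layout of Windows Installer's component and product data under HKLM. Run it from an elevated prompt so the installer data and socket table are fully readable.

```powershell
# Added example (not from the original post): automate the post's triage of an
# unknown Windows service. Assumes PowerShell 5.1+ on Windows; the service name
# defaults to the one the post investigates.
param([string]$ServiceName = 'RegSrvc')

# 1. Service record: the account it runs as, its state, and its command line.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "No service named '$ServiceName'" }

# PathName may be quoted and may carry arguments; keep only the executable.
$exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] }
       elseif ($svc.PathName -match '^(\S+)') { $Matches[1] }
       else { $svc.PathName }

# 2. What the file claims about itself, and whether a signature vouches for it.
$ver = (Get-Item -LiteralPath $exe).VersionInfo
$sig = Get-AuthenticodeSignature -LiteralPath $exe

# 3. Listening TCP sockets owned by the service process (only if it is running).
$listen = @()
if ($svc.ProcessId) {
    $listen = Get-NetTCPConnection -OwningProcess $svc.ProcessId -State Listen -ErrorAction SilentlyContinue |
              ForEach-Object { "$($_.LocalAddress):$($_.LocalPort)" }
}

# 4. COM registration: an ATL service registers an AppID whose LocalService value
#    names the service; CLSIDs that reference that AppID are the exposed classes.
$appIds = Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\AppID' -ErrorAction SilentlyContinue |
    Where-Object { (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).LocalService -eq $ServiceName } |
    ForEach-Object { $_.PSChildName }
$clsids = @()
if ($appIds) {
    $clsids = Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        Where-Object { $appIds -contains (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).AppID } |
        ForEach-Object { $_.PSChildName }
}

# 5. Windows Installer trail: per-machine component records store, under each
#    component, one value per owning product ("squished" product GUID as the
#    value name) whose data is the component's key path, i.e. the installed file.
$userData = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18'
$leaf = Split-Path -Path $exe -Leaf
$owners = foreach ($comp in Get-ChildItem "$userData\Components" -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty -Path $comp.PSPath
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -match '^[0-9A-F]{32}$' -and "$($p.Value)" -like "*\$leaf") {
            $name = (Get-ItemProperty "$userData\Products\$($p.Name)\InstallProperties" `
                        -ErrorAction SilentlyContinue).DisplayName
            [pscustomobject]@{ ProductCode = $p.Name; Product = $name; KeyPath = $p.Value }
        }
    }
}

# 6. One summary object; pipe to Format-List for reading.
[pscustomobject]@{
    Service     = $svc.Name
    RunsAs      = $svc.StartName
    State       = $svc.State
    Executable  = $exe
    Company     = $ver.CompanyName
    Description = $ver.FileDescription
    Signature   = $sig.Status
    Signer      = $sig.SignerCertificate.Subject
    Listening   = $listen -join ', '
    ComAppIDs   = $appIds -join ', '
    ComCLSIDs   = $clsids -join ', '
    InstalledBy = ($owners | ForEach-Object { $_.Product }) -join ', '
}
```

The InstalledBy field is the scripted equivalent of the registry trail the post describes: a product name there means an MSI package claims the file and uninstalling that product should remove the service, whereas an empty field combined with an unsigned binary in SYSTEM32 running as SYSTEM is exactly the pattern that makes a legitimate component look like malware.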
So I tried uninstalling PROSet. Lo and behold, it removed the RegSrvc service, and scheduled the exe for deletion on the next reboot. I heaved a sigh of relief at this point. Apparently it's not malware - it's just legitimate code from Intel that's doing a remarkably good job of looking like malware. (And it turns out that the reason the friend with the near-identical laptop didn't have this service is that his laptop doesn't have the Intel wireless - he has the alternative non-Centrino wifi.)
I'm not sure what PROSet was actually doing for me. My wireless networking seems to be working just fine without the service so far. (And my ethernet card isn't an Intel one in this laptop.) So unless I find a good reason to, I won't be rushing to install the latest version...
Many thanks to Dominick Baier for his helpful suggestions, and to Richard Blewett for his invaluable advice on BlueTooth mouse battery management.