Windows 7 Forums
Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.


Windows 7: I have a process called cwershnsvc.exe on my computer. What is it?

13 Nov 2017   #1
roma1625

Windows 7 Ultimate N 64-bit
 
 
I have a process called cwershnsvc.exe on my computer. What is it?

It's located in the System32 folder. I Googled it and I got no results. The thing is, something keeps creating items that my virus program and malwarebytes both identify as malware.

Anyway, something keeps creating a folder in Program Files called wddnthu with a couple of executable files in it (wddnthu.exe and sckdllbu.exe), then those exe's start running and try to connect to an internet site, but my virus program stops it from happening. Anyway, I started investigating and saw this process running and thought maybe this is what's causing the problem. Task Manager won't let me stop it.


My System SpecsSystem Spec
.
13 Nov 2017   #2
Ranger4

Windows 7 Home Premium 64 bit sp1
 
 

Will your AV & Malwarebytes isolate & quarantine this item. If they do you should be able to remove it.
My System SpecsSystem Spec
13 Nov 2017   #3
roma1625

Windows 7 Ultimate N 64-bit
 
 

They remove the items that they identify as malware, which are in the wddnthu folder, but then they comes back within a few minutes. So I'm trying to figure out what is making it come back.

So then I started looking at the processes running on my computer and found that cwershnsvc.exe, which I had never seen before. Out of curiosity I tried to stop it and Task Manager wouldn't let me. So then I Googled it and there were no results, so i became suspicious. That's why I'm asking if anybody here knows what it is. My AV and Malwarebytes do not identify it as malware, so maybe it's legit. But I mean, why is there something running on my computer that has no results on Google? Just seems odd to me.
My System SpecsSystem Spec
.

13 Nov 2017   #4
Ranger4

Windows 7 Home Premium 64 bit sp1
 
 

Have you tried Right Clicking on that item in Task Manager & select Open File Location to see where it's located. That might help give you an idea of what it could be.
My System SpecsSystem Spec
14 Nov 2017   #5
roma1625

Windows 7 Ultimate N 64-bit
 
 

It's in C:/Windows/System32

When I try to stop it in Task Manager, it says "Unable to terminate process. Operation could not be completed, Access is denied" with a red x.

I've fooled around with stuff enough to know that you can stop just about any process through Task Manager, so why not this one?
My System SpecsSystem Spec
14 Nov 2017   #6
Layback Bear

Windows 10 Pro. 64/ version 1709 Windows 7 Pro/64
 
 

Check in 'msconfig' and see if their is anything that looks like ' cwershnsvc.exe' under Startup or non Microsoft Services and Microsoft Services.

It would also be a good time to run Microsoft Malicious Software Removal. (MRT)
You can get 'MRT' through Windows Updates or from below.

Download Malicious Software Removal Tool from Official Microsoft Download Center

Jack
My System SpecsSystem Spec
14 Nov 2017   #7
Barman58

Windows 10 Pro x64 x3, Ubuntu
 
 

I Agree with Jack's post above but would suggest you try Autoruns for Windows - Windows Sysinternals | Microsoft Docs as this will show a lot more than MSconfig and will allow you to better tie down the issue.

The main Tab will show everything that is set to start with windows and this can get a little confusing so I also suggest that you go through each of the specific tabs in turn, paying particular attention to the Known Hijacks Tab

It's also a good idea to initially set the option in the menus to hide all microsoft processes, as they are unlikely to be the cause unless malware is pretending to be an MS item
My System SpecsSystem Spec
14 Nov 2017   #8
Megahertz07

Windows 7 HP 64
 
 

Some executable files protect themselves from being turned off or deleted.
Start windows in Safe mode than delete the files.
My System SpecsSystem Spec
14 Nov 2017   #9
roma1625

Windows 7 Ultimate N 64-bit
 
 

"Start windows in Safe mode than delete the files."

I've done that a couple of times that and it come back whenever I reboot. In fact, I noticed that the "Date Modified" on the file changes every time I reboot (to the date/time of reboot). So, in theory at least, it's modifying itself every time the computer boots up. And it regenerates itself if one deletes it.
My System SpecsSystem Spec
14 Nov 2017   #10
Barman58

Windows 10 Pro x64 x3, Ubuntu
 
 

Sounds like it's using some form of Scheduled Task to restart the process. There is a Scheduled Task tab in Autoruns but this type of setup may require specialist assistance as It is often used by Malware, I'm not saying that this is the case here but it's possible.

you could try opening Task Scheduler and dong a search for the cwershnsvc.EXE file and see if you can discover more information.

I'd also try scanning the file at Online Malware Detection ESET as it could be a new camouflage file for an existing malware infection

I would not normally advise deleting the file until it is actually identified as something you do not need - you could somehow delete the file and then find that it causes worse problems and as you do not know what put it there you will then still need to Identify it

EDIT

upload the file to here ...https://www.virustotal.com/#/home/upload for an in depth check for malware
My System SpecsSystem Spec
Reply

 I have a process called cwershnsvc.exe on my computer. What is it?




Thread Tools




Similar help and support threads
Thread Forum
operations process in a computer
Is it true that all high-level operations in a computer (say, copying, pasting, web surfing, running apps etc) are all finally converted to micro-operations (say, arithmetic, logical and shift) and then done?
General Discussion
open explorer, starts new process, close it, process remains active
Hi, I've got a quicklaunch shortcut to: %windir%\explorer.exe shell:::{323CA680-C24D-4099-B94D-446DD2D7249E} That takes me straight to my explorer favourites. What I notice is that when I launch that, I get a new explorer.exe thread appear in the task manager. When I close it though, that...
General Discussion
Windows 7 + Process Explorer + Patch: [Opening error process]
Hi fooks, I hope you all can read this, i'm from Belgium so my Englsich is not as good as it might be. I have bought last year a little notebook with Windows 7 Home Premium on it. On this machine i am the Administrator, and there are no other people on that, or guestaccounts made. On...
Installation & Setup
New Computer: First Boot Interactive Login process initalization fail
i just went out buy a brand new gaming computer. Take about 2 hours to hook the thing up and press the power button and expect the greatest, but to my dismay I receive the error "Interactive Login Process Initialization failed". I clicked OK and the box closed, the display (1920x1080) flashes and...
Installation & Setup
Computer can't process updates
When I shut down my laptop, it says 5 updates are loading which takes a few minutes. Then when I start up, it takes 10-12 minutes to start because I think it is trying to process those same 5 updates. And all this has been happening for weeks. So I know it must be the same 5 updates, that are not...
Windows Updates & Activation


Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd

All times are GMT -5. The time now is 18:45.
Twitter Facebook Google+