Malware or strange Windows services behaviour?

7

2

Intro

I recently noticed some services that had odd values appended to the service name when tidying up my PC. In the output from sc query they look like this:

SERVICE_NAME: CDPUserSvc_40b5c
DISPLAY_NAME: CDPUserSvc_40b5c
        TYPE               : e0  USER_SHARE_PROCESS INSTANCE
        STATE              : 4  RUNNING 
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

[snip]...

SERVICE_NAME: UserDataSvc_40b5c
DISPLAY_NAME: User Data Access_40b5c
        TYPE               : e0  USER_SHARE_PROCESS INSTANCE
        STATE              : 4  RUNNING 
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_PRESHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

Regedit Output as images:

Ideas/Actions

My first thought was that I possibly had a virus/malware infection and there was something trying to impersonate a legitimate service with bad tradecraft. I believe I have ruled this out as the services are almost exactly the same as their legitimate non-hex appended counterparts. (see regedit output)

Some of the services have an invalid description, but identical code for creating the description in regedit. Additionally, I have issued sc delete <svcname> successfully. However, they are recreated upon reboot.

Questions

What are these services and why are they named like this?
How do I remove them?

Deney Fletcher

Posted 2017-02-26T01:06:40.820

Reputation: 71

They appear to be quite new to Windows and used for Connected Devices Platform https://msdn.microsoft.com/en-us/library/mt766144.aspx. See: http://superuser.com/questions/1115769/what-is-the-cdpusersvc-service/1118109

– HelpingHand – 2017-02-26T01:37:01.613

Answers

7

The CDPUserSvc is a legitimate MS Windows Service.

As for the random code appended, e.g. _405bc, this is a copy of the same Windows Service without the suffix. MS has added these "shadow" copies as a "security" measure (and incidentally to make user management of these services more difficult). An example, the shadow of Windows OneSyncSvc, is shown below. Since the suffix may change on reboot, to permanently disable the service (e.g. if you never use Windows OneSync), set Start in HKLM\SYSTEM\CurrentControlSet\Services... for both the service and its shadow to 4.

OneSyncSvc shadow

DrMoishe Pippik

Posted 2017-02-26T01:06:40.820

Reputation: 13 291
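An added check, not code from the original post or answer, that a defender can run to tell a legitimate per-user instance from a service merely named to look like one: for every key under Services whose name ends in `_<hex>`, it looks up the template key (suffix stripped) and compares Type, ImagePath, Description and ServiceDll, and also reports Start (the value the answer above sets to 4). It assumes Windows 10, an elevated PowerShell session and the 0x80 user-service instance flag; the function and variable names are my own.

```powershell
$svcRoot      = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$pattern      = '^(?<base>.+)_(?<suffix>[0-9a-fA-F]{4,8})$'   # CDPUserSvc_40b5c -> base CDPUserSvc
$InstanceFlag = 0x80   # SERVICE_USERSERVICE_INSTANCE: 0x60 template | 0x80 = the e0 sc query prints

function Get-ServiceDll([string]$keyPath) {
    # ServiceDll sits under the Parameters subkey (svchost-hosted services only)
    $p = Get-ItemProperty -Path "$keyPath\Parameters" -ErrorAction SilentlyContinue
    if ($p) { return $p.ServiceDll }
    return $null
}

function Test-PerUserServiceInstances {
    foreach ($key in Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue) {
        $m = [regex]::Match($key.PSChildName, $pattern)
        if (-not $m.Success) { continue }
        $baseName = $m.Groups['base'].Value
        $tmplPath = "$svcRoot\$baseName"
        $inst     = Get-ItemProperty -Path $key.PSPath
        $findings = @()

        if (-not (Test-Path -Path $tmplPath)) {
            # A suffix with no template service behind it is not how the OS creates these
            $findings += 'no template service with this base name'
        } else {
            $tmpl = Get-ItemProperty -Path $tmplPath
            if (($inst.Type -band $InstanceFlag) -eq 0) {
                $findings += 'instance flag 0x80 not set in Type'
            }
            if (($inst.Type -band (-bnot $InstanceFlag)) -ne $tmpl.Type) {
                $findings += "Type $($inst.Type) does not derive from template Type $($tmpl.Type)"
            }
            if ($inst.ImagePath -ne $tmpl.ImagePath)     { $findings += "ImagePath differs: $($inst.ImagePath)" }
            if ($inst.Description -ne $tmpl.Description) { $findings += 'Description differs from template' }
            $instDll = Get-ServiceDll $key.PSPath
            $tmplDll = Get-ServiceDll $tmplPath
            if ($instDll -and $tmplDll -and ($instDll -ne $tmplDll)) {
                $findings += "ServiceDll differs: $instDll"
            }
        }

        [pscustomobject]@{
            Instance = $key.PSChildName
            Template = $baseName
            Start    = $inst.Start   # 4 = disabled; set on both template and instance to keep it off
            Verdict  = $(if ($findings) { 'INVESTIGATE: ' + ($findings -join '; ') } else { 'matches template' })
        }
    }
}

Test-PerUserServiceInstances | Format-Table -AutoSize -Wrap
```

A legitimate instance such as the CDPUserSvc_40b5c from the question should come back as "matches template"; any row marked INVESTIGATE points at the specific registry value that disagrees with the template.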

-1

This is not malware, but in my humble opinion it is a pretty bad name for a process or service. Viral processes also use such names, and it would be easy to fool users, after reading the above post, into thinking that the viral process is actually a legit process.

There are other similar processes as well: How to disable OneSyncSvc_c523d on Win10?

alpha_989

Posted 2017-02-26T01:06:40.820

Reputation: 623