  • #4147083

    Why is regsvr32.exe being used by spoolsv.exe?

    by vandenburg777 ·

    We have security software that stopped c:\windows\system32\spoolsv.exe from using c:\windows\syswow64\regsvr32.exe. I am trying to determine if this activity is legitimate and am suspicious because before July 12 there were no incidents of this happening in our environment at all, and it is only happening on 22 of our 250 workstations, but those are scattered among all offices. Usually the user is associated to NT AUTHORITY\SYSTEM but sometimes it is the actual user. All workstations are for the most part the same setup.

    • This topic was modified 1 month, 1 week ago by rproffitt.


All Comments

    • #4147132

      Re: regsvr32.exe

      by kees_b ·

      In reply to Why is regsvr32.exe being used by spoolsv.exe?

      I have no doubt that it’s legitimate that a Microsoft program calls another Microsoft program. Ask your account manager why it does.

      • #4147144

        Reply To: Why is regsvr32.exe being used by spoolsv.exe?

        by vandenburg777 ·

        In reply to Re: regsvr32.exe

        Hopefully someone technical can explain the behavior so I’m confident that whitelisting this is okay. We use ThreatLocker and if it was very common activity I’m sure they would have already defined it as part of the built-in rules.

    • #4147147

      Are your systems patched up for PrintNightmare?

      by rproffitt ·

      In reply to Why is regsvr32.exe being used by spoolsv.exe?

      I’d check that out fast.

      • #4147154

        Reply To: Why is regsvr32.exe being used by spoolsv.exe?

        by vandenburg777 ·

        In reply to Are your systems patched up for PrintNightmare?

        That is a very good thought. I did look into PrintNightmare earlier today and I noticed that MS finished patching for that in 2021. We are religious about patching so I believe we’re good on that one.

    • #4157093

      Information about regsvr32.exe

      by Harisamer214 ·

      In reply to Why is regsvr32.exe being used by spoolsv.exe?

      To determine if the activity is legitimate, you can try the following:

      1. Check the event logs for any errors or warnings related to spoolsv.exe or regsvr32.exe.
      2. Look for any suspicious files or processes on the affected computers.
      3. Use a malware scanner to scan the affected computers for malware.
      4. If you are still unsure whether the activity is legitimate, you can contact your security vendor for assistance.

      I hope this helps!
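As an added triage example (not posted by anyone in this thread), the following PowerShell script implements step 1 above for the exact parent/child pair in question: it pulls process-creation events from Sysmon (Event ID 1) or the Security log (4688) and returns only those where spoolsv.exe spawned regsvr32.exe, with the user and command line so the DLL being registered can be compared across the 22 affected workstations. It assumes Sysmon or 4688 auditing with command-line logging is enabled and that you have remote event log access; the script name and parameters are the author's own choices.

```powershell
# Find-SpoolerRegsvr32.ps1 (hypothetical name): list events where spoolsv.exe started regsvr32.exe.
# Assumes Sysmon Event ID 1 and/or Security 4688 with "Include command line" auditing enabled.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [datetime]$Since = (Get-Date).AddDays(-30)   # widen this to cover the July 12 start date
)

# Flatten an event's EventData <Data Name="..."> elements into a hashtable.
function Get-EventDataMap {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $map = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    return $map
}

foreach ($pc in $ComputerName) {
    $filters = @(
        @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1;    StartTime = $Since },
        @{ LogName = 'Security';                             Id = 4688; StartTime = $Since }
    )
    foreach ($f in $filters) {
        # Missing Sysmon or disabled auditing just yields no events for that log.
        $events = Get-WinEvent -ComputerName $pc -FilterHashtable $f -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            $d = Get-EventDataMap $e
            # Field names differ: Sysmon uses Image/ParentImage, 4688 uses NewProcessName/ParentProcessName.
            $image  = if ($d.Image)       { $d.Image }       else { $d.NewProcessName }
            $parent = if ($d.ParentImage) { $d.ParentImage } else { $d.ParentProcessName }
            if ($parent -match 'spoolsv\.exe$' -and $image -match 'regsvr32\.exe$') {
                [pscustomobject]@{
                    Computer    = $pc
                    Time        = $e.TimeCreated
                    Log         = $f.LogName
                    User        = if ($d.User) { $d.User } else { "$($d.SubjectDomainName)\$($d.SubjectUserName)" }
                    Parent      = $parent
                    Image       = $image
                    CommandLine = $d.CommandLine   # the DLL path passed to regsvr32 is what to review
                }
            }
        }
    }
}
```

Run it against the affected hosts and group on CommandLine (for example `.\Find-SpoolerRegsvr32.ps1 -ComputerName (Get-Content .\hosts.txt) | Group-Object CommandLine`): a single signed printer-driver DLL on every host points to a driver or vendor update, while differing or unsigned paths under user-writable directories warrant the file checks in steps 2 and 3.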
