Have you ever notice a filename that is so bizarre you think it must be some kind of malware? Microsoft Windows has supported long filenames for years but most folks still haven’t caught on. Microsoft is especially guilty of using short useless filenames like lsass.exe, mdm.exe and the most infamous ctfmon.exe.
One of the features of WinPatrol PLUS is the ability to click on a filename and receive a human readable explanation. We try our best to let you know what a file does, if it’s safe and why you might need it. I keep track of all the requests to make sure I’ll can catch any new mystery files, good or bad.
I’ve taken a snapshot of all our PLUS Info from last month and thought I’d share some of the top requests with all my readers.
The number one mystery file that people want to know about continues to be “CTFMON.exe”. Here’s a little of what you’ll read in our PLUS databae.
Ctfmon.exe activates the Alternative User Input Text Input Processor (TIP) and the Microsoft Office Language Bar. It monitors the active windows and provides text input service support for speech recognition, handwriting recognition, keyboard, translation, and other alternative user input technologies. Initially it only installed with Microsoft Office 2002 and XP. Now it may be used by a number of Microsoft programs that supports alternative user input. When you run such a program, the file Ctfmon.exe runs in the background. It remains in memory even after you quit the program. More detail on what the program does can be found at http://support.microsoft.com/default.aspx?scid=kb;EN-US;q282599 and at http://support.microsoft.com/?kbid=823586.
While Microsoft typically holds the number one spot they aren’t the only one with startup programs with mystery filename.
Adobe Acrobat Speed Launch – READER_SL.EXE
Reader_sl.exe installs with Adobe Acrobat reader 7 or later as its "speed launch" utility. This file runs on system setup and pre-loads the acrobat reader so that it will launch more quickly when needed.
There are multiple versions of the speed launch feature available. Typically they install with different versions of Acrobat but they all do the same thing. You shouldn't need more than one of these files running on system startup in order to get the benefit of the faster launch: reader_sl.exe, sc_acrobat.exe, _sc_acrobat.exe, sc_reader.exe, and acrobat_sl.exe. You'll find more information on Speed Launch for Adobe Acrobat, Adobe Reader, and Acrobat 3D at http://www.adobe.com/cfusion/knowledgebase/index.cfm?id=331131.
Sun's Java BHO – SSV.DLL
Ssv.dll is a browser helper object that installs with the Sun Java Runtime Environment and Java 2 Platform Standard Edition 5.0 Update 6 or later. It will appear in your c:\Program Files\Java\jre_1.5.0 folder (name varies with version number). SSV stands for Secure Static Version. It is a feature that allows an HTML file to specify which JRE family to run.
For more information about this feature, please see the documents Deploying Java Applets With Family JRE Versions in Java Plug-in for Internet Explorer: http://java.sun.com/javase/6/webnotes/family-clsid.html and the alert Java Plug-in and Java Web Start May Allow Applets and Applications to Run With Unpatched JRE: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102557-1.
Other popular file searches this past month include many programs which aren’t necessary. Programs that run in the background just to see if you need an updated version are far too popular. As you can see, the filenames rarely give you a clue what these files do.
OSA.EXE, OSA9.EXE - Office Startup Assistant
MDNSRESPONDER.EXE - part of Apple Bonjour
JUSCHED.EXE - Sun's Java Plug-in Updater
NVSTARTUP, NVCPL.DLL - NVidia Graphics system tray applet
MSASCUI.EXE - Obviously is Windows Defender
QTTASK.EXE - Apple Quicktime Player always come back unless disabled with WinPatrol.
SMSS.EXE - Session Manager Subsystem of course
Google, Adobe and Apple are actually the ones using long filenames most often even though we don’t normally need their programs running in the background.
GOOGLEUPDATERSERVICE.exe - Not required programs but at least you get a clue to what they do.
ADOBEUPDATER.exe – Given how many vulnerabilities Adobe has been running into lately it might be worth running this one.
APPLEMOBILEDEVICESERVICE.exe - Apple iTunes Mobile Connection doesn’t need to be running all the time and will be installed with iTunes even if you have a regular iPod that doesn’t use mobile services of the iPhone or iTouch.
Labels: adobe, ctfmon, java, Startup