How can I find what SC.exe is doing?

kelper · Nov 30, 2023

If I power down my laptop, the next time I log in, after all the startup programs are running, I see three sc.exe windows open and close in quick succession.
I'm pretty sure these started after the following Acer updates.

I wonder what they do and why they need to run over and over again. I have asked on the Acer forum.

pseymour · Nov 30, 2023

Depending on how it's being started, you might find it with AutoRuns (sysinternals.com, then click Process Utilities on the left). There is a search, so you could find sc.exe.

Berton · Nov 30, 2023

Did you see these pages about what it is?

sc.exe at DuckDuckGo

DuckDuckGo. Privacy, Simplified.

duckduckgo.com

kelper · Nov 30, 2023

Berton said:
Did you see these pages about what it is?

sc.exe at DuckDuckGo

DuckDuckGo. Privacy, Simplified.

duckduckgo.com

Yes

glasskuter · Nov 30, 2023

Do you have any Acer software on your machine like Acer Care Center? It looks to me like WU may have updated the software without uninstalling the old version first.
WU may even have installed an older version on top of the newer one.
You might try uninstalling both Acer Care and Acer Quick Access app. I would use Revo. Then reinstall from Acer Support.
Latest Acer Care Center is dated 11/7/23
Latest Acer Quick Access is 9/20/22
It's worth a shot.

kelper · Nov 30, 2023

Great advice, and I'm honoured to share a birthday with you!

glasskuter · Nov 30, 2023

kelper said:
I'm honoured to share a birthday with you!

Well, right back at 'cha. If both of us were born on 11/28 it must be a special day. This was the BIG ONE for me but at least now I have a bona fide excuse if I come across as a blathering idiot.

garioch7 · Nov 30, 2023

@kelper ,

I am just wondering whether SC is issuing Stop commands and then Start commands because the old version of the software was running, so it had to be stopped to initiate the update, and then once updated, SC issued a Start command to activate the updated service.

In dealing with active malware services, we do have to stop the malware service before we can delete it.

Just a thought . . .

Have a great day.

Regards,
Phil

zebal · Nov 30, 2023

sc.exe should only be used to uninstall service, install service and manage service states, it shouldn't run every time.

garioch7 · Dec 1, 2023

@zebal ,

zebal said:
sc.exe should only be used to uninstall service, install service and manage service states, it shouldn't run every time.

I agree, in general, BUT we do not know how the Acer updater is programmed. You cannot alter a running service without stopping it. My guess is that the programmer is using SC in the background to stop the target service, then updating that service, and then restarting the updated service. That would explain why @kelper reports:

kelper said:
If I power down my laptop, the next time I log in, after all the startup programs are running, I see three sc.exe windows open and close in quick succession.

What I can't figure out is why it is updating every time he restarts his computer . . . Perhaps it is an Acer Updater glitch . . .

It will be interesting to learn what information he gets from his Acer Forum post . . .

If it were my computer, I would run an SFC /scannow and a DISM /Online /Cleanup-Image /ScanHealth just to be sure that there is not any OS corruption.

Just my two cents. Have a great day.

Regards,
Phil

zebal · Dec 1, 2023

garioch7 said:
My guess is that the programmer is using SC in the background to stop the target service, then updating that service, and then restarting the updated service. That would explain why @kelper reports:

Agree with you, and if that's the case then Acer coders do a bad job for sure since there are API's to manage services, sc.exe is for use by admins not programmers.

I think the OP might get best help by contacting Acer, at least to confirm that's the case.

kelper · Dec 1, 2023

I managed to catch it on video and export one frame. As I said in post #1 I have already contacted ACER.

Whatever ACER have done, it should have run once, not on every boot or log in.

kelper · Dec 1, 2023

I ran sysinternals Autoruns; could this be the culprit?

zebal · Dec 1, 2023

kelper said:
As I said in post #1 I have already contacted ACER.

Forums are ruled by users, I would look to see if there is a contact form for users or something where you could contact support, Acer itself.

kelper said:
I ran sysinternals Autoruns; could this be the culprit?

Very likely no because the error say service is already running and can't started for second time, and the Acer program which is using the sc.exe doesn't need cmd, it would instead use shell functions to run external executable.

I suggest you listen to what @glasskuter said, get rid of Acer manufacturer bloatware, any acer programs which are not essential or those which are not drivers but utilities.

garioch7 · Dec 1, 2023

@kelper ,

Could be . . . SC will not run in PowerShell. It needs CMD.

I don't see it in my Autoruns.

Have a great day.

Regards,
Phil

pseymour · Dec 1, 2023

The "SafeBoot\AlternateShell" registry entry is totally normal. It is the name of the shell used when booting to "Safe mode with Command Prompt." It's not the culprit. I agree with zebal/glasskuter. Uninstall the Acer stuff and see if it goes away. If not, we can dig deeper.

garioch7 · Dec 1, 2023

@pseymour ,

I don't have that entry in my Registry. That said, I am not contesting that the registry entry is "totally normal." What I am curious about is why Autoruns is showing that CMD is running . . .

I don't think that @kelper is booted into Safe Mode. This must be some kind of special Acer thing!

I am not convinced that it is normal, but I am eager to learn from my mistakes!

I do agree that it would be wise to uninstall any Acer "bloatware," but only if you have backed up your computer first. You never know when you'll have to roll back. I would also create a System Restore Point. You can't have "too much backup," as someone here reminds us!

Just my two cents. Have a great day.

Regards,
Phil

pseymour · Dec 1, 2023

MSFT article for AlternateShell I don't take what you said as argument; just posting that for completeness.

AutoRuns isn't showing that cmd is running. It's just showing that cmd.exe is the shell that would be loaded if one were to boot to Safe Mode with Command Prompt on that system.

Anyway, I came back to post a Sysmon config file for tracking sc.exe process creation, in case this thread comes to that.

garioch7 · Dec 1, 2023

@pseymour ,

Thank you for your reply. I am still confused. I must be getting too old!

@kelper is showing the Autoruns printout for his Logon tab. Why would that entry be listed?

Here is my Logon tab:

I have no such entry. Obviously, I am starting up a lot more junk than he is, but I think that entry is being loaded on startup on his computer, based on what little I know, . . . and I do concede to not being a Windows expert.

I have to be away now for a few hours. This is my afternoon every week to update, backup, and scan my computers. I will check back. I am always eager to learn new tricks and understand the internal workings of Windows. Thank you for sharing your expertise.

Have a great day.

Regards,
Phil

pseymour · Dec 1, 2023

I'm wary of hijacking OP's thread with this AlternateShell thing. You also don't show an entry for

Code:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

whereas I have entries for both on all of my Win11 computers. I also checked several Win11 machines where I work. Why those don't show in AutoRuns for your machine, I do not know.

Regardless, the executable in the AlternateShell entry does not load during a normal startup. That's not what that registry value is for (see the MSFT article I linked earlier).

Again, AutoRuns isn't showing that cmd is running. In fact, neither is OP's screenshot. The screenshot shows sc.exe is running. It can be started by a cmd.exe process, but it doesn't have to be. You can run "sc.exe query" from the Run dialog box just fine, although it'll scroll by very quickly and you won't be able to read it.

In that instance, the parent process will be explorer.exe, not cmd.exe. You can run sc.exe from PowerShell also, although that's a little silly, because PowerShell has cmdlets for most of what sc.exe does.

How can I find what SC.exe is doing?

Well-known member

My Computers

Windows developer and admіn

My Computers

Ret. ATC

My Computers

Well-known member

My Computers

aka Mama Glass

My Computers

Well-known member

My Computers

aka Mama Glass

My Computers

Retired R.C.M.P. Veteran

My Computers

Well-known member

My Computer

Retired R.C.M.P. Veteran

My Computers

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computer

Retired R.C.M.P. Veteran

My Computers

Windows developer and admіn

My Computers

Retired R.C.M.P. Veteran

My Computers

Windows developer and admіn

Attachments

My Computers

Retired R.C.M.P. Veteran

My Computers

Windows developer and admіn

My Computers

Similar threads