agshelper.exe oddity

New Here, Apr 12, 2022

Recently, when reviewing logs, I see agsservice.exe execute from the expected path (c:\program files (x86)\common files\adobe\adobegcclient\agsservice.exe).

A short time later, I see the scheduled task adobegcinvoker get deleted.

Then a log file states that agsservice.exe is "agsservice in onstop".

Then agshelper.exe executes several times from c:\windows\temp instead of its expected Program Files path.

Then cmd.exe is called and ran this command:

cmd.exe /c ping 1.1.1.1 -n 1 -w 3000 > nul & del /f /q "c:\windows\temp\agshelper.exe"

There's no technical information on how agsservice.exe or agshelper.exe actually work for me to analyze/evaluate whether this is expected behavior or not.

Any help would be appreciated.

Thank you
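
The sequence described in this post can be triaged from process-creation telemetry. The script below is an added example and is not from the original post or from Adobe: the $events array is a constructed sample that mirrors the poster's description (the timestamps, command-line quoting and parent processes are assumptions, and the expected directory is the one named for agsservice.exe above). It flags two things: a watched binary executing from anywhere other than its install directory, and the cmd.exe "ping, then del" idiom, which is a delayed self-delete (the ping exists only to sleep before the file is removed; the address pinged is not the point).

```powershell
# Added example, not from the original post. $events is a CONSTRUCTED sample;
# see the commented Get-WinEvent block at the end for running it on real Sysmon data.

$ExpectedDir = 'C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient'   # directory the poster named
$Watched     = @('agsservice.exe', 'agshelper.exe')

# Constructed records shaped like Sysmon Event ID 1 (Image / CommandLine / ParentImage).
# Parent processes are assumptions for illustration.
$events = @(
    [pscustomobject]@{ Time = '2022-04-12 09:00:01'; Image = "$ExpectedDir\AGSService.exe";
                       CommandLine = "`"$ExpectedDir\AGSService.exe`""; ParentImage = 'C:\Windows\System32\services.exe' }
    [pscustomobject]@{ Time = '2022-04-12 09:00:05'; Image = 'C:\Windows\Temp\agshelper.exe';
                       CommandLine = '"C:\Windows\Temp\agshelper.exe"'; ParentImage = "$ExpectedDir\AGSService.exe" }
    [pscustomobject]@{ Time = '2022-04-12 09:00:06'; Image = 'C:\Windows\Temp\agshelper.exe';
                       CommandLine = '"C:\Windows\Temp\agshelper.exe"'; ParentImage = "$ExpectedDir\AGSService.exe" }
    [pscustomobject]@{ Time = '2022-04-12 09:00:09'; Image = 'C:\Windows\System32\cmd.exe';
                       CommandLine = 'cmd.exe /c ping 1.1.1.1 -n 1 -w 3000 > nul & del /f /q "c:\windows\temp\agshelper.exe"';
                       ParentImage = 'C:\Windows\Temp\agshelper.exe' }
)

function Test-UnexpectedPath {
    # True when a watched binary ran from anywhere other than its install directory.
    param([string]$Image, [string]$ExpectedDir, [string[]]$Watched)
    $name = [System.IO.Path]::GetFileName($Image)
    if ($Watched -notcontains $name) { return $false }            # -notcontains is case-insensitive
    $dir = [System.IO.Path]::GetDirectoryName($Image)
    return ($dir.TrimEnd('\') -ne $ExpectedDir.TrimEnd('\'))      # -ne is case-insensitive too
}

function Test-DelayedSelfDelete {
    # "ping <host> -n <count> -w <ms> > nul & del <file>" is a cmd.exe idiom: ping is only a
    # sleep so the launching process can exit before its own file is deleted.
    # Match on the shape of the command, not on the address 1.1.1.1.
    param([string]$CommandLine)
    return ($CommandLine -match '(?i)\bping\b[^&]*-n\s+\d+[^&]*&\s*del\b')
}

function Get-DeleteTarget {
    # Extract the path passed to del, skipping switches such as /f /q and surrounding quotes.
    param([string]$CommandLine)
    if ($CommandLine -match '(?i)\bdel\s+(?:/[a-z]\s+)*"?([^"&]+?)"?\s*$') { return $Matches[1].Trim() }
}

$seenImages = @{}   # PowerShell hashtable keys are case-insensitive, so path casing does not matter
$findings = foreach ($e in $events) {
    $seenImages[$e.Image] = $true
    if (Test-UnexpectedPath -Image $e.Image -ExpectedDir $ExpectedDir -Watched $Watched) {
        [pscustomobject]@{ Time = $e.Time; Finding = 'watched binary ran outside its install dir';
                           Detail = "$($e.Image) (parent: $($e.ParentImage))" }
    }
    if (Test-DelayedSelfDelete -CommandLine $e.CommandLine) {
        $target  = Get-DeleteTarget -CommandLine $e.CommandLine
        $dropped = if ($target -and $seenImages.ContainsKey($target)) { 'a binary that executed earlier in this log' }
                   else { 'a file not seen executing' }
        [pscustomobject]@{ Time = $e.Time; Finding = 'delayed self-delete (ping-sleep then del)';
                           Detail = "$($e.ParentImage) spawned cmd.exe to delete $target, $dropped" }
    }
}
$findings | Format-Table -Wrap -AutoSize

# To run against real Sysmon data instead of the constructed sample:
# $events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } |
#     ForEach-Object {
#         $d = @{}; ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
#         [pscustomobject]@{ Time = $_.TimeCreated; Image = $d.Image; CommandLine = $d.CommandLine; ParentImage = $d.ParentImage }
#     }
```

On the constructed sample this reports the two agshelper.exe executions from C:\Windows\Temp and the cmd.exe self-delete, and notes that the deleted file is one that executed earlier in the log. The pattern itself is not a verdict: legitimate updaters and installers drop a helper, run it and clean up this way, and so does malware. What it gives you is the list of files and parent processes to verify (who wrote the Temp copy, who launched it, and whether it is the vendor's binary), which is the follow-up a reviewer would do before calling the behavior expected.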

TOPICS
Windows

Adobe Community Professional, Apr 23, 2022

Based on some reading that I've done, agsservice.exe and agshelper.exe check for software integrity and compliance.

If it appears aggressive, you may need to check that some other Adobe apps that interact with Acrobat on that computer are actually legitimate or properly licensed.

See if this link is useful for troubleshooting:

https://helpx.adobe.com/genuine/faq.html

Does the same problem occur if your internet adapters are disabled or in Airplane mode?

In which version of MS Windows is this happening?

What is even stranger to me is that, for a legitimate Adobe process, it is actually invoking a script to ping a specific Domain Name Service address and check for latency.

It pings itself one time, then the script sets itself to wait 3,000 milliseconds for a response from the pinged device, and times out if the wait time per response is greater than 3,000 milliseconds during that loop.

Then it also invokes "nul and del" commands to clear and delete the AGS process log that is cached in the Windows temporary files folder.

Unless this is related to a VPN/firewall configuration that you have at work or at home, the fact that it pings itself to a specific DNS address caught my attention.

So it may be that the AGS service can't find its way through a secured and encrypted DNS service.

However, if you open cmd.exe and execute the following command:

ipconfig /all

Can you spot the DNS address that your Gateway IP address (your PC or router) is currently communicating with?

Does it say "1.1.1.1", like the script that is associated with the Adobe Genuine Service reveals?

Or does it reveal a DNS address different from 1.1.1.1?
LEGEND, Apr 24, 2022

My first action would be to check the digital signature on the file in c:\windows\temp. This is the first step in seeing whether software is legitimate.
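
One way to carry out the check suggested in this reply, as an added example that is not from the thread or from Adobe: verify the Authenticode signature on the copy in C:\Windows\Temp and compare its SHA-256 hash with the installed copy. It assumes you preserved the Temp file before the del command in the first post removed it (from a forensic image, EDR quarantine, or a test machine where the delete was blocked), that agshelper.exe is normally installed alongside agsservice.exe in the directory the poster named (an assumption; use whatever path your installation shows), and that the expected signer subject contains "Adobe" (also an assumption; confirm it against the signature on your installed copy).

```powershell
# Added example, not from the original thread. Paths and the signer pattern are
# assumptions taken from the first post; confirm them on your own installation.

function Test-SuspectBinary {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [string]$ReferencePath,
        [string]$ExpectedSignerPattern = 'Adobe'   # assumption: confirm against the installed copy's signer
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false;
                                  Verdict = 'file already deleted; recover a copy before judging it' }
    }

    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $hash   = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

    # Status values: Valid (chain verifies), NotSigned, HashMismatch (signed content was altered),
    # UnknownError / NotTrusted (chain does not verify on this host).
    $signatureOk = ($sig.Status -eq 'Valid') -and ($signer -match $ExpectedSignerPattern)

    # Compare with the installed copy when one is available.
    $refHash = $null
    if ($ReferencePath -and (Test-Path -LiteralPath $ReferencePath)) {
        $refHash = (Get-FileHash -LiteralPath $ReferencePath -Algorithm SHA256).Hash
    }
    $sameAsInstalled = ($null -ne $refHash) -and ($hash -eq $refHash)

    $verdict = if (-not $signatureOk) {
        'INVESTIGATE: unsigned, broken signature, or unexpected signer'
    } elseif ($sameAsInstalled) {
        'byte-identical to the installed copy and signed by the expected publisher'
    } else {
        'validly signed but differs from the installed copy: confirm the version is a known release before trusting it'
    }

    [pscustomobject]@{
        Path             = $Path
        Exists           = $true
        SHA256           = $hash
        Status           = $sig.Status
        Signer           = $signer
        MatchesInstalled = $sameAsInstalled
        Verdict          = $verdict
    }
}

# Usage: the Temp path is from the original post; the reference path assumes agshelper.exe
# lives in the same directory the poster gave for agsservice.exe.
Test-SuspectBinary -Path 'C:\Windows\Temp\agshelper.exe' `
    -ReferencePath 'C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\agshelper.exe' |
    Format-List
```

A valid vendor signature on the Temp copy tells you the bytes are the vendor's; it does not tell you the vendor's own service put them there, since any process can copy and launch a signed binary. Read the result together with the process lineage in your logs (which process wrote and launched the Temp copy) before deciding the sequence is expected.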
