The RPCHD Service

Mark Berry March 5, 2013

I’ve been testing IDrive as an online backup option. Yesterday a chat support rep needed to look at my system, and at his request I downloaded and installed “RemoteSupportHost_317082.exe”, apparently provided by remotepc.net. I was not particularly surprised to find that this started a UNC server. I was a little surprised to find that it allowed the rep to control BOTH of my screens, and that I did not have to grant permission for control (as opposed to viewing). But now I see that it installed an “RPCHD service” and did not remove it upon completion.

RPCHD service

I noticed this from event log monitoring today. I see the following events in the System event log:

Log Name:      System
Source:        Service Control Manager
Date:          3/4/2013 1:32:43 PM
Event ID:      7045
Level:         Information
Description:
A service was installed in the system.
Service Name:  RPCHD
Service File Name:  Ú\Dummy.exe
Service Type:  user mode service
Service Start Type:  demand start
Service Account:  LocalSystem

Log Name:      System
Source:        Service Control Manager
Date:          3/4/2013 1:32:43 PM
Event ID:      7030
Description:
The RPCHD service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.

Log Name:      System
Source:        Service Control Manager
Date:          3/4/2013 1:32:43 PM
Event ID:      7040
Description:
The start type of the RPCHD service was changed from demand start to auto start.

Log Name:      System
Source:        Service Control Manager
Date:          3/4/2013 1:32:43 PM
Event ID:      7000
Description:
The RPCHD service failed to start due to the following error:
The system cannot find the file specified.

Note that this system does not have a U: drive, much less a Ú drive. I do wonder what the service would do if it was configured correctly. RPCHD might be Remote Procedure Call Hard Drive, perhaps a remote disk access program.

I did a full system scan with Malwarebytes and no infection was found. I don’t think this is malicious. However, I don’t want it on my system. I’m going to do a System Restore to before the support call, which should remove the service.
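
The event sequence above can be triaged automatically. The following is an added example, not part of the original post: it parses records in the post's text layout and flags a newly installed service that runs as LocalSystem, has an image path that does not look like a real path, is marked interactive, is switched to auto start, or fails because its binary is missing. The sample records are constructed from the events quoted in the post; the flag names and the path heuristic are assumptions.

```python
import re
from collections import defaultdict
# Constructed sample: the post's four records, trimmed; \u00da is the accented U in the logged path.
SAMPLE = """\
Event ID:      7045
Service Name:  RPCHD
Service File Name:  \u00da\\Dummy.exe
Service Account:  LocalSystem

Event ID:      7030
The RPCHD service is marked as an interactive service.

Event ID:      7040
The start type of the RPCHD service was changed from demand start to auto start.

Event ID:      7000
The RPCHD service failed to start due to the following error:
The system cannot find the file specified.
"""
# Assumed heuristic: a sane image path starts with X:\, %VAR%\ or \SystemRoot\.
SANE_PATH = re.compile(r'^"?(?:[A-Za-z]:\\|%\w+%\\|\\SystemRoot\\)')
FOLLOW_UPS = {  # event id -> (pattern capturing the service name, flag)
    7030: (r"The (.+?) service is marked as an interactive", "interactive"),
    7040: (r"type of the (.+?) service was changed from .+? to auto start", "set-to-auto-start"),
    7000: (r"The (.+?) service failed to start.*cannot find the file", "binary-missing"),
}

def field(body, label):
    m = re.search(rf"^{re.escape(label)}:\s*(.+)$", body, re.M)
    return m.group(1).strip() if m else ""

def triage(text):
    """Return {service: sorted flags} for services whose install (7045) is in the log."""
    flags = defaultdict(set)
    for body in re.split(r"\n\s*\n", text.strip()):
        eid = int(field(body, "Event ID") or 0)
        if eid == 7045:
            name = field(body, "Service Name")
            flags[name].add("installed")
            if field(body, "Service Account").lower() == "localsystem":
                flags[name].add("runs-as-LocalSystem")
            if not SANE_PATH.match(field(body, "Service File Name")):
                flags[name].add("odd-image-path")
        elif eid in FOLLOW_UPS:
            pattern, flag = FOLLOW_UPS[eid]
            m = re.search(pattern, body, re.S)
            if m:
                flags[m.group(1)].add(flag)
    return {n: sorted(f) for n, f in flags.items() if "installed" in f}
```

Calling `triage(SAMPLE)` returns every flag for RPCHD; a service installed under a low-privilege account with a normal quoted path comes back with only `installed`.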



1 Comment

  1. Ben   |  September 01, 2016 at 11:19 am

    I too have found this service on a random server for a client with the same registry entry. As the IT provider I know that we did not install this service. It seems very fishy to me, even though ESET and MBAM both come back clean. It does remove just fine with the SC delete command, but it is somewhat concerning.
