Lenovo System Update UNCServer.exe

Mark Berry June 11, 2013

I had a moment of panic this morning when I discovered UNCServer.exe running on my Windows 7 workstation. I thought it was a VNC server, which could allow external control of my PC. Do I have a virus? I immediately unplugged my network cable and started researching.

I first noticed this when using Alt+Tab to flip through applications. UNCServer is listed as an application, although selecting it does not open a window:

Lenovo UNCServer 1

Task Manager shows the program and path:

C:\Program Files (x86)\Lenovo\System Update\UNCServer.exe

Lenovo UNCServer 2

Probably Not a Virus

So apparently it’s part of Lenovo System Update, as this article and this post confirm. The file is also digitally signed by Lenovo.

The article and post also point out that the program opens firewall ports. The program grants itself access on all TCP and UDP ports for both the Domain and Public profiles:

Lenovo UNCServer 4

So it’s from Lenovo, and others see the same thing, so it’s probably not a virus. I still wondered what it does.

Probably Not VNC

Task Manager says it’s running as PID 9996. Checking for listening ports, we see that PID 9996 is listening on port 20050:

Lenovo UNCServer 3

In case this was a just a renamed VNC server, I installed the viewer portion of RealVNC and UltraVNC on another computer. Neither one was able to connect to my workstation on port 20050. Good.

Next I tried a Raw connection from Putty to port 20050. I had to turn on logging to capture the message that flashed across the screen:  “Server encountered an internal error. To get more info turn on customErrors in the server’s config file.” That would seem to refer to the UNCServer.exe.config file in C:\Program Files (x86)\Lenovo\System Update. That looks like a .NET config file, and in fact it contains references to what appear to be .NET versions. I did not try adding a customErrors line.

.NET Analysis

I opened UNCServer.exe in IL DASM, part of the .NET framework SDK. Sure enough, it’s a .NET executable:

Lenovo UNCServer 5

At first glance at the procedure names, UNCServer.exe seems to be mostly about transferring files, not about remote control. So why does it need open ports on the inbound firewall? Is it supposed to allow an external program to connect to my computer to transfer files? My edge firewall should prevent connections from outside the network, but I still don’t like it.

When Does It Start

After a reboot, I noticed that UNCServer.exe did not start as soon as I logged on. However, it did start when I started Lenovo System Update, and it closed when I exited System Update. With System Update closed, nothing is listening on port 20050, although the firewall exceptions are still there.

So apparently System Update was running when I happened to see UNCServer this morning. Why? In Task Scheduler, TVT > TVSUUpdateTask is scheduled to run monthly on the 4th of the month. That’s a week ago. When I ran it manually, it finished in one second, but it left UNCServer.exe running. Then after a few minutes, I got a balloon notification from Lenovo that updates are available. Sure enough, there’s System Update in the system tray:

Lenovo UNCServer 6

At this point, UNCServer.exe is still running. If I right-click on the red Lenovo icon in the system tray and choose Exit, UNCServer.exe closes.

So if you don’t want UNCServer.exe to start, the (so far untested) options are:

  • Uninstall Lenovo System Update.
  • Disable the task TVT > TVSUUpdateTask. That should prevent Lenovo System Update from running on a schedule and leaving UNCServer.exe running in the background. However you would still be able to run Lenovo System Update manually.


14 Comments

  1. David   |  August 13, 2013 at 10:55 pm

    Thanks for thorough analysis and explanation!

  2. Chris   |  February 02, 2014 at 10:54 am

    Yeah, well done!

  3. Bonnie   |  September 13, 2014 at 8:49 am

    Thank you for this! I really appreciate it!!!

  4. Diego   |  November 08, 2014 at 2:21 am

    Beautiful explanation mate. Saved me a lot of hassle.

  5. Brad   |  November 20, 2014 at 8:36 am

    Thank You for this. Like all others have said, I appreciate you taking the time to investigate this and letting the rest of us know.

    Thanks again!

  6. Craig   |  March 23, 2015 at 5:10 am

    Thanks for doing the research. I was alarmed just now to see that something had opened a cmd.exe window saying simply, “Installing drivers…” Task Manager showed it was UNCServer.exe. Since getting updated drivers from Lenovo is probably a good thing, I set my panic level back down to normal and got on with my work.

  7. Joe   |  March 19, 2016 at 7:32 am

    Many thanks again!

  8. Andrew   |  April 11, 2016 at 8:53 am

    Thank you, this really helped!!!

  9. Bob   |  May 02, 2016 at 1:13 pm

    Awesome post! I was also surprised that this was running, and of course stumbled onto this great post with a quick Google search.

  10. Miško   |  February 07, 2017 at 7:34 am

    Brilliant, Mark! Thanks a lot. Not only have I solved the problem, but also used the Task manager for the first time and understood the logic of this application. Of course I consequently disabled some other annoying tasks that were spoiling my use of the computer. People like you deserve a huge credit! See how your work helps people even after years you have posted it.

  11. Mark Berry   |  February 07, 2017 at 11:45 am

    I’m glad this post is still useful!

  12. Andrey Zagi   |  February 12, 2017 at 9:25 am

    Amazing work, analysis and explanation! Thank you for the saved time.

  13. Hyve   |  March 13, 2017 at 4:04 am

    In my case UNCSerever is not closed when I right-click on the red Lenovo icon in the system tray and choose Exit.

    When I open Lenovo Update (in Control Panel) and click on Next, I get a message that Update has to update it’s self, than I click OK but Update does not update it’s self !

    The most nerve braking is that the mouse pointer keeps showing on and off that Lenovo Update is working in the background . I have changed the “Working in the Background” pointer to the same as “Normal Selection” but that’s a daft makeshift solution.

    I don’t like to uninstall Update, is there any other way to solve this problem ?

    I have a E530c ThinkPad running W10.

  14. Mark Berry   |  March 13, 2017 at 9:41 am

    Hyve, the purpose of this article was to confirm that UNCServer.exe is not a virus but is part of Lenovo System Update. If you need help with actual update functionality, I suggest contacting support or posting your question in the Lenovo forum (https://forums.lenovo.com).

Leave a Reply





*