Lenovo System Update UNCServer.exe

Mark Berry June 11, 2013

I had a moment of panic this morning when I discovered UNCServer.exe running on my Windows 7 workstation. I thought it was a VNC server, which could allow external control of my PC. Do I have a virus? I immediately unplugged my network cable and started researching.

I first noticed this when using Alt+Tab to flip through applications. UNCServer is listed as an application, although selecting it does not open a window:

Lenovo UNCServer 1

Task Manager shows the program and path:

C:\Program Files (x86)\Lenovo\System Update\UNCServer.exe

Lenovo UNCServer 2

Probably Not a Virus

So apparently it’s part of Lenovo System Update, as this article and this post confirm. The file is also digitally signed by Lenovo.

The article and post also point out that the program opens firewall ports. The program grants itself access on all TCP and UDP ports for both the Domain and Public profiles:

Lenovo UNCServer 4

So it’s from Lenovo, and others see the same thing, so it’s probably not a virus. I still wondered what it does.

Probably Not VNC

Task Manager says it’s running as PID 9996. Checking for listening ports, we see that PID 9996 is listening on port 20050:

Lenovo UNCServer 3

In case this was just a renamed VNC server, I installed the viewer portion of RealVNC and UltraVNC on another computer. Neither one was able to connect to my workstation on port 20050. Good.

Next I tried a Raw connection from PuTTY to port 20050. I had to turn on logging to capture the message that flashed across the screen: “Server encountered an internal error. To get more info turn on customErrors in the server’s config file.” That would seem to refer to the UNCServer.exe.config file in C:\Program Files (x86)\Lenovo\System Update. That looks like a .NET config file, and in fact it contains references to what appear to be .NET versions. I did not try adding a customErrors line.

.NET Analysis

I opened UNCServer.exe in IL DASM, part of the .NET framework SDK. Sure enough, it’s a .NET executable:

Lenovo UNCServer 5

At first glance at the procedure names, UNCServer.exe seems to be mostly about transferring files, not about remote control. So why does it need open ports on the inbound firewall? Is it supposed to allow an external program to connect to my computer to transfer files? My edge firewall should prevent connections from outside the network, but I still don’t like it.

When Does It Start

After a reboot, I noticed that UNCServer.exe did not start as soon as I logged on. However, it did start when I started Lenovo System Update, and it closed when I exited System Update. With System Update closed, nothing is listening on port 20050, although the firewall exceptions are still there.

So apparently System Update was running when I happened to see UNCServer this morning. Why? In Task Scheduler, TVT > TVSUUpdateTask is scheduled to run monthly on the 4th of the month. That’s a week ago. When I ran it manually, it finished in one second, but it left UNCServer.exe running. Then after a few minutes, I got a balloon notification from Lenovo that updates are available. Sure enough, there’s System Update in the system tray:

Lenovo UNCServer 6

At this point, UNCServer.exe is still running. If I right-click on the red Lenovo icon in the system tray and choose Exit, UNCServer.exe closes.

So if you don’t want UNCServer.exe to start, the (so far untested) options are:

  • Uninstall Lenovo System Update.
  • Disable the task TVT > TVSUUpdateTask. That should prevent Lenovo System Update from running on a schedule and leaving UNCServer.exe running in the background. However, you would still be able to run Lenovo System Update manually.
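
The checks walked through in this post (signature, listening port, firewall exceptions, scheduled task) can be repeated in one read-only pass. This is an added example, not part of the original post or any Lenovo tooling; it assumes Windows 8 / Server 2012 or later, where the NetTCPIP, NetSecurity and ScheduledTasks cmdlets exist, an elevated PowerShell prompt, and that the task folder shown as "TVT" corresponds to the task path `\TVT\`.

```powershell
# Added example: read-only triage of UNCServer.exe.
# The executable path and task name come from the post; the '\TVT\' task path is an assumption.
$exe = 'C:\Program Files (x86)\Lenovo\System Update\UNCServer.exe'

# 1. Authenticode signature: expect Status 'Valid' and a Lenovo signer subject.
$sig = Get-AuthenticodeSignature -FilePath $exe
[pscustomobject]@{
    Status = $sig.Status
    Signer = $sig.SignerCertificate.Subject
}

# 2. TCP listeners owned by any running UNCServer process (the post saw port 20050).
$procs = Get-Process -Name UNCServer -ErrorAction SilentlyContinue
if ($procs) {
    Get-NetTCPConnection -State Listen |
        Where-Object { $procs.Id -contains $_.OwningProcess } |
        Select-Object LocalAddress, LocalPort, OwningProcess
} else {
    'UNCServer.exe is not running, so it holds no listening sockets.'
}

# 3. Firewall rules bound to the executable. These persist even when the
#    process is not running, so review their scope (profile, protocol, ports).
Get-NetFirewallApplicationFilter -Program $exe -ErrorAction SilentlyContinue |
    ForEach-Object {
        $rule = $_ | Get-NetFirewallRule
        $port = $rule | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule      = $rule.DisplayName
            Enabled   = $rule.Enabled
            Direction = $rule.Direction
            Action    = $rule.Action
            Profile   = $rule.Profile
            Protocol  = $port.Protocol
            LocalPort = $port.LocalPort
        }
    }

# 4. State of the scheduled task that launches System Update in the background.
Get-ScheduledTask -TaskPath '\TVT\' -TaskName 'TVSUUpdateTask' -ErrorAction SilentlyContinue |
    Select-Object TaskPath, TaskName, State

# The post's second option, left commented out because it changes system state:
# Disable-ScheduledTask -TaskPath '\TVT\' -TaskName 'TVSUUpdateTask'
```

If step 3 returns nothing, the rules may store the program path in a different form (for example with an environment variable), so compare against the paths shown in the Windows Firewall console.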


9 Comments

  1. David   |  August 13, 2013 at 10:55 pm

    Thanks for thorough analysis and explanation!

  2. Chris   |  February 02, 2014 at 10:54 am

    Yeah, well done!

  3. Bonnie   |  September 13, 2014 at 8:49 am

    Thank you for this! I really appreciate it!!!

  4. Diego   |  November 08, 2014 at 2:21 am

    Beautiful explanation mate. Saved me a lot of hassle.

  5. Brad   |  November 20, 2014 at 8:36 am

    Thank You for this. Like all others have said, I appreciate you taking the time to investigate this and letting the rest of us know.

    Thanks again!

  6. Craig   |  March 23, 2015 at 5:10 am

    Thanks for doing the research. I was alarmed just now to see that something had opened a cmd.exe window saying simply, “Installing drivers…” Task Manager showed it was UNCServer.exe. Since getting updated drivers from Lenovo is probably a good thing, I set my panic level back down to normal and got on with my work.

  7. Joe   |  March 19, 2016 at 7:32 am

    Many thanks again!

  8. Andrew   |  April 11, 2016 at 8:53 am

    Thank you, this really helped!!!

  9. Bob   |  May 02, 2016 at 1:13 pm

    Awesome post! I was also surprised that this was running, and of course stumbled onto this great post with a quick Google search.
