Mark Berry June 11, 2013
I had a moment of panic this morning when I discovered UNCServer.exe running on my Windows 7 workstation. I thought it was a VNC server, which could allow external control of my PC. Do I have a virus? I immediately unplugged my network cable and started researching.
I first noticed this when using Alt+Tab to flip through applications. UNCServer is listed as an application, although selecting it does not open a window:
Task Manager shows the program and path:
C:\Program Files (x86)\Lenovo\System Update\UNCServer.exe
Probably Not a Virus
The article and post also point out that the program opens firewall ports. The program grants itself access on all TCP and UDP ports for both the Domain and Public profiles:
So it’s from Lenovo, and others see the same thing, so it’s probably not a virus. I still wondered what it does.
Probably Not VNC
Task Manager says it’s running as PID 9996. Checking for listening ports, we see that PID 9996 is listening on port 20050:
Next I tried a Raw connection from PuTTY to port 20050. I had to turn on logging to capture the message that flashed across the screen: “Server encountered an internal error. To get more info turn on customErrors in the server’s config file.” That would seem to refer to the UNCServer.exe.config file in C:\Program Files (x86)\Lenovo\System Update. That looks like a .NET config file, and in fact it contains references to what appear to be .NET versions. I did not try adding a customErrors line.
I opened UNCServer.exe in IL DASM, part of the .NET framework SDK. Sure enough, it’s a .NET executable:
At first glance at the procedure names, UNCServer.exe seems to be mostly about transferring files, not about remote control. So why does it need open ports on the inbound firewall? Is it supposed to allow an external program to connect to my computer to transfer files? My edge firewall should prevent connections from outside the network, but I still don’t like it.
When Does It Start
After a reboot, I noticed that UNCServer.exe did not start as soon as I logged on. However, it did start when I started Lenovo System Update, and it closed when I exited System Update. With System Update closed, nothing is listening on port 20050, although the firewall exceptions are still there.
So apparently System Update was running when I happened to see UNCServer this morning. Why? In Task Scheduler, TVT > TVSUUpdateTask is scheduled to run monthly on the 4th of the month. That’s a week ago. When I ran it manually, it finished in one second, but it left UNCServer.exe running. Then after a few minutes, I got a balloon notification from Lenovo that updates are available. Sure enough, there’s System Update in the system tray:
At this point, UNCServer.exe is still running. If I right-click on the red Lenovo icon in the system tray and choose Exit, UNCServer.exe closes.
So if you don’t want UNCServer.exe to start, the (so far untested) options are:
- Uninstall Lenovo System Update.
- Disable the task TVT > TVSUUpdateTask. That should prevent Lenovo System Update from running on a schedule and leaving UNCServer.exe running in the background. However, you would still be able to run Lenovo System Update manually.
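The manual checks in this post (PID to listening port, firewall exceptions for the program, and the state of the scheduled task) can be gathered in one pass. The script below is an added example, not part of the original post and not Lenovo's code. It assumes Windows 10 or later, where the NetTCPIP, NetSecurity and ScheduledTasks modules are available, and it assumes the task folder shown as "TVT" corresponds to the task path `\TVT\`. On Windows 7 the equivalent data comes from `netstat -ano` and `netsh advfirewall`.

```powershell
# Added example: audit UNCServer.exe the way the post does by hand.
# Run from an elevated PowerShell prompt so every PID and rule is visible.
$procName = 'UNCServer'          # process name from the post (without .exe)
$progGlob = '*UNCServer.exe'     # wildcard, because rules may store the path with %variables%
$taskPath = '\TVT\'              # assumption: "TVT > TVSUUpdateTask" lives in this folder
$taskName = 'TVSUUpdateTask'     # task name from the post

# 1. Is the process running, and on which TCP ports is it listening?
$procs = @(Get-Process -Name $procName -ErrorAction SilentlyContinue)
if ($procs.Count -eq 0) {
    Write-Output "$procName.exe is not running."
}
foreach ($p in $procs) {
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.OwningProcess -eq $p.Id } |
        Select-Object @{n='PID'; e={$p.Id}}, @{n='Path'; e={$p.Path}}, LocalAddress, LocalPort
}

# 2. Which firewall rules name this program, and how broad are they?
#    The post found allow rules covering all TCP and UDP ports; those stay in
#    place even when nothing is listening, so list them regardless of step 1.
$rules = Get-NetFirewallApplicationFilter -Program $progGlob -ErrorAction SilentlyContinue |
    Get-NetFirewallRule
foreach ($r in $rules) {
    $pf = $r | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule      = $r.DisplayName
        Enabled   = $r.Enabled
        Direction = $r.Direction
        Action    = $r.Action
        Profile   = $r.Profile
        Protocol  = $pf.Protocol
        LocalPort = ($pf.LocalPort -join ',')
    }
}

# 3. Is the scheduled task that launches System Update still enabled?
Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName -ErrorAction SilentlyContinue |
    Select-Object TaskPath, TaskName, State

# The second option from the list above, left commented out so the script stays read-only:
# Disable-ScheduledTask -TaskPath $taskPath -TaskName $taskName
```

A rule that shows `Enabled: True`, `Direction: Inbound`, `Action: Allow` and `LocalPort: Any` while step 1 reports no listener is the leftover exception described in the post.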