Question Task Manager- Service Host: User Manager ?

[The Guy From The Thing]

Combing through Windows 10 Task Manager I found Service Host: User Manager. According to Services, it provides runtime components needed for multi-user interaction. Other than that, I literally cannot find anything on Google Search because it thinks I want to learn about Task Manager generally.

I'm essentially asking if this is a legitimate process? I'm the only user on the PC. the launch type in Services, which I never change, is set to Automatic (Trigger Start) and opening file location does indeed seem to send me to the svchost.exe file in System32 folder


it uses 0% CPU from what I'm seeing + 2.3mb of Memory (my System32 folder is 7.2gb on disk, idk if that's really relevant here but thought I'd add)

 

[Ralston18]

Legitimate.

Service Host: User Manager is also running on my system.

Even if there is only "one" user that is indeed a user and must be managed.

And remember that Windows has built in user accounts as well.

Open the Command Prompt and type "net user" (without the quotes).

Another tool that you may be interested in is Process Explorer (Microsoft, free).

https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer

 

[Colif]

You may be the only human user but windows runs other system users to perform the tasks you ask the PC to run.

Look in details tab of task manager and you soon notice that there is more than just your username listed.
I have
DWM1 - Desktop Windows Manager - sits between GPU & all applications
SYSTEM - Is used to do most of actions of PC
Local Service (Multiple) - Every service has its own host. These are the environment they run in
Network Service
UMFD 0 & 1 - Universal font Driver


An application is a program which you interact with on the desktop.
A process is an instance of a executable (.exe program file) running.
A service is a process which runs in the background and does not interact with the desktop.

In Windows, services almost always run as an instance of the svchost.exe process, the windows service host process; however there are sometimes exceptions to this.

Sometimes, processes may run in the background without interacting with the desktop, but without being installed as a service. Antivirus programs usually employ a service so they can continue running even when the user is not logged in.

Processes usually exit when an application is closed, however this is not always the case. Some programs, particularly download and backup programs, may continue to run in the background without displaying any windows. Antivirus is also an example of this - in addition to using a service, many antivirus applications run a process silently in the background which only displays an application to the user when action is required

 

[The Guy From The Thing]

Legitimate.

Service Host: User Manager is also running on my system.

Even if there is only "one" user that is indeed a user and must be managed.

And remember that Windows has built in user accounts as well.

Open the Command Prompt and type "net user" (without the quotes).

Another tool that you may be interested in is Process Explorer (Microsoft, free).

https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer

You may be the only human user but windows runs other system users to perform the tasks you ask the PC to run.

Look in details tab of task manager and you soon notice that there is more than just your username listed.
I have
DWM1 - Desktop Windows Manager - sits between GPU & all applications
SYSTEM - Is used to do most of actions of PC
Local Service (Multiple) - Every service has its own host. These are the environment they run in
Network Service
UMFD 0 & 1 - Universal font Driver


An application is a program which you interact with on the desktop.
A process is an instance of a executable (.exe program file) running.
A service is a process which runs in the background and does not interact with the desktop.

In Windows, services almost always run as an instance of the svchost.exe process, the windows service host process; however there are sometimes exceptions to this.

Sometimes, processes may run in the background without interacting with the desktop, but without being installed as a service. Antivirus programs usually employ a service so they can continue running even when the user is not logged in.

Processes usually exit when an application is closed, however this is not always the case. Some programs, particularly download and backup programs, may continue to run in the background without displaying any windows. Antivirus is also an example of this - in addition to using a service, many antivirus applications run a process silently in the background which only displays an application to the user when action is required

ah gotcha, thanks both. also kind of unrelated, but do either of you have any information on what "Event ID: 5379 Credential Manager Credentials were read" truly means?


seems like there's generally not a lot of information about it online, other than the Microsoft description that states "occurs when a user performs a read operation on stored credentials in Windows Credential Manager (WCM)."

every couple of minutes, ranging from 4-10min, I'll get a fair amount of these events in the Security log of Event Viewer, even when not necessarily accessing any specific app. Event ID 4798 ("A user's local group membership was enumerated") does the same thing. not necessarily at the same time, but every so often


is this like a 'routine' event that tends to fill the Security log in Event Viewer? attached an example of Event 5379

https://imgur.com/a/ikNKTCl

View: https://imgur.com/a/ikNKTCl



not really sure I need to cross out all the stuff I did, but eh

 

[Colif]

Are you having any problems?

In other words, why are you looking in event viewer? Most of the time you can ignore it, as the events are one offs and may not happen the very next time it tries.

Event 5379: This event occurs when a user performs a read operation on stored credentials in Credential Manager.

https://answers.microsoft.com/en-us...-special/ae2f007f-4e19-4d60-9f3d-0d8ed0e9cf33 << this might help.

 

[The Guy From The Thing]

Are you having any problems?

In other words, why are you looking in event viewer? Most of the time you can ignore it, as the events are one offs and may not happen the very next time it tries.

Event 5379: This event occurs when a user performs a read operation on stored credentials in Credential Manager.

https://answers.microsoft.com/en-us...-special/ae2f007f-4e19-4d60-9f3d-0d8ed0e9cf33 << this might help.

not "one off" because as described, it happens frequently. but no atm, I don't believe there's problems. just a scare from earlier; I was trying to see what UAC value changes were and I clicked a website called Menasec (specifically it was called blog.menasec.net threat-hunting)


the website took a bit longer to direct me from the initial search than I'm used to, and idk if it was just the layout of the website but the first thing I saw was 3 big options which had a very 'pop-up' look to it, so I closed the tab as soon as I could.

I grabbed the link again (without going onto the site) and put it through VirusTotal, where it said there was nothing flagged by the vendors. I haven't used HybridAnalysis because I can't right now and I haven't really had much experience with it

 

[SkyNetRising]

is this like a 'routine' event that tends to fill the Security log in Event Viewer? attached an example of Event 5379
not really sure I need to cross out all the stuff I did, but eh

Do you actually have some issue, you're trying to solve?
Or just asking because of curiosity?

None of those questions should be concerning to an average pc user.

 

[The Guy From The Thing]

Do you actually have some issue, you're trying to solve?
Or just asking because of curiosity?

None of those questions should be concerning to an average pc user.

context provided in the other reply;


I don't believe there's problems. just a scare from earlier; I was trying to see what UAC value changes were and I clicked a website called Menasec (specifically it was called blog.menasec.net threat-hunting)

the website took a bit longer to direct me from the initial search than I'm used to, and idk if it was just the layout of the website but the first thing I saw was 3 big options which had a very 'pop-up' look to it, so I closed the tab as soon as I could.

I grabbed the link again (without going onto the site) and put it through VirusTotal, where it said there was nothing flagged by the vendors. I haven't used HybridAnalysis because I can't right now and I haven't really had much experience with it.

have run MalwareBytes (Normal and Rootkit Scans) and Windows Defender Full Scans out of anxiety and they detected nothing overall

 

[Colif]

that website is blocked by UBlock Origin but I cannot tell why, could be advertising related. might be malware

You could use something like Malwarebytes and see if it finds anything

Windows Event ID 5379 to Detect Malicious Password-Protected File unlock - Security Investigation

Attacks by malware are continuously growing. These malicious files use high-obfuscation algorithms to hide from traditional anti-malware detection solutions, and unfortunately, the threat actors are becoming more and more successful. One technique that has seen a positive track record for...

www.socinvestigation.com

 

[The Guy From The Thing]

that website is blocked by UBlock Origin but I cannot tell why, could be advertising related. might be malware

You could use something like Malwarebytes and see if it finds anything

Windows Event ID 5379 to Detect Malicious Password-Protected File unlock - Security Investigation

Attacks by malware are continuously growing. These malicious files use high-obfuscation algorithms to hide from traditional anti-malware detection solutions, and unfortunately, the threat actors are becoming more and more successful. One technique that has seen a positive track record for...

www.socinvestigation.com

so I could be infected now just because I went to the website? I didn't click anything within the actual site

 

[Colif]

i would check Malwarebytes anyway as some sites can download things just by you visiting them.

 

[The Guy From The Thing]

i would check Malwarebytes anyway as some sites can download things just by you visiting them.

idk if I mentioned in relation to visiting the website but yeah, I've run MalwareBytes and Windows Defender, both in Full scan, and I've run MalwareBytes for Rootkits too. did several tests yesterday and have done a few more today, they've detected nothing

 

[Colif]

No problem then, I was just making sure