Winver.exe


Saundra Balock

Jul 31, 2024, 2:19:21 AM7/31/24
to lastaiproval

The genuine winver.exe file is a software component of Microsoft Windows by Microsoft.
Windows is a range of operating systems developed by Microsoft. Version Reporter Applet is a component of Windows, and is tasked with reporting the version of Windows on PCs. Winver.exe is the file that runs the Version Reporter Applet, and does not cause any harm to your PC.

Windows, released in 1985, represents a series of graphical operating systems developed by Microsoft. It is available in over 100 languages and several versions, with the latest being Windows 10 for PCs, tablets, smartphones and embedded devices, and Windows Server 2016 for server computers. Version Reporter Applet is a Windows utility that tells users the version and edition of Windows they are using.

Established in 1975, the Microsoft Corporation headquartered in Redmond, Washington is a leading American technology company that develops, sells and supports computer software, personal computers and consumer electronics. The company is noted for several innovative products including the Windows range of operating systems, Microsoft Office Suite and Xbox video game consoles.

The .exe extension on a filename indicates an executable file. Executable files may, in some cases, harm your computer. Therefore, please read below to decide for yourself whether the winver.exe on your computer is a Trojan that you should remove, or whether it is a file belonging to the Windows operating system or to a trusted application.

Important: Some malware also uses the file name winver.exe, for example Artemis!221C5310D1CD (detected by McAfee), and Generic PUA BL (PUA) (detected by Sophos). Therefore, you should check the winver.exe process on your PC to see if it is a threat. If Microsoft Windows Status Protocol has changed your browser's search engine and start page, you can recover your browser's default settings as follows:

A clean and tidy computer is the key requirement for avoiding problems with winver. This means running a scan for malware, cleaning your hard drive using cleanmgr and sfc /scannow, uninstalling programs that you no longer need, checking for Autostart programs (using msconfig) and enabling Windows' Automatic Update. Always remember to perform periodic backups, or at least to set restore points.

Should you experience an actual problem, try to recall the last thing you did, or the last thing you installed before the problem appeared for the first time. Use the resmon command to identify the processes that are causing your problem. Even for serious problems, rather than reinstalling Windows, you are better off repairing your installation or, for Windows 8 and later versions, executing the DISM.exe /Online /Cleanup-image /Restorehealth command. This allows you to repair the operating system without losing data.

To help you analyze the winver.exe process on your computer, the following programs have proven to be helpful: Security Task Manager displays all running Windows tasks, including embedded hidden processes, such as keyboard and browser monitoring or Autostart entries. A unique security risk rating indicates the likelihood of the process being potential spyware, malware or a Trojan. Malwarebytes Anti-Malware detects and removes sleeping spyware, adware, Trojans, keyloggers, malware and trackers from your hard drive.


I'm using the CMD quite often and after Windows Updates I usually check with the Winver command what version I'm now on. Interestingly, I can't execute this command anymore when I start a new CMD instance with Win.Key + R because it tells me there is no such command. When I open up an admin CMD everything works fine. This issue also applies to the PowerShell. I've checked on some Windows 10 virtual machines and some other Windows 10 PCs to see if it has been a general change, but it seems the problem just affects my PC.

From there you should be able to see where the winver.exe is located. On my machine, it's in C:\Windows\System32 but it might be different for you. It's likely that the non-admin level command prompt is not using the same path as the admin-level one.

Check your path for both scenarios. Copy the winver.exe to a folder in the non-admin's path. You might want to actually try to run the winver.exe from the non-admin command prompt manually first to make sure it's not a permissions issue instead, but I would think that you would have gotten a different message had that been the case.

Host Name: MYCOMPUTERNAME
OS Name: Microsoft Windows 7 Enterprise
OS Version: 6.1.7601 Service Pack 1 Build 7601
OS Manufacturer: Microsoft Corporation
OS Configuration: Member Workstation
OS Build Type: Multiprocessor Free
BIOS Version: Dell Inc. A08, 10/18/2011
[04]: Microsoft Virtual WiFi Miniport Adapter

A handy but ill-documented feature in most versions of Windows is that pressing Ctrl-c while the focus is on a dialog will copy the text in the dialog. I'm not sure whether it works with the dialog produced by winver.exe, but I would be surprised if it didn't; try hitting Ctrl-c in that dialog and then Ctrl-v in a Notepad window, and see what you get.

winver, short for Windows Version, is a utility included in most versions of Microsoft Windows used to obtain information about the operating system version. Depending on the Windows version, the tool is also referred to as Windows-version utility or Version Reporter Applet in its file version information on DOS-based Windows and Windows NT, respectively.

It was first introduced in Windows 3.0, where it was implemented as a simple message box with the Windows logo, major and minor version number, copyright notice and information about the currently active mode of operation. The tool also includes a custom MS-DOS executable stub that prints the version information onto the screen. It was kept virtually unchanged throughout the classic Windows series, with Windows 3.1 only changing the logo, and Windows 95 reducing the version information to the operating system name.

On NT-based Windows versions, the utility has been included since Windows NT 3.1, where it was implemented similarly to its 16-bit counterpart as a simple box with the Windows logo, version and build numbers and a copyright notice. However, starting with Windows NT 3.5, it merely calls the ShellAbout API function to display a standard about box, which aside from the version and copyright notices also contains information about the computer and the registered owner. With the introduction of the timebomb during the development of Windows 2000, winver was updated to query information about the timebomb and, if present, display it in the about box.

On Windows versions that don't include a standalone winver.exe executable, such as Windows Server Core or the Windows Preinstallation Environment, the dialog can be invoked using the rundll32 shell32,ShellAbout command. However, when invoked this way, the dialog won't include timebomb information, as that functionality is exclusive to the applet. The dialog caption will also show garbled characters when invoked this way, because the arguments rundll32 passes to the function differ from the actual signature of ShellAbout.

I made the registry tweak some time ago to display the Windows 10 version on my desktop. A few days ago I updated to Windows 10 version 1909, expecting the version displayed on my desktop to reflect the update upon next startup. However, several starts later it is still showing version 1903. I ran winver.exe to check that that update was successful, and that showed I am running version 1909. Does the winver app pull the version information from a different location than the registry tweak? If not, I cannot understand why the desktop screen still shows version 1903. I have included a screenshot showing both the winver info and the desktop display info.

Tinba performs code injections on running processes to hide itself and achieve persistence. In 2014 the source code for Tinba leaked on an underground cybercrime forum, giving threat actors worldwide access to this powerful malware.

Tinba also monitors user activity in the active window by calling GetForegroundWindow. Such API calls allow the malware to judge whether the platform is an analysis environment such as a sandbox or debugger.

When Tinba executes it creates another process of itself. This second process launches a legitimate Windows application called winver.exe and injects the malicious code into it. Winver.exe is the standard program for displaying Windows version information.

The injected code checks for the presence of explorer.exe by finding the window with the Shell_TrayWnd class name. If found, the malware attempts to inject secondary code into explorer.exe. The secondary code in turn injects the main Tinba code into all active processes. When successful, this attack results in ten or more injected processes running Tinba in their threads (see Figure 2).

The random string is eight alphanumeric characters ([0-9A-Z]{8} as a regular expression) that are unique to each infected machine. Bin.exe is the polymorphic version of Tinba, which means the file hash differs for each infection. The malware also creates directories using the random string and then sets the hidden attribute on them.

Some variants of Tinba use DGA (Domain Generation Algorithm) domains. This process uses a hardcoded domain as the seed to generate short-lived DGA domains which obfuscate C2 communications. Tinba also uses Fast Flux domains, where the allocated IP addresses change frequently. In the above case, the server was not available at the time of our investigation because it had been taken down.

The infected explorer.exe seeks out Internet Explorer and Firefox so Tinba can use Man-in-the-Browser (MitB) attacks to steal bank account information. Tinba targets accounts related to financial institutions, Google, Facebook, and Microsoft. Malicious code injected into the browser will monitor credential information as it is entered into login pages or steal it from the browser cache. Tinba encrypts stolen data with the RC4 algorithm and sends it to the C2 server.
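As an added example (not part of the original post or any of the quoted sources), the PowerShell check below ties together three points made above: the PATH resolution difference between admin and non-admin prompts, the malware that reuses the winver.exe file name, and the injection of Tinba into a genuine winver.exe process. It assumes Windows PowerShell 5.1 or later and that the genuine file lives under %SystemRoot%\System32.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell 5.1+
# and that the genuine winver.exe lives under %SystemRoot%\System32.
$expected = Join-Path $env:SystemRoot 'System32\winver.exe'

# 1. Which winver.exe does the current session's PATH resolve to? The admin
#    vs. non-admin difference described in the post shows up here.
$resolved = Get-Command winver.exe -ErrorAction SilentlyContinue
if (-not $resolved) {
    Write-Output "winver.exe is not on PATH for this session (System32 may be missing from PATH)."
} elseif ($resolved.Source -ne $expected) {
    Write-Output "WARNING: PATH resolves winver.exe to $($resolved.Source), not $expected"
} else {
    Write-Output "PATH resolves winver.exe to the expected System32 copy."
}

# 2. Is the System32 copy Microsoft-signed? A lookalike using the same file
#    name fails this. Windows system binaries are usually catalog-signed;
#    on old releases the cmdlet may report NotSigned for catalog-signed files.
$sig = Get-AuthenticodeSignature -FilePath $expected
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
    Write-Output "WARNING: signature status '$($sig.Status)' for $expected"
} else {
    Write-Output "Signature valid: $($sig.SignerCertificate.Subject)"
}

# 3. Running winver.exe instances. A genuine one is started interactively
#    (parent is normally explorer.exe or a console shell) and exits as soon as
#    the dialog is closed. A long-lived instance, an image path outside
#    System32, or a parent that is itself an unknown executable is consistent
#    with the injection behaviour described above and worth triage.
Get-CimInstance Win32_Process -Filter "Name = 'winver.exe'" | ForEach-Object {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
    [pscustomobject]@{
        PID        = $_.ProcessId
        Path       = $_.ExecutablePath
        PathOK     = ($_.ExecutablePath -eq $expected)
        ParentPID  = $_.ParentProcessId
        Parent     = if ($parent) { $parent.Name } else { '<exited>' }
        StartedUtc = $_.CreationDate.ToUniversalTime()
    }
}
```

Run it once from a normal prompt and once from an elevated one to compare the PATH result; the process table is only populated while a winver.exe instance is actually running.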
