consent.exe


Hi, does anyone know why consent.exe, which is the consent UI for
administrative applications, would want to access the internet? I know the
obvious, that it could be a virus or spyware, but I am running an up-to-date
Windows OneCare and do regular scans and nothing is found. Also my router has
an inbuilt firewall. My Vista Ultimate is fully up to date. There are no
rogue programs in Task Manager or in the registry. ShieldsUP shows my system
as full stealth. I therefore think it's the operating system that's doing it,
but why?
 
Because every darn thing in Vista thinks it needs to talk to someone?

Since installing ZoneAlarm, I'm amazed at all the processes that want to
talk to my router, DNS, want to "multicast" to who knows where, and, in a
few cases, actually call somewhere out on the 'net.

What does disk defragmenter, for example, have any damn reason to talk to
anyone? Just defragment, for cryin' out loud.
(Sorry, end of rant.)

I've not seen consent.exe yet come up. Are you operating as a Standard User
or as an Administrator?

Val
 
I am operating as an administrator. I have it blocked in the OneCare firewall and
it does not seem to affect operations, but it would be nice to know why it
needs to access the internet. Anyone at Microsoft got an answer?
 
malcp said:
Hi, does anyone know why consent.exe, which is the consent UI for
administrative applications, would want to access the internet? I know the
obvious, that it could be a virus or spyware, but I am running an up-to-date
Windows OneCare and do regular scans and nothing is found. Also my router has
an inbuilt firewall. My Vista Ultimate is fully up to date. There are no
rogue programs in Task Manager or in the registry. ShieldsUP shows my system
as full stealth. I therefore think it's the operating system that's doing it,
but why?


It -looks- like it's an MS exe. Claims it's a "Consent UI for administrative
applications." I don't know... maybe it's part of UAC. Why it accesses the
internet? Dunno. Seems like everything wants to access the internet these
days. ;-)

Lang
 
v0ids0ul said:
Why oh why would "consent.exe be connecting to 64.18.25.38?" This
address resolves to:
OrgName: Baltimore Technologies



Sounds dodgy. Don't give consent.exe consent.
 
With the obvious caveats about its level of authority, according to
Wikipedia "Baltimore Technologies" was at one time in the business of
selling PKI certificates but sold that business to Betrusted in 2003.

ARIN maps that IP address to Baltimore Technologies (as the OP stated), but
the nameservers for that domain are shown as NS3.US.BETRUSTED.NET and
NS4.US.BETRUSTED.NET, which support the info from Wikipedia.

Betrusted in turn is now Cybertrust; the base Vista distribution includes a
root certificate issued by Cybertrust. Interestingly, there is a root
certificate that's part of the standard Windows XP distribution from
Cybertrust, which (unusual for a root certificate) includes a CRL link --
and that CRL link ("www2.public-trust.com") maps to 64.18.25.45, which is
also registered to Baltimore Technologies.

My guess is that the OP is running an application whose executables are
signed by a certificate issued by Betrusted, Cybertrust, or one of their
relatives, and that the system is attempting to validate that certificate.
Recall that the text (and colors) used in a UAC challenge window are
different depending on whether the requesting executable is or is not
validly signed.

So...the request is probably legitimate, but refusing to approve the request
for external access is probably harmless.

Joe Morris
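
To see which revocation endpoints a signed executable's certificate chain points at, as described in the post above, this added example (not part of the original thread) lists the CRL and AIA URLs embedded in each certificate of the chain. The default value of `$Path` is a placeholder, and the script assumes the file carries an embedded Authenticode signature.

```powershell
# Added example: list the revocation-related URLs embedded in the
# certificate chain of a signed file. $Path is a placeholder; point it at
# the executable that triggered the UAC prompt.
param([string]$Path = "C:\path\to\signed-application.exe")

$sig = Get-AuthenticodeSignature -FilePath $Path
if ($null -eq $sig.SignerCertificate) {
    Write-Output "No signer certificate found (status: $($sig.Status))."
    return
}

# Build the chain with revocation checking off, so that this script
# itself does not contact any CRL or OCSP server.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
[void]$chain.Build($sig.SignerCertificate)

# 2.5.29.31         = CRL Distribution Points
# 1.3.6.1.5.5.7.1.1 = Authority Information Access (OCSP, CA issuers)
$oids = @{ '2.5.29.31' = 'CRL'; '1.3.6.1.5.5.7.1.1' = 'AIA' }

foreach ($element in $chain.ChainElements) {
    $cert = $element.Certificate
    Write-Output "Subject: $($cert.Subject)"
    $found = $false
    foreach ($ext in $cert.Extensions) {
        if (-not $oids.ContainsKey($ext.Oid.Value)) { continue }
        # Format() decodes the ASN.1 extension to text; extract the URLs.
        $urls = [regex]::Matches($ext.Format($true), 'https?://[^\s)]+')
        foreach ($u in $urls) {
            Write-Output "  $($oids[$ext.Oid.Value]): $($u.Value)"
            $found = $true
        }
    }
    if (-not $found) { Write-Output "  (no CRL or AIA URLs in this certificate)" }
}
```

Resolving the listed host names and comparing them with the address the firewall reported shows whether the connection is consistent with certificate validation.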
 
Interesting research. Cybertrust subsequently also bought by Verizon
Business.


Verizon Business acquires Cybertrust
http://www.networkworld.com/news/2007/051407-verizon-business-acquires-cybertrust.html

I can spot a "GTE CyberTrust Global Root" certificate in my store which
supposedly

Protects e-mail messages
Proves your identity to a remote computer
Ensures the identity of a remote computer
Ensures software came from software publisher
Protects software from alteration after publication
All issuance policies

but I tend to work on the principle that if things work fine without these
mysterious connections to information-gathering government-connected
organizations, then there's no real need for them.
 
Karl Snooks said:
For example,
the DOS command CD %windir% will change the directory to C:\windows
(assuming that you installed onto C)

I was hoping that someone would confirm the file size for me.

Malware is perfectly capable of replacing files in the system32
directory.

karl

Mine is 80KB, file version 6.0.6001.1800
HTH
rgds
Roberto
 
If it gains write access to a protected system folder it's trivial for
malware to substitute its own file for a legitimate one, with the "correct"
folder, filename, version information, date stamps, and size. It's not so
easy (although not completely impossible) to make the bogus file produce the
same crypto hash as the real one.

There are numerous hash generators available on the Internet; Microsoft
offers one that can be found at:

http://support.microsoft.com/kb/841290

It's a command-line tool. I pulled consent.exe from both SP0 and SP1;
here's what the tool calculated using the commands below (the files are
slightly renamed):

For SP0: date is 11/2/2006; size is 81,920; version is 6.0.6000.16386

fciv consent-sp0.exe -both

MD5                              SHA-1
-------------------------------------------------------------------------
425de986081eb4ed5b58c12ead23c03f cdd5deb5c0420a1a29ba7673191de7599eb9b623


For SP1: date is 1/18/2008; size is 81,920; version is 6.0.6001.18000

fciv consent-sp1.exe -both

MD5                              SHA-1
-------------------------------------------------------------------------
2cb2ebf09b7f7d84d1a733db43449c72 db44766ef1f42380d5b83c94209105affaec56dd


With the -both switch two different hashes (MD5 and SHA-1) are calculated.
If you run the tool against the copy of consent.exe on your system it should
exactly match both of the above hashes for the appropriate version of the
file.

Joe Morris
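
The same comparison can be scripted. This added example (not part of the original post, and not Microsoft's fciv tool) hashes the local consent.exe and checks it against the two MD5/SHA-1 pairs quoted above; it assumes a PowerShell version that provides `Get-FileHash` (4.0 or later).

```powershell
# Added example: compare a local consent.exe against the MD5/SHA-1 pairs
# posted above for Vista SP0 and SP1.
param([string]$Path = "$env:windir\System32\consent.exe")

# Reference values copied from the post above.
$known = @(
    @{ Build = 'SP0 (6.0.6000.16386)'
       MD5   = '425de986081eb4ed5b58c12ead23c03f'
       SHA1  = 'cdd5deb5c0420a1a29ba7673191de7599eb9b623' },
    @{ Build = 'SP1 (6.0.6001.18000)'
       MD5   = '2cb2ebf09b7f7d84d1a733db43449c72'
       SHA1  = 'db44766ef1f42380d5b83c94209105affaec56dd' }
)

$file = Get-Item -LiteralPath $Path
$md5  = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash
$sha1 = (Get-FileHash -LiteralPath $Path -Algorithm SHA1).Hash

Write-Output "File:    $($file.FullName)"
Write-Output "Size:    $($file.Length) bytes"
Write-Output "Version: $($file.VersionInfo.FileVersion)"
Write-Output "MD5:     $md5"
Write-Output "SHA-1:   $sha1"

# Both hashes must match the same entry; -eq ignores case for strings.
$match = $known | Where-Object { $_.MD5 -eq $md5 -and $_.SHA1 -eq $sha1 }

if ($match) {
    Write-Output "Result:  matches the posted hashes for $($match.Build)"
} else {
    # Size and version strings are easy to copy, so they prove nothing
    # on their own. A mismatch here means only that the file is not one
    # of the two builds listed above; it may be a different patch level.
    Write-Output "Result:  matches neither posted build; compare against a known-good copy of the same version"
}
```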
 
vistadrone1 said:
No, this is a new process, I track, after year and a half, never seen
before.

vistadrone1

This is your third post with no quoting of what you're replying to and
no details why you are posting.

You are surely posting to an old thread that none of us can see,
because we don't use the service you are using to access these
newsgroups.

Please start a completely new thread.
 