I just had this same alert happen on our build server. This system has a copy of svchost.exe in:
C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_b591afc466a15356

So something caused Windows to install a side-by-side copy. The actual exe is the same version, binary compare turns up no differences, and that is the only file present in the above directory.

I searched the registry for any references to that path, and found the following:

HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_b591afc466a15356

I believe that is a legit winsxs registry value.

It would be nice if this alert included the PID of the process; that might help narrow down the cause. When I got into the server and started looking I found 12 svchost.exe processes running; several dropped off while I was looking, so I couldn't get any more details at that time.
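
Added example, not part of the original message: one way to capture the PID, parent, image path and hash of every running svchost.exe in a single pass, so short-lived instances are recorded before they exit. It assumes PowerShell 4.0 or later and an elevated prompt; the output property names are chosen here for illustration.

```powershell
# Added example. Assumes PowerShell 4.0+ (Get-CimInstance, Get-FileHash) and an
# elevated prompt; without elevation ExecutablePath can be empty for some processes.

# Reference image: the copy the OS normally starts services from.
$reference = Join-Path $env:SystemRoot 'System32\svchost.exe'
$refHash   = (Get-FileHash -LiteralPath $reference -Algorithm SHA256).Hash

$snapshot = Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" |
    ForEach-Object {
        $path    = $_.ExecutablePath
        $hash    = $null
        $matches = $null

        # Hash the image each process was actually started from, if we can see it.
        if ($path -and (Test-Path -LiteralPath $path)) {
            $hash    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $matches = ($hash -eq $refHash)
        }

        [pscustomobject]@{
            ProcessId     = $_.ProcessId
            ParentId      = $_.ParentProcessId
            Started       = $_.CreationDate
            ImagePath     = $path
            InSystem32    = ($path -eq $reference)   # -eq is case-insensitive
            MatchesSystem = $matches                 # $null means path not readable
            Sha256        = $hash
            CommandLine   = $_.CommandLine
        }
    }

# Instances running from somewhere other than System32 sort to the top.
$snapshot | Sort-Object InSystem32, ProcessId |
    Format-Table ProcessId, ParentId, Started, InSystem32, MatchesSystem, ImagePath -AutoSize -Wrap

# Keep the full record (hashes, command lines) for later comparison.
$snapshot | Export-Csv -Path ".\svchost-snapshot.csv" -NoTypeInformation
```

The CommandLine column shows the `-k` service group for each instance, which helps tie a PID back to the services it hosts.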