repmgr.exe showing childproc wsl.exe

Article ID: 403475

Updated On:

Products

  • Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

EDR tools show repmgr.exe with a child process (childproc) of wsl.exe, launched with the command line:

C:\WINDOWS\system32\wsl.exe --update --confirm --prompt-before-exit

Environment

  • Carbon Black Cloud Sensor: Versions 3.7.0 - 4.0.3
  • Microsoft Windows: All Supported Versions

Cause

The Carbon Black Cloud sensor periodically checks if WSL is enabled on the system. During this check, repmgr calls WslGetDistributionConfiguration. A call to WslGetDistributionConfiguration starts a new thread, which executes "C:\WINDOWS\system32\wsl.exe --update --confirm --prompt-before-exit".
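
The following triage check is an added example, not Carbon Black code: it labels a process event as the sensor's WSL check only when the parent, child image, arguments and sensor version all match what this article describes, and sends everything else to review. The event field names, the four-part version strings and the sample events are assumptions constructed for illustration.

```python
import shlex

# Values taken from the article; the event field names below are hypothetical.
EXPECTED_IMAGE = r"c:\windows\system32\wsl.exe"
EXPECTED_ARGS = ["--update", "--confirm", "--prompt-before-exit"]
AFFECTED_MIN, AFFECTED_MAX = (3, 7, 0), (4, 0, 3)

def is_sensor_wsl_check(event):
    """True only if parent, child image, arguments and sensor version all match."""
    try:
        # Compare major.minor.patch only, so a trailing build number is ignored
        # (a four-part version string is an assumption about the export format).
        version = tuple(int(p) for p in event["sensor_version"].split(".")[:3])
        # posix=False keeps Windows backslashes intact while splitting on spaces.
        argv = shlex.split(event["child_cmdline"], posix=False)
    except (KeyError, ValueError, AttributeError):
        return False  # missing or malformed data is never auto-classified
    return (
        len(version) == 3
        and bool(argv)
        and event.get("parent_name", "").lower() == "repmgr.exe"
        and argv[0].strip('"').lower() == EXPECTED_IMAGE
        and [a.lower() for a in argv[1:]] == EXPECTED_ARGS
        and AFFECTED_MIN <= version <= AFFECTED_MAX
    )

CMD = r"C:\WINDOWS\system32\wsl.exe --update --confirm --prompt-before-exit"
# Constructed sample events, not taken from a real console export.
SAMPLE_EVENTS = [
    {"parent_name": "repmgr.exe", "child_cmdline": CMD, "sensor_version": "3.8.0.100"},
    {"parent_name": "repmgr.exe", "child_cmdline": CMD, "sensor_version": "4.1.0.100"},
    {"parent_name": "explorer.exe", "child_cmdline": CMD, "sensor_version": "3.8.0.100"},
    {"parent_name": "repmgr.exe", "sensor_version": "3.8.0.100",
     "child_cmdline": r"C:\WINDOWS\system32\wsl.exe --status"},
]

def triage(events):
    """Label each event; anything that is not an exact match goes to review."""
    return ["known sensor behaviour" if is_sensor_wsl_check(e) else "review" for e in events]

if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(f"{verdict:24} {event['parent_name']} -> {event['child_cmdline']}")
```

Matching on every attribute keeps the exception narrow: a wsl.exe child with other arguments, another parent, or a sensor outside versions 3.7.0 - 4.0.3 still reaches an analyst.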

Resolution

This behavior is going to be changed in the upcoming 4.1 sensor release.