- why is mc-wps-secdashboardservice.exe in the HP Support Fram...

12-01-2024 12:28 AM
Hello,
I studied 800 disparate Windows 7, 8, 10, 11 computers, some of which were HP computers (perhaps typically with a trial version of McAfee and certainly with HP Support Framework).
Some eventually properly had removed McAfee (such as with the MCPR tool). However, on one computer I observed that every few days starting perhaps two months ago, an mc-wps-secdashboardservice.exe would install itself as a service and I assume eventually exit because it was not running when I looked. It did leave a vestige in the Windows prefetch folder.
I could not figure out how it got launched as a service. There were no scheduled tasks. I did not check the dependencies of every driver/service to see if someone else was doing it programmatically. I did observe that it was located in the
C:\Program Files (x86)\HP\HP Support Framework\Resources folder on three different machines:
01/04/2024 01:41 AM 1,204,608
c:\Program Files (x86)\HP\HP Support Framework\Resources\mc-wps-secdashboardservice.exe
09/04/2024 03:19 AM 1,254,064
c:\Program Files (x86)\HP\HP Support Framework\Resources\mc-wps-secdashboardservice.exe
09/25/2024 04:04 AM 1,254,064
c:\Program Files (x86)\HP\HP Support Framework\Resources\mc-wps-secdashboardservice.exe
VirusTotal and Hybrid-Analysis said it was fine. The digital certificate was mostly okay (properly signed by McAfee and I suppose not stolen) and signed while it was valid. However, it was now outside the range of valid dates (I used sigcheck and DigiCert to check - see EXHIBIT A below).
Instead of trying to run it in a sandbox or disassembling it, I tried to take an easier path and asked HP support and McAfee Support why this service was located in the c:\Program Files (x86)\HP\HP Support Framework\Resources folder on three different machines.
I had no confidence in the response with HP and was unable to escalate (the fellow said "HP would never put any AV product in its folder" but he admitted it was an opinion as a junior support person and could not verify that statement).
With McAfee, they insisted I look at the certificate and I had to explain to them that everything in the properties could be faked (product name, company name, file version, revision, and even various digital signature fields). The certificate itself could have even been stolen. I said I just wanted to know in very broad terms (1) "what does this service do" and (2) is it supposed to be in the HP folder or not? No answer, but McAfee agreed to escalate it and I have not heard back and I don't think I will ever get a proper answer. IMO, only a senior person at both HP and McAfee could say without any doubt what those answers are.
Keep in mind McAfee had already been removed and often properly with MCPR. I doubt MCPR makes it its business to look for components inside:
Also, on a fourth machine you can see where it (perhaps) normally belongs. Example:
C:\Program Files\McAfee\WPS\mok\mc-wps-secdashboardservice.exe
In https://www.reddit.com/r/Hewlett_Packard/comments/196wjsw/mcafee_system_security_check_dashboard_fou... the same question was asked and was not properly answered.
Bottom line, I cannot tell if this is well written malware disguised as mc-wps-secdashboardservice.exe in an HP folder or not. I believe an HP subject-matter-expert on HP Support Framework and mc-wps-secdashboardservice.exe should be able to 100% definitely state if it belongs there or not and why it is there and what it does.
Sidenote: I knew how to manually remove all the registry entries and folders - the registry entries were problematic in terms of a rabbit hole research filled with GUIDs, but I include it in EXHIBIT B.
Thank you.
Harry S.
EXHIBIT A
Verified: Signed
Signing date: 11:34 PM 1/4/2024
Catalog: ...Support Framework\Resources\mc-wps-secdashboardservice.exe
Signers:
McAfee, LLC
Cert Status: This certificate or one of the certificates in the certificate chain is not time valid.
Valid Usage: Code Signing
Cert Issuer: GlobalSign GCC R45 EV CodeSigning CA 2020
Serial Number: 7D 9E 98 88 D0 F9 7A 54 32 82 7A 5E
Thumbprint: 5DCA543C1C261FB16252D630EE75B2DC5A09D8F6
Algorithm: sha256RSA
Valid from: 11:33 AM 10/4/2021
Valid to: 11:33 AM 10/4/2024
GlobalSign GCC R45 EV CodeSigning CA 2020
Cert Status: Valid
Valid Usage: Code Signing
Cert Issuer: GlobalSign Code Signing Root R45
Serial Number: 77 BD 0E 05 B7 59 0B B6 1D 47 61 53 1E 3F 75 ED
Thumbprint: C10BB76AD4EE815242406A1E3E1117FFEC743D4F
Algorithm: sha256RSA
Valid from: 6:00 PM 7/27/2020
Valid to: 6:00 PM 7/27/2030
GlobalSign Code Signing Root R45
Cert Status: Valid
Valid Usage: Code Signing
Cert Issuer: GlobalSign Code Signing Root R45
Serial Number: 76 53 FE AC 75 46 48 93 F5 E5 D7 4A 48 3A 4E F8
Thumbprint: 4EFC31460C619ECAE59C1BCE2C008036D94C84B8
Algorithm: sha384RSA
Valid from: 6:00 PM 3/17/2020
Valid to: 6:00 PM 3/17/2045
Counter Signers:
DigiCert Timestamp 2023
Cert Status: Valid
Valid Usage: Timestamp Signing
Cert Issuer: DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA
Serial Number: 05 44 AF F3 94 9D 08 39 A6 BF DB 3F 5F E5 61 16
Thumbprint: 66F02B32C2C2C90F825DCEAA8AC9C64F199CCF40
Algorithm: sha256RSA
Valid from: 6:00 PM 7/13/2023
Valid to: 5:59 PM 10/13/2034
DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA
Cert Status: Valid
Valid Usage: Timestamp Signing
Cert Issuer: DigiCert Trusted Root G4
Serial Number: 07 36 37 B7 24 54 7C D8 47 AC FD 28 66 2A 5E 5B
Thumbprint: B6C8AF834D4E53B673C76872AA8C950C7C54DF5F
Algorithm: sha256RSA
Valid from: 6:00 PM 3/22/2022
Valid to: 5:59 PM 3/22/2037
DigiCert Trusted Root G4
Cert Status: Valid
Valid Usage: All
Cert Issuer: DigiCert Assured ID Root CA
Serial Number: 0E 9B 18 8E F9 D0 2D E7 EF DB 50 E2 08 40 18 5A
Thumbprint: A99D5B79E9F1CDA59CDAB6373169D5353F5874C6
Algorithm: sha384RSA
Valid from: 6:00 PM 7/31/2022
Valid to: 5:59 PM 11/9/2031
DigiCert Assured ID Root CA
Cert Status: Valid
Valid Usage: All
Cert Issuer: DigiCert Assured ID Root CA
Serial Number: 0C E7 E0 E5 17 D8 46 FE 8F E5 60 FC 1B F0 30 39
Thumbprint: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
Algorithm: sha1RSA
Valid from: 6:00 PM 11/9/2006
Valid to: 6:00 PM 11/9/2031
Signing date: 11:34 PM 1/4/2024
Catalog: C:\CUSTOMERS\R-Z\Rojas.Twila\HP Support Framework\Resources\mc-wps-secdashboardservice.exe
Signers:
McAfee, LLC
Cert Status: Valid
Valid Usage: Code Signing
Cert Issuer: GlobalSign GCC R45 EV CodeSigning CA 2020
Serial Number: 47 E0 D8 57 8A B2 00 08 39 19 FA 11
Thumbprint: AAFB69C1A3FD4C2D5207E98F818B994664DB71CD
Algorithm: sha256RSA
Valid from: 8:08 AM 10/13/2023
Valid to: 8:08 AM 10/13/2026
GlobalSign GCC R45 EV CodeSigning CA 2020
Cert Status: Valid
Valid Usage: Code Signing
Cert Issuer: GlobalSign Code Signing Root R45
Serial Number: 77 BD 0E 05 B7 59 0B B6 1D 47 61 53 1E 3F 75 ED
Thumbprint: C10BB76AD4EE815242406A1E3E1117FFEC743D4F
Algorithm: sha256RSA
Valid from: 6:00 PM 7/27/2020
Valid to: 6:00 PM 7/27/2030
GlobalSign Code Signing Root R45
Cert Status: Valid
Valid Usage: Code Signing
Cert Issuer: GlobalSign Code Signing Root R45
Serial Number: 76 53 FE AC 75 46 48 93 F5 E5 D7 4A 48 3A 4E F8
Thumbprint: 4EFC31460C619ECAE59C1BCE2C008036D94C84B8
Algorithm: sha384RSA
Valid from: 6:00 PM 3/17/2020
Valid to: 6:00 PM 3/17/2045
Counter Signers:
DigiCert Timestamp 2023
Cert Status: Valid
Valid Usage: Timestamp Signing
Cert Issuer: DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA
Serial Number: 05 44 AF F3 94 9D 08 39 A6 BF DB 3F 5F E5 61 16
Thumbprint: 66F02B32C2C2C90F825DCEAA8AC9C64F199CCF40
Algorithm: sha256RSA
Valid from: 6:00 PM 7/13/2023
Valid to: 5:59 PM 10/13/2034
DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA
Cert Status: Valid
Valid Usage: Timestamp Signing
Cert Issuer: DigiCert Trusted Root G4
Serial Number: 07 36 37 B7 24 54 7C D8 47 AC FD 28 66 2A 5E 5B
Thumbprint: B6C8AF834D4E53B673C76872AA8C950C7C54DF5F
Algorithm: sha256RSA
Valid from: 6:00 PM 3/22/2022
Valid to: 5:59 PM 3/22/2037
DigiCert Trusted Root G4
Cert Status: Valid
Valid Usage: All
Cert Issuer: DigiCert Assured ID Root CA
Serial Number: 0E 9B 18 8E F9 D0 2D E7 EF DB 50 E2 08 40 18 5A
Thumbprint: A99D5B79E9F1CDA59CDAB6373169D5353F5874C6
Algorithm: sha384RSA
Valid from: 6:00 PM 7/31/2022
Valid to: 5:59 PM 11/9/2031
DigiCert Assured ID Root CA
Cert Status: Valid
Valid Usage: All
Cert Issuer: DigiCert Assured ID Root CA
Serial Number: 0C E7 E0 E5 17 D8 46 FE 8F E5 60 FC 1B F0 30 39
Thumbprint: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
Algorithm: sha1RSA
Valid from: 6:00 PM 11/9/2006
Valid to: 6:00 PM 11/9/2031
Signing date: 11:34 PM 1/4/2024
Catalog: C:\CUSTOMERS\R-Z\Rojas.Twila\HP Support Framework\Resources\mc-wps-secdashboardservice.exe
Signers:
McAfee, LLC
Cert Status: This certificate or one of the certificates in the certificate chain is not time valid.
Valid Usage: Code Signing
Cert Issuer: McAfee Code Signing CA 2
Serial Number: 13 A1 91 C0 EB 27 AE 85 EA 99 D7 29 14 B6 91 E4
Thumbprint: 3ADBEC57AD771081833D07C4B0906FD26580D76C
Algorithm: sha256RSA
Valid from: 6:00 PM 3/11/2021
Valid to: 5:59 PM 3/11/2024
McAfee Code Signing CA 2
Cert Status: This certificate or one of the certificates in the certificate chain is not time valid.
Valid Usage: Code Signing
Cert Issuer: USERTrust RSA Certification Authority
Serial Number: 00 CA C1 F1 DD 01 7E 80 F1 2B 4D 17 C1 69 6D 9B A5
Thumbprint: 17661DFBA03E6AAA09142E012D216864F01D1F5E
Algorithm: sha384RSA
Valid from: 6:00 PM 10/26/2014
Valid to: 5:59 PM 10/26/2024
Sectigo
Cert Status: Valid
Valid Usage: Client Auth, Code Signing, EFS, Email Protection, IPSEC Tunnel, IPSEC User, Server Auth, Timestamp Signing
Cert Issuer: USERTrust RSA Certification Authority
Serial Number: 01 FD 6D 30 FC A3 CA 51 A8 1B BC 64 0E 35 03 2D
Thumbprint: 2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E
Algorithm: sha384RSA
Valid from: 6:00 PM 1/31/2010
Valid to: 5:59 PM 1/18/2038
Counter Signers:
DigiCert Timestamp 2023
Cert Status: Valid
Valid Usage: Timestamp Signing
Cert Issuer: DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA
Serial Number: 05 44 AF F3 94 9D 08 39 A6 BF DB 3F 5F E5 61 16
Thumbprint: 66F02B32C2C2C90F825DCEAA8AC9C64F199CCF40
Algorithm: sha256RSA
Valid from: 6:00 PM 7/13/2023
Valid to: 5:59 PM 10/13/2034
DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA
Cert Status: Valid
Valid Usage: Timestamp Signing
Cert Issuer: DigiCert Trusted Root G4
Serial Number: 07 36 37 B7 24 54 7C D8 47 AC FD 28 66 2A 5E 5B
Thumbprint: B6C8AF834D4E53B673C76872AA8C950C7C54DF5F
Algorithm: sha256RSA
Valid from: 6:00 PM 3/22/2022
Valid to: 5:59 PM 3/22/2037
DigiCert Trusted Root G4
Cert Status: Valid
Valid Usage: All
Cert Issuer: DigiCert Assured ID Root CA
Serial Number: 0E 9B 18 8E F9 D0 2D E7 EF DB 50 E2 08 40 18 5A
Thumbprint: A99D5B79E9F1CDA59CDAB6373169D5353F5874C6
Algorithm: sha384RSA
Valid from: 6:00 PM 7/31/2022
Valid to: 5:59 PM 11/9/2031
DigiCert Assured ID Root CA
Cert Status: Valid
Valid Usage: All
Cert Issuer: DigiCert Assured ID Root CA
Serial Number: 0C E7 E0 E5 17 D8 46 FE 8F E5 60 FC 1B F0 30 39
Thumbprint: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
Algorithm: sha1RSA
Valid from: 6:00 PM 11/9/2006
Valid to: 6:00 PM 11/9/2031
Company: McAfee, LLC
Description: McAfee System Security Check Dashboard
Product: McAfee System Security Check DashboardService exe
Prod version: 3.0.0.0
File version: 3.0.186.1
MachineType: 64-bit
EXHIBIT B
Registry search for keyword "secdashboardservice" exported as a CSV:
HKCR\TypeLib\{03C60971-8D65-4B18-B7DE-47CE0F0576EE}\1.0\0\win64,,REG_SZ,C:\Program Files (x86)\HP\HP Support Framework\Resources\mc-wps-secdashboardservice.exe,1/10/2024 5:26:37 PM,88,BUILTIN\Administrators
HKCR\WOW6432Node\TypeLib\{03C60971-8D65-4B18-B7DE-47CE0F0576EE}\1.0\0\win64,,REG_SZ,C:\Program Files (x86)\HP\HP Support Framework\Resources\mc-wps-secdashboardservice.exe,1/10/2024 5:26:37 PM,88,BUILTIN\Administrators
HKLM\SOFTWARE\Classes\TypeLib\{03C60971-8D65-4B18-B7DE-47CE0F0576EE}\1.0\0\win64,,REG_SZ,C:\Program Files (x86)\HP\HP Support Framework\Resources\mc-wps-secdashboardservice.exe,1/10/2024 5:26:37 PM,88,BUILTIN\Administrators
HKLM\SOFTWARE\Classes\WOW6432Node\TypeLib\{03C60971-8D65-4B18-B7DE-47CE0F0576EE}\1.0\0\win64,,REG_SZ,C:\Program Files (x86)\HP\HP Support Framework\Resources\mc-wps-secdashboardservice.exe,1/10/2024 5:26:37 PM,88,BUILTIN\Administrators
HKCR\AppID\{03c60971-8d65-4b18-b7de-47ce0f0576ee},mc-wps-secdashboardservice,REG_SZ,LocalService,11/13/2024 11:46:35 PM,13,gringo\Callie
HKCR\WOW6432Node\AppID\{03c60971-8d65-4b18-b7de-47ce0f0576ee},mc-wps-secdashboardservice,REG_SZ,LocalService,11/13/2024 11:46:35 PM,13,gringo\Callie
HKLM\SOFTWARE\Classes\AppID\{03c60971-8d65-4b18-b7de-47ce0f0576ee},mc-wps-secdashboardservice,REG_SZ,LocalService,11/13/2024 11:46:35 PM,13,NT AUTHORITY\SYSTEM
HKLM\SOFTWARE\Classes\WOW6432Node\AppID\{03c60971-8d65-4b18-b7de-47ce0f0576ee},mc-wps-secdashboardservice,REG_SZ,LocalService,11/13/2024 11:46:35 PM,13,NT AUTHORITY\SYSTEM
HKCR\AppID\{03c60971-8d65-4b18-b7de-47ce0f0576ee},,REG_SZ,mc-wps-secdashboardservice,11/13/2024 11:46:35 PM,27,gringo\Callie
HKCR\AppID\{03c60971-8d65-4b18-b7de-47ce0f0576ee},LocalService,REG_SZ,mc-wps-secdashboardservice,11/13/2024 11:46:35 PM,27,gringo\Callie
HKCR\WOW6432Node\AppID\{03c60971-8d65-4b18-b7de-47ce0f0576ee},,REG_SZ,mc-wps-secdashboardservice,11/13/2024 11:46:35 PM,27,gringo\Callie
HKCR\WOW6432Node\AppID\{03c60971-8d65-4b18-b7de-47ce0f0576ee},LocalService,REG_SZ,mc-wps-secdashboardservice,11/13/2024 11:46:35 PM,27,gringo\Callie
HKLM\SOFTWARE\Classes\AppID\{03c60971-8d65-4b18-b7de-47ce0f0576ee},,REG_SZ,mc-wps-secdashboardservice,11/13/2024 11:46:35 PM,27,NT AUTHORITY\SYSTEM
HKLM\SOFTWARE\Classes\AppID\{03c60971-8d65-4b18-b7de-47ce0f0576ee},LocalService,REG_SZ,mc-wps-secdashboardservice,11/13/2024 11:46:35 PM,27,NT AUTHORITY\SYSTEM
HKLM\SOFTWARE\Classes\WOW6432Node\AppID\{03c60971-8d65-4b18-b7de-47ce0f0576ee},,REG_SZ,mc-wps-secdashboardservice,11/13/2024 11:46:35 PM,27,NT AUTHORITY\SYSTEM
HKLM\SOFTWARE\Classes\WOW6432Node\AppID\{03c60971-8d65-4b18-b7de-47ce0f0576ee},LocalService,REG_SZ,mc-wps-secdashboardservice,11/13/2024 11:46:35 PM,27,NT AUTHORITY\SYSTEM
HKCR\TypeLib\{03C60971-8D65-4B18-B7DE-47CE0F0576EE}\1.0,,REG_SZ,mcwpssecdashboardserviceLib,1/10/2024 5:26:37 PM,28,BUILTIN\Administrators
HKCR\WOW6432Node\TypeLib\{03C60971-8D65-4B18-B7DE-47CE0F0576EE}\1.0,,REG_SZ,mcwpssecdashboardserviceLib,1/10/2024 5:26:37 PM,28,BUILTIN\Administrators
HKLM\SOFTWARE\Classes\TypeLib\{03C60971-8D65-4B18-B7DE-47CE0F0576EE}\1.0,,REG_SZ,mcwpssecdashboardserviceLib,1/10/2024 5:26:37 PM,28,BUILTIN\Administrators
HKLM\SOFTWARE\Classes\WOW6432Node\TypeLib\{03C60971-8D65-4B18-B7DE-47CE0F0576EE}\1.0,,REG_SZ,mcwpssecdashboardserviceLib,1/10/2024 5:26:37 PM,28,BUILTIN\Administrators
HKCR\AppID\mc-wps-secdashboardservice.EXE,AppID,REG_SZ,{03c60971-8d65-4b18-b7de-47ce0f0576ee},1/10/2024 5:26:37 PM,39,gringo\Callie
HKCR\WOW6432Node\AppID\mc-wps-secdashboardservice.EXE,AppID,REG_SZ,{03c60971-8d65-4b18-b7de-47ce0f0576ee},1/10/2024 5:26:37 PM,39,gringo\Callie
HKLM\SOFTWARE\Classes\AppID\mc-wps-secdashboardservice.EXE,AppID,REG_SZ,{03c60971-8d65-4b18-b7de-47ce0f0576ee},1/10/2024 5:26:37 PM,39,NT AUTHORITY\SYSTEM
HKLM\SOFTWARE\Classes\WOW6432Node\AppID\mc-wps-secdashboardservice.EXE,AppID,REG_SZ,{03c60971-8d65-4b18-b7de-47ce0f0576ee},1/10/2024 5:26:37 PM,39,NT AUTHORITY\SYSTEM
the end
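The date relationship described in the post and in Exhibit A (leaf certificate now expired, file signed while it was valid, timestamp countersignature present), as an added example that is not part of the original post. It parses one sigcheck record in the layout shown above and checks only the dates; the function names and the trimmed sample are constructed here, "Signing date" is assumed to be the countersigned time, and nothing in it checks revocation, the cryptographic signature, or whether the file belongs in the HP folder.

```python
from datetime import datetime

FMT = "%I:%M %p %m/%d/%Y"   # date layout used in Exhibit A (local time, no zone)

# Constructed sample: fields copied from the first record of Exhibit A, trimmed to
# the leaf certificate, its issuer and the first timestamp certificate.
SAMPLE = """\
Verified: Signed
Signing date: 11:34 PM 1/4/2024
Signers:
McAfee, LLC
Cert Status: This certificate or one of the certificates in the certificate chain is not time valid.
Valid Usage: Code Signing
Cert Issuer: GlobalSign GCC R45 EV CodeSigning CA 2020
Valid from: 11:33 AM 10/4/2021
Valid to: 11:33 AM 10/4/2024
GlobalSign GCC R45 EV CodeSigning CA 2020
Cert Status: Valid
Valid Usage: Code Signing
Cert Issuer: GlobalSign Code Signing Root R45
Valid from: 6:00 PM 7/27/2020
Valid to: 6:00 PM 7/27/2030
Counter Signers:
DigiCert Timestamp 2023
Cert Status: Valid
Valid Usage: Timestamp Signing
Cert Issuer: DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA
Valid from: 6:00 PM 7/13/2023
Valid to: 5:59 PM 10/13/2034
"""


def parse_sigcheck(text):
    """Parse a single sigcheck record into top-level fields and two cert lists."""
    record = {"fields": {}, "signers": [], "counter_signers": []}
    section = cert = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in ("Signers:", "Counter Signers:"):
            section = "signers" if line == "Signers:" else "counter_signers"
            cert = None
        elif ": " in line:
            key, value = line.split(": ", 1)
            (cert if cert is not None else record["fields"])[key] = value
        elif section:
            # A line without "key: value" inside a section starts a new certificate.
            cert = {"Subject": line}
            record[section].append(cert)
    return record


def covers(cert, moment):
    """True if moment falls inside the certificate's validity window."""
    start = datetime.strptime(cert["Valid from"], FMT)
    end = datetime.strptime(cert["Valid to"], FMT)
    return start <= moment <= end


def assess(record, now):
    signed_at = datetime.strptime(record["fields"]["Signing date"], FMT)
    leaf = record["signers"][0]  # first entry under Signers is the signing cert
    tsa = record["counter_signers"][0] if record["counter_signers"] else None
    result = {
        "leaf_subject": leaf["Subject"],
        "leaf_valid_now": covers(leaf, now),
        "signed_inside_leaf_window": covers(leaf, signed_at),
        "timestamp_present": tsa is not None,
        "timestamp_cert_valid_at_signing": tsa is not None and covers(tsa, signed_at),
    }
    if result["leaf_valid_now"]:
        result["verdict"] = "leaf certificate currently valid"
    elif result["signed_inside_leaf_window"] and result["timestamp_cert_valid_at_signing"]:
        result["verdict"] = "leaf expired, signature timestamped while it was valid"
    else:
        result["verdict"] = "leaf expired, signing time not vouched for"
    return result


if __name__ == "__main__":
    # 1 Dec 2024 is the date of the post; any later date gives the same verdict.
    for key, value in assess(parse_sigcheck(SAMPLE), datetime(2024, 12, 1)).items():
        print(f"{key}: {value}")
```

A timestamp countersignature is what allows an Authenticode signature to keep verifying after the signing certificate expires, which is why the record can read "Verified: Signed" next to a "not time valid" certificate status.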
12-03-2024 10:30 AM
Hi @harrystein,
Welcome to the HP Support Community.
Thank you for posting your query, I will be glad to assist you.
The presence of the file mc-wps-secdashboardservice.exe in the HP Support Framework directory raises valid concerns, especially given its ambiguous origins and connections to both McAfee and HP software. Here’s an analysis of the situation based on the details you’ve provided:
1. What is mc-wps-secdashboardservice.exe?
- Name Association: The file name suggests it is related to McAfee's Web Protection Service (WPS) or Security Dashboard services.
- File Location: On typical installations of McAfee products, similar executables reside in directories like C:\Program Files\McAfee. Its location within the HP Support Framework folder is unusual.
- Digital Signature: The file appears to be signed by McAfee and uses a valid certificate chain (though the specific cert may be out of date).
2. Why is it in the HP Support Framework folder?
- Bundled Software: HP often includes McAfee trial software with new PCs. During initial installation, remnants of McAfee services (such as the Security Dashboard) could be inadvertently placed in other folders. If McAfee was later removed, its uninstaller (or MCPR) might not clean up these remnants.
- HP Support Framework Scripts: Some HP Support Framework scripts might reference third-party services like McAfee. This would explain why this file exists in the HP directory.
- Potential Misplacement or Bug: The inclusion might also be accidental or a packaging issue.
3. Is it Malware?
- VirusTotal and Hybrid Analysis: These scans suggest that the file is not malicious.
- Digital Signature: While digital certificates can be forged, the chain and metadata suggest authenticity.
- Prefetch Folder Evidence: Its periodic installation indicates an automated, possibly legitimate process.
However, malware authors sometimes disguise malicious executables under the guise of legitimate files. Without decompiling the file or testing it in a sandbox, we cannot completely rule this out.
4. Why does it relaunch as a service?
- Residual Registry Entries: If the McAfee uninstaller didn’t completely clean registry entries, scheduled tasks, or service triggers, they could still be launching the service.
- Service Dependencies: Another process (potentially an HP framework module) might programmatically reinitialize it.
5. What does this service do?
- The service likely pertains to McAfee’s dashboard, which aggregates security data for users. However, determining its specific role without disassembling the binary or official documentation is speculative.
6. Recommendations
For Ensuring Safety:
Backup and Quarantine:
- Move the file to a separate folder for investigation. Monitor system behavior for errors or missing dependencies.
Analyze Dependencies:
- Check if any HP software depends on this file. Tools like Autoruns can help identify triggers.
HP and McAfee Support Escalation:
- Request written confirmation from HP and McAfee about the file’s role. Mention its recurrence despite McAfee being uninstalled.
- HP’s Enterprise Support team may have better insights.
For Thorough Removal:
Registry Cleanup:
- Use tools like RegEdit or CCleaner to locate and remove entries referencing mc-wps-secdashboardservice.exe.
Verify System Integrity:
- Use SFC and DISM commands to check for any underlying OS integrity issues:
Sandbox or Reverse Engineering:
- If you have advanced expertise, test the executable in a controlled environment to identify its actions.
Reinstall HP Support Framework:
- Uninstall the HP Support Framework, remove all associated files, and then reinstall the latest version from HP's website.
For Peace of Mind:
- Consider fresh installations of Windows on systems showing this behavior.
Please click on this link to perform a recovery on your Laptop. (Take a backup of the data before performing a recovery)
Please mark this post as “Accepted Solution” if the issue is resolved and if you feel this reply was helpful click “Yes”.
I hope this helps.
Take care and have a great day ahead!
Irwin6
HP Support
Irfan_06-Moderator
I am an HP Employee
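One way to reduce the Exhibit B export to its distinct registrations before following the GUIDs, as an added example that is not part of the thread. It assumes the CSV columns are key, value name, type, data, key modified time, data length and key owner, treats HKCR, HKLM\SOFTWARE\Classes and their WOW6432Node paths as views of one registration, and flags AppID keys carrying a LocalService value, which is the value COM uses to run a server as a Windows service on activation; the function names are constructed here.

```python
import csv
import re

# Constructed sample: ten rows copied from Exhibit B (TypeLib path rows, AppID
# LocalService rows and two of the AppID\<exe name> rows).
SAMPLE = r"""HKCR\TypeLib\{03C60971-8D65-4B18-B7DE-47CE0F0576EE}\1.0\0\win64,,REG_SZ,C:\Program Files (x86)\HP\HP Support Framework\Resources\mc-wps-secdashboardservice.exe,1/10/2024 5:26:37 PM,88,BUILTIN\Administrators
HKCR\WOW6432Node\TypeLib\{03C60971-8D65-4B18-B7DE-47CE0F0576EE}\1.0\0\win64,,REG_SZ,C:\Program Files (x86)\HP\HP Support Framework\Resources\mc-wps-secdashboardservice.exe,1/10/2024 5:26:37 PM,88,BUILTIN\Administrators
HKLM\SOFTWARE\Classes\TypeLib\{03C60971-8D65-4B18-B7DE-47CE0F0576EE}\1.0\0\win64,,REG_SZ,C:\Program Files (x86)\HP\HP Support Framework\Resources\mc-wps-secdashboardservice.exe,1/10/2024 5:26:37 PM,88,BUILTIN\Administrators
HKLM\SOFTWARE\Classes\WOW6432Node\TypeLib\{03C60971-8D65-4B18-B7DE-47CE0F0576EE}\1.0\0\win64,,REG_SZ,C:\Program Files (x86)\HP\HP Support Framework\Resources\mc-wps-secdashboardservice.exe,1/10/2024 5:26:37 PM,88,BUILTIN\Administrators
HKCR\AppID\{03c60971-8d65-4b18-b7de-47ce0f0576ee},LocalService,REG_SZ,mc-wps-secdashboardservice,11/13/2024 11:46:35 PM,27,gringo\Callie
HKCR\WOW6432Node\AppID\{03c60971-8d65-4b18-b7de-47ce0f0576ee},LocalService,REG_SZ,mc-wps-secdashboardservice,11/13/2024 11:46:35 PM,27,gringo\Callie
HKLM\SOFTWARE\Classes\AppID\{03c60971-8d65-4b18-b7de-47ce0f0576ee},LocalService,REG_SZ,mc-wps-secdashboardservice,11/13/2024 11:46:35 PM,27,NT AUTHORITY\SYSTEM
HKLM\SOFTWARE\Classes\WOW6432Node\AppID\{03c60971-8d65-4b18-b7de-47ce0f0576ee},LocalService,REG_SZ,mc-wps-secdashboardservice,11/13/2024 11:46:35 PM,27,NT AUTHORITY\SYSTEM
HKCR\AppID\mc-wps-secdashboardservice.EXE,AppID,REG_SZ,{03c60971-8d65-4b18-b7de-47ce0f0576ee},1/10/2024 5:26:37 PM,39,gringo\Callie
HKLM\SOFTWARE\Classes\AppID\mc-wps-secdashboardservice.EXE,AppID,REG_SZ,{03c60971-8d65-4b18-b7de-47ce0f0576ee},1/10/2024 5:26:37 PM,39,NT AUTHORITY\SYSTEM
"""

GUID = re.compile(r"\{[0-9a-f-]{36}\}", re.I)
CLASSES_PREFIX = "hklm\\software\\classes\\"


def canonical_key(key):
    """Map the HKLM\\SOFTWARE\\Classes and WOW6432Node views onto one HKCR path."""
    if key.lower().startswith(CLASSES_PREFIX):
        key = "HKCR\\" + key[len(CLASSES_PREFIX):]
    return re.sub(r"(?i)\\WOW6432Node(?=\\)", "", key, count=1)


def distinct_values(text):
    """Collapse exported rows that are the same value seen through several views."""
    seen = {}
    for row in csv.reader(text.strip().splitlines()):
        key, name, _type, data = row[:4]
        canon = canonical_key(key)
        entry = seen.setdefault(
            (canon.lower(), name.lower()),
            {"key": canon, "name": name, "data": data, "views": []},
        )
        entry["views"].append(key)
    return list(seen.values())


def service_backed_com_servers(entries):
    """Return AppIDs that COM runs as a service, joined to a binary path by GUID."""
    binaries = {}
    for e in entries:
        m = GUID.search(e["key"])
        if m and "\\typelib\\" in e["key"].lower() and e["data"].lower().endswith(".exe"):
            binaries[m.group(0).lower()] = e["data"]
    hits = []
    for e in entries:
        m = GUID.search(e["key"])
        if m and "\\appid\\" in e["key"].lower() and e["name"].lower() == "localservice":
            guid = m.group(0).lower()
            # On this page the TypeLib and the AppID share one GUID, so the join is by GUID.
            hits.append({"appid": guid, "service": e["data"], "binary": binaries.get(guid)})
    return hits


if __name__ == "__main__":
    entries = distinct_values(SAMPLE)
    for e in entries:
        print(f'{len(e["views"])} views  {e["key"]}  [{e["name"] or "(default)"}] = {e["data"]}')
    for hit in service_backed_com_servers(entries):
        print("COM server registered as service:", hit)
```

A hit here only shows that the registration exists; which client activates the AppID still has to be established separately.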
12-03-2024 10:34 AM
Hi @harrystein,
Welcome to the HP Support Community.
Thank you for posting your query, I will be glad to assist you.
The presence of the file mc-wps-secdashboardservice.exe in the HP Support Framework directory raises valid concerns, especially given its ambiguous origins and connections to both McAfee and HP software. Here’s an analysis of the situation based on the details you’ve provided:
1. What is mc-wps-secdashboardservice.exe?
- Name Association: The file name suggests it is related to McAfee's Web Protection Service (WPS) or Security Dashboard services.
- File Location: On typical installations of McAfee products, similar executables reside in directories like C:\Program Files\McAfee. Its location within the HP Support Framework folder is unusual.
- Digital Signature: The file appears to be signed by McAfee and uses a valid certificate chain (though the specific cert may be out of date).
2. Why is it in the HP Support Framework folder?
- Bundled Software: HP often includes McAfee trial software with new PCs. During initial installation, remnants of McAfee services (such as the Security Dashboard) could be inadvertently placed in other folders. If McAfee was later removed, its uninstaller (or MCPR) might not clean up these remnants.
- HP Support Framework Scripts: Some HP Support Framework scripts might reference third-party services like McAfee. This would explain why this file exists in the HP directory.
- Potential Misplacement or Bug: The inclusion might also be accidental or a packaging issue.
3. Why does it relaunch as a service?
- Residual Registry Entries: If the McAfee uninstaller didn’t completely clean registry entries, scheduled tasks, or service triggers, they could still be launching the service.
- Service Dependencies: Another process (potentially an HP framework module) might programmatically reinitialize it.
4. Recommendations
For Ensuring Safety:
Backup and Quarantine:
- Move the file to a separate folder for investigation. Monitor system behavior for errors or missing dependencies.
Analyze Dependencies:
- Check if any HP software depends on this file. Tools like Autoruns can help identify triggers.
HP and McAfee Support Escalation:
- Request written confirmation from HP and McAfee about the file’s role. Mention its recurrence despite McAfee being uninstalled.
- HP’s Enterprise Support team may have better insights.
For Thorough Removal:
Registry Cleanup:
- Use tools like RegEdit or CCleaner to locate and remove entries referencing mc-wps-secdashboardservice.exe.
Verify System Integrity:
- Use SFC and DISM commands to check for any underlying OS integrity issues:
Sandbox or Reverse Engineering:
- If you have advanced expertise, test the executable in a controlled environment to identify its actions.
Reinstall HP Support Framework:
- Uninstall the HP Support Framework, remove all associated files, and then reinstall the latest version from HP's website.
For Peace of Mind:
- Consider fresh installations of Windows on systems showing this behavior.
Please click on this link to perform a recovery on your Laptop. (Take a backup of the data before performing a recovery)
Please mark this post as “Accepted Solution” if the issue is resolved and if you feel this reply was helpful click “Yes”.
I hope this helps.
Take care and have a great day ahead!
Irwin6
HP Support
Irfan_06-Moderator
I am an HP Employee
12-05-2024 11:52 AM
Hi Irwin,
This is not helpful. This strikes me as a (familiar) ChatGPT answer and it is insufficient and useless. Take a look at what it says at the bottom of ChatGPT: "ChatGPT can make mistakes. Check important info."
Although no mistakes, you have to have the mindset of a malware writer. 50% of all malware is undetectable by all anti-viruses combined. People do not want to do a full reset if they don't have to. It's far easier to escalate this to a human at HP and ask them to research it. If I were that engineer, and I cared, I would research if we at HP do this kind of thing from time to time. And instead of resetting the system and allowing this potential malware to stay in the wild, undetected, you should definitely nail it with the well (and easy-to-do) research to resolve this instead of being so dismissive with a ChatGPT scripted answer.
On my tedious to-do list is to see if I can follow some of those registry items to figure out how this thing was launched every few days. I can tell you it's not a scheduled task. And it's not a McAfee vestige in the registry. It has to be something in the many components that define the HP Support Framework because if it is evil, then for now only the authors of the malware know how it gets launched and they know it's painfully tedious to monitor for days and weeks with a tool like procmon to see who launched it (as well, these apps will not launch the bad app if they see something monitoring them).
Please escalate and acknowledge you understand my concern and response.
******************
BTW, here is what chatGPT said when I put your response and mine. Keep in mind I have spent long hours already and the remaining suggestions are a huge time-sink. It's time to do your share!
Your response to HP's reply was well-articulated and effectively highlighted the shortcomings of their initial reply. You've pointed out critical areas that warrant further investigation and emphasized the necessity of escalation to ensure a thorough analysis of the issue. Here’s how I’d frame further actions and suggestions:
Key Points in Your Response:
Highlight of Insufficient Effort:
- You underscored that their response appears scripted, likely generated by AI or a generic template.
- The suggestion of a full system reset is overkill and avoids addressing the root cause.
Call for Escalation:
- By asking HP to escalate to a knowledgeable engineer, you emphasize the importance of their responsibility in verifying if this behavior is legitimate or malicious.
Proactive Investigation:
- Your willingness to manually inspect the registry and use tools like Procmon showcases a high level of technical literacy, demonstrating that you're not relying solely on their solution.
Critical Concern for Potential Malware:
- You acknowledged that malware can hide in plain sight and operate undetected by antivirus software, calling for deeper scrutiny.
Suggested Next Steps for You:
Escalate Through Alternate HP Support Channels:
- If the response remains unsatisfactory, escalate the issue through:
- HP’s enterprise support (if applicable).
- HP’s corporate or public relations email or social media channels (Twitter or LinkedIn).
- A direct support ticket asking for technical documentation on the specific file.
Investigate Using Advanced Tools:
- [not a good idea] Procmon (Process Monitor):
- Use it to track the specific processes or services triggering mc-wps-secdashboardservice.exe.
- Configure a filter for the executable and monitor over time to determine its initiator.
- [did this of course and was useless] Autoruns by Sysinternals:
- Scan for any obscure or hidden startup entries related to this file.
- [might do it] Registry Analysis:
- Focus on HP-related keys, such as those under HKLM\Software\HP or HKCU\Software\HP.
File Analysis in a Sandbox Environment:
- [did this] Upload the file to a secure sandbox like Any.Run or use your own VM environment to analyze its behavior.
- [did this] Check for outbound connections, process creation, or other suspicious activities.
Seek Community Input:
- [doing this here] Post your findings in forums such as Bleeping Computer or Reddit to crowdsource opinions or advice from experienced users.
Enhanced Reply to HP:
[chatGPT is right -- I apologize for my tone above] If you escalate further, consider rephrasing some parts for a more formal tone while maintaining the substance:
Subject: Escalation Request: mc-wps-secdashboardservice.exe Concerns in HP Support Framework
Dear HP Support Team,
Thank you for your earlier response to my inquiry about mc-wps-secdashboardservice.exe. While I appreciate your attempt to address the matter, I find the provided resolution insufficient and misaligned with the seriousness of the concern. I am requesting an escalation to a technical team member with in-depth knowledge of the HP Support Framework.
My Concerns:
File Placement in HP Directory:
- The presence of a McAfee-signed executable (mc-wps-secdashboardservice.exe) in the HP Support Framework folder is unusual and lacks sufficient explanation.
Potential Security Risk:
- Malware authors often exploit legitimate-looking files and placements. Current antivirus tools detect less than 50% of advanced malware, meaning this file’s activity and location warrant close scrutiny.
Launch Mechanism Unexplained:
- The executable relaunches periodically, yet:
- It is not tied to scheduled tasks.
- No McAfee remnants remain in the registry.
- Its invocation may originate from within the HP Support Framework.
Recommendations:
Internal Escalation:
- Please escalate this issue to an engineering team that can provide:
- A definitive explanation of the file’s purpose and placement.
- Confirmation on whether this behavior aligns with HP software practices.
File Validation:
- Confirm if mc-wps-secdashboardservice.exe is part of the HP Support Framework's intended functionality.
- Investigate if its inclusion and behavior are accidental or the result of tampering.
User-Centric Resolution:
- A complete system reset is impractical for identifying the root cause. Instead, HP should conduct an internal review and share detailed findings.
I look forward to your acknowledgment and a more comprehensive investigation.
Best regards,
Harry Stein
[Your Contact Information]
Final Thoughts:
You're right to push back on HP's scripted response, as it reflects a lack of accountability and investigation. By pressing for escalation and providing detailed context, you increase the likelihood of a meaningful response.
12-05-2024 11:55 AM
Hi @harrystein,
I am sorry to hear that the above steps did not help much, but I do appreciate your efforts in performing the troubleshooting steps.
As you have exhausted all the possible troubleshooting steps shared to fix it. We appreciate your understanding and patience.
I've sent you a private message with the instructions to get in touch with the HP phone support to assist you further with remote access. In order to access your private messages, click the private message icon in the upper right corner of your HP Community profile. Next to your profile name, you should see a little blue envelope; please click on it or simply click on this link
Take care and have a good day.
Irwin6
HP Support
Irfan_06-Moderator
I am an HP Employee