CSI: My Computer - What is netsession_win.exe from Akamai and how did it get on my system?

I know my system backwards and forwards and I do not like noticing stuff running in the background that I don't recognize. Recently I was checking out the Task Manager (right click on the clock, and select Task Manager or press Ctrl-Alt-Del and click Task Manager) and noticed TWO copies of "netsession_win.exe" running with a peak memory working set of about 25 megs. Ok, what's this? It's the Akamai Net Session Interface. Ick.

netsession_win.exe in my Windows Task Manager

You can always right click on suspicious processes and click Open File Location. This little tip is often enough to jog your memory and go, "Oh, THAT."

Open File Location in Task Manager's Context Menu

Hm, that dropped me into C:\Users\scottha\AppData\Local\Akamai. I know who Akamai is. They are a download accelerator used by lots of companies. Kind of the first large Content Distribution Network or CDN.

Am I sure it's them and not someone evil trying to fake me out? Right click on netsession_win.exe, then Properties.

Akamai's NetSession digital signature is legit

Well, they have a legitimate digital signature. Interestingly, they signed this on the 11th of November. Looks like this was recently installed automatically by something, perhaps Flash or Adobe Acrobat.

I wonder if someone needs to tell Akamai that their freshly installed service that just (kinda, a little) snuck on my system has a digital certificate that expires in 5 weeks. Are they or one of the companies that uses them going to update this client and cert soon?

Akamai's digital certificate expires before Christmas

Running services.msc from Start | Run tells me that this runs as an Automatic Service. At least it's a Delayed Start so it doesn't slow down my boot.

Services (158)

The only thing I installed on my machine on the 11th was an automatic update to Adobe Flash. That's my #1 suspect right now as it's the only thing that I ran as Administrator that day.

For now, I'll keep it on my machine because it:

  • Is from a reputable (so far) company
  • Is known to be used by folks like Netflix, etc. to speed up downloads
  • Has an uninstall available in Installed Programs
  • Feels legit
  • Has a control panel icon and a Read Me with lots of info about what it does (except who installed them)
  • Has a customer bill of rights online with details with test demo pages about their API.

I will say this, though. Whatever program installed it should have told me first before chaining it in. At least with Evil Toolbars I can see them. Not cool Akamai. Who installed you?

You're on notice.

UPDATE: Looks like this is using my own computer's bandwidth to upload to other Akamai users. They're using our computers and network to make other people's uploads faster. That sounds like I'm running a Torrent and no one asked if it was OK. I'm continuing to dig into this, like disk space usage, etc.
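The three checks walked through in the post (file location, digital signature, service registration) can be collected in one pass. This is an added example, not part of the original post; `Get-ProcessTriage` is a hypothetical helper name and PowerShell 3.0 or later is assumed.

```powershell
# Added example (not from the original post). Assumes PowerShell 3.0 or later.
# Get-ProcessTriage is a hypothetical helper name.
function Get-ProcessTriage {
    param([string]$Name = 'netsession_win.exe')   # process name from the post

    # Step 1: where is the running image? (Task Manager > Open File Location)
    $procs = Get-CimInstance Win32_Process -Filter "Name = '$Name'"
    if (-not $procs) { Write-Warning "No process named $Name is running."; return }

    foreach ($p in $procs) {
        $path = $p.ExecutablePath
        if (-not $path) {
            # Empty when the caller lacks rights to query the process.
            Write-Warning "PID $($p.ProcessId): image path not readable, rerun elevated."
            continue
        }

        # Step 2: Authenticode signature (Properties > Digital Signatures)
        $sig  = Get-AuthenticodeSignature -FilePath $path
        $cert = $sig.SignerCertificate

        # Step 3: services hosted by this process (services.msc)
        $svcs = Get-CimInstance Win32_Service -Filter "ProcessId = $($p.ProcessId)"

        [pscustomobject]@{
            PID          = $p.ProcessId
            Path         = $path
            CommandLine  = $p.CommandLine
            # Heuristic: images under \Users\ are usually writable without admin rights.
            UnderUsers   = $path -like "$env:SystemDrive\Users\*"
            SigStatus    = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            Signer       = if ($cert) { $cert.Subject } else { $null }
            CertNotAfter = if ($cert) { $cert.NotAfter } else { $null }
            # A timestamp countersignature keeps the signature verifiable
            # after CertNotAfter has passed.
            Timestamped  = [bool]$sig.TimeStamperCertificate
            Services     = @($svcs | ForEach-Object {
                               "$($_.Name) [$($_.StartMode)] as $($_.StartName)" }) -join '; '
        }
    }
}

Get-ProcessTriage | Format-List
```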

Tuesday, November 15, 2011 6:17:18 AM UTC
Hi Scott,

Did you try to download some software from MSDN using Chrome or Firefox (non IE)? In the recent past I was trying to download a SQL Server Beta and I got this Java download manager from Akamai. I'll check to see if it installed something like this.

Cheers,
Sumit.
Tuesday, November 15, 2011 6:34:04 AM UTC
I think it's obvious who installed it without telling you - it's Microsoft!
Tuesday, November 15, 2011 6:36:52 AM UTC
As a side note:

You know you can press Ctrl-Shift-Esc and start Task Manager directly, right?

Best Regards
Tom
Tom Reiertsen
Tuesday, November 15, 2011 6:42:16 AM UTC
As far as I know ASUS is providing its drivers through this download manager.
Tuesday, November 15, 2011 7:15:10 AM UTC
I tend to find that the "Command Line" column within Task Manager helps greatly in this scenario as well.

This, at least, gives some sort of context of processes at a glance. Handy when companies have obscurely named executables, e.g. ATI & MOM.exe (?)
Tuesday, November 15, 2011 7:16:58 AM UTC
It appears to be Akamai's download manager and peer-to-peer caching client.

http://www.akamai.com/html/misc/akamai_client/csd_faq.html

You can run "C:\Program Files (x86)\Common Files\Akamai\AdminTool.exe" to get an idea of which application installed it (in my case it's Lenovo).
Tuesday, November 15, 2011 7:48:38 AM UTC

[...] a digital certificate that expires in 5 weeks. Are they or one of the companies that uses them going to update this client and cert soon?


No need to update the client, as the screenshot shows that a timestamp service was used when signing the bits. NitsPicked++;
Tuesday, November 15, 2011 10:52:22 AM UTC
You can check in the Akamai control panel the Support tab. There is a button called "File Status" that shows you the downloads that have been executed via this service.
In my case this service was used by an Autodesk application.

Would be nice if this Autodesk application (or any other related application) would also be shown on the "Applications" tab within the control panel.
Tuesday, November 15, 2011 12:04:20 PM UTC
It's from MSDN - a lot of the new subscriber downloads are using that new download client...
Jason
Tuesday, November 15, 2011 1:01:14 PM UTC
Did you recently upgrade Flash and/or Tweetdeck? I think I saw this installed after doing upgrades of both of those apps.
Tuesday, November 15, 2011 1:51:21 PM UTC
This reminds me of my childhood; someone parked a Ford pickup truck in my neighbor's living room. I (being all of 7) said "not cool Ford" and my neighbor pointed out that it had nothing to do with Ford but rather the driver.
Not cool Akamai
Perhaps it is time that we, as a community, start talking about installers and what should be considered "acceptable" behavior in general, or more specifically, when installing 3rd party services.

After all, it was not Ford who paid for the new bay window.
Tuesday, November 15, 2011 2:26:19 PM UTC
Interestingly, waking up this morning and booting up my machine, I got a Windows Firewall warning for granting access to this executable. I believe it's something very recent (in the past 48 hours). I can't remember downloading/installing anything in the past couple of days so I was suspicious and blocked it.
Tuesday, November 15, 2011 2:44:37 PM UTC
Blame one of the Adobe rootkits (flash, reader, take your pick..).
No flash here, no adobe, and no akamai...
(Adobe is on top of my blacklist. I'd rather install a sasser worm than that).

It surprises me a lot though, that this installed without your knowledge. The UAC should pop up when something invades your machine like that? It must be something you manually approved?
I really don't know why you would keep it. Remove it, see if anything complains. A quick search almost immediately shows people describing its invasive behavior, instability. Apparently, it sends data to Akamai servers all the time.
Some users even suspect it might use YOUR pc, to ease their server traffic! lol

Check your client.ini file.
-->eulaAccepted":true ? Really true?!
--> http://124.40.51.155:80/logs/YOUR UNIQUE TRACKING ID.

And remove it!
Unless you wanna analyze the traffic it generates and report back to us?! That could be (a lot of) fun. And would either clear up the bad rumours, or confirm how evil it is. A lot of mixed views on this...
NNM
Tuesday, November 15, 2011 2:50:15 PM UTC
I believe MetroTwit is installed via this download manager
Tuesday, November 15, 2011 3:01:44 PM UTC
I've got both bits of Adobe crap installed and no Akamai crap. I haven't downloaded anything from MSDN in a while though.

The Adobe crap doesn't actually auto-update on my computer -- even the ActiveX Flash plugin. I don't recall doing anything special (this time) to arrive at this state of bliss.

In the absence of any decent patch and package management on Windows, the best way I've found to actually keep a Windows box patched up and current is Secunia's PSI utility. Is there anything better?
andrej
Tuesday, November 15, 2011 3:12:39 PM UTC
The Akamai NetSession Interface FAQ for your perusal.
Christopher Estep
Tuesday, November 15, 2011 3:52:19 PM UTC
Isn't that the app that installs to augment the MSDN downloads?
Tuesday, November 15, 2011 4:02:56 PM UTC
Scott,

I just checked my box, and did not find this process running; it's not installed at all.
I recently received a flash update and can safely say that it's not the culprit.
codechimp
Tuesday, November 15, 2011 4:12:01 PM UTC
Just as an aside, CTRL + ALT + ESC will bring up the task manager directly
Mark
Tuesday, November 15, 2011 4:29:56 PM UTC
It's probably this -

http://kb2.adobe.com/cps/526/cpsid_52698.html
Tuesday, November 15, 2011 4:35:24 PM UTC
"I wonder if someone needs to tell Akamai that their freshly installed service that just (kinda, a little) snuck on my system has a digital certificate that expires in 5 weeks...."

If there is a timestamp associated with the digital signature, the signature will remain valid, even if the certificate expires. So that's not really a problem :)
Tuesday, November 15, 2011 5:25:14 PM UTC
I got this just yesterday (11/14) from nfl.com: I was watching a video, clicked on the "HD" video in their Flash based player and I was asked to install this.
Christian
Tuesday, November 15, 2011 6:13:43 PM UTC
I noticed a conversation or two on the web suggesting that this is part of a NetFlix install. I don't have netflix installed and don't have this exe. But, I do have Flash installed...
Tuesday, November 15, 2011 8:31:54 PM UTC
I'm infected too. The only thing I've installed in the last couple of days is Adobe Air.
Adam Langley
Wednesday, November 16, 2011 4:05:49 AM UTC
So, wait. Hopefully I'm following this correctly. You're saying you found the executable netsession_win.exe running from C:\Users\scottha\AppData\Local\Akamai? So that means that the installer installed a system wide service in a user home directory? Holy crap! If that's incorrect, just ignore me. :)
Wednesday, November 16, 2011 4:17:29 AM UTC
Scott, here's a link to www.akamai.com's My Web Of Trust(WOT) entry. They seem to be a reputable company...
Wednesday, November 16, 2011 8:16:42 AM UTC
It's Adobe Flash. You must have updated Adobe Flash via offline installer. I feel the same after recent update of Flash. Same Akamai services I found in my systems. Worst thing is Adobe does it all the time, no notification of things that are going to be installed in your system.
Wednesday, November 16, 2011 12:29:43 PM UTC
I think, Akamai is a reputable clouding service, that MAYBE ...
I detected it 2 years ago, when different ISPs and universities in Austria, resolved www.bing.com with different end IPv4 addresses.
(each one with open port 22,80 -> ssh don't look like MS, it looks like the ...)
he23 area23
Wednesday, November 16, 2011 4:08:06 PM UTC
"Feels legit" this is worst adviser ever. Just sayin'.
Wednesday, November 16, 2011 5:43:20 PM UTC
I have it on two of my machines. For me the blame is Autodesk. I think it's part of their client they use to download installs.
Thursday, November 17, 2011 2:36:55 AM UTC
I think this is the renamed Red Swoosh client. I used to work for that company -- it's a P2P data delivery system that helps speed up downloads by pulling some bits from other people who've already downloaded the file from its origin. Akamai bought Red Swoosh a few years back, and I think this is the renamed client software.
Monday, November 21, 2011 1:49:45 AM UTC
Scott, dude, "on notice"? Give it to Mark Russinovich. They are using your computer to serve torrents. That's so not cool that I think it could be another 'sony rootkit' type of affair, Akamai is making a big mistake here. The fact that it is 'discoverable' doesn't make it any less despicable. Someone has to call time on these aggressive installation practices.
Monday, November 21, 2011 6:25:08 PM UTC
Thanks for a good reminder on finding details about a running service.

I dislike the torrent model, especially when a client is installed surreptitiously. Sure my machine has spare cycles and memory, but those are my cycles and memory to waste as I see fit.
Tuesday, November 22, 2011 7:13:15 PM UTC
This is disgraceful. Tried running the admintool.exe and it just dies w/ no message.

No way to safely turn this off. And who authorized Akamai to use my machine and my bandwidth to serve? Clearly a violation.
Shawn Cicoria
Wednesday, November 23, 2011 2:45:01 PM UTC
I hope the author has come to his senses and deleted this now then, and mentally blacklisted that "ugly thingie", after reading the comments?? :D
NNM
Thursday, November 24, 2011 8:01:21 PM UTC
Check their FAQ for details about it - yes, they say it's a "secure p2p" CDN, basically.

http://www.akamai.com/html/misc/akamai_client/netsession_interface_faq.html

Saturday, November 26, 2011 7:37:00 PM UTC
I found when I went to go uninstall this program it said that Need for Speed World needed it to run, so it's looking like I got it from EA or their downloader.
Sunday, November 27, 2011 6:26:28 PM UTC
I've got Flash, Air, Reader on several machines, and never saw this service.
Héctor
Sunday, December 11, 2011 4:42:41 PM UTC
http://www.akamai.com/html/misc/akamai_client/netsession_interface_faq.html
Mat
Tuesday, December 20, 2011 4:10:18 AM UTC
I found this software consuming 25% of my CPU, an entire core. Uninstalled immediately.
Chris Z
Tuesday, January 31, 2012 11:36:57 PM UTC
This thread may be closed, does anyone think it could be like a bit torrent or frost wire or something other p2p program?
Mike
Thursday, March 22, 2012 6:04:48 AM UTC
nice site, wiped the thing from system, think it has something to do with kuma games, which is disabled from running at start up
Saturday, April 07, 2012 3:57:06 PM UTC
Nice details Scott. I appreciate the thoroughness on this post. I am with you on this one. I believe it may have come from my recent install of ultraviolet. Thanks again for taking the time to be technical!
Tuesday, April 10, 2012 8:54:00 AM UTC
I have just removed Akamai from my system. I have software that records upload and download, and Akamai has been uploading at least 80mb each day without my consent. This program is not legit, if you ask me. It doesn't run all the time but it will upload at random times. That's how it caught me off guard.
eiji ogata
Saturday, May 05, 2012 8:42:09 PM UTC
I just happened to install uTorrent today and I thought it was that... but never mind... killing process now
Wednesday, May 09, 2012 5:42:00 AM UTC
I just found this same thing, 2 copies of the process running. Tracked it to Staples, Inc where I bought & downloaded some software. Thanks a lot Staples!
Mike
Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer’s view in any way.