I had a moment of panic this morning when I discovered UNCServer.exe running on my Windows 7 workstation. I thought it was a VNC server, which could allow external control of my PC. Do I have a virus? I immediately unplugged my network cable and started researching.
I first noticed this when using Alt+Tab to flip through applications. UNCServer is listed as an application, although selecting it does not open a window:
Task Manager shows the program and path:
C:\Program Files (x86)\Lenovo\System Update\UNCServer.exe
Probably Not a Virus
So apparently it’s part of Lenovo System Update, as this article and this post confirm. The file is also digitally signed by Lenovo.
The article and post also point out that the program opens firewall ports. The program grants itself access on all TCP and UDP ports for both the Domain and Public profiles:
So it’s from Lenovo, and others see the same thing, so it’s probably not a virus. I still wondered what it does.
Probably Not VNC
Task Manager says it’s running as PID 9996. Checking for listening ports, we see that PID 9996 is listening on port 20050:
In case this was a just a renamed VNC server, I installed the viewer portion of RealVNC and UltraVNC on another computer. Neither one was able to connect to my workstation on port 20050. Good.
Next I tried a Raw connection from Putty to port 20050. I had to turn on logging to capture the message that flashed across the screen: “Server encountered an internal error. To get more info turn on customErrors in the server’s config file.” That would seem to refer to the UNCServer.exe.config file in C:\Program Files (x86)\Lenovo\System Update. That looks like a .NET config file, and in fact it contains references to what appear to be .NET versions. I did not try adding a customErrors line.
.NET Analysis
I opened UNCServer.exe in IL DASM, part of the .NET framework SDK. Sure enough, it’s a .NET executable:
At first glance at the procedure names, UNCServer.exe seems to be mostly about transferring files, not about remote control. So why does it need open ports on the inbound firewall? Is it supposed to allow an external program to connect to my computer to transfer files? My edge firewall should prevent connections from outside the network, but I still don’t like it.
When Does It Start
After a reboot, I noticed that UNCServer.exe did not start as soon as I logged on. However, it did start when I started Lenovo System Update, and it closed when I exited System Update. With System Update closed, nothing is listening on port 20050, although the firewall exceptions are still there.
So apparently System Update was running when I happened to see UNCServer this morning. Why? In Task Scheduler, TVT > TVSUUpdateTask is scheduled to run monthly on the 4th of the month. That’s a week ago. When I ran it manually, it finished in one second, but it left UNCServer.exe running. Then after a few minutes, I got a balloon notification from Lenovo that updates are available. Sure enough, there’s System Update in the system tray:
At this point, UNCServer.exe is still running. If I right-click on the red Lenovo icon in the system tray and choose Exit, UNCServer.exe closes.
So if you don’t want UNCServer.exe to start, the (so far untested) options are:
- Uninstall Lenovo System Update.
- Disable the task TVT > TVSUUpdateTask. That should prevent Lenovo System Update from running on a schedule and leaving UNCServer.exe running in the background. However you would still be able to run Lenovo System Update manually.
Thanks for thorough analysis and explanation!
Yeah, well done!
Thank you for this! I really appreciate it!!!
Beautiful explanation mate. Saved me a lot of hassle.
Thank You for this. Like all others have said, I appreciate you taking the time to investigate this and letting the rest of us know.
Thanks again!
Thanks for doing the research. I was alarmed just now to see that something had opened a cmd.exe window saying simply, “Installing drivers…” Task Manager showed it was UNCServer.exe. Since getting updated drivers from Lenovo is probably a good thing, I set my panic level back down to normal and got on with my work.
Many thanks again!
Thank you, this really helped!!!
Awesome post! I was also surprised that this was running, and of course stumbled onto this great post with a quick Google search.
Brilliant, Mark! Thanks a lot. Not only have I solved the problem, but also used the Task manager for the first time and understood the logic of this application. Of course I consequently disabled some other annoying tasks that were spoiling my use of the computer. People like you deserve a huge credit! See how your work helps people even after years you have posted it.
I’m glad this post is still useful!
Amazing work, analysis and explanation! Thank you for the saved time.
In my case UNCSerever is not closed when I right-click on the red Lenovo icon in the system tray and choose Exit.
When I open Lenovo Update (in Control Panel) and click on Next, I get a message that Update has to update it’s self, than I click OK but Update does not update it’s self !
The most nerve braking is that the mouse pointer keeps showing on and off that Lenovo Update is working in the background . I have changed the “Working in the Background” pointer to the same as “Normal Selection” but that’s a daft makeshift solution.
I don’t like to uninstall Update, is there any other way to solve this problem ?
I have a E530c ThinkPad running W10.
Hyve, the purpose of this article was to confirm that UNCServer.exe is not a virus but is part of Lenovo System Update. If you need help with actual update functionality, I suggest contacting support or posting your question in the Lenovo forum (https://forums.lenovo.com).
Thanks for a great, detailled article. Strange behavior I’ve seen that seems to coincide with a couple of times that I’ve found UNC Server running is resetting some Windows options.
The one I notice is “Use visual styles on windows and buttons” gets disabled and all my VBA popups look like they’re running under XP!
I’m sure that can’t be the only thing going on (too insignificant and wierdly random) and maybe UNC/Lenovo update is not responsible. It may be a seperate issue and coincidentally UNC was running…
Wow ! I’m impressed…didn’t understand all of it, but it’s not a virus. Right clicked on it and exit and disabled the automatic update. From Quebec we Thank you very much !!!!!
Obrigado, foi de grande ajuda todo esse post.
Vous êtes un héros.
I’m searching this in 2019 and it’s just as relevant to me in my lenovo laptop lmao. Thanks soo much for that in depth analysis as not many go as far as that! It might be a w7 pc but it’s just as useful in w10!
I just saw UNCS server and check on google and fortunately i saw your article which you explained clear simple and understandable. I really appreciate your time and investigation.
Thank you
I looked at the code using Dotpeek and it’s listening on ipv4 Loopback (127.0.0.1).
Thanks for this article, helped me a lot!