Cortana & Cain.exe

  • Question

  • My Host IPS is picking up a file called Cain.exe on several of our systems that appears to have originated from here:

    C:\WINDOWS\SoftwareDistribution\Download\291d6754191367c88639c4f65b66381e\Package_for_RollupFix~~amd64~~17134.286.1.0\amd64_microsoft-windows-c..sktop.appxmain.root_31bf3856ad364e35_10.0.17134.286_none_bc911cbb04b1148f\Cain.exe

    and now lives here:

    C:\Windows\WinSxS\amd64_microsoft-windows-c..sktop.appxmain.root_31bf3856ad364e35_10.0.17134.1_none_c09197bf17a9336c\Cain.exe

    here:

    C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cain.exe

    and here:

    C:\WINDOWS\SoftwareDistribution\Download\601d980273273a4be112599b10f92f9b\inst\amd64_microsoft-windows-c..sktop.appxmain.root_31bf3856ad364e35_10.0.17134.286_none_bc911cbb04b1148f\cain.exe

    This post suggests that it is a component of Cortana: https://social.technet.microsoft.com/Forums/windows/es-ES/aaf02478-ec58-4614-83b2-0fd30e0ce98e/cainexe?forum=win10itprogeneralES

    as does the location of one of the files, but I have a hard time believing MS would name a file cain.exe and also it is the only exe file in those locations that DOESN'T have information in the file details. 

    Other info:

    VirusScan isn't flagging anything on these systems.

    File first appeared in August.

    All systems that this is being flagged on are 1803.  Systems that have not been updated are not being flagged.

    If someone could point me to some definitive reference that lists the file as being of Microsoft origin I would appreciate it.  

    Monday, October 1, 2018 1:58 PM

All replies

  • I have the same file.
    It has file information: "Cortana Notebook", but is not signed.
    But all other .exe files in this directory have no signature, except SearchUI.exe.
    Probably not needed as the App itself has a signature.

    I don't understand why the name of the file would be a problem?
    Seems to come from "CortanaAINotebook"

    Monday, October 1, 2018 3:00 PM
  • Cain.exe is also the executable used by Cain & Abel.  It has to be drawing some attention on more systems than mine. 
    Monday, October 1, 2018 3:16 PM
  • Hi Melissa,

    I agree with EckiS. 

    I also have this file and its details as below. There is signature tab but its Product name & Copyright indicate it belongs to Microsoft Windows Operating System.

    I think Cain & Abel's application details should not be like this.

    In addition, the WinSxS folder is the location for Windows Component Store files and should be safe. The SoftwareDistribution folder is used to temporarily store files which may be required to install Windows Update on your computer. It's also safe.



    Tuesday, October 2, 2018 6:23 AM
    Moderator
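
Added example, not part of the original thread: a PowerShell check for the two persistent paths quoted in the question, so the decision rests on signature and hash evidence rather than on the file name or the Properties dialog. `Get-AuthenticodeSignature` also reports catalog signatures, which a file can have even when it carries no embedded signature; the assumption is Windows PowerShell 5.1 on the affected host, and what the fields show there has to be read from the output.

```powershell
# Added example (not from the thread). Paths are copied from the question above.
$paths = @(
    'C:\Windows\WinSxS\amd64_microsoft-windows-c..sktop.appxmain.root_31bf3856ad364e35_10.0.17134.1_none_c09197bf17a9336c\Cain.exe',
    'C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cain.exe'
)

$report = @(foreach ($p in $paths) {
    if (-not (Test-Path -LiteralPath $p)) {
        Write-Warning "Not present on this host: $p"
        continue
    }
    $sig  = Get-AuthenticodeSignature -LiteralPath $p
    $info = (Get-Item -LiteralPath $p).VersionInfo
    [pscustomobject]@{
        Path          = $p
        SHA256        = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        Status        = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        SignatureType = $sig.SignatureType   # None, Authenticode (embedded) or Catalog
        IsOSBinary    = $sig.IsOSBinary      # True only for files Windows trusts as its own
        Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Description   = $info.FileDescription
        Product       = $info.ProductName    # informational only: version strings are not proof
    }
})

$report | Format-List

if ($report.Count -gt 0) {
    # Copies staged by the same update should be byte-identical.
    $hashes = @($report | Select-Object -ExpandProperty SHA256 -Unique)
    if ($hashes.Count -gt 1) {
        Write-Warning 'Copies differ: compare each hash separately before allow-listing.'
    }
    # Anything not covered by a valid signature needs a closer look.
    $report | Where-Object { $_.Status -ne 'Valid' } |
        ForEach-Object { Write-Warning "No valid signature found for $($_.Path)" }
}
```

If a Host IPS exclusion is created afterwards, keying it on the verified SHA256 or signer rather than on the name `Cain.exe` keeps the rule from also matching an unrelated file with that name.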