A few days ago, one of my blog visitors emailed me about an unidentified process named KMService.exe running on his machine. His concern was that, although the process did not show any virus-like signs, an antispyware program detected it as riskware.
What exactly is KMService.exe?
KMService.exe is a pirate activator for Microsoft Office. It is a cracking tool that fools Microsoft Office into treating the copy installed on the machine as a legitimate, pre-activated version. It cracks Microsoft Office by tampering with the Windows Key Management Service.
In normal operation this service keeps running in the background and consumes very little CPU.
Location of this File:
KMService.exe is located at %WINDIR%\kmsem\KMService.exe
Or sometimes also at: %WINDIR%\KMService.exe
And the file size is: 151,552 bytes
Registry changes associated with KMService
When the process is installed on your machine, it creates the following 7 keys in the system registry:
HKCU\Software\Microsoft\Windows Script Host
HKCU\Software\Microsoft\Windows Script Host\Settings
How is it installed on my computer?
As mentioned above, the file is part of a Microsoft Office 2010 pirate activator. The file is therefore present on your computer because you have a pirated version of MS Office 2010 on the machine.
Note that if you activated Microsoft Office 2010 in the legally prescribed way, this file should not be present on your computer.
Is it a dangerous program?
The actual KMService process is not dangerous: using it is illegal, but it does not harm your computer. Antivirus products detect this file as malware or as a hacktool because they do not want anyone to use cracked, patched or pirated software.
But hackers, crackers and other malicious coders are smart: they often give their viruses the name of some genuine process, which helps them disguise their malware as a genuine Windows component. So if KMService is running on your machine and you have not activated Office 2010 by the pirated method, there is a strong possibility that your system is infected by a malicious program.
How do I find out whether the KMService process running on my system is malware?
To find out whether your system is infected by a malicious program with the same name (“KMService.exe”), use any one of the methods below:
If you have not installed Microsoft Office 2010 on your machine and you still find an instance of KMService.exe running in Task Manager, then there is a strong possibility that your system is infected.
If you have installed MS Office 2010 and activated it the legitimate way (that is, without using any crack or patch) and you still spot an instance of KMService running in Task Manager, then there is a strong possibility that your system is infected.
In the third method, simply check whether the KMService registry key exists, using Registry Editor. Follow the steps below:
- Open the Run window by pressing Win+R
- Type “regedit” (without quotes) in the Run box and press Enter.
- Now navigate to the path: HKLM\System\CurrentControlSet\Services\KMService\Parameters\Application
- If you cannot find any such key in Registry Editor, this means that the activator patch for MS Office 2010 has not been installed. If you can nevertheless see a running instance of KMService, your system is infected.
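The checks described above (file location and size, the registry key, and the running process) can be collected in one pass from PowerShell. This is an added example, not code from the original post; the variable names and verdict messages are its own, and treating a process image outside the two listed paths, or a file size other than 151,552 bytes, as worth a closer look is an assumption of the example.

```powershell
# Added example. Paths, size and registry key are the ones given in the article;
# variable names and verdict wording are this example's own.
$expectedPaths = @(
    (Join-Path $env:WINDIR 'kmsem\KMService.exe'),
    (Join-Path $env:WINDIR 'KMService.exe')
)
$expectedSize = 151552   # bytes, as stated in the article
$serviceKey   = 'HKLM:\System\CurrentControlSet\Services\KMService\Parameters\Application'

# 1. Files at the two locations the article names, with their sizes.
$files = @(foreach ($p in $expectedPaths) {
    if (Test-Path -LiteralPath $p -PathType Leaf) {
        $f = Get-Item -LiteralPath $p -Force
        [pscustomobject]@{ Path = $f.FullName; Bytes = $f.Length
                           SizeAsListed = ($f.Length -eq $expectedSize) }
    }
})

# 2. The registry key from the regedit steps.
$keyPresent = Test-Path -LiteralPath $serviceKey

# 3. Running instances and the on-disk path of each image.
#    ExecutablePath can be empty when the session is not elevated.
$procs = @(Get-CimInstance -ClassName Win32_Process -Filter "Name = 'KMService.exe'" |
    Select-Object ProcessId, ExecutablePath)

# Assumption of this example: an image outside the listed paths, or a file
# whose size differs from the listed one, deserves a closer look.
$oddPath = @($procs | Where-Object {
    $_.ExecutablePath -and ($expectedPaths -notcontains $_.ExecutablePath) })
$oddSize = @($files | Where-Object { -not $_.SizeAsListed })

$files | Format-Table -AutoSize
$procs | Format-Table -AutoSize
"Service registry key present: $keyPresent"

if ($procs.Count -gt 0 -and -not $keyPresent) {
    'Process is running but the registry key is absent: the article treats this as infection.'
} elseif ($procs.Count -gt 0) {
    'Process is running and the registry key exists: consistent with the activator.'
} else {
    'No running KMService.exe process found.'
}
if ($oddPath.Count -gt 0) { 'Process image is outside the listed locations (closer look advised).' }
if ($oddSize.Count -gt 0) { 'File size differs from 151,552 bytes (closer look advised).' }
```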
How to fix KMservice.exe
If the KMService installed on your system is malware, follow Fix 1; otherwise follow Fix 2.
Fix 1# How to remove the malware:
Simply scan your system with a good antivirus and it will take care of the rest.
Fix 2# How to disable the antivirus alerts or pop-ups if you installed KMService yourself:
If you installed KMService.exe yourself and are fed up with your antivirus showing alerts about deleting this process, you can simply add the process to your antivirus's exclusion list and it will not prompt you again to delete this file.