What causes ping.exe to run?

Keyes

Honorable
Aug 22, 2013
218
0
10,680
I noticed there was a prefetch file for ping.exe in c:/windows/prefetch

Tracing the time that it was created, I compared it to Event Viewer. I compared 3 different prefetches, and they were all created around the same time the volume shadow copy service and the Microsoft shadow copy provider service started.

Looking at other prefetches, win32tm, which I believe is for syncing time, had been created at the same time as the ping prefetch.

Are these services related to ping or win32tm? Neither is running, I just found the prefetch.

Windows 7, ping.exe present in syswow64, system32 and winsxs folders.
 

dgingeri

Distinguished
Normally, ping would only run if a command line command was issued or it was run from a batch file. Make sure the size of the file in prefetch is only about 15-16k. If it is much larger, like 100k+, then it is malware disguising itself as ping. If it is that small, then don't worry about it. It isn't running. Windows is just prefetching it into memory to make it run faster. It doesn't hurt if it is the right program. Although, I have never heard of ping.exe being in the prefetch cache before.
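Keyes's manual comparison of the prefetch file's timestamps against Event Viewer, plus dgingeri's size check on ping.exe, scripted as an added PowerShell example (not code from the thread). It assumes an elevated PowerShell 4+ session on Windows 7 or later; the two-minute correlation window and event ID 7036 (Service Control Manager state change) are my choices, not the thread's.

```powershell
# Added example: list ping.exe prefetch files and correlate their timestamps
# with service state-change events in the System log. Run elevated: the
# Prefetch folder and the System log require administrator rights.
$prefetchDir = Join-Path $env:SystemRoot 'Prefetch'
$window      = New-TimeSpan -Minutes 2   # assumed correlation window

# Prefetch names are <EXE NAME>-<hash>.pf; the hash derives from the executable's
# path, so copies in System32 and SysWOW64 produce separate .pf files.
$pfFiles = Get-ChildItem -Path $prefetchDir -Filter 'PING.EXE-*.pf' -ErrorAction Stop

foreach ($pf in $pfFiles) {
    '{0}  size={1} bytes  created={2:s}  modified={3:s}' -f `
        $pf.Name, $pf.Length, $pf.CreationTime, $pf.LastWriteTime

    # Event ID 7036: "The <service> service entered the running/stopped state."
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'System'
        Id        = 7036
        StartTime = $pf.LastWriteTime - $window
        EndTime   = $pf.LastWriteTime + $window
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        '    {0:s}  {1}' -f $e.TimeCreated, $e.Message.Replace("`r`n", ' ')
    }
}

# Second check from the thread: confirm each on-disk ping.exe is the small,
# Microsoft-signed binary rather than something else carrying that name.
# System binaries are usually catalog-signed, so older Windows versions may
# report NotSigned here; in that case compare the hash against a known-good copy.
$paths = @("$env:SystemRoot\System32\ping.exe", "$env:SystemRoot\SysWOW64\ping.exe")
foreach ($p in ($paths | Where-Object { Test-Path $_ })) {
    $sig  = Get-AuthenticodeSignature -FilePath $p
    $hash = (Get-FileHash -Path $p -Algorithm SHA256).Hash
    '{0}  size={1}  signature={2}  signer={3}  sha256={4}' -f `
        $p, (Get-Item $p).Length, $sig.Status, $sig.SignerCertificate.Subject, $hash
}
```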
 

Keyes

It was only about 16KB in size. I'm guessing ping wouldn't show as ping.exe in task manager, but conhost.exe? Since it's a command line?

I was thinking a service was using it, so would linking a conhost pid with a svchost pid find anything?

I'm only guessing at the moment. Is there a reason it should only be around 15k?
 

dgingeri

It's a simple little program that runs when it is called and then shuts down. You shouldn't see it running for any serious length of time. The real program is very tiny because it is so simple. It wouldn't be used by any other service. It's a program for humans only. In 17 years of IT, I have never seen another program use it, but I have seen some automated batch files use it.

It would actually show up in task manager if you were to do this:
open a command line window
type in ping 8.8.8.8 -t
check task manager
return to the command line window and hit ctrl-C on the keyboard to cancel the ping

The -t means to ping continuously until canceled.
 

Keyes

So what is happening in my case? I seem to have a conflicting answer, saying that different programs use it to test connectivity.

If a batch file is doing this, how can I find which one is doing it? If this is a normal operation, I'm fine, but you say it's really a manual program, so I'm a bit unsure.
 

dgingeri

No, nothing is using it. If it is not in the task manager, it is not running. It can be in prefetch without running. Prefetch is just a cache of frequently used programs kept in memory to allow them to load faster when they are used. It's just there, kind of like your favorite shoes sitting by the door instead of in your closet.
 

Keyes

I see lots of programs I regularly use (browser, Steam, games). It's not running, but I want to know whether it is of concern to me that it had run? I had deleted the prefetch (which was created on the 24th) and it had come back a few hours later.

So are you saying an executable can be prefetched without it being run? How does it decide then which to add? If you say it's frequently used (I don't personally use ping), then must it mean something had run it?
 

dgingeri

The best explanation of Windows' Prefetch is here:
http://www.osnews.com/story/21471/SuperFetch_How_it_Works_Myths

Basically, Windows decides what to prefetch by its own preferences. Since Ping is so small, it is not a big deal to have it in prefetch, or to not have it in prefetch. Either way won't cause problems. It looks like Windows just puts it in there for their own design reasons. I have looked, and it is in the prefetch folder of all 9 servers (Win2008r2) and all 3 Windows desktop boxes (one Win7 and two Win8.1) I checked. I just never noticed it before. It wasn't something to note until you asked.
 

Keyes

Oh sorry, I didn't see your post. When you say Windows 7 boxes, do you just mean a normal personal-use system? So it's safe? As I want to make VERY clear, I am not worried about the prefetch file. I was worried because I believed that a prefetch was made when a program runs. I've deleted the prefetch, but I am 100% sure it wasn't over 17KB in size.

Is ping.exe like a conhost process, where it can be used by other programs to draw console windows, but instead ping a server? I was worried it was a rogue ping file.

I have 4 ping.exe

In system32 it is 16.5 KB, as well as in the winsxs respective folder (same ping.exe).

In syswow64 it is 15.00 KB, as well as in a winsxs folder (same ping.exe I believe?).

All 4 ping.exe files were created, accessed, and last modified July 14th, 2009, within an hour of each other. I've had the system for a little under a year, and the current install is as old as the system.

File and product version of the executables are: 6.1.7600.16385, and copyright Microsoft. Is there anything else to add? And if you can answer some of the questions above I would be very grateful.
 

orlbuckeye

Distinguished


When you issue a ping command you do it through the command window, which shows as cmd.exe in the task manager; the ping is a command within the little DOS-type window. Ping is used to communicate with a device. You issue the command to ping either a device name or IP address. Ping looks for a reply from that device to verify it's communicating on the network. I use this to verify time clocks are communicating on our network. Our time clocks have static, unique IP addresses (hopefully); sometimes our systems and networks assign a printer the same IP address by accident, and if the printer is on it will respond to the ping and not the clock.

 

Keyes

I've never used cmd to ping anything (I've used netstat before and that's as far as I've gone with cmd).

The above answers have solved this, but thanks. And thanks to the others for peace of mind.
 

orlbuckeye

I use ping every day now; if I have an issue I talk to systems and networks and they use their tools. Ping.exe is an executable program written by Microsoft and distributed with Windows (all versions). It's designed to run within the command prompt (basically a DOS program).