What is Wrtmon.exe – Is it a Genuine File or Malware?

Like so many executable files, wrtmon.exe exists both as a genuine file and as malware. This article is divided into two sections: first we discuss the genuine version of the file, and then we look at its malware variant.

Genuine Wrtmon.exe

The process is associated with Presto PageManager, an application that allows users to scan, share, and organize photos and documents. Presto PageManager also allows you to digitize your photos and documents and create PDF files. The software is bundled with Canon scanners and many other printers/scanners.

The genuine wrtmon.exe file is located in a subfolder of C:\Windows\System32. The most common size of this file in Windows XP is 20,480 bytes.

By default, the file starts automatically every time you boot Windows. However, the process does not need to start automatically when you power on your computer. If you want to keep only essential processes in your startup sequence, you can remove this process from the Windows Startup Menu. The steps below show how to do this:

  1. Click Start.
  2. Click Run to launch this utility.
  3. In the Open dialog box, type msconfig, and then press Enter.
  4. Click Startup.
  5. Clear the checkbox before wrtmon.exe.
  6. Click Apply.
  7. Click OK.

Wrtmon.exe Virus

The malware version of this file is known to display the following behavior:

  • Runs itself automatically every time you boot Windows
  • Creates other processes
  • Executes a process and registers a DLL (Dynamic Link Library) file
  • Hides itself from system/security processes
  • Resists interrogation from security tools
  • Records keyboard input, screen contents, and mouse activity

The malicious wrtmon.exe is also known to use the filenames listed below:


How to Identify if the Wrtmon.exe File Running on your Computer is Genuine or Malware

Open the Task Manager window (by pressing Ctrl+Alt+Del or Ctrl+Shift+Esc), click Processes, and see how many instances of this process are running on your computer. If two instances of this process are running, or you see the process running even when you are not using Presto PageManager, your PC is likely to be infected. To fix the issue, immediately scan your entire computer using robust antivirus software.
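
The checks described in this article can also be run as a script. The following PowerShell is an added example, not part of the original article or of Presto PageManager; it lists each running wrtmon.exe instance with its file location and size and notes where these differ from what the article gives for the genuine file. It assumes PowerShell 3.0 or later and an elevated prompt.

```powershell
# Added example: triage running wrtmon.exe instances against the article's indicators.
# Assumes PowerShell 3.0+ (Get-CimInstance); run elevated so ExecutablePath is populated.
$name       = 'wrtmon.exe'
$system32   = Join-Path $env:WINDIR 'System32'  # article: genuine file sits in a subfolder of this
$commonSize = 20480                             # article: most common size on Windows XP (bytes)

$procs = @(Get-CimInstance -ClassName Win32_Process -Filter "Name = '$name'")

if ($procs.Count -eq 0) {
    Write-Output "No running $name process found."
}
else {
    foreach ($p in $procs) {
        $path        = $p.ExecutablePath
        $inSubfolder = $false
        $size        = $null

        if ($path) {
            $parent = Split-Path -Path $path -Parent
            # True only for a subfolder of System32, not System32 itself or a look-alike folder name
            $inSubfolder = $parent.StartsWith(($system32 + '\'), [System.StringComparison]::OrdinalIgnoreCase)
            if (Test-Path -LiteralPath $path) {
                $size = (Get-Item -LiteralPath $path -Force).Length
            }
        }

        $notes = @()
        if (-not $path)            { $notes += 'path unavailable (not elevated, or the process hides it)' }
        elseif (-not $inSubfolder) { $notes += 'not in a subfolder of System32' }
        if ($procs.Count -gt 1)    { $notes += 'more than one instance running' }
        if ($size -and $size -ne $commonSize) { $notes += 'size differs from the common XP size (informational)' }

        # One output row per running instance
        [pscustomobject]@{
            ProcessId = $p.ProcessId
            Path      = $path
            SizeBytes = $size
            Notes     = $notes -join '; '
        }
    }
}
```

The size note is informational only, because the article gives 20,480 bytes as the most common size rather than the only one. Any other note is a reason to run the full antivirus scan described above.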