What Is Wrtmon.Exe?

Wrtmon.exe – what is it?

The wrtmon.exe process belongs to Presto PageManager, which comes bundled with Canon scanners.

File Information

By default, the wrtmon.exe file is located in the C:\Windows\system32\spool\drivers\w32x86\3 folder and its file size is 20,480 bytes.

You may find entries related to this file in the following locations within the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The wrtmon.exe process loads automatically when you start your system.

Is it essential to have wrtmon.exe run when your system starts?

No, it is not. You should only let essential programs load automatically when your system starts. Startup programs consume a lot of system resources and having too many of them can considerably slow down your system startup and shutdown processes.

As wrtmon.exe is not an essential process, you can safely remove it from your startup sequence. You can run the wrtmon.exe process manually whenever you require it.

How to remove the wrtmon.exe process from your startup sequence

Perform the following steps to prevent wrtmon.exe from running at system startup:

  1. Open the Start menu and then select the Run command.
  2. In the Open box, type msconfig and then click the OK button.
  3. Next, in the System Configuration Utility box, click the Startup tab.
  4. Here, clear the box for WRTMON and then click Apply to save your changes.
  5. Now, click Close to exit the System Configuration Utility box.
  6. Finally, restart your system when prompted.

Is wrtmon.exe a safe file?

The genuine wrtmon.exe is a safe file and does not pose any danger to your system.

However, there is also a rogue wrtmon.exe that is associated with malware. The rogue wrtmon.exe file is reported to also use the following file names:

  • INDICATORSYSTEM.EXE
  • GOOGLETOOLBARNOTIFIER.EXE
  • SPYWAREFIGHTERUSER.EXE
  • PKLAGXM.TMP

The harmful version of wrtmon.exe is known to have the following file sizes:

  • 23,052 bytes
  • 26,704 bytes
  • 364,032 bytes
  • 20,480 bytes

Further, the rogue wrtmon.exe is known to have the following capabilities:

  • It loads automatically as a process when you start your computer.
  • It registers a DLL file in your registry.
  • It creates other processes on your system.
  • It adds code to all running processes to gain control of your system or to record your keyboard inputs, mouse activities and screen contents.
  • It successfully hides itself from system or security processes by using low-level functions.
  • It displays polymorphic behavior, which means that it can change its structure to disguise its identity from security programs.

How to ensure that wrtmon.exe is not a malicious process

To ensure that the rogue wrtmon.exe is not running on your PC, go through the list of currently running processes on your system. To view this list, press Ctrl+Alt+Del and click the Processes tab in the Windows Task Manager window that opens.

The presence of wrtmon.exe in the list of currently running processes even when you don’t use a Canon scanner indicates that your PC is infected. Similarly, multiple wrtmon.exe processes running on a PC that has a Canon scanner installed also indicate a malware infection.
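
The checks described above can also be scripted rather than read off Task Manager. The following PowerShell is an added example, not part of the original article; it only reads process and registry data and relies solely on the folder, file sizes, file names and Run keys given on this page. Because the page lists 20,480 bytes for both the genuine and the rogue file, that size is reported as inconclusive.

```powershell
# Added example: read-only triage of wrtmon.exe using the indicators listed on this page.
$expectedDir = 'C:\Windows\system32\spool\drivers\w32x86\3'   # default folder per the page
$rogueOnly   = 23052, 26704, 364032   # sizes the page lists for the rogue file only
$sharedSize  = 20480                  # size the page lists for both genuine and rogue file
$runKeys     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
# wrtmon.exe plus the other file names the page reports for the rogue file.
$namePattern = 'wrtmon\.exe|indicatorsystem\.exe|googletoolbarnotifier\.exe|' +
               'spywarefighteruser\.exe|pklagxm\.tmp'

# 1. Running instances: count, image path and file size.
$procs  = @(Get-CimInstance Win32_Process -Filter "Name = 'wrtmon.exe'")
$report = foreach ($p in $procs) {
    $path = $p.ExecutablePath          # can be empty without administrator rights
    $file = $null
    if ($path -and (Test-Path -LiteralPath $path)) { $file = Get-Item -LiteralPath $path -Force }
    $size = $null; $sizeNote = 'unknown (file not readable)'
    if ($file) {
        $size = $file.Length
        if ($rogueOnly -contains $size) { $sizeNote = 'listed for the rogue file only' }
        elseif ($size -eq $sharedSize)  { $sizeNote = 'inconclusive: genuine and rogue' }
        else                            { $sizeNote = 'not a size listed on the page' }
    }
    [pscustomobject]@{
        ProcessId     = $p.ProcessId
        Path          = $path
        InExpectedDir = [bool]($file -and ($file.DirectoryName -ieq $expectedDir))
        SizeBytes     = $size
        SizeNote      = $sizeNote
    }
}
if ($procs.Count -gt 1) { Write-Warning "$($procs.Count) wrtmon.exe processes are running" }
$report | Format-List

# 2. Run-key values whose command names one of the files above (a lead to review, not a verdict).
$autoruns = foreach ($key in $runKeys) {
    $item = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($name in $item.GetValueNames()) {
        $command = [string]$item.GetValue($name)
        if ($command -match $namePattern) {
            [pscustomobject]@{ Key = $key; Value = $name; Command = $command }
        }
    }
}
$autoruns | Format-Table -AutoSize -Wrap
```

An instance running from outside the expected folder, or more than one instance, corresponds to the warning signs described above; no output from either step means no wrtmon.exe process and no matching startup entry were found.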

If you find that your PC is infected, run a virus/malware scan using robust and trustworthy antimalware tools, such as STOPzilla Antivirus and Spyware Cease, to get rid of the malicious wrtmon.exe process. After you have successfully removed it, run a registry scan using reliable registry cleaning software, such as RegServe, to remove any malicious and invalid entries that the rogue wrtmon.exe process may have added to the registry.