The Windows Process Journey — “bthudtask.exe” (Bluetooth Uninstall Device Task)
<p>“bthudtask.exe” is a PE binary located at “%windir%\System32\bthudtask”, which is the Bluetooth uninstall device task. It is used to remove the pairing with a remote Bluetooth device, which is specified by service ID (<a href="https://www.shouldiblockit.com/bthudtask.exe-91.aspx" rel="noopener ugc nofollow" target="_blank">https://www.shouldiblockit.com/bthudtask.exe-91.aspx</a>).</p>
<p>Moreover, on 64-bit systems there is also a 32-bit version of the executable located at “%windir%\SysWOW64\bthudtask.exe%”. Also, the executable is digitally signed by Microsoft and “auto elevated”.</p>
<p>Thus, the “Task Scheduler” task (<a href="https://medium.com/@boutnaru/windows-scheduler-tasks-84d14fe733c0" rel="noopener">https://medium.com/@boutnaru/windows-scheduler-tasks-84d14fe733c0</a>) that runs “bthudtask.exe” is “UninstallDeviceTask” which is located in the following hierarchy “Microsoft->Windows->Bluetooth” — as shown in the screenshot below. The scheduled task exits after the device is uninstalled (<a href="https://support.microsoft.com/en-gb/topic/description-of-the-scheduled-tasks-in-windows-vista-21f93b44-7260-a612-5ec3-fb2a7be5563c" rel="noopener ugc nofollow" target="_blank">https://support.microsoft.com/en-gb/topic/description-of-the-scheduled-tasks-in-windows-vista-21f93b44-7260-a612-5ec3-fb2a7be5563c</a>).</p>
<p>Lastly, from the “Actions” tab we can see that the program is started “BthUdTask.exe $(Arg0)”. </p>
<p><a href="https://medium.com/@boutnaru/the-windows-process-journey-bthudtask-exe-bluetooth-uninstall-device-task-bf17fc5d0c59"><strong>Website</strong></a></p>