Many users suspect the au_.exe process of being malicious after seeing how much of the system's resources it consumes in Task Manager. Users typically report high resource usage from au_.exe while the system is busy installing or uninstalling a program.
au_.exe is often reported as being flagged by security suites such as Avast, McAfee, and Avira. However, in most cases these detections turned out to be nothing more than false positives.
Although the executable is most likely not malicious, you should investigate further if you see that the au_.exe process remains active (with high resource usage) even when the system is not installing or uninstalling software.
What is au_.exe?
Au_.exe is a scripting engine that is often included inside AutoIt executables. In fact, the majority of applications released during the past few years use AutoIt during either installation or uninstallation. Here’s a short list of popular Windows-based programs and games that use au_.exe during installation or uninstallation:
- Flash Player (or Flash Player ActiveX)
- Adobe Reader
- Google Calendar
- Registry Helper
- Mozilla Firefox
- DivX Player
- Comodo GeekBuddy
- Yahoo Toolbar
- Dragon Age (PC game)
- Razer Synapse
In essence, au_.exe packs a particular script into an SFX file that auto-starts the script engine. Because of this, the user ends up seeing the au_.exe process inside Task Manager while this is happening.
Note: Manually stopping the process from Task Manager will likely force-stop the installation or uninstallation.
The large number of false positives related to the au_.exe process can be traced to the rise of adware installers and the like. Because au_.exe is extremely common in adware installers, security suite developers often choose to take no chances. Antivirus suites have very few means of figuring out whether the script run by au_.exe is legitimate or not, so a common practice is to flag every occurrence.
Potential security threat?
Now that you know the purpose of au_.exe, let’s make sure that the process is indeed genuine. Since au_.exe is used dynamically by installers and uninstallers, the executable is automatically created and stored in a temporary folder (~nsu.tmp).
Navigate to C:\Users\*YourUserName*\AppData\Local\Temp\~nsu.tmp and see whether you’re able to locate the au_.exe executable. If you are able to locate au_.exe in the ~nsu.tmp folder, you can rest easy as you’re not dealing with a security threat.
However, if you see that the au_.exe process persists in Task Manager (Ctrl + Shift + Esc) long after the installation or uninstallation of a certain program is complete, additional investigation is needed. Start by rebooting your system and promptly check whether the au_.exe process is still there. If it is, open Task Manager, right-click on the au_.exe process and choose Open File Location. Next, copy the au_.exe file and upload it to VirusTotal to have it analyzed for any malicious activity.
If the analysis is inconclusive, you can put the matter to rest by scanning your system with a powerful malware remover. For the best results, we recommend either Malwarebytes or Microsoft’s Security Scanner. If you want extra help installing and configuring your security scanner to look specifically for threats of this type, follow our in-depth article on installing and scanning with Malwarebytes.
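The checks described above (file location, how long the process has been running, and a hash for VirusTotal) can be collected in one pass. The following PowerShell sketch is an added example, not part of the original article; it assumes the ~nsu.tmp path given above for the current user, and the 10-minute "still running" threshold is an arbitrary value chosen for illustration.

```powershell
# Added triage sketch: inspects running au_.exe processes using the checks
# described in the article. Threshold and folder are assumptions (see lead-in).
$expectedDir = Join-Path $env:LOCALAPPDATA 'Temp\~nsu.tmp'
$maxAge      = New-TimeSpan -Minutes 10   # assumed cutoff for "long after install"

$procs = Get-CimInstance Win32_Process -Filter "Name = 'au_.exe'"
if (-not $procs) {
    Write-Output 'No au_.exe process is running.'
    return
}

foreach ($p in $procs) {
    $path   = $p.ExecutablePath            # empty when access is denied
    $age    = (Get-Date) - $p.CreationDate
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"

    $inExpectedDir = $false
    $hash = $null
    $sig  = $null
    if ($path -and (Test-Path -LiteralPath $path)) {
        # Case-insensitive comparison of the file's folder with ~nsu.tmp
        $inExpectedDir = (Split-Path -Parent $path) -ieq $expectedDir
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $sig  = Get-AuthenticodeSignature -LiteralPath $path
    }

    # One record per process; review InNsuTempDir and OlderThanLimit first
    [pscustomobject]@{
        PID            = $p.ProcessId
        Path           = $path
        InNsuTempDir   = $inExpectedDir
        RunningFor     = '{0:N0} min' -f $age.TotalMinutes
        OlderThanLimit = $age -gt $maxAge
        Parent         = if ($parent) { $parent.Name } else { '(exited)' }
        SignatureState = if ($sig) { $sig.Status } else { 'n/a' }
        Signer         = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'n/a' }
        SHA256         = $hash
    }
}
```

The SHA256 value can be searched on VirusTotal before uploading the file itself. Run the script once after the reboot described above, when no installer should be active.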
Should I delete au_.exe?
For the most part, deleting the au_.exe file is completely unnecessary, as your operating system should automatically remove it once it decides to clean up the temp folder. However, deleting the file will not have any repercussions on the way your OS operates.
What's more, every installer or uninstaller that needs to make use of au_.exe is perfectly capable of creating a new copy when it's needed.
But you can also delete au_.exe manually by navigating to C:\Users\*YourUserName*\AppData\Local\Temp\~nsu.tmp and deleting the file from there. You can also automate the whole process by using a system cleaner capable of cleaning up the temp folder (like CCleaner or BleachBit).