What is Ntvdm.exe

NTVDM.EXE - Microsoft® Windows® Operating System - Microsoft Corporation

File description

Ntvdm.exe with description NTVDM.EXE is a process file from company Microsoft Corporation belonging to product Microsoft® Windows® Operating System.
The file is digitally signed from Microsoft Windows Component Publisher - Microsoft Timestamping Service
We do not recommend removing digitally signed files from Microsoft Windows Component Publisher

What is ntvdm.exe?
Ntvdm.exe is the Windows NT Virtual DOS Machine. This is used by Windows to allow DOS applications to run under Windows NT-based operating systems (2000, XP, Vista). It is also used in conjunction with wowexec.exe to run 16-bit applications under 32-bit Windows.

This executable is a critical part of the operating system; however, there is not necessarily any harm in terminating it when it is running. Terminating it will cause any DOS applications that are running inside of it to terminate. The screenshot below illustrates how this process should appear in the task manager:



In the above screenshot, ntvdm.exe is running as the current user (Mike); however, it can run as any user, as any user may be running a DOS program. The legitimacy or illegitimacy of a given instance of this process cannot be inferred by which user it is running under.

Dangers of ntvdm
As this is a common process that runs whenever a DOS program or a 16-bit application is started, it is common for virus writers and spyware vendors to disguise their malware as the genuine one.

Some malicious files may have the same name but be stored somewhere other than in %SystemRoot%\System32. Other malware may use a name that appears similar to it but with slight differences in spelling or with appended digits. The following malware is known to disguise itself as the genuine ntvdm.exe:
  • W32/Tilebot-JX (%SystemRoot%)
    • This is an IRC backdoor Trojan that spreads via known exploits, network shares, and MSSQL servers with weak passwords.
  • W32/Sdbot-DFQ (%SystemRoot%)
    • This is an IRC backdoor Trojan that allows an attacker to remotely take control of an infected system.
There can sometimes be several instances of this process running at any given time. The presence of multiple instances is not necessarily an indicator of a malware infection. If this process is running before any DOS or 16-bit applications are started, however, it is possible that your system is infected with malware.

Common problems
  • This process uses 100% of the CPU
    • This is normal behavior under some DOS applications. If this is a problem, try downloading an alternative DOS emulator.
    • This can also be caused by a DOS program that has crashed.
  • "The NTVDM CPU has encountered an illegal instruction"
    • This can happen when a DOS application you are running has an error or if you try to run a 32-bit application under NTVDM.
  • "NTVDM encountered a hard error"
    • This can happen if you or a program you are running tries to mix 8.3 filenames with long filenames.

Automatic startup locations

001 Running Processes
003 Autorun registry entries Current User
010 Installed services
065 Image File Execution Options (debugger)
148 Wow cmdline
149 Wow wowcmdline

Digital signatures found for this file

    Certificate 
53 Microsoft Windows Component Publisher - Microsoft Timestamping Service
35 Microsoft Windows Publisher - VeriSign Time Stamping Services Signer
28 Microsoft Windows XP Publisher - VeriSign Time Stamping Service
26 Microsoft Windows 2000 Publisher - VeriSign Time Stamping Services Signer
18 Microsoft Windows XP Publisher - VeriSign Time Stamping Services Signer
13 Microsoft Windows XP Publisher (Europe) - VeriSign Time Stamping Service
12 Microsoft Windows 2000 Publisher - VeriSign Time Stamping Service
4 Microsoft Windows - Microsoft Time-Stamp Service
2 Microsoft Windows 2000 Publisher (Europe) - VeriSign Time Stamping Service
2 Microsoft Windows 2000 Publisher (Europe) - VeriSign Time Stamping Service CA SW1
1 Microsoft Windows Component Publisher - VeriSign Time Stamping Services Signer
1 Microsoft Windows - VeriSign Time Stamping Services Signer
1 Microsoft Windows Publisher - VeriSign Time Stamping Service
1 Microsoft Windows 2000 Publisher - NO LIABILITY ACCEPTED, (c)97 VeriSign, Inc.
1 Microsoft Windows - Microsoft Timestamping Service

MD5 security rating in our database

872 files (Not yet rated and not signed)
8 files (Safe and not signed)
245 files (Safe and digitally signed)
Some versions of this filename have not yet been checked for safety.
Warning: Some malware might rename itself to ntvdm.exe. Always make sure that your file is from a verified publisher.

User ratings for this file

File rating: Average rating of ntvdm.exe: by 1125 files and users.

Application errors

Fix ntvdm.exe application error:  Run a FREE registry scan

User comments

I have a brand new XP Pro SP 3 machine & am getting this error: "The NTVDM CPU has encountered an illegal instruction".

How can I fix this without reloading everthing as it took at least 3 days to get this machine ready for use.
I have Comodo antivirus installed. Whenever I tried to run Turbo C++ 3.0 application, the warning says "Ntvdm.exe is unsafe application and is trying to modify E:\Windows\Temp\Scs7E.temp" and the system screen becomes blank with only cursor blinks. When I closed the application, the Comodo asks me if I treat this as Trusted application. I chose as Trusted. Now I can run Turbo C without problem


Please add your comments if you have more information about this file or if you know how to solve ntvdm.exe application errors.


File safety :

File security rating :

Are you human? How much is 16+16:


Like this page?

Please support this free service by giving us a Google+1


Browse files by letter

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

More system processes

ntviehelp.dll ntw4.ocx NtwCA.exe
NTWCALDR.DLL NTWIOT5.sys ntwlib.dll
ntwsgopp.dll NtwSpeed.exe ntx.exe
ntx_print.exe ntx_rip.exe ntxpgp.sys

Lansweeper computer inventory From the creator of Runscanner:

Lansweeper
is an automated IT asset management tool. It can quickly scan your computers and has over 250 default reports available.

There is no need to install any agents on the scanned computers, all hardware and software inventory scanning is done by standard build-in functionality.