MuseHub - What does it do and can it really cause harm? In search of facts.

• Jan 6, 2023 - 16:54

This topic is an invitation to share information on MuseHub and how it works. The aim is to assess whether it is safe to use, and to take action should there be cause for concern.

In several topics on this forum, doubts have been expressed whether MuseHub is safe.

The main reason is the apparent installation of a service with "root" permissions, that is a service that can access and change many or all of the files on the computer, and perform arbitrary actions.

Permissions that allegedly go way above what normal programs can and do.

This has been reported several times, at least for MacOS and Linux. If affirmed, it might open the computer to attacks from the outside, and also make it vulnerable to possible programming errors in the service itself.

If there really is cause for concern, this should be reported to MuseHub development to be fixed as soon as possible.

This topic results from a discussion on "MuseScore 4 Multiple Tabs" ( Its purpose is to objectively establish the facts.

I would like to invite all who can contribute to come forward with facts and observations that can make clear whether there really is a problem. And if so, what exactly is its nature and what can and should be done about it.

And that for each of the three operating systems (Windows, MacOS, Linux), since the situation may differ per OS.

To kick the discussion off, a small list of questions that might be addressed:


  • Is it true that MuseHub installs a service with root permissions and on which platforms? Please provide details.
  • If so, is there a need for such power in view of its apparent function?
  • Are such powers excessive compared to what other programs is given? How can you tell?
  • Could such powers lead to damage to the system or its users? What sort of damage, and how?

More in technical depth (some examples, not meant to be limitative):

  • What ports (TCP/UDP) has the service open and what would be their function? Could they present a possible attack route?
  • What can be said about files and services accessed by it, with the same question?
  • What other issues could be investigated to assess the possible harm the service could cause?

When we have a clear picture we can make a well argued proposal to MuseHub. Or lay the issue to rest once and for all.

So please, if you feel you have something to contribute don't hesitate! All contributions welcome, in full detail where possible.


Note: I am running Windows 10.

- Yes, MuseHub installs a service with root permissions.
- Maybe. The service supposedly exists so that downloads can continue even if MuseHub gets closed. It also probably helps with the "feature" of using your bandwidth to speed up others' downloads (torrenting?)
- Yes. MuseHub makes it as hard as possible to disable or uninstall this service. The service starts on login (or potentially before, but I can't tell). Disabling MuseHub in the "startup" tab in Task Manager does not stop this. I'm surprised that I have permission to stop the service, but I can't change the "startup type" from automatic to any other value. I don't even have permission to change the permissions, even through the command prompt. The only way to do it seems to be through the registry. It doesn't get removed when uninstalling MuseHub. It also makes it unusually hard (but possible) to change permissions to the C:\Program Files\WindowsApps\Muse.MuseHub_[Version_HexString] folder.
- Yes, these powers could definitely cause harm. Whether they do, I don't know. It really depends on whether MuseHub is doing anything malicious in the background.

I somehow broke the service, so it doesn't start automatically anymore (and throws an error when trying to start it manually). After a reboot, it even stopped showing up in the list of services, so I can't check to see what the error message was. I have NO idea how it happened, but it was definitely something I did. Unfortunately, this means that MuseHub no longer works properly. Reinstalling MuseHub doesn't help; I'd probably have to delete something in the registry to get it to reinstall the service.

In conclusion, MuseHub COULD be doing basically anything on a computer without asking for permission, but I can't find out what it's actually doing, because I broke it.

If I ever reset this computer, I will not be downloading Muse Hub. I compressed C:\ProgramData\MuseHub to a 7z file so I can (hopefully?) get MuseSounds without Muse Hub.

Also, for some reason, Markdown bulleted lists don't seem to be working for me, with asterisks or hyphens. Weird.

In reply to by ThePython10110


Thank you for your information!

Can I ask a few followup questions?

  • "Yes, MuseHub installs a service with root permissions." How exactly did you determine that? Did you enter some command at the command prompt? If so, what was it and how could you tell from its output that the service is indeed running with root permissions? Or do you maybe use some graphical view, and if so, what is that and how does the output tell you the situation?

  • Am I correct in assuming that the above actions tell you that the service is actually running (as opposed to merely sitting somewhere as a program file, but not running)?

Knowing what you did should help others assess their own situation.

Example from my own situation (MacOS):

  • I run "ps aux" in a terminal window
  • the output contains the line

root 87814 0,0 0,1 35046524 25536 ?? Ss 4:31pm 0:00.27 /Library/PrivilegedHelperTools/com.muse.museservice

This tells me that the museservice runs indeed with root privileges. (A brief summary of "ps aux" and its output can be found at…. In brief, it tells you about all running processes and their permissions.)

  • You say the service is not being removed when MuseHub is uninstalled. Do you mean that the program file for the service is still there? Or it also running after uninstalling MuseHub?

"On the MuseScore forums there is broad concern..." about this?
Seems to me that there is broad concern about playback. There is broad concern about missing instruments. There is broad concern about crashes. There is broad concern about a dozen things. Should we all be concerned about the Hub. That is yet to be seen. I continue to ask without result, for some kind of way I can verify this problem. So far, I don't see it. With the hub closed, the service that is running has the same system permissions as most anything else I have. Please direct me to the cmd prompt I should be looking at. I would like nothing better than to be wrong. As it is, the lecture the developers get from the issue post, seems a bit presumptuous. I need to know how "facts" are arrived at. Not just what someone claims. A line was posted showing a line from Linux. That's closer, but means nothing to me on Windows.

In reply to by bobjp

You quite rightly ask for facts. I cannot give you them as I uninstalled MH very soon after installing on a Windows 11 PC. What I can say is that the experience was ghastly. The service consumed a lot of CPU (that I reported) even when musescore was not running. My PC is very beefy with 20Cores and 64GB ram and it was still consuming a lot. I like others tried to disable the service from starting up with no joy. Then when I tried to uninstall it I could not. It had a lot of permissions that not even administrator had. I managed to get rid of it by granting myself permissions and manually deleting files. I have been a Windows Admin for years and found the process tricky so how a normal user would be able to do it I don't know. One thing for certain is that I will not be installing it again on my main PC. Best be safe than sorry.

What really gets me is that if it is a peer to peer application then why does it not inform me when installing or at least start up with any external connections disabled and why is the uninstall so difficult. It would seen that you have to run this to be able to download the sounds. I ask myself why are they doing this and for the time being do not trust it. Muse could easily respond with the facts if they desired.

In reply to by jimmaevans

Interesting. When I quit the Hub there is one service running. As far as I can tell, it as all the same permissions that several other services have. I don't know of away to tell if it has root permission or not.
I opened the start menu and right clicked the Hub. One of the choices was "Uninstall". That's what I did. Afterwards that Hub service was no longer running. I have no idea if I completely uninstalled the Hub or not. I just did it to see what I had to go through. I am still waiting for some kind of evidence that the Hub is actually a problem.

I don't think most users know the difference between a user and admin account. They just set up the default admin account.

On my puny dual core, 8GB system I was able to open 12 instances of MS4 and MuseSounds. Normally I would never have more than 2 open. I just wanted to see if it was possible. I had to make some system adjustments. But that isn't all that unusual. Many years ago, we needed a more powerful computer than most of us had at the time, to be able to run Flight Simulator. After many tweaks it became at least usable. It seems like today we just expect software to run properly out of the box. If it doesn't, it must be no good.

In reply to by bobjp

To see the permissions of MuseHub in Windows, type "services.msc" in a command window (or run the Services app).

A window will pop up with information about installed services. Scroll down to the MuseHub service. On my Windows 10 system the following information is shown:

Name Description Status Startup Type Log On As
Muse Hub Muse Hub Running Automatic Local System

This says that it starts automatically, and that it uses the LocalSystem account. What does that mean for permissions? Microsoft says (…):

"The LocalSystem account is a predefined local account used by the service control manager (...). It has extensive privileges on the local computer, and acts as the computer on the network. (...) Most services do not need such a high privilege level."

In reply to by jimfoster

I looked at this some time ago. I find it interesting that about 70% of the services on my system run on the Local System Account. Including any software that looks for updates and hardware connection. Corel, Focusrite, network and audio connections and the like.

In reply to by bobjp

It's worth pointing out that the fact that the service is known to have all sorts of bugs is all the more reason why you really don't want it running as root and connecting to the internet. Any bug in it has potential to be weaponized to take over or destroy your computer.

In reply to by oscardssmith

Absolutely. To have a service running as root you

  • need to have a reason without which you cannot perform your task
  • need to know what you are doing.

As far as I can tell, MuseHub has neither.

It is also worth pointing out that the vast majority of services running under LocalSystem are from Microsoft themselves.

In reply to by jimfoster

OK guys. I know I must seem, at best, just stupid. But I think that if you want to get very far, you need to be able to convince someone like me. I'm asking questions and not getting answers.

  1. I have at least 16 services running under LocalSystem that have nothing to do with MicroSoft. Not including the Hub. This is a problem because.....?

  2. I've only seen one reference to the Hub running with root permissions and that was on Linux. I asked how I could check on Windows but no help.

  3. The Hub is full of bugs. How do I know this?

  4. The Hub was said to be running on a certain port that is known to be used by torrents. The port that was listed was not the port that the Hub is using on my system.

  5. As far as you can tell? How far is that? I need to be able to tell. I hear that If such and such is the case then this or that might happen. We can play that tune all day and get nowhere.

All I'm asking is that if the Hub is dangerous, how can I demonstrate that to myself? Posters make claims without much backup. I have learned that I need to be able find these things myself. So much of the time when I take the time to do the research, I find things that have been overlooked. But I don't mind being proven wrong.

In reply to by bobjp

For 1: see… and… specifically LocalSystem is an administer account meaning it has almost full control over your computer.
2. This is answered above. The account it uses (LocalSystem) is basically the Windows equivalent to the Linux/Mac idea of a root account
4. It's not surprising that MuseHub is running on a port used by torrents. It is a torrent client.
5. I can't prove that MuseHub is malware or a security vulnerability because it isn't open source and so I can't see the source code.

The TLDR is that if you run MuseHub, you are letting a piece of software on your computer that downloads code from other people and runs it. Is it well written? Does it have any vulnerabilities? Is it using background CPU to mine bitcoin? Will it delete everything on your computer? I don't know and MuseHub has specifically decided to make it impossible for you to check. It might be fine...

In reply to by oscardssmith

Thank you for taking the time to put this together. I appreciate it.

  1. a. Yes. My Focusrite service has the same permissions. Although more on this below.
    b. This post is thirteen years old. I understand that W10 has had security redone. W11 even more so.

  2. What I am trying to find out if if these permissions apply to the regular admin account like I have, or to the higher built in admin account.

  3. This must be the list of bugs.
    a. I've seen this listed before but never had this problem. Hard to say how wide spread this is.
    b. Linux. Doesn't apply to my question.
    c. I agree that I can stop the service but not disable it. It also depends on the StateRepository service. Has anyone looked into that? My guess is not.
    d. Never had this issue.
    e. Not a bug. Just how the program works.
    I see it all the time. The program doesn't work the way they think it should, or the way they are used to, therefore there must be a bug. We all know that most people don't maintain their system like they should, and might run into problems.

  4. I can't establish that the Hub is indeed running on ports used by torrents. What little info I have says that it is not. At least on Windows.

  5. I can't establish any of these things for any software on my computer. Therefore I can't validate any of your statements.

I'm not trying to be difficult. I just need some real evidence. Rather than something looks suspicious. We should certainly be cautious of everything we put on our systems. I get that just because I haven't experienced a real problems, that doesn't mean they aren't there. Thanks again for your time.

In reply to by bobjp

@bobjp: You ask for real evidence. I get that. It is a good thing being skeptical. There is much speculation in this field, and not always with solid evidence. (If I may say so, this is the exact reason I started this thread.)

Having said that, please tell us what you would consider real evidence.

For example: if it should be proven

  • that a piece of software is all-powerful on your computer and also on its network interfaces;
  • and if it should be established that that software is buggy, that is, the developers dropped the ball somewhere;
  • would you then consider that software to be a potential risk to your system? If so, would you still want to allow that software on your computer? Why or why not?

On a different level:

  • If a piece of software is all-powerful on your computer and its network interfaces, would you agree that you need to decide that you can trust it before you install it?
  • If so, what would it take for you make that decision?

Knowing what you are looking for will help others to address your concerns.

In reply to by jimfoster

What I am looking for is evidence that the Hub is (not might be) a threat to my system. I get warnings all the time about unsigned drivers and the like. They might be a problem. Doesn't mean they are a problem. Just going on the internet might be a problem. I know people who don't go on the internet.
I need to see that the Hub has been misused. Not just might be misused. It might be too soon to know for sure. I get it. It might be a good idea to be warry. Be prepared.
And remember, I'm talking about Windows. I tried Linux a while back and found it wanting for what I needed to do. I'm not really surprised by the posts I see here regarding it. None of the "bugs" you listed seem to be definite failures by the developers that apply to my system.
How do I know that there isn't software on my computer right now (excluding the Hub) that is doing all the bad things that the Hub might do. Is there a way to monitor ports? Maybe that's what I'm looking for.

In reply to by bobjp

You have a service that forms network connections to strangers, and this service is running as a priviliged user. Contact any security researcher of choice and they will tell you this is already bad enough and that you do have a problem.

Because of this bad programming practice, any hacker/bot may gain full access to your computer as soon as a bug is found in libtorrent, which they are using for the bittorrent functionality.

In reply to by bobjp

Any service with root access is potentially a threat to your system. It's all about who you are prepared to trust. The only services on my PC with Local System access are from Microsoft and from my antivirus software and I trust these providers.

No-one has to convince you. We each have to use our own best judgement to keep our computers safe.

In reply to by bobjp

@bobjp: I understand that you are looking for evidence that the Hub is a threat to your system.

But the key question behind that is: What would you consider evidence? It seems to me that you are asking for technical information. But when it is given to you, you say that you are not convinced.

I therefore think that more technical information will not help you. No offense, it takes special skills and education to be able to judge that and I gather your background is different.

That is why I asked the two questions on a somewhat higher level. Could you please try to answer those, so that we might help you?

In reply to by jimfoster

I believe I gave a rather lengthy answer. I haven't been given any evidence. Mostly hearsay and conjecture. The link for LocalSystem is for an outdated OS. The list of "bugs" might not have anything to do with the software. I forgot about the Hub being open to third parties. What third parties are we talking about and why? And how do we know this to be true. I fear the answer will circle back to root access.
Here's what will convince me: I need a printout from my computer telling me what port is being used by what service and what kind if traffic is passing through that port. I've been doing some research. So far I can get only a partial list. I have software from major companies that have the same permissions. Are they poorly written, too?
Special skills and education? Maybe so. But I suspect that finding the evidence I need isn't all that special. I feel I just need to find the right cmd prompt.

In reply to by bobjp

"Here's what will convince me: I need a printout from my computer telling me what port is being used by what service and what kind if traffic is passing through that port. I've been doing some research. So far I can get only a partial list. I have software from major companies that have the same permissions. Are they poorly written, too?"

A port is just a number assigned for routing data through your computer's network transport layer. In some cases, a port can be used for any purpose. Some ports are standardized for certain purposes (such as the ports used by e-mail software, for example). Ports that aren't standardized are general purpose, and can be used for anything the program needs.

Muse Hub is often known to run on port 6881. However, if something else has reserved that port, it might be reassigned to a different port number. So, the port number your specific installation of Muse Hub uses may or may not be 6881.

Which port being used isn't as important as how it's being used. So a printout of which ports are being used is pretty irrelevant unless you're using it to actively monitor traffic, which can be done with something like Wireshark (has a bit of a learning curve, but it's a good gui-based tool) or any number of cli commands (I don't remember the Windows commands for this off-hand, but I'm sure a Google search would turn up something useful).

As far as how it's being used, Muse Hub is known to be a torrent client. The Muse Hub website says as much. The reason why this may be problematic when the program is given full system access by default, is that if a vulnerability in the torrent code is ever found and exploited, all someone has to do is use software designed to exploit this vulnerability. It might send a faux request for a torrent download of any of the files that Muse Hub manages, for example. Once they gain access to Muse Hub through the whatever port it's using, they have full access to whatever computer they connect with, potentially yours, to do whatever they want with it.

In reply to by bobjp

There is indeed a broad concern primarily about the numerous bugs the users encounter while using this new version. But I think it would be a mistake to think that most users don't care about this MuseHub being closed-source or demanding root permission when it is clearly unneccessary for what it is supposed to do.
Many people are probably also concerned about this wonderful program - which has always been open-source - slowly moving towards proprietary software, as some of its most prominent users keep saying “you don't have to use the Hub or the new sounds if you don't want to”. This seems a bit off to me, and I suspect many others are concerned even if they don't bother writing here about it - they just don't install MuseHub and watch it with suspicion, which is not a good thing for Musescore in general, imho.

In reply to by Sebastien Morin

I read somewhere that they kept the Hub closed-source to keep people from making unofficial copies, potentially with malware.

Honestly, with all the power the Hub has (and how hard it is to uninstall), making it open-source right now would be TERRIBLE, for that reason. If an open-source Hub will ever happen, it must be drastically improved first, removing the need for admin/root permissions and making it completely removable.

Muse Hub uses a lot of power after the display is turned off for power saving - more than it uses for most of my normal usage. It settles down as soon as the display is triggered back on (e.g., shift keypress). It's as if it's mining crypto.

The MuseHub is truly a bizarre application. The best case scenario would be that this is what can happen when a manager wants it to work a certain way and the developers are afraid to tell him it's a bad idea.

Worst case scenario is that it's not just incompetence but something malicious. I will probably dust off my reverse engineering tools some day and see what secrets it holds.

But let's stay optimistic, because after all who wouldn't trust a Russian company with P.O. box headquarters in Cyprus. /s

In reply to by jimfoster

I had a quick look at it. All the fun stuff seems to happen in ServiceCore.dll. They are using libtorrent for the bittorrent functionality. I have not found any indications that it is doing anything we are not already aware of.

I can still not recommend anyone to use this software as it is a huge security risk to run torrents as Local System.

In reply to by yonah_ag

Yes.This is the third time I have been directed to this page. I do not think that says what you guys think it says. The last paragraph says that a service that is not interactive doesn't need these permissions. Yet the Hub is interactive.

The nagging question is do the developers have a clue how to write safe software? A legitimate question that I have no answer for. I don't have a reason to not trust them, either.

In reply to by bobjp

@bobjp ("I don't have a reason to not trust them, either"):

You must be a very trusting person. In my book, trust must be earned, not assumed.

It is like your grocery store offering a new service: They will deliver the goods into your kitchen and put them in the fridge. They will go through your stock and replace items that have been consumed. They will give you samples of new products free of charge. How convenient. The only thing they need is your house key. Would you give it to them?

With MuseHub it is actually worse: They take your key without even telling you.

In reply to by user2442

We all partake in far more serious activities than software every day. These activities involve trusting people we know nothing about. We trust that people are going to stay in their traffic lane. Or stop at a stop sign, or signal. Do they 100% of the time? Course not. That doesn't stop us from driving. Do we have to be cautious? Of course. That kind of trust isn't earned. That driver in the lane next to you indeed has the key to your getting home safely. We didn't give it to him. He didn't earn it.

Look, all I'm after is some backup. Several claims have been made about the Hub. Claims that may well be true. Claims that could also apply to dozens of other programs on my system. My dilemma is that I have a group of software users ( that I don't know ) on one hand and group of software developers ( that I don't know) on the other. I am asked to trust one group but not the other. As it is, I use MS4 for playback. Even with all the problems, it is far better than MS3. I can't get those better sounds without the Hub. Once I have the sounds I can delete the Hub ( which also deletes the service ). And reinstall it once in a while to update things. Though sometimes I forget to delete it (gasp!).
I'm just waiting for documentation ( not just someone claimed something ) that affirms going through that hassle. But I can see I'm getting nowhere.

In reply to by bobjp

Win11: Some results as checked by VirusTotal:
1. Downloaded file Muse-Hub.exe: certified. 2 of 88 scanners detect 3 sites which can't be trusted because they communicate with win32exe files which contain malware detected by the majority of the scanners. Possibly two false positives. Concerns Muse Hub.exe
2. Muse Hub Background Service: not verified. One scanner finds a suspected ips. Concerns
C:\Program Files\WindowsApps\Muse.MuseHub_1.0.1.693_x64__rb9pth70m6nz6\Muse.Service.exe
3. Muse exe: not signed. "No security vendors and no sandboxes flagged this file as malicious". No suspected relations.

In reply to by bobjp

Re: bobjp • Jan 18, 2023 - 18:48
Since you already have "dozens of other programs" on your system with LocalSystem access then I reckon you may as well just add MuseHub to the list.

Sure, it's only software but I don't want to risk the inconvenience of having my PC trashed and/or data stolen. Maybe MuseHub is safe but maybe it's not - or maybe it could be a target for hackers. If it was open source it could be checked but I just think that system access level is too high for such an unverified service.

In reply to by yonah_ag

I do want to be safe. I'm not saying otherwise. None of the other programs that I have are open source, either. Focusrite, Samsung, Intel driver updater, HP printer service. I think it may be that because MuseScore is open source, it is therefore subject to suspicion. Even though I am unaware of any reason for this.

In reply to by yonah_ag

Does that mean you use MuseScore because it is open source? Isn't it just possible that the Hub needs to be closed so that it can do the things it needs to do? I don't know. Apparently no one here does. Instead other things are looked at. A few suspicious things show up. That might indeed be bad. I'm wondering about other programs I use. Do I know they are safe? They all have the same permissions. How do I know my Microsoft things are safe? Why does my audio interface need those permissions?

In reply to by bobjp

Open source means that everybody can inspect the source code and thus understand what the software does, and also can verify that it contains no malware. It has nothing to do with what the software can and cannot do on the machine. An example is Linux: all powerful on the machine where is sits on, yet open source.
That the Hub is closed means that no one except the developers can know what it does. Again, nothing to do with the powers it wants.

In reply to by bobjp

I use Musescore because it is a good piece of software.
I have confidence in it's safety because it is Open source (but, of course, my confidence may be misplaced.)
Musescore 3.6.2 does not request super-powers on my computer so it also presents a lower risk.

In reply to by yonah_ag

B^) Hello, my friend

long time no hear from you, and belatedly happy new year 2023. The silence is probably mainly because the "FarrierPete" on is still banned as a "criminal" (like a Nawalny), because he dares to speak umcomfortable truths ... after more than 10 years of constructive cooperation. I will probably end up in the gulag too.... Anyway. I agree with you: MuseScore 3.6.2 is still up to date, a great piece of software, and it will remain installed on my PC - next to MuseScore 4, which unfortunately still needs many updates and bug fixes. Would advise any user to do the same.
If you want to reply to the "banned" you can do so here, or you can reach me at or by eMail .
Best regards to all

In reply to by user2442

Official comment on
"All that said, whilst the privileged helper + sandboxed UI approach is the Apple/MSFT recommended way to do those kinds of responsible operations, it is not the only way.
We are actively investigating other methods that allow us to deliver the current and planned feature set
of the Hub in a safe and secure way, without the need for a helper.
If a suitable and secure method shows up, and it is mutually beneficial to move to that method, then we will do."

In reply to by MichLeon

Sounds good, but the issue is not whether to use a helper. That is just one way of doing it. It can be done in other ways. But it would make no difference for the real problem: admin privileges. They will need them if they want to install software without user intervention. No getting around that. That is the source of the problem. If they give up on that, as virtually all software makers do, the problem would vanish in an instant.

In reply to by MichLeon

Certainly, if done in the standard way. That is, the Hub alerts me that there is a new version of the software. Maybe they have already downloaded it (no special privileges needed for that), or I download it myself if I want it. I then install it myself - more precisely, the OS does it for me when I enter my admin password.

But: No way, if it would mean that the Hub wants to do the installation and asks me to temporarily grant it superpowers for that. That would be the same security breach as is currently the case.

There is a fundamental difference between asking the OS to use its superpowers to install the software (and nothing else), and granting superpowers to a third party app that can do whatever it likes with them.

In reply to by user2442

I just wanted to chime in for clarification... My point on that referenced post was specifically talking about the Linux version, as I have little experience with Windows/Mac security procedures (although I would imagine these things could possibly apply to all OSes), and my point was mostly that root should not be needed except for very specific situations, at which point the user is asked for temporary root privileges and informed about why they are needed and for how long, and can decline that permission at any point. On Linux, authorizing that root level permission generally requires password authentication.

Those situations include:

  • When installing the sounds and the user chooses to install them in a non-user-specific location (so that a multi-user system, such as what would be used at an educational institution for example, would only need to install one set of sounds for all users). If the user prefers to install them in their own user account, there is no need for Muse Hub to require root privileges.

  • If Muse Hub was capable of installing the various software and either needed root access (if it installs a native package, such as a .deb file on a Debian/Ubuntu system, as native packages often require root access to install system-wide). This is probably needed by non-Linux systems as well for this task. The better route, though, would be to not use this kind of helper software, and just let the user install the software as they normally have in the past.

  • If the user chooses to have Muse Hub install software in Muse group's preferred AppImage format package into a location that can be accessed by all users. This is again only needed if this is a multi-user system. In most cases, the AppImage can be safely run from a user account without root privileges.

These are the only situations I can think of where root privileges would be warranted on a Linux system, and only for the short time that these specific tasks are being done, after which they must be dropped. Everything else that Muse Hub does, does not ever need root privileges. To maintain root privileges beyond these situations is questionable at best, a major security risk at worst. Especially since Muse Hub is not open source, and we cannot ever know what exactly it is doing on, with, and to our own systems.

In reply to by mikefreeman

I am not sure I quite understand your point. Are you saying that, if only for a short while, the program would get root privileges? Would that also mean that the program itself would ask for the password so as to obtain them, then uses it, for example, to install a new version of itself, then relinquish the privileges again?

I would say that root privileges should never be given to a user program. I don't know about Linux, but on MacOS this is not necessary, even for having user software installed. The process is as follows:

  • You download a piece of software that you want installed, or it has been downloaded for you. MacOS programs are .app files and must be moved to the /Applications folder to be available for all users. (Sometimes what you download is a .dmg file that is essentially a disk image that is mounted and contains a .app file.) Anyway, when you try to move the .app to /Applications the OS kicks in and asks for your admin password, because a normal user cannot write to that folder. If you give it the move will succeed.
  • When you run the program for the first time, the OS asks you if you are sure that you want to run this program that you downloaded from the internet. That happens because when it moved the app to /Applications, it sets a special attribute on the file. If you allow, the attribute is removed so next time it will start without asking. This is how it goes with MuseScore.

The whole point of this is that you never give the program root privileges, not even for a short while, and it never sees your admin password.

For MuseHub the situation is slightly different, because it wants to install a "service", which is not a normal program to be run by a user. It sits in a different folder: /Library/PrivilegedHelperTools. This is an architecture developed by Apple to minimize the amount of critical code an application has to run if it really needs admin privileges for some of its tasks. The main app then can call the service for those special tasks. That is why during installation the OS asks for special permission to install the service.
Of course, even though Apple developed this architecture it does not guarantee that it is completely safe. It may mitigate the risk, but does not eliminate it. If there is a bug in the service, the system could go down or become corrupted. Also, if it has ports open to the internet, it could become compromised and allow an attacker root access.

It is important I think to realize that never during this process the app itself gets root privileges. But in the second scenario, the helper service does get them, at least in the case of MuseHub.

Are you saying that with Linux the mechanism is different and that the app itself needs to get root privileges to install e.g. a new version of itself? If so, how can you tell that it will give those privileges back, or if it does give them back, that it has not installed some malware in the meantime?

In reply to by user2442

I probably wasn't explaining it well. I'll try to explain it a little better. I think Linux works a little different than MacOS, maybe. In general, most installed software is installed system-wide, unless it's an AppImage (which I'll explain in a bit), or compiled manually by the user and placed in a user account. Both of these methods are currently the most uncommon methods of software management on most Linux distros. The most common way software is installed is through a package manager, which acts sort of like an app store. Software packages installed through this method are downloaded from online repositories that are curated and checked for compatibility and stability by whichever Linux distribution you are running. This makes them the most secure way to install packages. This manager can be run by a user, and can download software packages, asking for a password for authorization before installing it, which elevates privileges in order to install the files in a system-wide location so that any user can access them. After installation, these elevated privileges are lowered after a certain amount of time. Unfortunately, MuseScore uses AppImages, which have to be managed manually instead of through a package manager. They are generally stored in a basic user account, unless the user decides to place them in a system-wide location, in which case they need to temporarily elevate privileges in order to move the AppImage into that location.

In the case of Muse Hub: yes, it runs a service in the background with constant root-level access all the time, as you say. On Linux, the only software that should be doing that is software that must perform background operations system-wide, which is usually lower-level, operating system- or hardware-related management tasks. The only things that Muse Hub does on Linux, is download Muse Sounds files and the MuseSampler library (which is what MuseScore needs to access Muse Sounds), run a torrent on your machine to help them distribute the Muse Sound files with less impact on their servers, and run a check to make sure Muse Sounds files are up-to-date. So, looking at those tasks individually to see if any of them really need root access...

  • In my opinion, MuseSampler should just be a part of the MuseScore package itself, and not need a separate download. So this should be offloaded from Muse Hub altogether.

  • Downloading the sound files shouldn't require root-level access unless it's specifically being saved in a location for system-wide use (the location can be optionally changed in the Muse Hub settings). When being placed in a location that needs elevated privileges, it should simply ask for the administrative password, save the files in that location, and then drop the privileges. This is just like what you described in your MacOS example, when the user needs to enter a password to save the app files in a system-wide location. Once the files are installed, these privileges are no longer needed and should be dropped, because an Internet-facing program like Muse Hub, known to have bugs, and being closed-source so that no one can know exactly what it's doing can be a vector for system compromise.

  • The torrent shouldn't need any elevated privileges. In order to be used, the locations the Muse Sounds files are saved in have read access, which means a user-level access can read them and distribute them in a torrent.

  • The update checker can check for versions and available updates without elevated privileges, and should require administrative permissions only when the location for the Muse Sounds files is in a location that requires it. And in my opinion, anytime that is needed, it should inform the user/administrator and require authorization before doing so, and not be able to do that in the background without anyone's knowledge of EXACTLY what it's doing and when.

So there is no reason at all for Muse Hub to have constantly-elevated privileges on a Linux system.

In reply to by mikefreeman

I completely agree with you about not having software or content installed without your consent.

The torrent itself does not need admin privileges, I agree.

On the mechanism of installing: I still seem to understand that in the scenario you sketch MuseHub will obtain root access for installing new software or content, albeit only for a short while. I even seem to read that MuseHub will ask for the admin password for that. I think that is giving it more than I am willing to - as a matter of principle, I never trust any third party software with my password. Who will tell what will happen? You don't have to assume ill intent, a programming bug could also do a lot of harm.

What about asking MuseHub to download the files, then move them yourself to the desired location using your admin password? In that way only the OS is given your password, not MuseHub.

Summarizing, I would like to strengthen your position to: There is no reason at all for Muse Hub to have elevated privileges, even temporarily, on any system.

In reply to by user2442

"On the mechanism of installing: I still seem to understand that in the scenario you sketch MuseHub will obtain root access for installing new software or content, albeit only for a short while. I even seem to read that MuseHub will ask for the admin password for that. I think that is giving it more than I am willing to - as a matter of principle, I never trust any third party software with my password. Who will tell what will happen? You don't have to assume ill intent, a programming bug could also do a lot of harm."

I can't speak for other operating systems, but on Linux, it's not Muse Hub that would ask for the password. It's a service built into Linux operating systems, either sudo (which is cli only) or pkexec (the gui equivalent of sudo).

Here's how that works: Let's say the creators of Muse Hub create a separate updater module called "update-me". In order to safely and temporarily obtain root privileges, Muse Hub would run the updater through pkexec. So instead of just calling "update-me", it would call "pkexec update-me". This would prompt Linux to ask the user for their password, giving some basic information about the program that would be given elevated privileges. The user then has to decide if they are willing to grant elevated privileges by entering their password. If the password is entered, the "update-me" program is run with elevated privileges until the process is completed and the "update-me" process ends, at which point the privileges are dropped back to user-level. If no password, or an incorrect password is entered, the elevated privileges are not granted, and the program isn't run. Throughout this process, nothing but the pkexec tool sees your password. Neither "update-me" nor Muse Hub it can see it, and thus no security is threatened. So, as far as our conversation goes, as long as things are done properly, with existing tools in Linux, Muse Hub would never, ever see your password. Only pkexec would, which is a secure process within Linux.

"What about asking MuseHub to download the files, then move them yourself to the desired location using your admin password? In that way, only the OS is given your password, not MuseHub."

That would work, too, but would be more work for the user, and like I said, there are safe ways to do this properly. At least on Linux there are. Again, I can't speak to how Windows/MacOS work in this regard.

"Summarizing, I would like to strengthen your position to: There is no reason at all for Muse Hub to have elevated privileges, even temporarily, on any system."

Maybe. In most cases, you are completely correct in that assessment. The only exceptions I can think of is when the software needs to be accessible across multiple user accounts. Here is where I think something like pkexec, or whatever Windows/MacOS equivalent there may be, can be useful for this, instead of relying on the user to know what to do and where to put things.

I installed Musescore4 and Musehub and then attempted to delete everything 2 days later. I am just using Musescore 3 for the foreseeable future (maybe forever) but I do have a question...

There is one small thing that I am unable to remove.
On my iMac Ventura OS with M1 chip in the Login items:
I have a "Musecy SM Ltd" 1 item affects all users. (The switch is turned to the off position)
But if possible I would just like to remove the entire item.
Does anyone know how?

Here is some more conspiracy theory fodder.
It seems like most of the people that have a problem with the Hub either only had it installed for a short period of time, or not al all. I wouldn't claim to know how the Hub works. Burt I have had it installed since MuseSounds came out. So I have seen it in action. I don't know what it is doing undercover in the background. Is it spying on me and setting me up to destroy my computer? No idea. But I do know what it is not doing. It is not downloading and installing updates for MuseScore in the background. Today I fired up a computer that I haven't used for over a week. I ran it for a few hours and saw the Hub was active in my taskbar. I clicked on it and was notified that I had several updates waiting to be downloaded and installed. I had to tell it to do that. Even though I had keep my stuff updated checked.

The naysayers will say that we've been lied to. But I'd rather have it this way where I OK updates. Which is the way other software works that has the same permissions. But even so, I still have seen no proof that the Hub is dangerous. I know that sounds like I won't be happy until the Hub destroys my computer.

Previously to the release of MS4, I was only on the forum every once in a while. But sense then I have been here every day for hours trying to find way to get MS4 to work and help others to do the same. So if I suddenly disappear because the Hub took over,'s been fun.

In reply to by ThePython10110

And the fact that I can't find out exactly what's going on is pretty much meaningless to me. I understand that others are bothered by this. That's fine. There is no way to find out what other programs are doing, either.

I actually find this discussion fascinating. And I'm learning a lot. But is the sky falling?

In reply to by bobjp

Don't know about the sky, but glad to hear you're enjoying the discussion.

You once said you see no bittorrent port in use on your computer. On my three platforms (Windows, MacOS, Linux) MuseHub always uses ports 6771 and 6881, and also a varying number of other ports somewhere in the high range (49152 and up). These are so called private ports, which are not assigned to any specific application.

Ports 6771 and 6881 are for Bittorrent. This information can be found on,…. (Port no. 6888 is meant for MUSE, coincidentally because this is a company called Muse Communications Corporation (… which has nothing to do with MuseScore as far as I can tell.)

You can see that some associations of port numbers are "official", others such as 6771 and 6881 "unofficial". Whatever their status, it is important to know that these associations are in any case conventions that are not enforceable. All ports are created equal and can carry all possible traffic.

Some ports have double use, such as 6888 which belongs to MUSE but can also be used by Bittorrent. Port 6881 is also used by games such as World of Warcraft (

On my Windows machine I enter "netstat -ab" in a command window to get a list of all processes with open ports (run it as administrator). Search for "muse" and you should find what you are looking for. Do you indeed see 6771 and 6881?

In reply to by user2442

With the Hub closed and MS4 open, this is what I see.

Between TCP and UPD, 45 port listings for Muse Service,

7 for MS4.

No listing for 6888.

  1. Muse service (3), MS4 (1), scvhost (1), Team viewer (3), can not obtain ownership (1)

  2. Muse service (10), scvhost (2)

Hello MuseScorer,

Yes, I have something to say about this "MuseHub". This kind of app has proliferated in music software over the last few years like algae on a puddle. (As another example of many, I cite "Native Access" from

These alleged helpers all have one problem in common; they always request storage capacity on the system drive (on Windows this is called "Drive C:" for themselves and their main program incl. all sound data - no matter what happens then, and without asking the user "may I, or are you running low on disk space?"

On my current machine (WIN 11 desktop) the drive is C; a 128 GB capacity SSD. I was reckless enough to launch MuseHub...that went just fine. When MuseHub was finished, there was only 4GB remaining capacity available on C: - now just one drive further on D: (SATA hard disk 2TB capacity) would have been enough space for the entire data...

Dear people: Getting stuck in an installation because the storage capacity runs out - this is one of the stupidest computer mistakes I know. If you have to rebuild a complete system afterwards, you might realize that this "helper" doesn't really help!

I recommend anyone interested to download the software and all other data by hand and install it yourself (and that's where you stumble upon the fact that you can only get to the sounds with this MuseHub...).


MuseScore since 2012 (v 0.9 on a WIN ME)

In reply to by FarrierPete

I can certainly sympathize with you. I have a Surface go with a 128 gb ssd. Frankly, I would never buy another computer with such a small drive ever again. I also have an additional SD card. But everything wants to download to the C drive.
If I remember correctly, there is a warning that the Sounds are a 15 GB file. There is a preferred download location setting in the Hub. But I don't know if you can set that at the very beginning after opening the Hub. There doesn't appear to be much documentation. I also understand that the sounds can be moved along with some kind of change that must be made so that the software can find them.

I realize I'm a little late to this party, but here are my answers to your questions from a Linux user's perspective:

  • Is it true that MuseHub installs a service with root permissions and on which platforms? Please provide details.

On Linux, Muse Hub does, indeed use root privileges. As I type this, with Muse Hub installed, and their "Automatically keep sounds up to date" and "Enable Community Acceleration" turned off, I can see both muse-hub-service and Muse.Service (not sure why there are two of them) running with root privileges on my system.

  • If so, is there a need for such power in view of its apparent function?

I do not see why this software would need constant root privileges, although I can see specific tasks in very specific circumstances where they would be temporarily needed. I don't know what the MacOS/Windows protocols are for security, but the Linux way of doing things is that a user-run program never has root privileges until the user needs them and specifically authorizes them for a very specific task, after which the privileges are dropped. Linux includes tools to manage that sort of privilege escalation.

  • Are such powers excessive compared to what other programs is given? How can you tell?

Yes. As mentioned above, in a Linux environment, no user-interacting software should ever get root privileges without requesting them specifically for a specific task (such as installing software), and only for the time required for that task, after which they are dropped. This is the way software on Linux is generally known to work. Anything functioning differently than this should always immediately be questioned.

  • Could such powers lead to damage to the system or its users? What sort of damage, and how?

Yes. This level of access is basically allowing the software unfettered access to anything and everything on your system. Since it is Internet-facing, and has already been known to have bugs, it brings with it the possibility that an online offender could use it to gain full access to your system. Malware, ransomware, viruses, etc. can be easily spread this way, should a vulnerability in the software be found.

  • What ports (TCP/UDP) has the service open and what would be their function? Could they present a possible attack route?

On my system, Muse.Service is open on port 6881. I don't know what the function of that would be (hence the problem), especially since I have all of the possible Internet-facing options that I could find turned off in the program.

  • What can be said about files and services accessed by it, with the same question?

On my system, muse-hub-service has access to the following system process files: /proc/1135/cwd, /proc/1135/root, /proc/1135/exe, /proc/1135/fd, and is set by default to save data to /srv/muse-hub/downloads (which is not a user-authorized location, although this file path can be changed by the user in Muse Hub).

  • What other issues could be investigated to assess the possible harm the service could cause?

I don't know. I honestly don't understand the need for any root-level access, at least on Linux, since Muse Hub cannot install software, except for the musesampler library for using Muse Sounds, and in my opinion that should be included in MuseScore package, not with the sound set. Other than that, it can only download the Muse Sounds sets, which as far as I know can functionally be installed anywhere, including user account folders. So no root access should be necessary at all with this, in my opinion. Even with the torrent functions turned on, root shouldn't be necessary.

In reply to by mikefreeman

So let me see if I can re-cap.

There is speculation that the Hub could be used by third parties for nefarious purposes.
There is speculation that because it uses certain ports, that it is not secure.
It is the opinion of some people that the Hub doesn't need root access.
The Hub is suspect because it is not open source.
It has been inferred that the developers either don't know what they are doing, or are hiding something.

I think if I were a programmer and knew facts rather than speculation. I might write something better. If it were needed

In reply to by bobjp

  • "So let me see if I can re-cap."

You recapped a fraction of what I said, and seem to have missed the point of, or mischaracterized, the rest.

  • "There is speculation that the Hub could be used by third parties for nefarious purposes."
  • "There is speculation that because it uses certain ports, that it is not secure."

Speculation? Maybe. But what are the easiest routes to follow if someone wants to gain access to a system, for "nefarious purposes" or whatever their intentions may be? Internet-facing, known buggy applications with unnecessary open ports and full root access to your entire system. That's just begging for trouble. I learned this in one of my network security classes. Basic stuff. Security is always a concern for computers on a network. No need to open yet another potential avenue of attack. Speculation is the only thing that any of us have to go on when trying to maintain a secure system - what could happen.

  • "It is the opinion of some people that the Hub doesn't need root access."

I'm not saying it doesn't need root access. I'm saying it doesn't need constant root access. For Linux, specifically, it doesn't do anything that should require constant root access. And, I don't know - it might be argued that it may not need it for any OS, but I can't speak to that, having not used it on anything except Linux.

What it does on Linux:
- Downloads sounds: It obviously doesn't need root access for that if the user chooses to place downloaded sounds in a user folder, and can obtain temporary root access via pkexec or sudo (which temporarily elevates privileges with administrative password authorization) if, and only if, they are placed in a location for system-wide use.
- Downloads a library that MuseScore needs to access these sounds: This should be included with MuseScore itself, and as such, shouldn't need root access beyond the normal MuseScore installation.
- Runs an opt-out (which is almost always a bad method, in my opinion) torrent to distribute these sounds: Torrent software normally runs on Linux without constant root access, and there is no reason for this to be any different.
- Runs an opt-out (again...) update system to keep the above sounds and library up-to-date: There is no need for root access to compare the installed versions with any versions available online, and updates should follow the same methods as what I said in the "Downloads sounds" section. It should also not be done in the background and without the user's knowledge and active consent, unless the user opts-in to allow that, and then, and only then, could a continuous service be launched as root, after the user has password-authorized such a service. This is how most similar software works on Linux systems. My computer's Software Manager has less system access than this thing does.

  • "The Hub is suspect because it is not open source."

"Suspect" is a bit harsh, but for Linux users, this is generally a given. In addition, it is strange that an organization such as Muse Group, which centers itself around two high-profile open source software projects (MuseScore and Audacity) would promote (mandate?) a closed source application in order to access a singular specific feature (Muse Sounds). This doesn't make them suspect, per se, and I don't believe I said they were. But it makes these projects concerning from an open source perspective. Why make a closed source "hub" a requirement for anything involving open source software?

  • "It has been inferred that the developers either don't know what they are doing, or are hiding something."

Nothing of the sort has been inferred. What was discussed was that the users cannot know what is being done on their own systems, which is generally an important aspect of open source.

  • "I think if I were a programmer and knew facts rather than speculation. I might write something better. If it were needed"

What is not factual about anything I've said? The questions were asked, not many Linux users have chimed in, so I'm just adding my voice and perspective to the conversation. Take it for what it is, not what you think it might be.

In reply to by mikefreeman

"So let me recap" means that I was trying to make sense of many of the posts that I have read on different threads. All of which have either hinted at, or outright stated what I posted. And it is certainly difficult to follow some of them. It is also difficult to believe some of them.

For example, the other day I was monitoring my network connections. Jeez, this is what my life has come to. Anyway, I had quit the Hub and had MS4 and a few other programs, as well as Chrome, open. The Muse service was running but nothing was really doing much. Then out nowhere, a new service opened running 50k bits/sec. This was it. Maybe just what I was looking for. So I Googled the service. The first thing I found said that it was a Sony power saving service. Funny, I don't have any Sony software installed. The page said what folder to look at to verify the service. There was nothing there. The article then said if the location didn't exist, then the traffic was probably a trojan and spent several paragraphs detailing what I should do. Great. Way down the page, almost as an afterthought, it was mentioned that sometimes Intel uses a service by the same name. I had a program that keeps my intel drivers up to date. I deleted that software and the heavy traffic stopped.

My takeaway is that I'm still waiting. But I probably won't waste any more time monitoring my network.

Hi men

Well, I read most of the comments contained in this page and I have to admit that I could grasp just a fraction of what I read. My fault, I know, that's no problem.

When I can't understand something, I turn into a suspicious, nasty sort of old man. My fault, again. And again, no problem.

That said, all that I would like to know is:

  1. how can I see if that nasty service resides in my system
  2. if it is there, how can I get rid of it from its very... roots (pun intended)

So, as you already wrote so many interesting words, could you please add just a few more lines to explain that couple of things? You would make a suspicious, nasty old man very happy.


P.S. Intentional damage apart, one should get angry just for knowing that someone is stealing his not-so-cheap and always limited (particularly on low-end PCs like mine) hardware resources.

In reply to by Aldo

I assume you are on WIndows. If so, see above ( jimfoster • Jan 16, 2023 - 14:50). That should tell you what you want to know.

But perhaps you do not understand the impact of what it says. In brief: it says that this program can do anything it likes on your machine. It can copy your files to an external party. It can modify or delete your files. It can install a virus. It can encrypt your files so that you will have to pay to be able to use them again. It could make your PC part of a botnet that can be used to disrupt vital services. It could use your machine for crypto mining. Etc, etc.

Mind you, I am not saying that the program does any of these things. But it could, if it wanted to, or if it were infected by some virus. It has that kind of power. Normal programs don't.

On my Windows system, uninstalling MuseHub through the normal Windows Settings app did remove the service. Others have different experiences I hear, and need to go deeper.

Does this answer your question?

In reply to by user2442

I unistalled the program with an utility named REVO uninstaller. I can't see any sign of the service related to muse hub, but... maybe I just lack the skills needed to find it? I have to say that modern Windows systems are litterally infested by so many software chunks scattered anywhere, and I get lost in a matter of seconds.

I uninstalled muse right now because I notices that it was eating away close to 5gb of VRAM (yes... graphics card memory... not normal RAM...)
So its definitely not worth having, especially if what you are saying is true...

I have just downloaded and installed the trial version of Guitar Pro 8, and to my surprise it was a whopping 1GB download. As it turned out this included the RSE soundbanks which, previously (with GP6), were a separate download. Maybe MS4 could have a version with the sounds bundled to avoid the need to use MuseHub.

In reply to by jimfoster

[Unrelated to this comment]

A quick note to say that we are now locking this thread due to two or three people intentionally trying to use up the team's time with unhelpful comments and conspiracy theories.

As mentioned above, the Muse Hub has its own site where your questions will (and have been) answered. Please put comments to that team and not to us on the MuseScore team.

If you would prefer to bypass the Muse Hub for whatever reason, there is a clear download button on the MuseScore site that let's you do this.

Those who persistently harass team members here or insist on denigrating our work will be banned and their comments deleted. This is a step of last resort. We are more than happy to be criticised but draw the line at being painted as malicious actors. We put an enormous amount of effort into our work. We constantly push for our software to be both ethical and inclusive. No one I work with would countenance malicious or duplicitous behaviour and I would not be working here if I witnessed anything underhanded going on.

In reply to by Tantacrul

I feel that I need to apologize to you for my comment that you deleted. I did not intend disrespect or slander against you or anyone at Muse Group, even though I admit that it did come across that way. So, I apologize for my careless words and negative sentiment toward the developers of Muse Hub. I do appreciate the work you guys do, even if I may not always agree with how things are always done (which should really be none of my concern, anyway). As a Linux user and free open source software enthusiast, I'm often hyper-sensitive to closed-source software (such as Muse Hub) or paywall services (such as the paid cloud services at being paired with open source software such as Musescore. Sometimes I can take that sensitivity a bit too far, and into the realm of suspicion and worry, as I probably did in this case. I'm sorry if my words negatively impacted the team or offended anyone there. That really wasn't my goal, even if it came out as such. I just want to see you guys succeed, and create the best possible music notation software possible.

The first time I started my laptop after MuseHub had been installed my entire UI was messed up: the screen resolution was set to another value, all my program items had been moved to another location (extremely irritating), and my laptop did not recognize my external screen anymore. These are the things I saw on launch. I don't know yet if there is more or deeper harm, but I am quite worried. A utility should not change a system's settings without asking.

Do you still have an unanswered question? Please log in first to post your question.