msiexec.exe wanting full access

The file
C:\winnt\system32\msiexec.exe
tries to gain write,terminate,set info, suspend access on each of my processes. Is this normal?

If it supposed to do this, then this should be included in the default config of PG.

regards,
hojtsy

 

It is a Windows Installer Component that is used to install new programs that use Windows Installer package files (MSI).

I have just tried running the msiexec.exe without any parameters & get absolutely no logs in PG, having said that it may depend upon what other programmes you have on your list as to what msiexec.exe is trying to see.

Can you copy the window log and post it please.

 

The window log copy-paste what you have written in an other topic works, but I can not copy more then what fits a screen. :-((( So I am copying the file log:

29 Feb 09:36:37 - Process Guard Protection is ACTIVE
29 Feb 09:56:08 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\smss.exe [224]
29 Feb 09:56:08 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\csrss.exe [192]
29 Feb 09:56:08 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\winlogon.exe [160]
29 Feb 09:56:08 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\services.exe [248]
29 Feb 09:56:08 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\lsass.exe [260]
29 Feb 09:56:08 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\svchost.exe [444]
29 Feb 09:56:08 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\svchost.exe [524]
29 Feb 09:56:08 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\navnt\rtvscan.exe [552]
29 Feb 09:56:08 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\kerio\personal firewall\persfw.exe [576]
29 Feb 09:56:08 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\processguard\pg_msgprot.exe [596]
29 Feb 09:56:08 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\mstask.exe [688]
29 Feb 09:56:08 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\wbem\winmgmt.exe [784]
29 Feb 09:56:08 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\explorer.exe [1080]
29 Feb 09:56:08 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\ati technologies\ati control panel\atiptaxx.exe [1216]
29 Feb 09:56:09 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\navnt\vptray.exe [1244]
29 Feb 09:56:09 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\tds3\tds-3.exe [1328]
29 Feb 09:56:09 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\internat.exe [1348]
29 Feb 09:56:09 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\proxomitron\proxomitron.exe [1384]
29 Feb 09:56:09 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\processguard\procguard.exe [1444]
29 Feb 09:56:09 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\smss.exe [224]
29 Feb 09:56:09 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\csrss.exe [192]
29 Feb 09:56:09 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\winlogon.exe [160]
29 Feb 09:56:09 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\services.exe [248]
29 Feb 09:56:09 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\lsass.exe [260]
29 Feb 09:56:09 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\svchost.exe [444]
29 Feb 09:56:09 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\svchost.exe [524]
29 Feb 09:56:09 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\navnt\rtvscan.exe [552]
29 Feb 09:56:09 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\kerio\personal firewall\persfw.exe [576]
29 Feb 09:56:09 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\processguard\pg_msgprot.exe [596]
29 Feb 09:56:09 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\mstask.exe [688]
29 Feb 09:56:09 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\wbem\winmgmt.exe [784]
29 Feb 09:56:09 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\explorer.exe [1080]
29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\ati technologies\ati control panel\atiptaxx.exe [1216]
29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\navnt\vptray.exe [1244]
29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\tds3\tds-3.exe [1328]
29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\internat.exe [1348]
29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\proxomitron\proxomitron.exe [1384]
29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\processguard\procguard.exe [1444]
29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\smss.exe [224]
29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\csrss.exe [192]
29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\winlogon.exe [160]
29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\services.exe [248]
29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\lsass.exe [260]
29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\svchost.exe [444]
29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\svchost.exe [524]
29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\navnt\rtvscan.exe [552]
29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\kerio\personal firewall\persfw.exe [576]
29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\processguard\pg_msgprot.exe [596]
29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\mstask.exe [688]
29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\wbem\winmgmt.exe [784]
29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\explorer.exe [1080]
29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\ati technologies\ati control panel\atiptaxx.exe [1216]
29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\navnt\vptray.exe [1244]
29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\tds3\tds-3.exe [1328]
29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\internat.exe [1348]
29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\proxomitron\proxomitron.exe [1384]
29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\processguard\procguard.exe [1444]
29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\smss.exe [224]
29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\csrss.exe [192]
29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\winlogon.exe [160]
29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\services.exe [248]
29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\lsass.exe [260]
29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\svchost.exe [444]
29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\svchost.exe [524]
29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\navnt\rtvscan.exe [552]
29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\kerio\personal firewall\persfw.exe [576]
29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\processguard\pg_msgprot.exe [596]
29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\mstask.exe [688]
29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\wbem\winmgmt.exe [784]
29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\explorer.exe [1080]
29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\ati technologies\ati control panel\atiptaxx.exe [1216]
29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\navnt\vptray.exe [1244]
29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\tds3\tds-3.exe [1328]
29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\internat.exe [1348]
29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\proxomitron\proxomitron.exe [1384]
29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\processguard\procguard.exe [1444]


I have all these processes protected with PG 1.300 full version. I was installing Adobe Acrobat when this happended.

regards,
hojtsy

 

Can you also post your protection list, use the "Save protection list" menu item under "Protection"

This may help us analyse the cause - Thanks

 

I don't think the protection list will help, but anyway here it is...

 

I'll take a a stab at this but it could be when installing acrobat actual installs quite deep into the system. You can either add msiexec to the PG list or, providing Acrobat is working correctly, ignore it.

Personally I have had no logs generated from msiexec.exe and ther are no other reports here or on the beta forum. So to answer your question "Should it be added to the default list" probably not. You can, of course, add any trusted programme.

As PG is a very new and powerful tool in our security set ups it will take a while for a database of preferred settings to be compiled, any feedback is always welcome regarding PG's behaviour.

Thanks & HTH. Pilli

 

MSIEXEC.exe will also cause PG 1.3 to bark on certain updates of Microsoft Office 2003. On my system (XP-XP1 Home) with Office 2003, MSIEXEC.exe is activated each time I go to MS Office update site and do a scan for needed updates. For reasons I have yet to determine, MSIEXEC.exe will stay in memory even after exiting the MS Office Update site. I have to manually kill it.

Personally, I have added MSIEXEC.exe to PG with READ, WRITE, TERMINATE, SUSPEND "ALLOWS", because a liveupdate of Office 2003 was blocked by PG 1.3 and I had to go back and install it manually.

 

no log from here too, can i know which OS do you have and what is the MD5 fingerprint of your file ?

 

HI siliconman01, That is interesting, I have version 1.320 beta and as you can see from the screenshot PG never murmered.

Office 2003 now with Visio update.

XP Pro SP1 + all patches AMD 2200+ cpu

 

Windows 2000 sp4
file: C:\WINNT\system32\msiexec.exe
size: 64,512 bytes
md5: ca1900f0ba173b76ef752b467075154b
crc32: 41f3f03c

 

XP - SP1 (all updates)

MD5 - 038F161E1FF865FD35A308C851BA51FE

 

The Office 2003 update that caused me problems was an Outlook 2003 update. I keep Outlook active and minimized in the systray, so I feel sure MSIEXEC.exe needed to terminate Outlook prior to the installing the update.

As a side issue, does your MSIEXEC.exe stay in memory if you do an MS Update scan and find no updates needed.?

 

No, I do not.
I wonder if it might be being held open by windows update? I have Autoupdates switched off for windows.

 

Hmmm...interesting. I have autoupdates turned off as well.