verclsid.exe - MS Verify Class ID

Discussion in 'other security issues & news' started by bktII, Apr 12, 2006.

Thread Status:
Not open for further replies.
  1. bktII
    bktII Registered Member

    Hi,

    I am new to the forum and have used ProcessGuard for over a year. Great product!

    Updated MS Windows XP Pro and Home last night on my PCs. After downloading and installing the updates and prior to rebooting, I enabled ProcessGuard, except for blocking new applications. After the reboot, a ProcessGuard window popped up requesting action on the following executable: "verclsid.exe" located in C:/Windows/System32.

    This file is identified in Windows Explorer as Verify Class ID from Microsoft Corporation with a file version of 5.1.2600.2869 and create date of 3/16/2006.

    I have done a Google and Yahoo search on this executable and no results were returned.

    My assumption is that this is a new executable and is not a concern as it is very likely associated with the most recent MS update. However, I thought I would see if anyone else has encountered it.

    Thanks,

    bktII
  2. gre87y
    gre87y Registered Member

    I'm receiving the same alert, just since the MS updates yesterday.
  3. G1111
    G1111 Registered Member

    I set PG to learning mode and disable the four protection items (global hooks, etc.) and disable RegDefend until the updates are installed and I rebooted. That saves a lot of popups. I leave my firewall, anti-virus and anti-trojan running. I reenable all protection after the reboot.
  4. Upasaka
    Upasaka Guest

    I have been getting queries from Process Guard and Kerio firewall on this.
    It is a new file that came with the updates and these updates have rendered my 2 machines useless.

    I had to perform System restore on both machines to get back to a useable state.

    Explorer hangs/freezes, menu buttons fail to work, called Thunderbird to read email and Spybot S+D opened o_O

    Browser Go buttons failed, could only call addresses from the favourites list and the system kept hanging/locking up, all in all there were so many problems I had to restore both PCs and turn off updates.

    There are already posts at Microsoft forums.
  5. azumi21
    azumi21 Registered Member


    Ditto....and no info on the item yet.
  6. Bob D
    Bob D Registered Member

    Ditto here too.
    Searches @ MS support site yield no clues. (jeez).

    Microsoft: What do you want to patch today?
  7. Upasaka
    Upasaka Guest

    The "offending" update appears to be KB 908531.

    I have downloaded and installed all but this one and everything "seems" ok.

    One post I found at MS forums had the user renaming Verclsid.exe each time a problem occurred.

    Several have posted that they have uninstalled KB 908531.

    There are a lot of very unhappy people out there today!
  8. Mem
    Mem Registered Member

    Does this update contain any security-related changes to functionality?
    Yes. Besides the changes that are listed in the "Vulnerability Details" section of this bulletin, this update includes the following changes in security functionality:

    • This security update introduces a new file, Verclsid.exe. Verclsid.exe is used to verify a COM object before it is instantiated by Windows Explorer.

    • This security update includes a Defense in Depth change which ensures that prompting occurs consistently in Internet zone drag and drop scenarios.

    http://www.microsoft.com/technet/security/bulletin/ms06-015.mspx
    Last edited: Apr 12, 2006
  9. bktII
    bktII Registered Member

    Thanks Mem,

    This URL must not have been "up" when I posted this A.M.

    I repeated my google search and it, and nothing else, was returned.

    bktII
  10. buffet
    buffet Registered Member

    Hi,

    I don't know for sure what caused the similar problem. Firefox got done rendering pages with empty and only got some pages actually done. IE was also. I had to restore the whole thing to have the box working.

    Thx for who helps on this.
  11. bktII
    bktII Registered Member

    This A.M. I ran Crap Cleaner, ccleaner.exe, to clean up some files on my PC and received 3 warnings from my software firewall, Kerio Personal Firewall (I have application blocking enabled), that verclsid.exe was trying to run.

    I manually allowed the application to run each time. The files to be deleted were mostly backup, *.bak, files.

    Are COM objects instantiated by Windows Explorer when deleting files?

    Thanks
  12. bktII
    bktII Registered Member

    Additional information:

    Running Faronics System Cleaner, a standalone executable, and ToniArts EasyCleaner, an installed executable (as is Crap Cleaner), do not "kick off" verclsid.exe.

    The following link "Creating a Disk Cleanup Handler":

    http://msdn.microsoft.com/library/e...ell_int_extending/disk_cleanup.asp?frame=true

    includes the following statement "As with all COM objects, the handler object's globally unique identifier (GUID) and dynamic-link library (DLL) must be registered under the CLSID key in HKEY_CLASSES_ROOT."

    This variation in behavior may be indicative of the design/implementation choices made by the programmers responsible for these various cleanup tools?
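
The bulletin excerpt in post 8 says Verclsid.exe verifies a COM object before Windows Explorer instantiates it, and post 12 notes that such handlers are registered under the CLSID key in HKEY_CLASSES_ROOT. The PowerShell inventory below is an added example, not part of any post in this thread and not Microsoft's code: it lists the handler DLLs Explorer resolves through that key so the third-party ones can be reviewed. The two registry locations it enumerates and the function name Resolve-ComServer are choices of this example, and it assumes PowerShell 3.0 or later.

```powershell
# Added example: inventory COM handlers that Explorer loads via HKCR\CLSID.
# The two source keys below are this example's selection, not a list from the thread.
$sources = @(
    @{ Kind = 'ApprovedShellExtension'   # value name = CLSID, value data = description
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved' },
    @{ Kind = 'DiskCleanupHandler'       # one subkey per handler, default value = CLSID
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches' }
)

function Resolve-ComServer {
    # Hypothetical helper: map a CLSID to the in-process server DLL registered for it.
    param([string]$Clsid)
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    if (-not (Test-Path -LiteralPath $key)) { return $null }
    $raw = [string](Get-Item -LiteralPath $key).GetValue('')
    if (-not $raw) { return $null }
    $dll = [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
    # Bare file names such as "shell32.dll" are resolved against System32 here.
    if (-not [IO.Path]::IsPathRooted($dll)) { $dll = Join-Path $env:SystemRoot "System32\$dll" }
    $dll
}

$report = foreach ($src in $sources) {
    if (-not (Test-Path -LiteralPath $src.Path)) { continue }
    $root = Get-Item -LiteralPath $src.Path
    $entries = if ($src.Kind -eq 'ApprovedShellExtension') {
        $root.GetValueNames() | ForEach-Object {
            @{ Name = [string]$root.GetValue($_); Clsid = $_ } }
    } else {
        Get-ChildItem -LiteralPath $src.Path | ForEach-Object {
            @{ Name = $_.PSChildName; Clsid = [string]$_.GetValue('') } }
    }
    foreach ($e in $entries) {
        if ($e.Clsid -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { continue }   # skip non-GUID entries
        $dll = Resolve-ComServer $e.Clsid
        $sig = if ($dll -and (Test-Path -LiteralPath $dll)) { Get-AuthenticodeSignature -FilePath $dll }
        [pscustomobject]@{
            Kind   = $src.Kind
            Name   = $e.Name
            Clsid  = $e.Clsid
            Server = $dll
            Status = if ($sig) { $sig.Status } else { 'ServerNotFound' }
            Signer = $sig.SignerCertificate.Subject
        }
    }
}

# Show handlers whose DLL is missing or not signed by Microsoft, for manual review.
$report | Where-Object { $_.Signer -notmatch 'O=Microsoft Corporation' } |
    Sort-Object Kind, Name | Format-Table Kind, Name, Status, Server -AutoSize
```

Catalog-signed system DLLs can show as NotSigned on older PowerShell versions, so a NotSigned result on a file in System32 calls for a second check rather than a conclusion.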
  13. Upasaka
    Upasaka Guest

    MICROSOFT are aware of the problem with KB908531 and have told users to remove this update, they are working on a replacement.
  14. earwig
    earwig Registered Member

    Re: verclsid - MS Verify Class ID

    Can you tell me where you saw that Microsoft is aware of the problem and working on a replacement? I can not find this information anywhere on MS's site. Thank you.

  15. snapdragin
    snapdragin Administrator

    Hi bktII,

    I've moved your thread from the Process Guard forum over into this forum (Other Security Issues) as the subject pertains to problems associated with the recent MS Security Update KB908531 (which introduced the new file verclsid.exe) causing problems with quite a few programs, and not PG specific.

    As Upasaka has mentioned, Microsoft is aware of the issue and hopefully will address it quickly.

    There is also an on-going thread at DSLR that you can follow, where others have reported issues with this update along with adding comments on possible workarounds.

    Avoiding that particular update (KB908531) for the time being, or if you have already installed it and having issues, then uninstalling it via the Add/Remove applet seems to be the way to go for now.

    Regards,

    snap
  16. bktII
    bktII Registered Member

    Snap,

    Thank you for the note. You are quite right to move the thread as it has indeed drifted away from ProcessGuard.

    Unlike others, I am having no particular problems yet with the update; just some behavior that I am unable to figure out (due to my somewhat paranoid nature). As I use Opera, Firefox and OffByOne for internet browsing, Thunderbird for email and vlc media player for streaming audio, I have had no bad experiences with anything after the update; yet. Also, I have been spending a lot of time in the Linux world (Ubuntu and Fedora) the last 2-3 months so I haven't completely exercised all of my Windows applications after the update and probably will not anytime soon. Waiting for Microsoft's next patch will be fine.

    I like your avatar!

    bktII

    P.S. I have been monitoring other posts and threads outside of Wilders and a number of people have said that it was ProcessGuard that first brought their attention to verclsid.exe. This speaks very highly of the folks at DiamondCS as well as the Wilders ProcessGuard forum. Keep up the good work!
  17. Upasaka
    Upasaka Guest

  18. Upasaka
    Upasaka Guest

    Well the DSLR thread is an interesting read.

    Removing HP software does appear to "FIX" the problem HOWEVER there are just as many people posting that DO NOT have HP software and are having major problems.

    Paint Shop Pro, Acronis and other software are also affected as is VB6.

    My son's machine was affected so badly he could not use it as were my neighbour's 3 machines, none of these have any HP software.
  19. pan Jan
    pan Jan Registered Member

    I had problems with context menu on my desktop after click on right mouse button to desktop.
    The context menu was not activated.
    After uninstalling service pack with number KB908531 from my operating system all functions are O.K. now.

    pan Jan
  20. fredra
    fredra Registered Member

  21. aigle
    aigle Registered Member

    BTW, I have got this update and no significant problem so far. I have Toshiba satellite M70.
    Running Antivir and ZA Pro.
  22. planetkeeper
    planetkeeper Registered Member

    Hi Snap and all;

    removing KB908531 actually only removes the installed programs identifier. PROCESSGUARD still flags it as I clicked BLOCK ALWAYS and it just keeps trying to load after removing the program. You have to do a verclsid.exe search, delete the four files and the prefetch identifier plus remove it from PROCESSGUARD.

    pk
  23. ronjor
    ronjor Global Moderator

    Microsoft Patch Causing Lockups, Crashes [Link is slow to load]

    Story
  24. ronjor
    ronjor Global Moderator

    Story
  25. bktII
    bktII Registered Member

    Wow!

    "It also downplayed the difficulties. "Our information at this time leads us to believe that this is having little to no impact on corporate networks," wrote Mike Reavey, operations manager of the Microsoft Security Response Center, on the group's blog."

    I guess home users don't matter?!

    "To correct the conflict, Microsoft only offered a workaround that required users to dive into the Windows registry, then add an entry there. If the registry becomes corrupted or is improperly edited, the affected PC may not boot into Windows."

    I would guess that most home users would not be comfortable diving into the Windows registry. It is something that I do not take lightly. Myself, I would just restore the partition if I could not get back in; but most home users are not likely set up to do this.

    "Microsoft blamed the problems on Hewlett-Packard software for scanners, cameras, and printers, but also said that Sunbelt Software's Kerio Personal Firewall prevented a recrafted Verclsid.exe file from executing."

    HP is a MS "partner". You get MS Windows with a PC by default. Kerio Personal Firewall only works on Windows, has been around for a long time and has a reasonably large user base.

    Seems like MS needs to concentrate their efforts on software quality assurance for their OSs and applications. They should leave security software (i.e., firewalls, antivirus, antispyware) to the experts. They are spread way too thin.