A Coincidence???

Discussion in 'ProcessGuard' started by snowfire, Mar 20, 2005.

Thread Status:
Not open for further replies.
  1. snowfire

    snowfire Registered Member

    Joined:
    Feb 12, 2005
    Posts:
    38
    Hello All,

    I have winXP sp2, PG 3.150 Full Version and additional security layers.

    I would like to relate something that I will call a COINCIDENCE!!! In an attempt to stay as objective as possible (yea, right). And ask...what is v5stats.windowsupdate.microsoft.com? And why would svchost.exe (one of them!!) need to go there? I have IE v6 (locked down).

    I run Firefox and NEVER use IE. One only needs IE to update if one goes to the Microsoft Update Website. In the past microsoft rarely respected my wish to not auto-update (silently...no less). That is...until I brought some "other" security on board.

    Well...I updated windows several days ago. I had to go into several programs and re-enable wuauclt.exe (no big deal). Once the update I WANTED (KB887742) was done I went back and disabled wuauclt.exe where necessary including Windows Security Center.
    Win Security Center (microsoft) has chosen to not recognize my decision...Oh, yes...auto-updates "is" turned off...but the funny thing is it's still running and on automatic!!!

    Since updating wuauclt.exe has tried to load on start-up. rundll32.exe (which I have at "permit Once" in PG 'cause I want to learn what starts and why) has started during boot. In "Security" tab it says "unable to ask user". wuauclt.exe (was) set to "permit once"...since after updating (at first boot up) wuauclt tried to start (even though it is TURNED-OFF) I set it to "deny always". After that wuauclt would try to start, rundll32.exe would indicate it was unable to ask user, and (then) several other windows processes: alg.exe, dwwin.exe, rstrui.exe, dfrgntfs.exe, control.exe and wmiprvse.exe would indicate that they were unable to ask user. Not all at once...first it was rundll32.exe then the above started...one at one boot, two more at another boot etc. In PG "Alerts" would tell me that wuauclt.exe was blocked. This was happening at startup. THIS has never happened before.

    Today...I didn't realize right away that PG was stuck in "initializing"...this hasn't happened for some time now. I had to shut down and restart. When I re-started PG initialized properly. In "Alerts" it showed that wuauclt.exe was blocked. Since updating windows rundll32.exe, for the first time, did not indicate that it "could not ask user"! Same for the above mentioned processes! I went to Outpost to see what was blocked-what was not before I shut-down too hastily!


    This is from Outpost "Allowed Connections". The time during which PG was stuck in "initializing".

    5:04:51 PM svchost.exe OUT TCP v5stats.windowsupdate.microsoft.com HTTP HTTP connection

    Below is the relevant log file from PG !!AFTER I re-started once I realized PG had NOT initialized!! I have no log for the startup when PG was not initialized.

    Sun 20 - 17:35:14 [EXECUTION] "c:\windows\system32\wuauclt.exe" was blocked from running
    [EXECUTION] Started by "c:\windows\system32\svchost.exe" [1392]
    [EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[570]susdsdb5cf744826a4b49b8c9ac7dce8b9f0c ]

    After re-starting and PG initialized rundll32.exe (apparently) no longer needed to start and, for the first time since updating, I did not receive the "could not ask user" message in PG "Security" tab.

    Now...am I making a mountain out of a mole hill? Or did windows manage to circumvent PG? Please tell me I am wrong!!!!

    Any input will be helpful
    snowfire
     
  2. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi snowfire,

    Concerning automatic updates, is the Automatic Updates service set to manual in your Services control panel (go Start/Run, type and execute services.msc)? I believe the service remains set to automatic even if you turn off Automatic Updates using the Control Panel icon/extension.

    Nick
     
  3. snowfire

    Hi Nick, it was set to manual until I updated. Then it remained in auto. I have since (tonight) had to reset it in Reg Run Gold this time to "disable".
    WinPatrol tells me it is still running but disabled finally!?
     
  4. nick s

    I only do Windows Update manually, so I set the Automatic Updates service to automatic "temporarily", do the update, and then set it back to manual. I remember one or two updates that did reset the service to automatic, but RegRun (Gold) alerted me.

    Nick
     
  5. snowfire

    That is how I do updates. And I am sure I had it set to manual in RR Gold (NT Services)...but it was set at auto!!! I received no alert. It was set to manual in Winpatrol...it was changed to auto...no alert. I, too, haven't had this happen in a while. It is now blocked in OP, disabled in RR, "Deny Always" in PG. What bothers me is that it seems windows was able to change settings while PG was stuck in "initializing". Is there a way to get PG to load before windows processes? (after the bare minimum, of course!)

    snowfire
     
    Last edited: Mar 21, 2005
  6. nick s

    Hi snowfire,

    The update service was reset (using a registry change) before you rebooted your system. PG does not see the reset. It will only see wuauclt.exe trying to execute when your system loads, and then block it. While playing around with it, I did notice that the Automatic Updates service will start and run even if PG blocks wuauclt.exe from executing. Try starting the service, but block wuauclt.exe with PG, and you will see that the service starts and continues to run. The service does try to restart wuauclt.exe several times, which may or may not be causing a problem for PG at startup.

    I don't use WinPatrol but, depending on your RR settings, RR may ignore the change. Do you have "Check system when shutting down computer" enabled in your Global Options/On Shutdown tab?

    Nick
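    A worked check for what Nick describes above, added here as an example and not code from the thread or from ProcessGuard, RegRun or WinPatrol: it reads the Automatic Updates service start type straight from the registry (the value an update run can flip back to Automatic without any process launch for PG to prompt on), reports the Automatic Updates mode, and resets the service to Manual when it has drifted. It assumes PowerShell 2.0 or later and local administrator rights for the reset; the registry paths are the Windows XP/2003-era ones, while the function names and the expected 'Manual' default are this example's own choices.

```powershell
# Added example, not code from the thread or from ProcessGuard/RegRun/WinPatrol.
# Checks the Automatic Updates service (wuauserv) start type as stored in the
# registry, which is what a Windows Update run can reset to Automatic without
# any process launch for PG to prompt on, and resets it on request.
# Assumptions: PowerShell 2.0+, administrator rights for Reset-WuauservStartType,
# and the Windows XP/2003-era registry locations named below.

$ServiceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\wuauserv'
$AuKey      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# "Start" value in the service key, same numbering sc.exe and services.msc use.
$StartNames = @{ 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
# AUOptions values of XP-era Automatic Updates (1 = turned off in Control Panel).
$AuOptionNames = @{ 1 = 'Turned off'; 2 = 'Notify before download';
                    3 = 'Download, notify before install'; 4 = 'Scheduled install' }

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    # Get-ItemProperty errors when the key or value is missing; report that as $null.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-WuauservState {
    # One object with the service start type, whether it is running, and the
    # Automatic Updates mode, all read from the registry rather than the UI.
    $start  = Get-RegistryValueOrNull $ServiceKey 'Start'
    $auOpt  = Get-RegistryValueOrNull $AuKey 'AUOptions'
    $noAuto = Get-RegistryValueOrNull $PolicyKey 'NoAutoUpdate'
    $svc    = Get-Service -Name wuauserv -ErrorAction SilentlyContinue

    $startType = 'Unknown'
    if ($null -ne $start -and $StartNames.ContainsKey([int]$start)) { $startType = $StartNames[[int]$start] }
    $auMode = 'Not set'
    if ($null -ne $auOpt -and $AuOptionNames.ContainsKey([int]$auOpt)) { $auMode = $AuOptionNames[[int]$auOpt] }
    $running = $false
    if ($svc) { $running = ($svc.Status -eq 'Running') }

    New-Object PSObject -Property @{
        StartValue   = $start
        StartType    = $startType
        Running      = $running
        AUOptions    = $auOpt
        AUMode       = $auMode
        NoAutoUpdate = ($noAuto -eq 1)   # policy value, set by Group Policy or by hand
    }
}

function Test-WuauservDrift {
    param([string]$Expected = 'Manual')
    # $true when the start type no longer matches what you set before updating.
    return ((Get-WuauservState).StartType -ne $Expected)
}

function Reset-WuauservStartType {
    param([ValidateSet('Manual', 'Disabled')][string]$StartupType = 'Manual')
    # Set-Service writes the same Start value services.msc does. Changing the
    # start type does not stop an already running service, so stop it as well.
    Set-Service -Name wuauserv -StartupType $StartupType
    if ((Get-Service -Name wuauserv).Status -eq 'Running') {
        Stop-Service -Name wuauserv -Force
    }
}

# Usage: run after a manual Windows Update session.
$state = Get-WuauservState
$state | Format-List StartValue, StartType, Running, AUMode, NoAutoUpdate
if (Test-WuauservDrift -Expected 'Manual') {
    Write-Host ("wuauserv start type is {0}; resetting to Manual" -f $state.StartType)
    Reset-WuauservStartType -StartupType 'Manual'
    Get-WuauservState | Format-List StartType, Running
}
```

    Run it after each manual update session. Test-WuauservDrift returning True is the "it was manual, now it is auto" case in this thread; the change is a registry write, which is why an execution-control tool like PG sees nothing until wuauclt.exe is launched on the next boot. From a plain command prompt, sc query wuauserv and sc config wuauserv start= demand do the same read and reset.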
     
  7. nick s

    I ran a test with Automatic Updates set to automatic and wuauclt.exe set to Deny Always, and saw no problems with PG initializing at startup. The Automatic Updates service started and continued to run. PG's logs showed that wuauclt.exe was blocked from executing twice.

    Nick
     
  8. snowfire

    Thanks Nick,

    Yes... now that you mention it...RR did kick in on shut-down after I updated. It works beautifully...the user (me) on the other hand needs to be more careful. More than likely the reg change in question was amongst the handful of changes that triggered RR on shut-down.

    This still doesn't address the fact that wuauclt.exe was able to connect while PG was "stuck" in "Initializing". I believe that if PG wasn't "stuck" wuauclt would not have been able to connect. Am I wrong? wuauclt could not connect on multiple attempts until PG got stuck in "Initializing"!! And THAT is the COINCIDENCE I mentioned!!

    Several additions would be useful in the next version: A real-time notification when PG is initializing on start-up (tray icon color?); and some kind of event log in PG when it is stuck (I don't know if that is even possible!)...but it would be handy.

    snowfire
     
  9. nick s

    When I get a chance, I will test again with OP (using it here as well) set to block wuauclt.exe. Up to now I have had wuauclt.exe permitted as a partially allowed application.

    Nick
     
  10. snowfire

    wuauclt was and had been in OP's Partially Allowed until it finally managed to connect when PG got stuck on start-up. I have since put it in the Block list. BTW...this morning rundll32 was, once again, called upon and PG was "unable to ask user"...though nothing unexpected was allowed to connect...nor was wuauclt blocked as best as I can tell. I really need to thoroughly understand all the svchosts that run around in windows. It's time to go back to Black Viper's website!! http://www.blackviper.com/WinXP/servicecfg.htm

    Your attention and help is truly appreciated...don't stop!!!

    snowfire
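    An added example for the question above of which services are riding inside which svchost.exe; this is not code from the thread, ProcessGuard or Outpost. It lists the services hosted by a given PID, expands an svchost group name such as netsvcs from the registry, and does the reverse lookup for wuauserv. It assumes PowerShell 2.0 or later with WMI available (on PowerShell 7, substitute Get-CimInstance for Get-WmiObject); PID 1392 is the parent PID quoted in the PG log earlier in the thread and will be different on any other boot, and the function names are this example's own.

```powershell
# Added example, not code from the thread or from ProcessGuard/Outpost.
# Maps svchost.exe instances to the services they host, so a parent PID from
# a PG log line (1392 below, taken from the log posted above) can be traced to
# a service, and an "-k netsvcs" group can be expanded to its members.
# Assumptions: PowerShell 2.0+ with WMI (use Get-CimInstance on PowerShell 7);
# the PID is whatever your own PG log shows on that boot.

$SvchostGroupKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'

function Get-SvchostServices {
    param([Parameter(Mandatory = $true)][int]$ProcessId)
    # Win32_Service records the PID of the hosting process, so filtering on it
    # lists every service sharing that svchost.exe instance.
    Get-WmiObject -Class Win32_Service -Filter "ProcessId = $ProcessId" |
        Select-Object Name, DisplayName, State, StartMode, PathName
}

function Get-SvchostGroupMembers {
    param([Parameter(Mandatory = $true)][string]$Group)
    # Each value under the Svchost key is a group name (netsvcs, imgsvc, ...)
    # whose REG_MULTI_SZ data is the list of services "svchost -k <group>" loads.
    $key = Get-ItemProperty -Path $SvchostGroupKey -ErrorAction Stop
    $members = @($key.$Group)
    foreach ($name in $members) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $status = 'not installed'
        if ($svc) { $status = [string]$svc.Status }
        New-Object PSObject -Property @{ Group = $Group; Service = $name; Status = $status }
    }
}

function Find-ServiceHost {
    param([Parameter(Mandatory = $true)][string]$ServiceName)
    # Reverse lookup: the svchost PID and "-k" group currently hosting a service.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name = '$ServiceName'"
    if (-not $svc) { return $null }
    $group = $null
    if ($svc.PathName -match '-k\s+(\S+)') { $group = $Matches[1] }
    New-Object PSObject -Property @{
        Service = $svc.Name; ProcessId = $svc.ProcessId; Group = $group; State = $svc.State
    }
}

# Usage: the parent PID from the PG log, the group wuauserv normally runs in,
# and where wuauserv is hosted right now.
Get-SvchostServices -ProcessId 1392 | Format-Table Name, State, StartMode, PathName -AutoSize
Get-SvchostGroupMembers -Group 'netsvcs' | Format-Table Group, Service, Status -AutoSize
Find-ServiceHost -ServiceName 'wuauserv' | Format-List Service, ProcessId, Group, State
```

    On XP, tasklist /svc gives the same PID-to-service view from a command prompt. The point of the lookup is that a "Deny Always" on wuauclt.exe in PG applies to that one executable, not to the wuauserv service that keeps running inside the shared svchost instance, which is consistent with the Outpost entry earlier in the thread naming svchost.exe rather than wuauclt.exe as the connecting process.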
     
  11. nick s

    I tried every which way to get wuauclt.exe to bypass PG and connect out at startup: the service was set to auto, Automatic Updates enabled via control panel, wuauclt.exe set to permit once in PG, and wuauclt.exe blocked with reporting enabled in OP. No luck; PG behaved normally and prompted me twice that wuauclt.exe was attempting to execute.

    Strangely (and unrelated to the PG issue), no wuauclt.exe alerts from OP or logged events when Automatic Updates worked as it should and asked if I wanted to install an available update.

    Nick
     
  12. snowfire

    Hey! Nick,

    That is strange!
    But it seems that windows (microsoft) when "given the chance" attempts to assume ownership of your computer to some degree...I've done what I can do (again) wuauclt is disabled, denied, and blocked everywhere I can think of...since rundll32 has begun (again) to be called upon during start-up...I am waiting to see when (and if) PG fails to initialize on start-up!!! And I'll be watching OP more closely, too!

    Keep me Updated...Thanks!
    snowfire
     
  13. nick s

    You're welcome, snowfire. In fact, I did both a manual Windows Update, as I normally do, and an automatic update, with no alerts from OP. I will leave it that way and see if something breaks.

    Nick
     
  14. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    To manually download an update, visit the Microsoft Security Bulletins site instead. You don't have to use IE, don't have to enable ActiveX and don't have to worry about MS gathering and retaining data on your system configuration.
     
  15. Arup

    Arup Guest

    Thanks for the link, used to have it but somehow lost it.
     
  16. snowfire

    Morning Everyone,

    Nick...
    PG failed to initialize on boot. Had to restart...then it was fine. According to OP nothing unexpected was sent or received.

    Paranoid2000...
    Thanks for that link!!! Now I won't have to check all my settings after updating!!! Yea Right!! I am going to roll back my sys prior to updating (after uninstalling it). To see if rundll32.exe is "unable to ask user" on startup and PG fails to initialize. Then I will update with the link you provided.

    Thanks Again
    snowfire
     
    Last edited: Mar 26, 2005
  17. wayne_b

    wayne_b Registered Member

    Joined:
    May 29, 2004
    Posts:
    56
    Would it still be true after April 2005?

    Microsoft is going to require 'Key Validation' before downloading; this would require ActiveX from my understanding?

    -wayne
     
  18. Paranoid2000

    If you check that page, there is no mention of any authenticity/verification checks, while such checks have been mentioned on other (non-security) downloads. Given that it lists security patches only, Microsoft would be doing itself few favours if it denied access to these for any reason and owners of pirated versions of Windows have always been allowed access to these fixes.
     
  19. Mephisto

    Mephisto Guest

    Personally, as a person who forked over the money for XP, I hope they do stop allowing pirated copies to update ... These losers that steal software are the reason why legitimate customers have to pay so much to purchase their software.

    I would gladly take my chances on the net surfing with systems that are unpatched ... (it won't affect my patched system) the thieves deserve to go unpatched and actually should be tossed in their county jail.
     
  20. Paranoid2000

    Patched or not, you can still be affected by unpatched systems being used as spam-sending zombies or DDoS clients. The current setup where illegitimate copies can access security updates (but nothing else) is, IMHO, the best option for the Internet community since it reduces the pool of exploitable systems.
    Ever try buying a legitimate copy of Windows XP in China? You can get copies in supermarkets with the hologram and all the other "authenticity" markers but it is still pirated - which purchasers find out only after going online. Part of the problem is that a "real" copy costs more than what many people can earn in a month...
     
  21. wayne_b

    Ok, I thought "genuine Windows validation" was going to be mandatory on all downloads after April as it is currently an option at the moment.

    Validation Link

    -wayne
     
    Last edited: Mar 25, 2005
  22. snowfire

    Hi!! All,

    Since my last post PG failed to initialize one other time...it has been fine otherwise. rundll32.exe is still being called upon by something...I now believe it happens when regrun2.exe (RegRun's Advanced Startup Manager) kicks in...though I am positive this did not occur before I first posted this issue. I will post at Greatis Forum for info. Since updating windows svchost.exe (-k imgsvc and -k netsvcs...respectively) were the first to load on startup. Also, Telnet.exe, CONF.exe, SESSMGR.exe, and MOBSYNC.exe were added to Outpost's "Partially Allowed" list. They are no longer there.
    And now only svchost.exe -k imgsvc is loading.

    And just two other things...that someone might have some insight on:

    1)
    svchost.exe (PID 1552) tries to start defrag.exe often. I have googled, gone to Process Library, DLL Help Database and a couple other places...but I can't get a clear idea about defrag.exe. I am able to defrag my sys with no problems.
    2) While uninstalling AntiVir something called delus.exe tried to set a global hook. My info search was mostly bad...maliciousware! PG alerted me to the attempt. When I went to Run> regedit...to search nothing was found. When I went to regedit through RegRun Gold it found references to it. I deleted them. Spybot only came up with MRU's (usage logs) delus.exe was in every one of them. All MRU's have been deleted...though windows was a bit stubborn over a couple...but I think they are gone. WasteBin is cleaned out and all restore points have been deleted. The reason I uninstalled AntiVir is because it was running against my settings. It was only used as an on-demand scanner. Also, it was configured for manual updates but would try to update itself anyway.

    It is weird...ever since Ad-Aware SE Pro went strange I have had one problem after another. I am not saying that they are connected it was simply the first in a line of problems. I really liked Ad-Aware...now I am afraid to use it!

    Thanks
    snowfire
     
  23. nick s

    Hi snowfire

    Concerning delus.exe, it is part of the AntiVir PE installer package and appears to involve itself in the uninstall routine. Even though it tried to set a Global Hook, it should be harmless.

    Nick
     

  24. snowfire

    Thanks Nick,
    It deleted easily enough! But why the global hook install? That bothered me.

    snowfire
     
  25. nick s

    Could be related to file-handling during the cleanup that follows the uninstall. I have several legitimate apps that use Global Hooks, but have yet to see that blocking them breaks any functionality.

    Nick
     
    Last edited: Mar 26, 2005