Discussion in 'ProcessGuard' started by paperinik3, Feb 3, 2006.
At every boot rundll32.exe wants the privilege to install hooks.
Should I give in?
What does the command line say? Is it from a trusted app?
Thank you tonyjl, in the protection tab it says only: "c:\winnt\system32".
That just says where rundll32 is located.
I mean, when you get the alerts (the actual pop-up), click on 'more info'; it should give more details about what is using rundll32 to install hooks: app path and name, cmd line, etc. Next time you get the alert, jot down the info given and then post back.
This is very curious... So: I have rebooted, got the alert "at 10.08.04 rundll.exe was blocked from creating a global GetMessage hook", went to the logs and - surprise! There was no trace of this block. All the other blocks were logged (I have, for instance, put a block on mobsync.exe) but not only did I not find the rundll32.exe block but THERE IS NO ENTRY at all between 10.08.01 and 10.08.09!
What does this mean?
I would run HijackThis and take a look at the O4 entries to see if that gave any clues as to what wanted to run rundll32.exe. An example is given in the log here: http://forums.techguy.org/security/435855-hjt-log.html (check out the 1st and 3rd O4 entries).
You can probably get the same info from using msconfig and the startup tab but the msconfig window makes viewing the details difficult.
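An added example, not part of the original thread: a short Python script that pulls the `O4` Run entries out of a HijackThis log and shows which DLL and export each rundll32 autostart actually loads, since rundll32.exe is only the host and the DLL is what needs to be trusted. It assumes the usual `O4 - HKLM\..\Run: [name] command` line layout; the sample log lines and all names in them are constructed.

```python
import re

# Constructed sample in HijackThis log layout (not taken from the thread).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\Example\bho.dll
O4 - HKLM\..\Run: [ExamplePwrMon] rundll32 C:\PROGRA~1\Example\pwrmon.dll,StartPwrMonitor
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe" /min
O4 - HKCU\..\Run: [ExampleUpd] C:\WINNT\system32\RUNDLL32.EXE "C:\Example Dir\upd.dll",Run -q
O4 - Global Startup: Example.lnk = C:\Example\app.exe
"""

# O4 registry autostart line: hive, key (Run, RunOnce, ...), value name, command.
O4_RUN = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# Command that starts with rundll32 (bare or full path), then "dll,export [args]".
RUNDLL = re.compile(
    r'^"?(?:[^"]*\\)?rundll32(?:\.exe)?"?\s+'
    r'(?P<dll>"[^"]+"|[^,\s]+),\s*(?P<export>\S+)\s*(?P<args>.*)$',
    re.IGNORECASE)


def rundll32_autostarts(log_text):
    """Return one dict per O4 Run entry whose command launches rundll32."""
    hits = []
    for line in log_text.splitlines():
        entry = O4_RUN.match(line.strip())
        if not entry:
            continue  # not a registry autostart line
        target = RUNDLL.match(entry["cmd"])
        if target:
            hits.append({
                "location": f'{entry["hive"]} {entry["key"]}',
                "name": entry["name"],
                "dll": target["dll"].strip('"'),
                "export": target["export"],
                "args": target["args"],
            })
    return hits


if __name__ == "__main__":
    for hit in rundll32_autostarts(SAMPLE_LOG):
        print(f'{hit["location"]} [{hit["name"]}] -> {hit["dll"]} export {hit["export"]}')
```
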
HijackThis tells me that the only application which wants to run rundll32.exe at startup is Start Pwr Monitor which is "IBM'S PROPRIETARY "battery maximizer" and power monitoring software for laptops" - so, my machine being an IBM ThinkPad, I suppose it's all right to let it run.
Thank you very much for your help SpikeyB.
BUT - WHY IS THIS EVENT NEVER LOGGED?