Blocking something at shutdown

Discussion in 'Ghost Security Suite (GSS)' started by Tatersalad, Dec 9, 2005.

Thread Status:
Not open for further replies.
  1. Tatersalad

    Tatersalad Registered Member

    Joined:
    Mar 24, 2004
    Posts:
    76
    Whenever I restart an AD window flashes at shutdown. It’s two fast to see what it’s blocking is there anyway to find out and allow it?
     
  2. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,301
    Location:
    Kent. UK by the sea
    Hi, Tatersalad

    I have the same problem with W2k which causes a Very Slow shut down, is W2k your OS?

    My is [was] so slow I only use the sleep button on my KB to shut it down. [gone back or should I say forward to using my XP OS]

    I tried all sort of allows but could not fix it.

    If you find answer to the problem, please post it back?

    Take Care,
    TheQuest :cool:
     
  3. tonyjl

    tonyjl Registered Member

    Joined:
    May 25, 2004
    Posts:
    287
    Hi guys,do you have c:\windows\system32\shutdown.exe in your list? (i'm just guessing here!)
     
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hopefully the next beta will include some sort of to disk logging which will allow one to see such alerts which are currently lost during shutdown.

    Pilli
     
  5. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,301
    Location:
    Kent. UK by the sea
    Hi, Pilli

    That what it needs Pilli.

    I was going to try and run PG with it to see what its logs would reveal about it, but on second thoughts decided that they might knock heads to hard if i had done so. :)

    Take Care,
    TheQuest :cool:
     
  6. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430

    Attached Files:

  7. nameless1

    nameless1 Guest

    My guess is that it is either WINLOGON.EXE or USERINIT.EXE trying to launch an application, as part of the normal shutdown process (stress on normal to emphasize that it's nothing that should be worried about or blocked).

    To check, you could make sure that WINLOGON.EXE and USERINIT.EXE are present in AppDefend's list, and that each has permission to Start Applications. Then see if AppDefend puts up a notice during shutdown.
     
  8. nameless1

    nameless1 Guest

    I forgot to mention that both WINLOGON.EXE and USERINIT.EXE reside in %SystemRoot%\system32 (usually C:\WINDOWS\system32).

    FYI, in future updates, Jason is going to give USERINIT.EXE permission to Start Applications by default, but right now, it is denied by default:

    https://www.wilderssecurity.com/showthread.php?t=109508
     
  9. nameless1

    nameless1 Guest

    Now that I think about it a little bit more, I think I'm probably wrong. If AppDefend is still running (and thus able to put up an alert), winlogon.exe and userinit.exe probably will not have done anything yet. Sorry.
     
  10. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    I grabbed this frame (from a VMware movie capture) of the AD alert when W2K shuts down. Creating an AD rule for c:\winnt\system32\smss.exe, and giving it permission to Terminate, will eliminate both the alert and the slow shutdown.

    Nick
     

    Attached Files:

  11. Tatersalad

    Tatersalad Registered Member

    Joined:
    Mar 24, 2004
    Posts:
    76
    No you were right, at least for me it was winlogon.exe. Not sure specifically what it’s trying to do but adding the app and allowing everything does the trick.
     
  12. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,301
    Location:
    Kent. UK by the sea
    Hi, nisk s

    That was the one smss.exe on my sys, Thank you very much nick s.

    Could you tell me what Mware movie capture is please?

    Once again thank you.

    Take Care,
    TheQuest :cool:
     
  13. [suave]

    [suave] Registered Member

    Joined:
    Apr 5, 2005
    Posts:
    218
    I don't know if you are familiar with Microsoft VirtualPC.

    But VMware workstation is sort of the same thing except it has much more features. One of these features is the ability to record your screen while you're in your virtual workstation. Sort of like a screenshot, except it actually records in video what happens on your screen (like moving the mouse and working in an application). It's good for testing software before you install it on your computer. It's great for software developers as well.

    http://www.vmware.com/products/ws/

    btw, smss.exe doesn't terminate anything on my computer. I don't ever get any shutdown problems like you guys... wonder why... o_O
     
  14. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,301
    Location:
    Kent. UK by the sea
    Hi, [suave]

    Thank you for the answer and the link.

    Glad you did not think I was asking about funny movies, because of my typo Mware. ;)

    Nice to hear you have no shutdown problems [neither do I now :D] but as to why not, well it is Windows we are talking about so your guess is as good as any bodies. :doubt:

    Take Care,
    TheQuest :cool:
     
  15. nameless1

    nameless1 Guest

    My guess is that whether or not you run into problems during shut down depends on your AppDefend configuration (i.e. whether or not you have modified the default rules, and/or added your own), and what software you have installed. Some software self-terminates very quickly at shut down, and some software takes longer to close. Maybe the added delay introduced by some software is what can cause problems.
     
  16. [suave]

    [suave] Registered Member

    Joined:
    Apr 5, 2005
    Posts:
    218
    Yeah but in his screenshot it shows smss.exe trying to terminate gss.exe.

    On my computer, smss.exe doesn't terminate anything... ever. And it's not my AppDefend configuration. I have it set to Ask me anytime a process tries to terminate another one. So if smss.exe was to terminate anything, I should be prompted about it.

    The whole point here is that I never get any prompt. Which means that either smss.exe is slipping through AD somehow, or my computer is diiferent in some way.

    I dunno... is it normal for smss.exe to terminate processes at shutdown?
     
  17. nameless1

    nameless1 Guest

    It could be that on your system, GSS.EXE terminates on its own before any action needs to be taken. That's all I was saying.

    I thought that WINLOGON.EXE is what did most or all of the shut down handling. I'm not sure what's going on with SMSS.EXE.
     
Thread Status:
Not open for further replies.