IE global hooks (never wanted them before) why now ?

Discussion in 'ProcessGuard' started by tech-addict, Jul 16, 2005.

Thread Status:
Not open for further replies.
  1. tech-addict

    tech-addict Registered Member

    Joined:
    Dec 21, 2003
    Posts:
    71
    IE has never wanted these hooks before (registered PG user since version 1.x). Suddenly, out of nowhere, it wants them, and without them IE starts crashing? Suspicious :doubt:
    Nothing really has changed on my PC in the last several months.
    I don't use IE very often, only on sites that I know should be safe. :cool: Otherwise I'm using Firefox most of the time.

    Code:
    Sat 16 - 17:22:46 [EXECUTION] "c:\program files\internet explorer\iexplore.exe" was allowed to run
                      [EXECUTION] Started by "c:\windows\explorer.exe" [1308]
                      [EXECUTION] Commandline - [ "c:\program files\internet explorer\iexplore.exe"  ]
    Sat 16 - 17:27:46 [GLOBAL HOOK]  [3488] was blocked from creating a global MSGFilter hook
    Sat 16 - 17:29:08 [EXECUTION] "c:\windows\system32\mobsync.exe" was allowed to run
                      [EXECUTION] Started by "c:\windows\system32\svchost.exe" [1184]
                      [EXECUTION] Commandline - [ mobsync.exe -embedding ]
    Sat 16 - 17:32:47 [EXECUTION] "c:\windows\system32\taskmgr.exe" was allowed to run
                      [EXECUTION] Started by "c:\windows\explorer.exe" [1308]
                      [EXECUTION] Commandline - [ c:\windows\system32\taskmgr.exe ]
    Sat 16 - 17:46:14 [EXECUTION] "c:\windows\system32\wuauclt.exe" was allowed to run
                      [EXECUTION] Started by "c:\windows\system32\svchost.exe" [1360]
                      [EXECUTION] Commandline - [ "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[550]susds74636b09bba2334591e027934a3ac6b4 ]
    Sat 16 - 17:49:56 [EXECUTION] "c:\program files\nsclean\boclean\boc4upd.exe" was allowed to run
                      [EXECUTION] Started by "c:\progra~1\nsclean\boclean\boc412.exe" [512]
                      [EXECUTION] Commandline - [ c:\progra~1\nsclean\boclean\boc4upd.exe /bocauto /silent ]
    Sat 16 - 18:00:01 [EXECUTION] "c:\program files\common files\kav shared files\avpupd.exe" was allowed to run
                      [EXECUTION] Started by "c:\program files\kaspersky lab\kaspersky anti-virus personal pro\avpcc.exe" [2092]
                      [EXECUTION] Commandline - [ "c:\program files\common files\kav shared files\avpupd.exe" /with_avpcc /ipcservname=avpcc_ipc_serv_name_000002 ]
    Sat 16 - 18:07:58 [GLOBAL HOOK]  [3488] was blocked from creating a global MSGFilter hook
    Sat 16 - 18:09:17 [EXECUTION] "c:\program files\internet explorer\iedw.exe" was allowed to run
                      [EXECUTION] Started by "c:\program files\internet explorer\iexplore.exe" [3488]
                      [EXECUTION] Commandline - [ "c:\program files\internet explorer\iedw.exe" -h 728 ]
    Sat 16 - 18:09:23 [EXECUTION] "c:\windows\system32\dwwin.exe" was allowed to run
                      [EXECUTION] Started by "c:\program files\internet explorer\iexplore.exe" [3488]
                      [EXECUTION] Commandline - [ c:\windows\system32\dwwin.exe -x -s 1420 ]
    Sat 16 - 18:09:43 [EXECUTION] "c:\windows\system32\drwtsn32.exe" was allowed to run
                      [EXECUTION] Started by "c:\program files\internet explorer\iexplore.exe" [3488]
                      [EXECUTION] Commandline - [ c:\windows\system32\drwtsn32 -p 3488 -e 980 -g ]
    Sat 16 - 18:16:30 [GLOBAL HOOK]  [2744] was blocked from creating a global MSGFilter hook
    Sat 16 - 18:17:20 [EXECUTION] "c:\program files\internet explorer\iexplore.exe" was allowed to run
                      [EXECUTION] Started by "c:\windows\explorer.exe" [1308]
                      [EXECUTION] Commandline - [ "c:\program files\internet explorer\iexplore.exe"  ]
    Sat 16 - 18:17:28 [GLOBAL HOOK]  [3444] was blocked from creating a global MSGFilter hook
    Sat 16 - 18:27:11 [EXECUTION] "c:\windows\system32\notepad.exe" was allowed to run
                      [EXECUTION] Started by "c:\windows\explorer.exe" [1308]
                      [EXECUTION] Commandline - [ "c:\windows\system32\notepad.exe" c:\program files\processguard\logs\pglog_07_2005.txt ]
    
    Now you're probably wondering why IE has 3 PIDs (3488, 2744, 3444). That's because I had more than one instance of it open (6 total). The ones that crashed (global hooks denied) were sitting on "relatively respectable" websites, one being hxxp://support.radioshack.com/,
    another was eBay, the other one was an item description page on eBay.

    So I don't think those sites are trying something underhanded, but you never know.. their site could be compromised by an outside entity :ninja:

    PC activity "possibly related" at time that hook requests started.
    Time log entry of Sat 16 - 17:29:08 was when I was saving a favorite to be viewed offline (tech info at RadioShack). Now that is something I very rarely do, and the last time I did it (several months ago) I didn't remember mobsync.exe starting, so I opened Task Manager to take a look at what was going on. (mobsync.exe is normal, I remembered after looking at taskman.)
    Then by the looks of it, my system wanted to check for updates (inopportune time to do that, huh :p ). Shortly thereafter, more global hook requests (I always deny, having never once allowed hooks for anything, NEVER). No problems before with denying them on anything.

    The global MSGFilter is what worries me, possibly something trying to intercept (log then pass on / modify on the fly) messages the OS uses to carry out functions? or... ?

    OK, I tried to provide as much info as I could about this incident, hopefully someone can shed some light on this situation for me.

    Well does anything sound / look suspicious to any of you ?
    TIA ;)
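
Added example, not part of the original post or of ProcessGuard: a small parser for the log format shown above. The `[GLOBAL HOOK]` lines carry only a PID, so it groups blocked hook events by PID, resolves each PID to an image where a "Started by" line names it, and lists what that PID launched afterwards (for example the crash reporters). The sample lines are constructed in the posted format; a PID that never appears as a parent stays unresolved, and PID reuse over a long log is not handled.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines in the format of the log posted above.
SAMPLE_LOG = r'''Sat 16 - 17:27:46 [GLOBAL HOOK]  [3488] was blocked from creating a global MSGFilter hook
Sat 16 - 18:09:23 [EXECUTION] "c:\windows\system32\dwwin.exe" was allowed to run
                  [EXECUTION] Started by "c:\program files\internet explorer\iexplore.exe" [3488]
                  [EXECUTION] Commandline - [ c:\windows\system32\dwwin.exe -x -s 1420 ]
Sat 16 - 18:16:30 [GLOBAL HOOK]  [2744] was blocked from creating a global MSGFilter hook
'''

HOOK_RE = re.compile(r'^(\w{3} \d+ - [\d:]+) \[GLOBAL HOOK\]\s+\[(\d+)\] was blocked '
                     r'from creating a global (\w+) hook')
RUN_RE = re.compile(r'\[EXECUTION\] "([^"]+)" was allowed to run')
PARENT_RE = re.compile(r'\[EXECUTION\] Started by "([^"]+)" \[(\d+)\]')

def summarize_blocked_hooks(log_text):
    """Return {pid: {"image", "hooks", "children"}} for every blocked hook."""
    images = {}                      # pid -> image, learned from "Started by"
    children = defaultdict(list)     # parent pid -> images it launched
    hooks = defaultdict(list)        # pid -> [(timestamp, hook type)]
    last_run = None                  # image named by the latest "allowed to run"
    for line in log_text.splitlines():
        if m := HOOK_RE.match(line.strip()):
            hooks[m.group(2)].append((m.group(1), m.group(3)))
        elif m := RUN_RE.search(line):
            last_run = m.group(1)
        elif (m := PARENT_RE.search(line)) and last_run:
            # The log pairs a PID with an image only for the parent process.
            images[m.group(2)] = m.group(1)
            children[m.group(2)].append(last_run)
            last_run = None
    # Resolve after the full pass: a hook line may precede the line
    # that reveals which image owns the PID.
    return {pid: {"image": images.get(pid, "unresolved"),
                  "hooks": events,
                  "children": children.get(pid, [])}
            for pid, events in hooks.items()}

if __name__ == "__main__":
    for pid, info in summarize_blocked_hooks(SAMPLE_LOG).items():
        print(pid, info["image"], len(info["hooks"]), info["children"])
```
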
     
  2. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,301
    Location:
    Kent. UK by the sea
    Hi, tech-addict

    PG gives IE global hooks by default [on install]; as IE is so integrated into the OS [well, part of the OS], I would think it needs them.

    Take Care,
    TheQuest :cool:
     
  3. tech-addict

    tech-addict Registered Member

    Joined:
    Dec 21, 2003
    Posts:
    71
    Ok, well it never came up before and I didn't change any default permissions.
    Thanks for the info. ;)
     
  4. rickontheweb

    rickontheweb Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    129
    IE used to want to set a global mouse hook. But now it appears it wants to set a global MSGfilter hook instead. I don't know when this changed, but I noticed the message also, so I think it's normal.

    On my machine if I don't allow it to set global hooks (and I don't), I'll get the PG message you mentioned when I click on and then slide sideways over the browser menu items (try it). If you don't allow it to set this hook, you'll have to click on each menu item to get the next menu drop down to appear instead of being able to slide sideways on the menus and have them open automatically as you slide back and forth. I don't know what else preventing this hook does since I don't use IE much, except to inspect local html code for display issues. I download patches instead of using windows update service/site so IE sits pretty idle here.

    But I think IE needs to be able to set hooks (it obviously wants to anyway), I used to ignore it, but things may have changed.

    Hope it helps.
     