msiexec.exe wanting full access

Discussion in 'ProcessGuard' started by hojtsy, Feb 29, 2004.

Thread Status:
Not open for further replies.
  1. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    The file
    C:\winnt\system32\msiexec.exe
    tries to gain write, terminate, set info, suspend access on each of my processes. Is this normal?

    If it is supposed to do this, then this should be included in the default config of PG.

    regards,
    hojtsy
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    It is a Windows Installer Component that is used to install new programs that use Windows Installer package files (MSI).

    I have just tried running the msiexec.exe without any parameters & get absolutely no logs in PG, having said that it may depend upon what other programmes you have on your list as to what msiexec.exe is trying to see.

    Can you copy the window log and post it please.
     
  3. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    The window log copy-paste that you have written about in another topic works, but I cannot copy more than what fits a screen. :-((( So I am copying the file log:

    29 Feb 09:36:37 - Process Guard Protection is ACTIVE
    29 Feb 09:56:08 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\smss.exe [224]
    29 Feb 09:56:08 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\csrss.exe [192]
    29 Feb 09:56:08 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\winlogon.exe [160]
    29 Feb 09:56:08 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\services.exe [248]
    29 Feb 09:56:08 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\lsass.exe [260]
    29 Feb 09:56:08 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\svchost.exe [444]
    29 Feb 09:56:08 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\svchost.exe [524]
    29 Feb 09:56:08 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\navnt\rtvscan.exe [552]
    29 Feb 09:56:08 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\kerio\personal firewall\persfw.exe [576]
    29 Feb 09:56:08 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\processguard\pg_msgprot.exe [596]
    29 Feb 09:56:08 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\mstask.exe [688]
    29 Feb 09:56:08 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\wbem\winmgmt.exe [784]
    29 Feb 09:56:08 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\explorer.exe [1080]
    29 Feb 09:56:08 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\ati technologies\ati control panel\atiptaxx.exe [1216]
    29 Feb 09:56:09 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\navnt\vptray.exe [1244]
    29 Feb 09:56:09 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\tds3\tds-3.exe [1328]
    29 Feb 09:56:09 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\internat.exe [1348]
    29 Feb 09:56:09 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\proxomitron\proxomitron.exe [1384]
    29 Feb 09:56:09 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\processguard\procguard.exe [1444]
    29 Feb 09:56:09 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\smss.exe [224]
    29 Feb 09:56:09 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\csrss.exe [192]
    29 Feb 09:56:09 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\winlogon.exe [160]
    29 Feb 09:56:09 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\services.exe [248]
    29 Feb 09:56:09 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\lsass.exe [260]
    29 Feb 09:56:09 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\svchost.exe [444]
    29 Feb 09:56:09 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\svchost.exe [524]
    29 Feb 09:56:09 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\navnt\rtvscan.exe [552]
    29 Feb 09:56:09 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\kerio\personal firewall\persfw.exe [576]
    29 Feb 09:56:09 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\processguard\pg_msgprot.exe [596]
    29 Feb 09:56:09 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\mstask.exe [688]
    29 Feb 09:56:09 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\wbem\winmgmt.exe [784]
    29 Feb 09:56:09 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\explorer.exe [1080]
    29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\ati technologies\ati control panel\atiptaxx.exe [1216]
    29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\navnt\vptray.exe [1244]
    29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\tds3\tds-3.exe [1328]
    29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\internat.exe [1348]
    29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\proxomitron\proxomitron.exe [1384]
    29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\processguard\procguard.exe [1444]
    29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\smss.exe [224]
    29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\csrss.exe [192]
    29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\winlogon.exe [160]
    29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\services.exe [248]
    29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\lsass.exe [260]
    29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\svchost.exe [444]
    29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\svchost.exe [524]
    29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\navnt\rtvscan.exe [552]
    29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\kerio\personal firewall\persfw.exe [576]
    29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\processguard\pg_msgprot.exe [596]
    29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\mstask.exe [688]
    29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\wbem\winmgmt.exe [784]
    29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\explorer.exe [1080]
    29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\ati technologies\ati control panel\atiptaxx.exe [1216]
    29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\navnt\vptray.exe [1244]
    29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\tds3\tds-3.exe [1328]
    29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\internat.exe [1348]
    29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\proxomitron\proxomitron.exe [1384]
    29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\processguard\procguard.exe [1444]
    29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\smss.exe [224]
    29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\csrss.exe [192]
    29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\winlogon.exe [160]
    29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\services.exe [248]
    29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\lsass.exe [260]
    29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\svchost.exe [444]
    29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\svchost.exe [524]
    29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\navnt\rtvscan.exe [552]
    29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\kerio\personal firewall\persfw.exe [576]
    29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\processguard\pg_msgprot.exe [596]
    29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\mstask.exe [688]
    29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\wbem\winmgmt.exe [784]
    29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\explorer.exe [1080]
    29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\ati technologies\ati control panel\atiptaxx.exe [1216]
    29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\navnt\vptray.exe [1244]
    29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\tds3\tds-3.exe [1328]
    29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\internat.exe [1348]
    29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\proxomitron\proxomitron.exe [1384]
    29 Feb 09:56:10 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\processguard\procguard.exe [1444]


    I have all these processes protected with PG 1.300 full version. I was installing Adobe Acrobat when this happened.

    regards,
    hojtsy
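
Added example, not part of the original posts and not ProcessGuard's own code: a Python parser for file-log lines in the format quoted above that collapses the repeated passes into one summary per source process (distinct targets, rights requested, attempt count). The sample log is constructed, and the `example.exe` line and the `min_targets` threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the file log quoted above; the
# example.exe line is invented to show a source that touches one target only.
SAMPLE_LOG = r"""29 Feb 09:36:37 - Process Guard Protection is ACTIVE
29 Feb 09:56:08 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\lsass.exe [260]
29 Feb 09:56:08 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\kerio\personal firewall\persfw.exe [576]
29 Feb 09:56:08 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\explorer.exe [1080]
29 Feb 09:56:09 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\system32\lsass.exe [260]
29 Feb 09:56:09 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\program files\kerio\personal firewall\persfw.exe [576]
29 Feb 09:56:09 - [P] c:\winnt\system32\msiexec.exe [996] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\winnt\explorer.exe [1080]
29 Feb 10:02:41 - [P] c:\winnt\system32\example.exe [1500] tried to gain TERMINATE access on c:\winnt\explorer.exe [1080]
"""

# Rights may contain spaces ("SET INFO") and paths may contain spaces
# ("program files"), so every field is anchored on the fixed text around it.
EVENT_RE = re.compile(
    r"^\d{1,2} \w{3} \d{2}:\d{2}:\d{2} - \[P\] (?P<src>.+?) \[(?P<src_pid>\d+)\] "
    r"tried to gain (?P<rights>.+?) access on (?P<dst>.+?) \[(?P<dst_pid>\d+)\]$"
)

def parse_events(text):
    """Yield one dict per blocked-access line; status lines are skipped."""
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            yield {
                "src": (m["src"].lower(), int(m["src_pid"])),
                "dst": (m["dst"].lower(), int(m["dst_pid"])),
                "rights": frozenset(r.strip() for r in m["rights"].split(",")),
            }

def summarize(events):
    """Collapse repeated passes: per source, distinct targets and rights."""
    summary = defaultdict(lambda: {"attempts": 0, "targets": set(), "rights": set()})
    for ev in events:
        entry = summary[ev["src"]]
        entry["attempts"] += 1
        entry["targets"].add(ev["dst"])
        entry["rights"] |= ev["rights"]
    return dict(summary)

def sweeping_sources(summary, min_targets=3):
    """Sources that asked for rights on at least min_targets distinct processes."""
    return sorted(src for src, e in summary.items() if len(e["targets"]) >= min_targets)

if __name__ == "__main__":
    for (path, pid), e in summarize(parse_events(SAMPLE_LOG)).items():
        print(f"{path} [{pid}]: {e['attempts']} attempts, "
              f"{len(e['targets'])} targets, rights={sorted(e['rights'])}")
```

Run over the full file log, this reduces the repeated passes to a single line for msiexec.exe with the count of distinct protected processes it touched.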
     
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Can you also post your protection list? Use the "Save protection list" menu item under "Protection".

    This may help us analyse the cause - Thanks
     
  5. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    I don't think the protection list will help, but anyway here it is...
     


  6. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    I'll take a stab at this, but it could be that when installing, Acrobat actually installs quite deep into the system. You can either add msiexec to the PG list or, providing Acrobat is working correctly, ignore it.

    Personally I have had no logs generated from msiexec.exe and there are no other reports here or on the beta forum. So to answer your question "Should it be added to the default list" probably not. You can, of course, add any trusted programme.

    As PG is a very new and powerful tool in our security set ups it will take a while for a database of preferred settings to be compiled, any feedback is always welcome regarding PG's behaviour.

    Thanks & HTH. Pilli
     
  7. siliconman01

    siliconman01 Registered Member

    Joined:
    Mar 6, 2003
    Posts:
    780
    Location:
    West Virginia (USA)
    MSIEXEC.exe will also cause PG 1.3 to bark on certain updates of Microsoft Office 2003. On my system (XP-XP1 Home) with Office 2003, MSIEXEC.exe is activated each time I go to MS Office update site and do a scan for needed updates. For reasons I have yet to determine, MSIEXEC.exe will stay in memory even after exiting the MS Office Update site. I have to manually kill it.

    Personally, I have added MSIEXEC.exe to PG with READ, WRITE, TERMINATE, SUSPEND "ALLOWS", because a liveupdate of Office 2003 was blocked by PG 1.3 and I had to go back and install it manually.
     
  8. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    No log from here either. Can I know which OS you have and what the MD5 fingerprint of your file is?
     
  9. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi siliconman01, That is interesting, I have version 1.320 beta and as you can see from the screenshot PG never murmured.

    Office 2003 now with Visio update. :)

    XP Pro SP1 + all patches AMD 2200+ cpu
     


  10. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    Windows 2000 sp4
    file: C:\WINNT\system32\msiexec.exe
    size: 64,512 bytes
    md5: ca1900f0ba173b76ef752b467075154b
    crc32: 41f3f03c
     
  11. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    XP - SP1 (all updates)

    MD5 - 038F161E1FF865FD35A308C851BA51FE
     
  12. siliconman01

    siliconman01 Registered Member

    Joined:
    Mar 6, 2003
    Posts:
    780
    Location:
    West Virginia (USA)
    The Office 2003 update that caused me problems was an Outlook 2003 update. I keep Outlook active and minimized in the systray, so I feel sure MSIEXEC.exe needed to terminate Outlook prior to installing the update.

    As a side issue, does your MSIEXEC.exe stay in memory if you do an MS Update scan and find no updates needed?
     
  13. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    No, I do not.
    I wonder if it might be being held open by Windows Update? I have Autoupdates switched off for Windows.
     
  14. siliconman01

    siliconman01 Registered Member

    Joined:
    Mar 6, 2003
    Posts:
    780
    Location:
    West Virginia (USA)
    Hmmm...interesting. I have autoupdates turned off as well.
     