PG - ctfmon.exe - global hooks Question?

Discussion in 'ProcessGuard' started by dog, Apr 29, 2004.

Thread Status:
Not open for further replies.
  1. dog

    dog Guest

    Hi All, :)

    My question is re: ctfmon.exe and PG ... log shows ctfmon.exe being blocked as follows :

    29 Apr 20:10:19 - [HOOK] c:\windows\system32\ctfmon.exe [612] was blocked from creating a global Shell hook [0000000A][00000000]
    29 Apr 20:10:19 - [HOOK] c:\windows\system32\ctfmon.exe [612] was blocked from creating a global GetMessage hook [00000003][00000000]
    29 Apr 20:10:19 - [HOOK] c:\windows\system32\ctfmon.exe [612] was blocked from creating a global CBT hook [00000005][00000000]

    Should I configure PG to allow these hooks? Or do I have something protected I shouldn't have ... I have changed it for now to allow the hooks for this process in the options drop-down box in the bottom right by checking off that box ... but is that correct? I googled ctfmon.exe to find out more about the process ... (description below) ... and figured it was OK.

    ctfmon - ctfmon.exe - Process Information
    Process File: ctfmon or ctfmon.exe
    Process Name: Alternative User Input Services
    Description: A service that handles the Alternative User Input Text Processor (TIP) and the Microsoft Office Language Bar. It provides text input support for speech recognition, handwriting recognition, keyboard, translation, and other alternative user input technologies.
    Company: Microsoft Corp.
    System Process: Yes
    Security Risk ( Virus/Trojan/Worm/Adware/Spyware ): No
    Common Errors: N/A


    Thanks in advance for the help.

    dog - *puppy*
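
An added example, not part of the original post or of ProcessGuard: it parses the [HOOK] lines quoted above and decodes the first bracketed value as a Win32 `SetWindowsHookEx` hook type (an assumption that the matching labels in the log support). The page does not say what the second bracketed value is, so it is kept raw as the hypothetical field `arg2`.

```python
import re

# idHook constants from the Win32 SetWindowsHookEx API (winuser.h).
WH_NAMES = {
    0x0: "WH_JOURNALRECORD", 0x1: "WH_JOURNALPLAYBACK", 0x2: "WH_KEYBOARD",
    0x3: "WH_GETMESSAGE", 0x4: "WH_CALLWNDPROC", 0x5: "WH_CBT",
    0x6: "WH_SYSMSGFILTER", 0x7: "WH_MOUSE", 0x9: "WH_DEBUG",
    0xA: "WH_SHELL", 0xB: "WH_FOREGROUNDIDLE", 0xC: "WH_CALLWNDPROCRET",
    0xD: "WH_KEYBOARD_LL", 0xE: "WH_MOUSE_LL",
}
# Hook types whose procedure receives keyboard or mouse input messages.
INPUT_HOOKS = {"WH_JOURNALRECORD", "WH_KEYBOARD", "WH_GETMESSAGE",
               "WH_MOUSE", "WH_KEYBOARD_LL", "WH_MOUSE_LL"}

LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2} \w{3} \d{2}:\d{2}:\d{2}) - \[HOOK\] (?P<path>.+?) "
    r"\[(?P<pid>\d+)\] was blocked from creating a global (?P<label>\w+) hook "
    r"\[(?P<hook_id>[0-9A-Fa-f]{8})\]\[(?P<arg2>[0-9A-Fa-f]{8})\]$"
)

# The three log lines quoted in the post.
SAMPLE_LOG = r"""
29 Apr 20:10:19 - [HOOK] c:\windows\system32\ctfmon.exe [612] was blocked from creating a global Shell hook [0000000A][00000000]
29 Apr 20:10:19 - [HOOK] c:\windows\system32\ctfmon.exe [612] was blocked from creating a global GetMessage hook [00000003][00000000]
29 Apr 20:10:19 - [HOOK] c:\windows\system32\ctfmon.exe [612] was blocked from creating a global CBT hook [00000005][00000000]
"""

def parse_hook_line(line):
    """Return one decoded hook-block event, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    hook_id = int(m["hook_id"], 16)
    name = WH_NAMES.get(hook_id, f"unknown(0x{hook_id:X})")
    return {"time": m["ts"], "path": m["path"].lower(), "pid": int(m["pid"]),
            "hook": name, "sees_input": name in INPUT_HOOKS, "arg2": m["arg2"],
            # True when the log's own label agrees with the decoded constant.
            "label_matches": name == "WH_" + m["label"].upper()}

def summarize(log_text):
    """Group blocked hooks per (path, pid) so one allow decision covers a process."""
    by_proc = {}
    for line in log_text.splitlines():
        ev = parse_hook_line(line)
        if ev is None:
            continue
        entry = by_proc.setdefault((ev["path"], ev["pid"]),
                                   {"hooks": [], "sees_input": False})
        if ev["hook"] not in entry["hooks"]:
            entry["hooks"].append(ev["hook"])
        entry["sees_input"] |= ev["sees_input"]
    return by_proc

if __name__ == "__main__":
    for (path, pid), info in summarize(SAMPLE_LOG).items():
        print(path, pid, info["hooks"], "sees input:", info["sees_input"])
```

Grouping per process shows what a single "allow global hooks" flag would permit, including any hook type that can observe input messages.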
     
  2. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Blocking global hooks is for advanced users, and is experimental. I personally don't recommend the average user touch this setting :)

    YES - You should allow this to create a hook, since you know what the program is... especially a system file
     
  3. dog

    dog Guest

    Thanks Gavin ...

    I like experimental ... lol ... running into problems and learning the what, how and why ... will only help me improve my abilities and knowledge. Besides I got you wonderful DCS and Wilders folks to bail me out ... and teach me those what, hows, and whys. It's the Learning I enjoy and appreciate most. :) There's no learning experience like messing up.

    If I run into any big problems ... I'll do as you suggested.

    Thanks for both the answer and advice. :)

    dog - *puppy*
     
  4. Oremina

    Oremina Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    209
    Location:
    England
    Hi dog

    I believe ctfmon.exe comes along with both XP and Office XP.
    I had no problem with it when I just had Windows XP because I disabled it on start up. It stayed disabled, was no problem and I virtually forgot about it.

    However I recently installed Office XP Pro and ctfmon.exe was a real PITA. After every reboot, on opening IE (which I only use for Windows updates) and Outlook, DCS's RegProt would pop up and ask permission to allow change in reg key. This was extremely irritating. It would not stay disabled on startup and kept reappearing.

    Did some research and discovered that ctfmon.exe is only used by the Windows Speech and text service which I do not use. Did a bit of googling and discovered how to stop it running altogether, which I have done. This way there is no need to bother PG with its unwelcome presence. Microsoft Knowledge Base Article 282599 refers and will tell you exactly how to completely disable it. ;)

    HTH
     
    Last edited: Apr 30, 2004
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,050
    hi Oremina

    Thanks for posting this. I found the same thing. ctfmon is a pita, and I also found it kept popping up. Glad you found that article.

    Pete
     
  6. jwcca

    jwcca Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    722
    Location:
    Toronto
    I've had "4. Block Global Hooks" checked right from the beginning and haven't noticed any problems.
     
  7. jwcca

    jwcca Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    722
    Location:
    Toronto
    and if there's a trusted program that really needs Global Hooks, change its Options to "Allow Global Hooks - checked"
     
  8. Oremina

    Oremina Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    209
    Location:
    England
    Hi JW Clements

    Thanks for your input.
    Appreciate what you're saying.. but.. there have been quite a few threads on the forum about various apps that react adversely to the GPO Block Global Hooks.

    In my own case BOClean 4.11 would not fire up on boot/reboot for a good 50% plus of the time. However, there have been various other threads where other apps didn't like Block Global Hooks. It is a known problem and will hopefully be sorted by the next version of PG.

    Plus, in this very thread, Gavin himself mentions (not for the first time) that Block Global Hooks is pretty much experimental and not for the average user (me)... more for experts, which I certainly am not!!

    Pro tem, I run PG with the first three GPO's ticked and have no problems with any app, but I will leave the Global Hooks one for the future when there has been a little "sorting out" on it.

    However, to bring this back on topic (ctfmon.exe), unless you use windows speech/text service, IMHO the best thing is to get rid of it for good!!

    Regards


    :)
     
    Last edited: May 1, 2004
  9. Pigitus

    Pigitus Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    97
    Location:
    USA
    Dog and all,

    Ctfmon.exe is necessary for those who use other languages in addition to English on an English version of MS Office. But rather than be called when the actual language is used, it's Microsoft's bloating way to load stuff just in case.

    To have PG deal with hooks was a brilliant idea (among others) from DiamondCS. This option makes life more difficult for Trojans who want to communicate their loot to their owners. Like many powerful tools, it may cause tripping. However, Gavin, I hope you're not going to get rid of this parameter: just warn users with a small note next to the Hooks option.

    I often use a second monitor to just display the PE log. As I see trouble like these hook denials, I follow Gavin's idea that if a system file wants a hook, accommodate that program. However, I'd like to point out that some programs react in a funny way to PG. While Sidekick 98 got happy as soon as it got hook permission, this permission was not enough for Quicken 2001. The password window for Quicken's data file would not proceed gracefully and I have to deactivate PG to get Quicken going. There are other programs that don't work when PG is active.

    Is it PG which needs improving or is it Quicken 2001 and some others that don't know how to behave properly in tight spaces (though Quicken seems better written than the average program)?

    Pigitus
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,050
    This is strange. I don't use Quicken, but I am using Quickbooks 2004. I ordinarily don't password protect it, but I just tried it and had no problems. I am using PG and have all protections applied. Do you have the Closed Message Handling Option on for Quicken? That could possibly cause a problem. Also note that you are using Quicken 2001. They are up to 2004, which could have lots of improvements as well as lots of new "features".
     
  11. Pigitus

    Pigitus Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    97
    Location:
    USA
    Peter2150,

    Thanks for your suggestion about turning on "Close Message Handling". Actually, further testing of this problem revealed this:

    1. Even when all 3 PG option flags are checked for Quicken, it refuses to open on a desktop (600MHz, 512MB).

    2. The same Quicken runs fine with just one PG option flag checked (global hooks) on a laptop (2.2 GHz, 512MB).

    Global PG options were the same on both machines and local PG options were the same for the 2 Quicken EXE files.

    Did you say "strange"? But I am not seriously submitting this puzzle to anyone any further, except for this: the machine that refused to run Quicken under active PG is also the one that kicked PG off once, with all the protected programs kicked out. But since I reinstalled PG on that machine, PG has been running well. I hope this serves as some sort of clue to DCS.
     