Windows Processes Not Logging!!

Discussion in 'ProcessGuard' started by snowfire, Mar 28, 2005.

Thread Status:
Not open for further replies.
  1. snowfire

    snowfire Registered Member

    Joined:
    Feb 12, 2005
    Posts:
    38
    Morning!! All,

    I have windows xp sp2. Windows was up to date but I had to uninstall kb887742. It brought my sys to a crawl, memory leaking everywhere...and (though I don't know if it is related) all system startup processes: services.exe, winlogon.exe, userinit.exe, explorer.exe, rundll32.exe...rarely show in "Alerts", "View Logs", nor (when all were in the "Security") were/are they reporting "Last Run" times. Prior to updating Windows, sys services were routinely logged and routinely reported "last Run Time", except rundll32 and then a few others (see below). What follows was my routine startup sequence.

    (>=starts):
    service>sometimes a svchost file then later imapi
    winlogon>userinit
    userinit>explorer
    explorer>rundll32
    explorer>the rest of MY programs.

    NOW...
    After startup...no sys processes in Security Tab indicate "Last Run Time". All my apps indicate "last Run Time". Prior to windows update windows processes did indicate when they were last run. Then for some reason PG started having trouble initializing and rundll32 started being "unable to ask user" on startup. After I updated...the number of sys processes (entered in PG) that were "unable to ask user" began to increase. And the above startup sequence is no longer indicated in the "Alerts Tab" (they used to be) nor is it entered into the "Log Files" (they used to be). Uninstalling kb887742 has made no difference in the above issue. (though cpu usage is back to normal).

    I have uninstalled and re-installed PG ( with everything shut-down and disconnected from the net). On my first reboot (or second?) the above "normal" start-up sequence was there. After subsequent reboots...that start sequence is gone again. "Last Run Time" was still not functioning for sys processes!

    Unfortunately, I just now (this morning) read the install/uninstall guide. So I suppose I will be told to do it all over again...this time following the guide. So I will do that now...and report back.

    Any help will be very appreciated.
    snowfire
     
    Last edited: Mar 28, 2005
  2. snowfire

    snowfire Registered Member

    Joined:
    Feb 12, 2005
    Posts:
    38
    Hi! All,

    I am sorry but this topic should have been an added post to "A Coincidence...". https://www.wilderssecurity.com/showthread.php?t=71782

    Well, anyway...it did not work!!! Why o_O? I have the full version. And one of the things I really liked was being able to keep tabs on Windows. I did three uninstalls in safe mode...and made sure files mentioned in the guide were gone. Since no one else is having this problem...I assume that I have done something wrong!!! But what...for the life of me I can't figure what I may have done. I did recently disable some services:
    Fax, error reporting service, computer browser, win auto-updates. And alg.exe...which is DISABLED!! but insists on adding itself to OP "partially allowed" list then adds additional duplicate rules allowing itself net connection. I was going to REALLY go through services using Black Vipers config. guide and set up alternate configs. But I need PG working right first!!!

    Can someone please help!!!!o_O?
    snowfire
     
    Last edited: Mar 28, 2005
  3. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi snowfire,

    I am pretty sure that OP's rule for alg.exe is added by default when you install OP. I leave the ALG service set to manual and it never starts. It is absent from PG's security list, so I know it has never executed.

    Have you tried giving rundll32.exe permission to always run? I believe it is required by RegRun if you use Secure Start. I would also give those executables with the "unable to ask user" comment the same "Permit Always" setting.

    Nick

    Edit: a better approach might be to disable RegRun's protections and do another fresh install of PG.
     
    Last edited: Mar 28, 2005
  4. snowfire

    snowfire Registered Member

    Joined:
    Feb 12, 2005
    Posts:
    38
    Hi! Nick,

    alg.exe is excess windows baggage. It is disabled in services properly via services.msc. It should not be behaving in this manner at all.
    rundll32.exe starts regrun2.exe (RegRun Advanced Startup Manager) so that particular issue is now understood...I've posted over at Greatis to get info on that situation.

    I should not have to adjust my expectations of a program when it changes from what (according to PG logs) and my own usage was "normal" behavior. "Permit Once" provides the opportunity to not only monitor the activity of programs a user has installed but to watch (and learn) what windows processes start, when they start, how they start, and why they start.
    I refuse to settle for reduced functionality simply because I screwed up somehow or windows or something or (someone?) has decided that I should not have that functionality.

    I am getting frustrated...If I seem short-fused I am!!! And I am sorry.
    Everything in-house and on-line tells me that my sys is clean: no viruses, no worms, no trojans, no nasty rootkits, no hacker take-overs...and yet something is not right. If I screwed up I need to know. If Windows (Microsoft) is ****ing with my machine I definitely want to know.

    Please don't take my rantings personally...you are a great help!!! I am just so damn frustrated right now. I really need to take a break from this and go make some jewelry, or something.
    Don't give up on me. OK!!?

    snowfire
     
  5. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Zero chance of that happening ;).

    Nick
     
  6. snowfire

    snowfire Registered Member

    Joined:
    Feb 12, 2005
    Posts:
    38
    Hi!! All,

    Nick...when I started up my machine this evening I got: ( I logged in normally)

    (>=started)
    logonui.exe started ( indicated in Security Tab only )
    winlogon>userinit
    userinit > explorer
    explorer > rundll32
    rundll32 > regrun2
    explorer > everything else

    I have seen logonui on occasion do this. It is Microsoft Windows XP "user switching screen". "Fast User Switching" is enabled (manual). I have never knowingly used that function. When I uninstalled PG in Safe-Mode ( I've never used safe mode until now) there were two accounts: Administrator and Mine. I have full admin rights (I know...not good. It is something I am going to take care of very soon). I am hoping that this is normal!!!
    Also, logonui, userinit, explorer and rundll32 were "unable to ask user".
    Lastly, the Log start times and Security start times are different (earlier than) the "last run times" in the Alert Tab for the above processes by an average of 3 min.!!! Secure Start only runs for 30 secs if I let it. These are the times:

    Name            Log          Security Tab          Alert Tab

    logonui.exe     not there    21:31:27              not there
    winlogon.exe    started userinit but not otherwise indicated
    userinit.exe    21:34:52     21:34:52              21:37:32
    explorer.exe    21:34:53     21:34:53              21:37:32
    rundll32.exe    21:34:55     21:34:54              21:37:32

    regrun2.exe     21:35:00     (it was triggered)*   21:37:32

    Everything else starting:
    Log: 21:36:06 (with times increasing by secs.)
    Security Tab: 21:36:06 (times increasing by secs.)
    Alerts Tab: 21:37:32 (same time all progs)

    *by a known unwanted/stubborn start-up program...not a problem.

    Does this tell you anything? Are the differing start/run times normal? And what is with logonui.exe? Have I been hacked? I am not a techie so my imagination has plenty of room to roam... like...is someone using or trying to use my machine. OP shows no unusual traffic even with alg.exe playing games.

    alg.exe is really pissing me off...what would happen if I renamed the damn thing so it can't be found? Quite awhile ago I started unplugging from the net when I shut-down (I have wireless DSL) mainly because of Microsoft!

    Oh! well...I'll see what happens when I start next!!

    Ever Grateful for Your Gracious Help
    snowfire
     
    Last edited: Mar 29, 2005
  7. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi snowfire,

    The "Administrator" account is only available/viewable in Safe Mode. It is available in Normal Mode only if no other admin accounts exist. (I would password-protect it in case it is not).

    On my systems, logonui.exe executes on shutdown, not at startup. That may be due to some long-forgotten tweak. I also have Fast User Switching set to manual and Offline Files enabled. Enabling Offline Files does disable Fast User Switching.

    The difference in time between the Alerts window and the last-run time in the Security tab is a result of the PG GUI, procguard.exe, "catching up" with events that happened before it started. After procguard.exe executes, the times shown in the Alert windows start to increment. The last-run times are in sync with the raw PG logs.

    As far as ALG goes, take a look at this thread: Outpost Pro 2.5 + ALG.exe. Apparently the rule is automatically set by Outpost, and not triggered by an actual event. Renaming the executable might make Windows File Protection unhappy. I would not do it.

    Nick
     


  8. snowfire

    snowfire Registered Member

    Joined:
    Feb 12, 2005
    Posts:
    38
    Hey!! Nick,

    Start-ups have been normal in PG so far...and no logonui.exe!
    Thanks for clarifying the " start/run time" issue. As far as the "unable to ask user" I'll just ride with that...Alerts do work and process/program startups are listed.

    According to the PG install guide while in "learning mode" PG is supposed to give itself what permissions it requires...all I did was give all the ProcessGuard .exe in PG all the "other options for applications" except "secure message handling". That's it...that is all I did.

    Thanks for the Outpost link concerning OP...I did not see it!! I am going to let that ride for now, too. There is no odd or unexpected traffic in or out. And Shields Up tests show that my machine is totally stealthed...no ports hanging their butts out for all to see.

    If everything remains normal at this point I will be pleased...but this past month I have said that too many times only to have my sys go strange on me in a day or so. I'll take care of protecting Admin if it isn't already. I know it is not wise to be a regular user with Admin rights...just to surf the net. I did not know that there was an additional account...how could I miss something so basic yet so important?? :rolleyes: THANKS!

    snowfire
     
  9. snowfire

    snowfire Registered Member

    Joined:
    Feb 12, 2005
    Posts:
    38
    Hi!! Everyone,

    Why would "not" being connected to the net on start-up make a difference in my start-up sequence as indicated in PG?

    When I started up this morning "connected"...(once again) there was no indication that userinit, explorer, or rundll32 started anywhere even in security tab. And there was no "unable to ask user" this time.

    logonui.exe did start but was indicated in security tab only and no where else.

    So...I unplugged from the net and rebooted; the above happened...except there was no indication that logonui started anywhere this time. (not counting the shut-down sequence prior to reboot...as it should be).

    I remained unplugged from the net shut-down completely and rebooted after a few mins...the normal start-up sequence was back and indicated in all the appropriate places with "unable to ask user".

    logonui did not start according to PG.

    I found this while googling logonui.exe:

    http://archives.neohapsis.com/archives/vuln-dev/2001-q4/0895.html

    I have not knowingly downloaded any third-party logon screens.

    Any suggestions? Constructive critique...why is this happening?

    snowfire
     
    Last edited: Mar 30, 2005
  10. snowfire

    snowfire Registered Member

    Joined:
    Feb 12, 2005
    Posts:
    38
    Hey! Nick,

    Dmitry, the author of RegRun Security Suite, has said that rundll32.exe is not required to start regrun2.

    The only "Last Run" times that are in sync with the raw logs are the programs that I have installed. Absolutely NO windows processes are registering in last run anymore except at start-up...and I am intentionally triggering win .exe files.

    Here is a small triumph...so far. I changed alg.exe rules. I left TCP, but changed the directions and changed the local port from FTP to AOL 4. LOL...I don't have AOL 4. HEHEHE. So far alg has not changed the rules, added duplicate rules, or added a duplicate of itself in the OP partially allowed list!!! See what happens at restart.

    snowfire
     
  11. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi snowfire,

    Thanks for the update on rundll32.exe and RegRun. I will try setting rundll32.exe to Permit Once and see what happens.

    The only system executables in my last run list (since booting this morning) are userinit.exe, svchost.exe, and explorer.exe. The raw logs, on the other hand, show these:

    Thu 31 - 08:06:13 [EXECUTION] "c:\windows\system32\svchost.exe" was allowed to run
    [EXECUTION] Started by "c:\windows\system32\services.exe" [1168]
    [EXECUTION] Commandline - [ c:\windows\system32\svchost.exe -k imgsvc ]

    Thu 31 - 08:09:02 [EXECUTION] "c:\windows\system32\userinit.exe" was allowed to run
    [EXECUTION] Started by "c:\windows\system32\winlogon.exe" [1092]
    [EXECUTION] Commandline - [ c:\windows\system32\userinit.exe ]

    Thu 31 - 08:09:02 [EXECUTION] "c:\windows\explorer.exe" was allowed to run
    [EXECUTION] Started by "c:\windows\system32\userinit.exe" [1280]
    [EXECUTION] Commandline - [ c:\windows\explorer.exe ]

    The system executables in bold don't show up in either the Alerts window or in the Security List.

    Nick
     
  12. snowfire

    snowfire Registered Member

    Joined:
    Feb 12, 2005
    Posts:
    38
    :D Hi!! Nick,

    winlogon.exe and services.exe were in Security Tab as "permit always" and there was a time when they indicated "last Run" but they stopped reporting along with the others mentioned. They were also in the raw logs as "winlogon started userinit" and "services.exe started...svchost, alg, etc. They are back in the raw logs as of today!! 'cause.......
    I have good news...cross my fingers, your fingers and anybody with some spare fingers to cross...everything is back to normal!!

    I went into safe mode and gave the Admin acct a password and changed mine. Then I ran all my scans...clean. I did notice some things while in the admin acct. Lo and behold...there was the IE icon! Which had disappeared along with the .exe file from my user acct. I checked its properties and some were not the same as in my acct. Maybe that is normal but I changed them. I checked services and those settings were identical to my acct. Interestingly I was denied access to c:\Documents and Settings\owner....is that normal? I have
    access when in my acct.

    On restart, after startup my sys hung up. I couldn't even shut-down.
    (this was after I plugged back into the net). I had to kill the power.
    I am not sure why this happened. But I also discovered that the new UnHackMe v2 for which I just today received the new unlock key conflicts with PG. This version has an active (resident) rootkit monitor. Do not put it under PG protection...or it won't work even if it says its active. In Process Explorer I could see that it was not scanning at all.
    And, no, this was not an issue before. Unhackme was not active for 4 or 5 days...and before that it was an on-demand only program and never had a problem. This UnHackMe is a bit more robust.
    I don't think Windows likes it much either!! (for different reasons maybe!!). It won't let it install a shell notification icon. So I have to leave it minimized in the sys tray...it is actively monitoring...that's what counts.

    And rundll32.exe no longer starts regrun2.exe. And, interestingly, it does not start at sys start-up!!!? Only when it is called upon...and it indicates "last run", too!!

    Go Figure!!...

    alg.exe is back!! LOL

    snowfire
     
  13. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi snowfire,

    Just took a good look at the PG logging on my other desktop. The only obvious thing is svchost.exe has a last run date of March 24 and does not show up in the raw log (as it does in my previous post)...

    On the administrator access thing, do you have Simple File Sharing enabled (open My Computer, go Tools/Folder Options/View)? If you do, you may have enabled the "Make this folder private so that only I have access to it" feature that is available for your user folders. Just a guess...

    I will play with the UnHackMe monitor and see what I can find.

    Nick
     
  14. snowfire

    snowfire Registered Member

    Joined:
    Feb 12, 2005
    Posts:
    38
    Hi! Everyone,

    What follows is my post over at Greatis (RegRun Security Suite and UnHackMe). It is relevant here. And hopefully this is a final resolution. I am not an expert so I stumble along. If it weren't for the help I (and all of us) get at this and other forums__ "THANKS EVERYONE"__ I would have fallen flat on my face. There is another thread here discussing the possibility that PG has been compromised. In such a fluid environment as the net the only 100% assurances one can get is to not be on the net, or work CD's, or watch DVD's.

    PG is a powerful yet deceptively simple program. And does its job very well. There was a very good suggestion made on that other thread:
    BE CAREFUL about what programs you put under PG's Protection and what Permissions you give them!!! If you put the fox in the hen house it WILL eat all the chickens...unless the fox is caged...or kept out. This goes for windows processes as well...

    And Nick, I do believe I've resolved my issues here.



    ____Greatis Post______________________________________
    It looks like I've straightened things out. UnHackMe is fine in PG. But first...at start-up this morning:

    1) rundll32.dll decided to start regrun2 at boot again. And UnHackMe just "simply" stopped monitoring.

    2) Spybot warned about a reg value change: From "c:\...UnHackMe.exe" to "c:\...unhackme.exe". When I clicked accept the first time I got that warning...Unhack wouldn't/couldn't load. The Spybot warning didn't start happening when I first had trouble getting UnHackMe to load and monitor. And IF memory serves me right...it wasn't until I "denied" rundll32.exe in Security Tab...but on this I am not absolutely sure.

    3) I rebooted...same situation. Except, this time, I denied the change in Spybot. UnHack loaded with icon in notification tray and was actively monitoring.

    4) So...I rebooted and when I got the Spybot warning I clicked "always remember"..."deny". And...I removed rundll32 from Security Tab...on restart it added itself back again (rundll32 does not need to start at boot). So...I removed it from the Protection Tab. And re-added UnHack.exe and Hackmon to PG Protection Tab.

    5) After several reboots Unhack flawlessly loads ( the multiple instances of UnHack in Alerts Tab were reflecting the few times that I managed to get Unhack to monitor) with icon in tray. AND rundll32 no longer starts regrun2 on boot. I know I have said that before...but this time I went through at least 5 reboots and rundll32 is (so far) staying out of my start-up and UnHack loads.

    6) I went back into safe mode double checked all Internet settings in both accounts. Some of them had been changed back from my preferences! Then I went into services.msc and applied BlackVipers "safe" and (a few) "power user" configurations for windows services (including shutting down Windows Security Center). I also cleaned everything I could...temp Internet files, etc; defragged, cleaned disk, ran scans and then did a CHKDSK.
    I also changed the passwords (again).

    7) I then rebooted into reg mode: FileMap informed me that setupact.log (I have to find out what it is...won't quarantine...in use by a process...probably innocent. Might have something to do with changing passwords.
    Checked everything...created a restore and deleted all the rest. Then created another restore and deleted the other one...just for the hell of it.

    Plugged into the net. Windows informs me that I may have no connection or only a limited connection and suggests that I click this button and let windows fix it. I ignored the warning and closed the box...and here I am telling you all of this over a nonexistent or impaired connection. Everything works fine. I think it is time to get rid of that little connection icon. But I'll wait to see if windows eventually throws a fit.

    9) From now on I will unplug from the net before I shut-down or don't require it for awhile and plug-in when I am ready...'cause it seemed that things would revert if I did otherwise. I don't know why...unresolved.

    I hope that this is the last of this. I honestly don't know what was related to what: PG... rundll32...regrun2...UnHackMe. All I do know for sure is that: 1) rundll32 does not need to start at boot:resolved. 2) rundll32 has no legitimate reason for starting regrun2 at boot or any time:resolved. 3) something was preventing UnHackme from loading (any suggestions?):resolved.

    Did I do anything wrong...YES! Not with my programs (believe it or not) but with windows processes. I am much more lean'n mean now!

    snowfire
     
    Last edited: Apr 2, 2005
  15. beetlejuice69

    beetlejuice69 Registered Member

    Joined:
    Mar 16, 2005
    Posts:
    780

    Hi there snowfire.

    If you go into start-settings-control panel and dbl click the Windows Security Center icon, on the left hand side there's a spot to change the way the Security Center alerts me. This should fix your connection problem.
     
  16. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi snowfire,

    Do you have RegRun's Secure Start enabled? When I enable it, the following RunOnceEx entries are created:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
    "Flags"=dword:00000080
    "Title"="RegRun II Secure Start"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\@Regrun2]
    @="RegRun II Secure Start"
    "1"="C:\\PROGRA~1\\Greatis\\REGRUN~1\\regrun2.exe /w"


    This is what PG logs when I boot with Secure Start enabled:

    Fri 01 - 10:22:14 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
    [EXECUTION] Started by "c:\windows\explorer.exe" [676]
    [EXECUTION] Commandline - [ c:\windows\system32\rundll32.exe c:\windows\system32\iernonce.dll,runonceexprocess ]

    Fri 01 - 10:22:15 [EXECUTION] "c:\program files\greatis\regrunsuite\regrun2.exe" was allowed to run
    [EXECUTION] Started by "c:\windows\system32\rundll32.exe" [712]

    [EXECUTION] Commandline - [ "c:\progra~1\greatis\regrun~1\regrun2.exe" /w ]


    When I disable Secure Start, the registry entries are deleted and both rundll32.exe and regrun2.exe no longer execute at startup.

    Nick
     
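    A small parser for the ProcessGuard raw-log format quoted in Nick's two posts above, added here as an example (it is not code from the thread, from ProcessGuard or from RegRun): it rebuilds the "Started by" chain for a given process and picks out rundll32 runs whose command line is iernonce.dll,RunOnceExProcess, XP's RunOnceEx processor, so the regrun2.exe-under-rundll32.exe relationship shown in the log can be read off mechanically. The line shapes are assumed from the quoted entries only, and the embedded sample text is those same entries.

```python
import re

# Sample ProcessGuard raw-log lines, copied from the two posts by nick s in this
# thread (a Thursday boot, then a Friday boot with RegRun Secure Start enabled).
SAMPLE_LOG = r"""Thu 31 - 08:06:13 [EXECUTION] "c:\windows\system32\svchost.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\services.exe" [1168]
[EXECUTION] Commandline - [ c:\windows\system32\svchost.exe -k imgsvc ]
Thu 31 - 08:09:02 [EXECUTION] "c:\windows\system32\userinit.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\winlogon.exe" [1092]
[EXECUTION] Commandline - [ c:\windows\system32\userinit.exe ]
Thu 31 - 08:09:02 [EXECUTION] "c:\windows\explorer.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\userinit.exe" [1280]
[EXECUTION] Commandline - [ c:\windows\explorer.exe ]
Fri 01 - 10:22:14 [EXECUTION] "c:\windows\system32\rundll32.exe" was allowed to run
[EXECUTION] Started by "c:\windows\explorer.exe" [676]
[EXECUTION] Commandline - [ c:\windows\system32\rundll32.exe c:\windows\system32\iernonce.dll,runonceexprocess ]
Fri 01 - 10:22:15 [EXECUTION] "c:\program files\greatis\regrunsuite\regrun2.exe" was allowed to run
[EXECUTION] Started by "c:\windows\system32\rundll32.exe" [712]
[EXECUTION] Commandline - [ "c:\progra~1\greatis\regrun~1\regrun2.exe" /w ]"""

# Line shapes are assumed from the quoted entries only; any other line is ignored.
HEADER_RE = re.compile(r'^(?P<time>\w{3} \d{2} - \d{2}:\d{2}:\d{2}) \[EXECUTION\] '
                       r'"(?P<image>[^"]+)" was (?P<verdict>\w+) to run$')
PARENT_RE = re.compile(r'^\[EXECUTION\] Started by "(?P<parent>[^"]+)" \[(?P<pid>\d+)\]$')
CMD_RE = re.compile(r'^\[EXECUTION\] Commandline - \[ (?P<cmd>.*) \]$')

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def parse_pg_log(text):
    """Group each 'was ... to run' header with its Started by / Commandline lines."""
    events, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = {"time": m["time"], "image": m["image"].lower(),
                       "verdict": m["verdict"], "parent": None,
                       "parent_pid": None, "cmdline": ""}
            events.append(current)
        elif current is not None and (m := PARENT_RE.match(line)):
            current["parent"] = m["parent"].lower()
            current["parent_pid"] = int(m["pid"])
        elif current is not None and (m := CMD_RE.match(line)):
            current["cmdline"] = m["cmd"]
    return events

def launch_chain(events, image):
    """Follow 'Started by' links back from the latest event for `image` and
    return the chain root-first, e.g. winlogon > userinit > explorer."""
    chain = [basename(image)]
    while True:
        ev = next((e for e in reversed(events) if basename(e["image"]) == chain[-1]), None)
        # stop at a parent PG never logged itself (e.g. winlogon.exe) or on a cycle
        if ev is None or not ev["parent"] or basename(ev["parent"]) in chain:
            break
        chain.append(basename(ev["parent"]))
    return list(reversed(chain))

def runonceex_launches(events):
    """rundll32 runs that process the RunOnceEx key (XP loads
    iernonce.dll,RunOnceExProcess for this), paired with what rundll32 then started."""
    hits = []
    for i, ev in enumerate(events):
        cmd = ev["cmdline"].lower()
        if (basename(ev["image"]) == "rundll32.exe"
                and "iernonce.dll" in cmd and "runonceexprocess" in cmd):
            children = [c["cmdline"] for c in events[i + 1:]
                        if c["parent"] and basename(c["parent"]) == "rundll32.exe"]
            hits.append((ev["time"], children))
    return hits
```

    Anything listed by runonceex_launches was configured through the RunOnceEx key Nick shows above, so that key, not the child program, is the thing to inspect; launch_chain(parse_pg_log(SAMPLE_LOG), "regrun2.exe") returns the full winlogon > userinit > explorer > rundll32 > regrun2 chain.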
  17. snowfire

    snowfire Registered Member

    Joined:
    Feb 12, 2005
    Posts:
    38
    Hey!! Beetlejuice69,

    I finally remembered that I had to not only disable Security Center in Services but (also) go into Security Center and make that change you mentioned. Thanks for the reply.

    Hi! Nick,

    All I know for sure is that regrun2.exe (RegRun Start Control) does not require rundll32.exe according to Dmitry, its developer. I do have secure start (RegRun II Secure start/@regrun2) enabled and functioning. Secure Start should load before windows shell. Whereas onsecure.exe is support for secure start. It's confusing. But I intend to understand exactly what needs to start, when it needs to start and why!

    My issues were not actually resolved...but I won't go into it. It is posted at Greatis Forum under "UnHackMe: Other Issues". Just suffice it to say that I have explorer.exe and rundll32.exe in PG Protection Tab WITH NO MODIFY RIGHTS!! This is reminiscent of Ad-Aware...NO!! Now everything loads with no problems whether I am connected to the net or not. Granted rundll32.exe is still starting regrun2.exe but it or explorer.exe or whatever...has yet to mess with my start-up after multiple boots connected and disconnected from the net. Hopefully this fix will stick. And I have not yet encountered any ill effects from removing rundll32 and explorer right to modify. Thanks to PG...I can do that.
    I still feel, however, that I have fixed (?) symptoms...not the cause(s).

    snowfire
     