JeremyNicoll


Posts posted by JeremyNicoll


  1. XP Pro SP3 etc  

     

    My Security Event log shows typically between 2 and 6 event log records per second, all created - it seems - by the Windows Firewall.  Examples are

     

    ----------

    Event Type:    Failure Audit
    Event Source:    Security
    Event Category:    Detailed Tracking
    Event ID:    861
    Date:        10/07/2013
    Time:        11:01:26
    User:        NT AUTHORITY\NETWORK SERVICE
    Computer:    DELL-650
    Description:
    The Windows Firewall has detected an application listening for incoming traffic.
     
    Name: -
    Path: C:\WINDOWS\system32\svchost.exe
    Process identifier: 1124
    User account: NETWORK SERVICE
    User domain: NT AUTHORITY
    Service: Yes
    RPC server: No
    IP version: IPv4
    IP protocol: UDP
    Port number: 52814
    Allowed: No
    User notified: No

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    ----------

     

    Looking at a few seconds' worth, these are all for the same pid.  Just at the moment, pid 1124 is executing

     

      C:\WINDOWS\System32\svchost.exe -k NetworkService

     

    SysInternals' ProcExp tells me that this is running: dnsrslvr.dll - I assume that's the DNS resolver.

     

    This event is described as a "Failure Audit" and I also see "Allowed: No"  - which strongly suggests Windows Firewall blocked something.  Why is Windows Firewall doing anything at all?    On this system OA started at boot, which was approx 10:15.

     

     

     

    Much less often - once per minute I see

     

    ----------

    Event Type:    Success Audit
    Event Source:    Security
    Event Category:    Detailed Tracking
    Event ID:    861
    Date:        10/07/2013
    Time:        11:03:01
    User:        DELL-650\Administrator
    Computer:    DELL-650
    Description:
    The Windows Firewall has detected an application listening for incoming traffic.
     
    Name: AboutTime cient/server
    Path: C:\Program Files\~L-folder\Lutus,Paul\AboutTime\AboutTime.exe
    Process identifier: 2260
    User account: Administrator
    User domain: DELL-650
    Service: No
    RPC server: No
    IP version: IPv4
    IP protocol: UDP
    Port number: 1658
    Allowed: Yes
    User notified: No

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    ----------

     

    - which is caused by a once-per-minute NNTP time check being executed by: C:\Program Files\~L-folder\Lutus,Paul\AboutTime\AboutTime.exe

     ... but I still don't understand why Windows Firewall is reporting this.   AboutTime was started at 1042 - well after the system was booted, and certainly well after OA started at 10:15.
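An added example, not from the original post: a small Python script that parses Event ID 861 records in the text layout quoted above (the same layout reappears in the boot-stall post further down) and tallies them per path, PID, protocol, port and Allowed flag, so a burst of several records per second can be attributed to a single listener instead of being read one record at a time. The record template and the sample records are constructed from the fields quoted above; the function names are mine.

```python
"""Tally Windows XP Security-log Event ID 861 records by listening process.

Added example (not from the original post). Event 861 is the audit quoted above:
"The Windows Firewall has detected an application listening for incoming traffic."
At 2-6 records per second the log is unreadable one record at a time, so this
groups records by path, PID, protocol, port and the Allowed flag. The sample
records are constructed from the fields quoted in the post.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Records in the post's pasted export are separated by a line of dashes.
RECORD_SEP = re.compile(r"^-{5,}\s*$", re.MULTILINE)
# "Key:   value" lines; the key class excludes commas, so the footer sentence
# ("For more information, see ...") is not mistaken for a field.
FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*?):[ \t]*(.*?)\s*$")

# Hypothetical template reproducing the layout of an exported 861 record.
TEMPLATE = """\
Event Type:    {etype}
Event Source:    Security
Event Category:    Detailed Tracking
Event ID:    861
Date:        10/07/2013
Time:        {time}
User:        {domain}\\{account}
Computer:    DELL-650
Description:
The Windows Firewall has detected an application listening for incoming traffic.

Name: {name}
Path: {path}
Process identifier: {pid}
User account: {account}
User domain: {domain}
Service: {service}
RPC server: No
IP version: IPv4
IP protocol: {proto}
Port number: {port}
Allowed: {allowed}
User notified: No

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
"""

SVCHOST = dict(etype="Failure Audit", domain="NT AUTHORITY", account="NETWORK SERVICE",
               name="-", path=r"C:\WINDOWS\system32\svchost.exe", pid="1124",
               service="Yes", proto="UDP", port="52814", allowed="No")
ABOUTTIME = dict(etype="Success Audit", domain="DELL-650", account="Administrator",
                 name="AboutTime cient/server",
                 path=r"C:\Program Files\~L-folder\Lutus,Paul\AboutTime\AboutTime.exe",
                 pid="2260", service="No", proto="UDP", port="1658", allowed="Yes")

# Constructed sample: three svchost records within two seconds, then one AboutTime record.
SAMPLE_LOG = "----------\n".join([
    TEMPLATE.format(time="11:01:26", **SVCHOST),
    TEMPLATE.format(time="11:01:26", **SVCHOST),
    TEMPLATE.format(time="11:01:27", **SVCHOST),
    TEMPLATE.format(time="11:03:01", **ABOUTTIME),
])

Key = Tuple[str, str, str, str, str]  # (path, pid, protocol, port, allowed)


def parse_records(text: str) -> List[Dict[str, str]]:
    """Split exported text into records and map each 'Key: value' line to a dict."""
    records = []
    for chunk in RECORD_SEP.split(text):
        fields: Dict[str, str] = {}
        for line in chunk.splitlines():
            m = FIELD.match(line.strip())
            if m:
                fields[m.group(1)] = m.group(2)
        if fields.get("Event ID"):
            records.append(fields)
    return records


def listener_report(text: str) -> List[Tuple[Key, int]]:
    """Count Event 861 records per (path, pid, protocol, port, allowed), busiest first."""
    counts: Counter = Counter()
    for rec in parse_records(text):
        if rec.get("Event ID") != "861":
            continue
        counts[(rec["Path"], rec["Process identifier"], rec["IP protocol"],
                rec["Port number"], rec["Allowed"])] += 1
    return counts.most_common()


if __name__ == "__main__":
    for (path, pid, proto, port, allowed), n in listener_report(SAMPLE_LOG):
        print(f"{n:4d}  pid {pid:>5}  {proto}/{port:<5}  allowed={allowed:<3}  {path}")
```

Pasting a longer stretch of the exported Security log in place of SAMPLE_LOG gives the per-listener breakdown for a real capture.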

     

     

     

     

     


  2. I hope you read this first...   I think you can ignore the stuff I posted above.   I installed the demo version.  It demonstrates the problem too.

     

    Specifically, what I did was:

      - backed up my existing install, exported the registry keys that describe my app, renamed the folder my real version is in
        and renamed the registry key hierarchy that my real version uses

      - ran installer for demo version and accepted all defaults

      - ran demo version from Start - Programs shortcut and checked I really was using V1.6.1 - yes

      - initial experiments to have the demo open files failed for me, until I found

        HKEY_CLASSES_ROOT\Applications\KEDITW32.exe\shell\open\command

        which still pointed at the sidelined executable - changed that to point at the demo one.

     

    Now I can edit a specific file with the demo app ok; used Open With to set the demo version as the app of choice for

    both .txt and .txtplain files - it works fine for single files I double-click.

     

    I then selected a pair of .txt files in WE, r-clicked the selection and chose "Open".  Only one file opened and OA's log said:

     

    Created:      08/07/2013 13:27:10
    Summary:      Program Guard: kernel event
    Description:  OADriver: PostMessage, 152 -> 640, Msg: 2034/7f2 - Deny (watched)
    Event type:   Kernel event(26)
    Event action: None(1)
    Processes:
      PID:     152    Name: KEDITW32.exe
      PID:     640    Name: KEDITW32.exe

     

    I then shut kedit and tried fairly rapidly double-clicking a whole set of individual .txt files one after another.

    The first time, I clicked 6 of them, and 1 failed to load.

     

    I did this again with 12 files - 8 loaded and OA reported 4 kernel events.


  3. Despite taking nvsvc32.exe out of startup the stalls have continued, though their nature might have changed.  I started running SysInternals' ProcessExplorer instead of MS's task manager, trying to get more info about what the system is doing...  But at the point where the system is stalled - when I'd previously noted that normal startup actions weren't completing with visible results, but their processes were listed by TM... I'm finding that PE is only partially starting.  Its window frame & furniture are being drawn but neither its window background nor meaningful data are being drawn.  Maybe that implicates the nvidia drivers still?

     

    If, as Fabian suggested, something is triggering lots of behaviour blocker events, would one not expect these events to be logged somewhere?  

     

    In EAM's Guard - Behaviour Blocker tab, I have all options ticked.  

     

    If the problem does lie somewhere in the nvidia drivers, I find it hard to believe that they wouldn't continue to cause a problem for the whole time the machine is up.

     

     

    Fabian also said "and look for anything that you have configured to start automatically."   - Which types of things started automatically are significant here?  

     

     

    I just looked at OA's definitions related to Process Explorer.  It's Trusted/Normal in the Programs list, though I noticed that 'PROCEXP152.SYS' was listed as Unknown/Normal, and I've changed that to Trusted/Normal.  OA's log shows some kernel events each time PE starts; I think it's bits of OA being protected from PE's gaze, and since PE itself seems to start fine after its initial start has stalled, maybe irrelevant.    Maybe PE's initial start - when presumably the PROCEXP152.SYS driver gets loaded will work differently (ie better) now that I've marked that Trusted too. 


  4. Hi.  Thank-you for all the effort you're making.   OA is 6.0.0.1736 without betas enabled; EAM is 8.0.0.10 without betas enabled.

     

    Kedit is a hugely configurable beast.  Normally I ran it in "instance single" mode, that is the app would try to ensure only one version was active (by passing messages about new edit activity to an existing running copy), and that's the problem scenario.  The vendor has suggested a workaround "set instance multiple" which allows many instances of the app to run.  This is much less convenient as I get zillions of edit windows all over the screen but at least an edit window does open reliably when I click on a file.

     

    In your test version, issue the command "q instance" from the command line; I expect it will say "instance single" as I think that's the default.  If by any chance you've somehow got 'multiple' set, change it with "set instance single".  That config value gets saved in the registry (which is unusual for the app) so the app can access it when starting an instance.

     

    In your experiments, are you repeatedly trying to edit multiple files - either by selecting multiples in a Windows Explorer window, right-clicking and choosing the default 'Edit' option or an explicit "Edit with Kedit" which you'd need to define with

     

       HKEY_CLASSES_ROOT\*\shell\Edit with Kedit\command

           (Default)   REG_SZ   "C:\Program Files\~M-folder\MansfieldSoftware\KEDITW16\KEDITW32.exe" "%1"

     

     

    ... or by double-clicking files when your single instance of kedit is already running (so it will add another file to its 'ring' of active files - not a tabbed interface but broadly equivalent), or by right-clicking and choosing 'Edit with Kedit' those separate files...  (If an instance of kedit has more than one file in its ring of files, the "Files=n" count in the statusline at the foot of the screen will show that - though you won't necessarily have a statusline yet, we'll come to that).  Also there will be two toolbar icons with clockwise and anti-clockwise square rings of arrows un-greyed, enabling one to travel back & forth around the ring of files.  Also "q ring" will list the files currently loaded.

     

     

    Kedit will look in a specific directory for macros (scripted commands), and in particular for a file called winprof.kex which will (if set up to do so) be executed at the startup of the kedit app, or possibly at the start of every edit of every file (which is what I have, so that changes I make in winprof.kex take immediate effect on files I next edit). Commands issued in winprof can affect the whole application 'ie be global', or be set per-file being edited, or per-view of any files being edited.  I'll attach my copy of winprof.kex so you can have the same setup active.  On second thoughts, as winprof calls some other macros and refers to other definition files I'll attach a zipped copy of the essential ones.

     

    So what do you do with these?

     

    Clearly kedit needs to be told where to look for macros - a command issued from winprof.kex is no use, because it won't find winprof.kex unless it looks in the right place...  I have an option set  "set macropath jn_ked_macs"   and have defined JN_KED_MACS   in control panel - system - advanced - environment variables to point at the folder in which I keep kedit macros.  Unlike most 'set thing' commands which can just be issued from the commandline, this option needs to be set within the app and then the app needs to be told to write that option (only) to the registry.  So...   start kedit, select Option - Set Command....  then set Category to Macro; highlight the macropath item in the list of items underneath that.   Choose environment variable and define the name of the one you want to use for your macros folder.   Finally click 'Save Setting'.   Shut kedit, reopen it and check via "q macropath" in the commandline that the right option is being used.

     

    Put all the files that I'll attach (in a few minutes) in your macros directory.


  5. Thanks for such a quick reply.

     

    In EAM's whitelist I only have 6 entries, four being the recommended parts of OA.  The 5th entry, only added today, is for DbgView.exe.  The remaining one is C:\windows\system32\nvsvc32.exe  - which is something to do with nVidia. 

     

    I've a three monitor system driven by a pair of nVidia graphics cards (one card can drive a pair of very high-res screens, but I use it just to drive one central 24" screen).  The other card can drive up to 4 lower-res screens and is driving a pair of 19" screens.  When I installed their drivers there were some screen-control things that came too.  I really don't know which of the nv-prefix things are essentials.  Certainly nvsvc32.exe is listed under task manager.  The central screen can pivot from landscape to portrait mode, and the nvidia drivers can rotate the images on each screen separately. 

     

    There are other n-files.  OA lists several, all 'trusted' -

    C:\WINDOWS\system32\NvCpl.dll          - NVIDIA Display Properties Extension, 6.14.10.9136, (6.14.10.9136)
    C:\WINDOWS\system32\nview.dll
    C:\WINDOWS\system32\NvMcTray.dll    - NVIDIA Media Center Library, 6.14.10.9136, (6.14.10.9136)
    C:\WINDOWS\system32\nvsvc32.exe    - NVIDIA Driver Helper Service
    C:\WINDOWS\system32\nvwdmcpl.dll
    C:\WINDOWS\system32\nwiz.exe

     

    In msconfig's "Services" tab, there's a mention of NVIDIA DISPLAY DRIVER SERVICE, which is the nvsvc32.exe  according to CP - Admin Tools - Services.

     

    In msconfig's startup list there are several nvidia entries - NvCpl, nwiz, nvmctray

     

     

    I have two other XP machines, though only one of them is at this house and is being used often.  It has the same mix of applications on it (and nearly the same OA exclusions and EAM whitelist), but none of the nvidia stuff.  It doesn't stall at logon.    The machine that does stall also has a shutdown problem, and often I get Windows' warnings for things that are refusing to close in the expected time span - and these seem to be for some kind of nvidia application - "TwinView Window" - which I guess is an invisible window that is representing an app intercepting keyboard shortcuts etc.  I did search nvidia forums a week or two ago and found a lot of people have had this closedown issue, but no sign that nvidia had taken any interest let alone fixed it.

     

    It doesn't seem to me that I can stop essential nvidia drivers etc from being present as I boot.  The issue must therefore be whether any of the Startup actions are unnecessary.   I googled; there seems to be some doubt what nvsvc32.exe actually does.  After you discount the rumours of it being malware and people (who don't have nvidia gfx cards) discovering they can get rid of it, I did find some reports that it really isn't needed for day-to-day use of nvidia cards.  I've seen one suggestion that it's mainly used to help Windows install new gfx drivers, and another suggestion that it may actually be the cause of my TwinView shutdown issues.  So for now I've stopped it in CP - Admin Tools - Services, and changed it from Automatic to manual.  I've also unticked it in the msconfig - services tab.   Assuming that my machine still works, I'll update this thread in a few days with progress info.

     

    Thanks for your help.


  6. Going back to the .txt files issue:   I have renamed about 7500 .txt files, making them .txtplain  and associated those with Kedit, and reset the association of .txt to Notepad.   I've also changed umpteen programs that read or generated .txt files to use .txtplain instead.  Hopefully as time goes on I'll find the ones I've missed.   The renaming was done by a utility, but I had to be careful where I pointed it as clearly I did not want to rename any .txt file that's inside anyone else's application, or gets read/written by other people's applications.


  7. Win XP Pro SP3, up-to-date fixes.  Intel Xeon 2 cpus, hyperthreading.

     

    I first noticed this problem 2-3 weeks ago, and it occurs on maybe 2/3 boots of this machine.  Having v8 installed has made no difference.

     

    Symptom is that after I login to the Windows desktop, I see usual startup apps (like Dropbox) start, plus Task Manager (which happens because of a user startup folder shortcut).  Some of the other startup actions are to display various 'ToDo' lists onscreen, using my text editor, and start the Network Connections control panel applet.  I see from TM that eg Keditw32.exe is running, but consuming no cpu and no dialog panels arrive on screen.  CP's NC display does not open. 

     

    Meantime, a2service.exe is 25% cpu busy (ie one core) and it stays like that for many minutes with nothing else happening.  I have found that sometimes ending explorer.exe in TM and restarting it fixes the problem, but more often - and less disruptive - I have found that using EAM's systray menu to disable all guards, and enable them again a couple of seconds later brings the whole machine back to life.  As soon as this is done a2service.exe's cpu usage drops to 0% or near there.

     

    While these foreground activities fail to run, background stuff, eg Dropbox's indexing activities, or ooRexx execs I run under Scheduled Tasks all start and run ok.

     

    For a while I've had the impression that the precise timing of EAM gathering new malware sigs might be implicated in this and other slow boots.

     

    On 22 June I gathered as much info as I could.  I have an ooRexx exec that runs as soon as user login has happened (triggered from startup folder) and it recorded:

     

    20130622 07:17:49.109000 Executing: Actions_triggered_from_user's_Startup-Folder.rexh                                  
    20130622 07:17:49.109000   pid=3564 prio=NORMAL Create: 2013/06/22 7:17:47:218  Kernel: 0:00:00:265  User: 0:00:00:093
    20130622 07:17:49.109000   tid=3576 prio=NORMAL Create: 2013/06/22 7:17:47:265  Kernel: 0:00:00:281  User: 0:00:00:078
    20130622 07:17:49.109000                                                                                               
    20130622 07:17:49.109000 ending; began: 20130622 07:17:49.000000, logstart: 20130622 07:17:49.109000.                  
    20130622 07:17:49.109000 .                                                                                             
     

     

    Meanwhile EAM's update log contained:

     

    Update Started    Update Ended    Result    Type
    22/06/2013 01:48:19    22/06/2013 01:48:43    Update successful    Automatic update
    22/06/2013 00:53:19    22/06/2013 00:54:09    Update successful    Automatic update
    21/06/2013 23:58:19    21/06/2013 23:58:46    Update successful    Automatic update
    21/06/2013 23:03:20    21/06/2013 23:03:51    Update successful    Automatic update
    21/06/2013 22:08:20    21/06/2013 22:08:50    Update successful    Automatic update
    21/06/2013 21:13:20    21/06/2013 21:13:49    Update successful    Automatic update
    21/06/2013 20:18:21    21/06/2013 20:18:53    Update successful    Automatic update
    ...

    which appears to show that no update has occurred as the machine started - quite unusual.  But the tooltip text on the EAM systray icon said that the last update had occurred at "22/06/13 7:18"   - I wonder why the update log didn't show that?

     

    This was with eam 7.0.0.25
       emsisoft engine 3.0.0.581
       bitdefender 11.0.1.6  

     

    Now the EAM log showed:

     

    Emsisoft Anti-Malware - Version 7.0
    IDS log

    Date    PID    Source    Event    Behavior/Infection
    22/06/2013 07:37:00    3580    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.Spyware
    22/06/2013 07:37:00    2404    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.Spyware
    22/06/2013 07:37:00    3580    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.NewProcess
    22/06/2013 07:37:00    2404    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.NewProcess
    22/06/2013 07:36:01    948    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.Spyware
    22/06/2013 07:36:01    3364    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.Spyware
    22/06/2013 07:36:00    3364    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.NewProcess
    22/06/2013 07:36:00    948    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.NewProcess
    22/06/2013 07:35:00    3112    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.Spyware
    22/06/2013 07:35:00    2760    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.Spyware
    22/06/2013 07:35:00    3112    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.NewProcess
    22/06/2013 07:35:00    2760    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.NewProcess
    22/06/2013 07:34:05    2692    C:\Program Files\~L-folder\Lutus,Paul\AboutTime\AboutTime.exe    Allowed by rule    Behavior.Spyware
    22/06/2013 07:34:00    1256    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.Spyware
    22/06/2013 07:34:00    2772    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.Spyware
    22/06/2013 07:34:00    1256    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.NewProcess
    22/06/2013 07:34:00    2772    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.NewProcess
    22/06/2013 07:24:01    1332    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.Spyware
    22/06/2013 07:24:00    2224    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.Spyware
    22/06/2013 07:24:00    1332    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.NewProcess
    22/06/2013 07:24:00    2224    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.NewProcess
    22/06/2013 07:23:01    808    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.Spyware
    22/06/2013 07:23:00    3428    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.Spyware
    22/06/2013 07:23:00    808    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.NewProcess
    22/06/2013 07:23:00    3428    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.NewProcess
    22/06/2013 07:22:01    3800    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.Spyware
    22/06/2013 07:22:01    112    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.Spyware
    22/06/2013 07:22:00    112    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.NewProcess
    22/06/2013 07:22:00    3800    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.NewProcess
    22/06/2013 07:21:01    1412    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.Spyware
    22/06/2013 07:21:01    3516    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.Spyware
    22/06/2013 07:21:00    1412    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.NewProcess
    22/06/2013 07:21:00    3516    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.NewProcess
    22/06/2013 07:20:01    2204    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.Spyware
    22/06/2013 07:20:01    2148    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.Spyware
    22/06/2013 07:20:00    2204    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.NewProcess
    22/06/2013 07:20:00    2148    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.NewProcess
    22/06/2013 07:18:19    1664    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.Spyware
    22/06/2013 07:18:18    276    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.Spyware
    22/06/2013 07:18:17    1368    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.Spyware
    22/06/2013 07:18:17    1664    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.NewProcess
    22/06/2013 07:18:00    276    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.NewProcess
    22/06/2013 07:18:00    1368    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.NewProcess
    22/06/2013 07:17:48    3564    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.Spyware
    22/06/2013 07:17:47    3564    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.NewProcess
    22/06/2013 01:53:00    1744    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.Spyware
    22/06/2013 01:53:00    2152    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.Spyware
    22/06/2013 01:53:00    1744    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.NewProcess
    22/06/2013 01:53:00    2152    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.NewProcess
    22/06/2013 01:52:00    3776    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.Spyware
    22/06/2013 01:52:00    1984    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.Spyware
    22/06/2013 01:52:00    3776    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.NewProcess
    22/06/2013 01:52:00    1984    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.NewProcess
    22/06/2013 01:51:00    3896    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.Spyware
    22/06/2013 01:51:00    3548    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.Spyware
    22/06/2013 01:51:00    3896    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.NewProcess
    22/06/2013 01:51:00    3548    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.NewProcess
    22/06/2013 01:50:00    3124    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.Spyware
    22/06/2013 01:50:00    2652    C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe    Allowed by rule    Behavior.Spyware  

     

    and you can see that nothing happened between 0724 and 0734 - when boot was stalled.  Incidentally I think it would be useful if there were entries written to the log when one intentionally disables/enables guards - which happened at 0734 to make the machine do something.

     

    OA's log:

     

    OA log
    Type,Date/Time,Action,Description,Misc
    Screen logger detected: rexxhide.exe,22/06/2013 07:33:00,Allowed,C:\My Dropbox\Programs-DL650\~open-source ooRexx V4-1-1\rexxhide.exe
    Program Guard: kernel event,22/06/2013 07:33:00,None,"OADriver: SendMessage, 2564 -> 436, Msg: 49420/c10c - Deny (watched)",2564 - rexxhide.exe 436 - csrss.exe
    Program Guard: kernel event,22/06/2013 07:24:56,None,"OADriver: OpenProcess, 2308 -> 2744 - Deny (protected)",2308 - rundll32.exe 2744 - oaui.exe
    Program Guard: kernel event,22/06/2013 07:24:56,None,"OADriver: CreateKey, PID: 2308, Act:  1, Idn: 0, Mask: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum - Deny (rule)",2308 - rundll32.exe
    Program Guard: kernel event,22/06/2013 07:24:56,None,"OADriver: CreateKey, PID: 2308, Act:  1, Idn: 0, Mask: \REGISTRY\USER\S-1-5-21-507921405-838170752-682003330-500\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum - Deny (rule)",2308 - rundll32.exe
    Program Guard: kernel event,22/06/2013 07:17:45,None,"OADriver: OpenProcess, 2308 -> 2744 - Deny (protected)",2308 - rundll32.exe 2744 - oaui.exe
    Screen logger detected: nview.dll,22/06/2013 07:17:43,Allowed,C:\WINDOWS\system32\nview.dll
    Program Guard: kernel event,22/06/2013 07:17:43,None,"OADriver: SendMessage, 2308 -> 436, Msg: 49420/c10c - Deny (watched)",2308 - rundll32.exe 436 - csrss.exe
    Service started,22/06/2013 07:16:54,None,C:\Program Files\Online Armor\oasrv.exe
    System boot,22/06/2013 07:16:54,None,System boot at: 22/06/2013 07:16:07
    System shutdown,22/06/2013 01:53:32,None,System shutdown at: 22/06/2013 01:53:32

     

     

    There was nothing in Event Logs for Application or System, but Security log shows regularly scheduled rexx execs starting and ending
    every minute during the stalled period, then at 07:32:13

    Event Type:     Success Audit
    Event Source:   Security
    Event Category: Detailed Tracking
    Event ID:       593
    Date:           22/06/2013
    Time:           07:32:13
    User:           NT AUTHORITY\SYSTEM
    Computer:       DELL-650
    Description:
    A process has exited:
            Process ID:     1252
            Image File Name:        C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
            User Name:      DELL-650$
            Domain:         NET14MA
            Logon ID:               (0x0,0x3E7)  

     

    (I don't know what that was, or if it was relevant.)

     

     

     

    I also noticed the Security event log had quite a lot of events saying the Windows Firewall had noticed something or other - why's it in use when OA is up?   eg

    Event Type:     Failure Audit
    Event Source:   Security
    Event Category: Detailed Tracking
    Event ID:       861
    Date:           22/06/2013
    Time:           07:44:12
    User:           NT AUTHORITY\NETWORK SERVICE
    Computer:       DELL-650
    Description:
    The Windows Firewall has detected an application listening for incoming traffic.

    Name: -
    Path: C:\WINDOWS\system32\svchost.exe
    Process identifier: 1076
    User account: NETWORK SERVICE
    User domain: NT AUTHORITY
    Service: Yes
    RPC server: No
    IP version: IPv4
    IP protocol: UDP
    Port number: 52087
    Allowed: No
    User notified: No  

     

     

    None of that gave me any obvious clues.

     

     

    Today  when I had the system stall during boot, I tried bouncing explorer.exe again (just for a change) and that made no difference.  As usual, disabling guards did bring the machine to life.   I did notice that as well as a2service.exe being its usual 25% cpu busy, there was another .exe   SMSvcHost.exe also 20-25% busy; I don't know what that is...

     

    I decided to try to collect some trace info.  I've already got DebugView, so defined it in EAM's process whitelist.  I set the registry key that enables trace output.  Because this is a boot-time problem I started DbgView and set its Capture - Log Boot option so any output during boot would be buffered.

     

    The first time I rebooted after this, the boot did stall & disabling guard did wake it up.  But DbgView froze when I started it.

     

    The second time I rebooted, there was no stall, guards were still off, a2service.exe cpu use was low.  I enabled guards, reset the 'capture boot log' option and rebooted.

     

    On this third boot, there was no stall.

     

    I reset things and rebooted, and again - no stall.

     

    Each shutdown/reboot cycle takes me about 15 mins, especially if I'm making notes.  I can't predict when there's going to be a stall and when there won't be, and I've not been able to get DebugView buffered output in any stall situation (though I have seen it for boots that have had no problem). 

     

    I've spent enough time on this today - have to do something else now - do you have any suggestions for how I might find out why a2service.exe sometimes goes mad as I boot?


  8. Certainly with Kedit, you can find various commands in the GUI, but no-one who knows the editor would ever bother opening a dialog pane, clicking on various fields and buttons to do something when, say, they could press Home (to get the caret on the command line) then type: c/this value/that value/ 6 *         to change this value to that value every time it occurs (*) on this line and the next 5.  Or eg to make a change on all lines up to the one with "Piggle" on it:   c/a/b/ /Piggle/      There are loads of commands whose syntax and options you need to learn, but having done that - in 1982-3 for Xedit and thus Kedit - one can do it without thinking.  And you don't need to take your hands off the keyboard.   Macros (written in Kexx) can be run from the command line too, so for eg to run my 'ttwunate.kex' macro I'd type: ttwunate tidy   or ttwunate edit   on the command line.  This macro reformats a CSV telephone bill downloaded from 18185.com; most times I run it I need to add more code to the macro, so ttwunate edit  opens the macro source in the editor, while ttwunate tidy  performs the tidying process.  I've used GUI text editors with macros before but generally to start a specific macro you have either to call up the macros list and pick one off a menu, or associate a keypress with it.  It's far quicker just to type one's name followed by whatever parms you need.  GUI macros tend to start then present a dialog box. There's a command history (like in consoles) on the command line so you can quickly bring back a previously entered line and reuse it.

    A major feature is the "all" command; if you're editing a file with - perhaps - millions of lines (eg a log file) - all /something or other/   will hide from display lines that do not include that text.  You can then hide more of them by eg   less /this string/  or bring back some with   more /this is interesting/     You end up with only the lines you're interested in being displayed.  Subsequent commands, eg a c/a/b/ act only on the visible lines.  You get the whole lot back by: all.    So for example to get a list of procedure definitions you only need   all/def proc/  etc.   It's not quite the same as folding though it has some aspects in common.   You can also work on restricted ranges of lines or only certain columns within a line quite easily.  The display doesn't need to show columns 1-n of each line either; you can set it eg to show cols 1-10 then 70-83 then 12-15 then 1-10 again... if that suits you.  Hiding columns is a good way of preventing accidental changes to their data and it also means that you can work on data that's widely spaced across a line eg cols 1-30 and 903-945 keeping both in-view.


  9. The emulated mainframe editors - Kedit, THE 'The Hessling Editor', SPF/SE etc all mimic the record/line based data layout rather than the pc/unix approach which tends to be stream-based.  It's a different way of thinking.   They also all have a command line on them (I think a bit like Emacs) where one can directly type instructions to the editor (and eg to Windows' command shell)  They also have a 'prefix area' which allows commands which will affect lines or groups of lines in a file to be typed opposite the lines concerned.   The macros/scripts which one can write are (for some of these products) identical to the same macros that run under z/VM or z/OS.  SPF/SE's predecessor SPF/PC (not supported past year 2000) didn't just mimic the IBM ISPF editor, but the whole programming environment (sort of like an IDE).   Both of the IBM mainframe editors - Xedit & ispf edit are extremely versatile; it takes most people many months to learn how to use them to full effect, even before they start programming their own macros - and bear in mind that's been possible for maybe 35 years...   

    I don't need to be able to /edit/ unicode data, just view it.


  10. The programmer's editor is Mansfield Software's Kedit, based on an IBM mainframe tool, and long pre-dates Unicode.  I think most people who use Kedit have a mainframe background and are used to editing plain ansi/ascii text, in the same way that they used to edit plain EBCDIC text.  I think one of the markets for Kedit is for mainframe programmers whose files are transferred from mainframe to pc, edited in ebcdic, then transferred back to the mainframe...  There's never been a need for unicode support.

    You're right that my source files don't have a filetype of '.txt'; they'd instead be eg '.htm', '.css', '.rex'...    But having a powerful editor I'm used to using for those filetypes means I also want to use it for plain text... because the macros etc I've written which run under kedit can be used on the txt files too.  I suppose I could rename my plain text files to, say, '.txtplain' and associate Kedit with those, and NotePad with ordinary '.txt'.  


  11. I see your point, except that you imply that there's lots of potential filetypes involved... but surely there's just ".txt"?   (And I assume that since some of the other text files you generate are plain text, that the reason these particular files are Unicode is that they could contain special characters in the filenames described inside the reports?)

    If you really think there are lots of filetypes, then you could still provide a single option - a command to be issued instead of (I presume) 'running' the file, to be used when any file of any type is about to be 'run'.  Provided you allowed the users to dictate where in that command the target file's full path was to be inserted, users like me could have that mechanism run a bat file or something to do what we want with arbitrary files.  You'd not have to support different filetypes; it'd be our problem.


  12. With V7 if I conducted a scan then chose to view a report, EAM opened the folder containing the report files and I'd then right-click one and choose to open it in Notepad; maybe the same still works in v8 after a scan.

    But in the GUI, choosing Logs - Scan - (then selecting one) - then View Details   opens the txt file in (I assume) my default configured application for text files, which is a programmer's text editor that only supports ANSI text.   These logs are Unicode / UTF16 (or whatever the terminology is) and can't be displayed by an ANSI-text-only capable application.

    Obviously I'm not going to change the file association I have for .txt files; I need my own txt files to open in my preferred editor.

    It would be great if I could configure EAM and tell it always to use NotePad to open log files - indeed any text files - that it's opening on my behalf.

  13. I have to confess that the "16" in "\KEDITW16" is irrelevant.  It's my fault and only means I'd installed Kedit V1.6.

    Mansfield Software have replied about the csrss.exe issue saying:

    I'm not really familiar with CSRSS - it is certainly nothing that KEDIT knowingly makes use of, although Windows may make use of it behind the scenes when handling API calls that KEDIT makes. (Versions of KEDIT up through 1.6 - never tested 1.6.1 - would work OK on Windows 98 and Windows ME, which based on the Wikipedia article about CSRSS did not even include CSRSS.)

    They also commented on message-passing:

    You are right that when KEDIT starts up, it normally looks around to see if another copy is already running and if so passes control to that copy of KEDIT. The newly-started instance of KEDIT uses the Windows PostMessage API to send a message to the existing instance of KEDIT. (Command line and directory are passed to the existing instance of KEDIT by using GlobalAddAtom to create global atom table entries holding this info; the indices of these two global atom table entries are passed to the previously existing instance via the WPARAM and LPARAM parameters of the PostMessage API.)


  14. I've also read, see: http://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/csrssexe/26bba20c-2691-4d42-bec4-637436c53c4f that it's used for parts of "the 16-bit virtual MS-DOS environment".   Kedit's a program that's been around for a LONG time, and I do note that the version I use runs from a program: C:\Program Files\~M-folder\MansfieldSoftware\KEDITW16\Keditw32.exe   - I wonder if the "KEDITW16" part of that implies code running in some sort of 16-bit mode?