iondjp

Hidden Installer Behaviour

I witnessed a pop-up notification from Emsisoft. Here are the details...

2018-08-24 8:47:25 AM
Behavior Blocker detected suspicious behavior "HiddenInstallation" of "C:\Windows\Installer\MSI174C.tmp" (SHA1: 67ECD82937ED15C2159EA3892A07BA6ACB74179A)

2018-08-24 8:47:25 AM
A notification message "Suspicious behavior has been found in the following program: C:\Windows\Installer\MSI174C.tmp" has been shown

Now, coincidentally I have been monitoring windows updates and I see in the Windows Update History...

2018-08 Cumulative Update for Windows 10 Version 1803 for x64-based Systems (KB4343909) (9)

Last failed install attempt on 2018-08-23 - 0x80070157

So, is the EIS notification indicating a legitimate behavior block, or is it interfering with Windows Updates? I am confused because the last failed attempt of the Windows Update is 2018-08-23.

Incidentally, I have seen both the EIS behavior block and the Windows Update failure a number of times and I see 3 MSIxxxx.tmp files have been marked "Suspicious Behavior Quarantined by User" as well as 9 have been marked "Allowed by Anti-Malware Network, rule created".

I was going to attach here the C:\Windows\Installer\MSI174C.tmp file, but the folder C:\Windows\Installer does not even exist. Also strange, the EIS Quarantine tab does not list the MSI174C.tmp file, nor does it list one of the other files the log indicates was quarantined (MSIBE3E.tmp) on 2018-08-13.


Hi there,

I guess it's not from the Windows Update, but from another application. Maybe you were running a setup at that time, or there's an auto-update from an external application running in the background. This alert can indeed happen sometimes with legitimate applications, for example when the file is not digitally signed. However, without the actual file, I can't verify it. It's possibly not quarantined because the file was already deleted by the setup process.

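The transient file is the obstacle in both posts above: Emsisoft cannot assess a file it does not have, and the installer removes it before anyone can attach it. The Windows Installer service extracts embedded custom-action binaries into C:\Windows\Installer under names like MSI174C.tmp and deletes them when the install finishes; the folder itself carries the hidden and system attributes, so Explorer does not show it by default. The PowerShell script below is an added example, not code from the thread or from Emsisoft. It watches that folder and copies each new MSI*.tmp into a capture folder, recording the copy's SHA1 (to compare against the hash in the Behavior Blocker log) and its Authenticode signature status. The capture path C:\MsiCapture is an assumed, arbitrary choice.

```powershell
# Added example (not from the thread). Captures transient MSI*.tmp files that
# msiexec extracts into C:\Windows\Installer so they can be hashed, checked
# for a signature and submitted for analysis. Run from an elevated prompt and
# leave the session open; the watcher lives as long as the session does.

$Source  = 'C:\Windows\Installer'   # hidden system folder used by the Windows Installer service
$Capture = 'C:\MsiCapture'          # assumed destination; any local folder will do
New-Item -ItemType Directory -Path $Capture -Force | Out-Null

$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path   = $Source
$watcher.Filter = 'MSI*.tmp'
$watcher.IncludeSubdirectories = $false
$watcher.EnableRaisingEvents   = $true

$onCreated = {
    $captureDir = $Event.MessageData        # passed in below; action blocks do not see script variables
    $path = $Event.SourceEventArgs.FullPath
    $name = $Event.SourceEventArgs.Name
    $dest = Join-Path $captureDir ('{0:yyyyMMdd-HHmmss}-{1}' -f (Get-Date), $name)

    # The installer may still be writing the file, or may delete it within
    # milliseconds; retry the copy a few times before giving up.
    $copied = $false
    for ($i = 0; $i -lt 20 -and -not $copied; $i++) {
        try {
            Copy-Item -LiteralPath $path -Destination $dest -ErrorAction Stop
            $copied = $true
        } catch {
            Start-Sleep -Milliseconds 100
        }
    }

    $log = Join-Path $captureDir 'capture.log'
    if (-not $copied) {
        Add-Content -Path $log -Value ('{0} {1} vanished before it could be copied' -f (Get-Date -Format s), $name)
        return
    }

    # SHA1 matches the value Emsisoft prints in its log entry; a missing or
    # untrusted signature is one of the reasons the reply above gives for the alert.
    $sha1   = (Get-FileHash -LiteralPath $dest -Algorithm SHA1).Hash
    $sig    = Get-AuthenticodeSignature -LiteralPath $dest
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    Add-Content -Path $log -Value ('{0} {1} SHA1={2} Signature={3} Signer={4}' -f `
        (Get-Date -Format s), $name, $sha1, $sig.Status, $signer)
}

Register-ObjectEvent -InputObject $watcher -EventName Created `
    -SourceIdentifier MsiTmpCreated -Action $onCreated -MessageData $Capture | Out-Null

# To stop watching:  Unregister-Event -SourceIdentifier MsiTmpCreated
# To see results:    Get-Content C:\MsiCapture\capture.log
```

Keep the PowerShell window open across the reboot that triggers the alert is not possible, so start the watcher right after logging in, before the installer runs; the log records a "vanished" line for any file that was deleted faster than the copy loop could grab it. Note that the anti-malware product may quarantine the captured copy if it judges it malicious, which is itself a useful data point.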

This continues to happen whenever I restart Windows. I am still seeing Windows complaining that it could not finish installing an update. So, what recourse do I have? I do not have the experience to narrow my troubleshooting down. Is there something I could search for in the Event Viewer? Is there a trick in MSConfig to limit startup options to narrow down the culprit? I did look in the Task Manager startup options, but nothing jumps out at me.


Did you see any entries related to Windows Update being blocked in our Logs? Without the complete logs and copy of the blocked files, it's hard to verify it.

If you don't mind, I can forward this topic to our Support forum, so our support team can assist you to find out what was wrong.


I don't mind if you forward it to support forum. I would just like to know what is going on and that Windows 10 is up to date.

As far as the Windows Update being blocked... what should I look for? I saw again today that there were a number of items in the Emsisoft log showing Component=Scheduler & Action=Update "Downloaded and Installed". The system notified me of a required restart, which I allowed to happen. Upon login to my user account, I saw Emsisoft alert me: "Suspicious Behaviour "HiddenInstallation" of "MSIC461.tmp"".

If I was to click "Wait, I think this is safe" what would happen?


Ran the various troubleshooters for Windows Update. 

How can I determine what is launching the installer? In other words, is there a way for me to determine if it is part of the Windows Update process? Is it normal for Windows Update to run installer upon reboot after an update install?

What would happen if I click "Wait, I think this is safe?". Am I going to end up with a world of misery?


I don't know if it's possible in W10, but in earlier versions it's possible to turn on 'auditing' of the creation and termination of processes, so that each time a process is created a 'Security' event log record is created showing that creation, its command line, and what started it. This is in itself potentially a security risk because it means that anyone able to read that set of event logs can see the commands used to start things (perhaps including passwords etc.). If your system is a home one and no one else uses it, or a corporate one and you are authorised to see other users' secrets, then you may be able to turn this on.

I am the only user on my machine, and I have it enabled, because it makes diagnosis of problems in scripts I write easier. My machine is a W8.1 one, and it took me ages to find a way to turn the feature on on a non-enterprise version of Windows. I have no idea which versions of W10 allow the same thing.

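The auditing described in the post above exists on Windows 10 as well: Security event 4688 (process creation), with an optional field that includes the full command line. The PowerShell script below is an added example, not from the thread or from Emsisoft. It enables the setting with auditpol and the registry, which works on Home and Pro editions without Group Policy, and defines a function that lists every MSI*.tmp launch together with the process that created it. It assumes an elevated prompt (the Security log is not readable by standard users) and looks back one day by default.

```powershell
# Added example (not from the thread). Enables process-creation auditing with
# command lines and then reports who launched each MSI*.tmp. Elevated prompt
# required; the Security log is not readable by standard users.

# 1. Log successful process creation as Security event 4688.
auditpol /set /subcategory:"Process Creation" /success:enable | Out-Null

# 2. Include the full command line in each 4688 event (Windows 8.1 / 10).
#    Caveat from the post above: command lines may carry passwords or tokens,
#    and anyone who can read the Security log then sees them.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord

# 3. After the next reboot or update cycle, ask who started the MSI*.tmp files.
function Get-MsiTmpLaunches {
    param([datetime]$Since = (Get-Date).AddDays(-1))

    # Flatten each 4688 event's EventData into a hashtable keyed by field name.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $d = @{ Time = $_.TimeCreated }
            foreach ($field in $xml.Event.EventData.Data) { $d[$field.Name] = $field.'#text' }
            $d
        }

    foreach ($e in $events | Where-Object { $_.NewProcessName -like '*\Installer\MSI*.tmp' }) {
        # In 4688, 'ProcessId' is the *creator's* PID (hex) and 'NewProcessId' is
        # the child. Windows 10 also logs ParentProcessName; Windows 8.1 does not,
        # so fall back to the most recent 4688 that created that PID.
        $parentName = $e.ParentProcessName
        if (-not $parentName) {
            $parentName = $events |
                Where-Object { $_.NewProcessId -eq $e.ProcessId -and $_.Time -le $e.Time } |
                Sort-Object Time -Descending | Select-Object -First 1 |
                ForEach-Object { $_.NewProcessName }
        }
        [pscustomobject]@{
            Time        = $e.Time
            Process     = $e.NewProcessName
            User        = '{0}\{1}' -f $e.SubjectDomainName, $e.SubjectUserName
            ParentPid   = [convert]::ToInt32($e.ProcessId, 16)
            Parent      = $parentName
            CommandLine = $e.CommandLine
        }
    }
}

Get-MsiTmpLaunches | Format-List
```

Run steps 1 and 2 once, reboot, and call Get-MsiTmpLaunches after the next alert. A parent of msiexec.exe points at a Windows Installer package, and the parent chain of that msiexec instance (the same function, filtered on a different NewProcessName) tells you whether the Windows Update service or a third-party updater started it. Revert step 2 with Set-ItemProperty ... -Value 0 when you are done, for the reason the post gives.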
7 hours ago, iondjp said:

How can I determine what is launching the installer?

You should be able to find out with a tool like Process Hacker. By default it shows running processes in a tree view, where each process is listed as a child (or "branch" if you prefer) of its parent process (the process that executed it). This makes it very easy to see what executed what, and you can even hold your mouse over a process for a few seconds to see the command used to execute a particular process.

Note that you may need to select "Show details for all processes" in the "Hacker" menu in Process Hacker to see all of the information about processes that are running with Administrator or System rights.


I want to thank you for your efforts, but I installed Process Hacker and I just don't know where to start, and it leaves me just as (more) confused. How do I know which process is launching the installer? By the time I get Process Hacker started to sort and attempt to see what process is guilty, the installer shuts down and evaporates.

Is there nothing in the Event Manager that would reveal anything?

I am close to just doing a full backup and then letting the installer do its thing and see what happens.

Am I crazy to do so?

6 hours ago, iondjp said:

Am I crazy to do so?

If it's only happening during installing Windows Updates, then it's more than likely safe. That being said, Windows 10 does like to install extra stuff when installing updates (recommended apps, app updates, manufacturer apps, driver updates, etc), and you can use a tool like ShutUp10 to reconfigure Windows not to do that. At the very least I'd recommend turning off Windows Update via peer-to-peer (all 3 of them), downloading manufacturers' apps and icons, and Automatic driver updates. It's also not a bad idea to use the Actions menu in ShutUp10 to enable all of the recommended options, which disables most of the worst privacy-violating features in Windows 10 for you.

Just be certain you don't turn on the option shown in the following screenshot with a red box around it, as this will completely disable Windows Update on Windows 10:

[screenshot not reproduced]


Thank you GT500 for all your help. I give up. I have tried your suggestion of using ShutUp10 and, well, I don't see what it accomplished. I have disabled the malware protection and let the thing boot without intervention, but I still get frequent update failure notifications daily. Strange things that are above my pay grade and beyond my understanding. I am reluctantly accepting that this is just Microsoft using the trial and error method again to release updates.

It is not all updates that fail. In fact I don't understand a number of things I see. For example, why would I see

2018-09 Cumulative Update for Windows 10 Version 1803 for x64-based Systems (KB4457128)
Successfully installed on 2018-09-11

and then further up the history I see;

2018-09 Cumulative Update for Windows 10 Version 1803 for x64-based Systems (KB4457128) (4)
Last failed attempt on 2018-09-17 - 0x80070157

I thought it was already installed successfully?!?!?!

Then I don't see it again higher up on the list with a new date. Has Windows decided to give up trying to install it, or has Windows come to realize "oops", we already installed this one? Silly Windows.

I also notice even the Windows Defender Antivirus Definitions are failing sometimes.

Definition Update for Windows Defender Antivirus - KB2267602 (Definition 1.277.294.0)
Failed to install on 2018-09-29 - 0x8024000b


@iondjp - MS quite often release new versions of some updates, so they have the same title but slightly different contents. Windows Update will then install the newer one. In the particular case of KB4457128, Google shows that enough other people have had it install twice that there's discussion about why (though I didn't see any conclusive answers, but then again I didn't read every page that mentions it).

Also, some updates, e.g. the Malicious Software Removal Tool (KB890830), are different every month but the KB number doesn't change.


It's possible that the issue will be ironed out with the new 1809 update to Windows 10, however the tool at this link has a number of repairs it can run, including one for Windows Update. Note that you will need to turn off protection in Emsisoft Anti-Malware before running the tool (the Behavior Blocker will automatically quarantine some of the fixes).


Sorry for leaving this hanging. I have given up on this and decided that it is a Windows Update issue. I have read a number of articles about issues with recent Windows releases. Most notably, https://www.computerworld.com/article/3216425/microsoft-windows/microsoft-patch-alert-octobers-been-a-nightmare.html. Earlier this summer, I also went through several weeks of back and forth recovery to eliminate Blue Screen boot errors. I was pissed and I don't want to find myself back down that rabbit hole. Thank god for reliable backups. Here's a tip of the hat to 'EaseUS Todo Backup'.

So, for now I have prevented Windows from doing Auto Updates by setting my network adapter setting to 'Metered Connection'.

Most frustrating about this is the paragraph (below) from the article about the insane game of roulette that Microsoft is unapologetic about.

"Hard to believe that Windows 10 version rollouts could get any worse, but this month hit the bottom of a nearly bottomless barrel. Some folks who clicked “Check for updates” wound up with a brand spanking new copy of Win10 version 1809 — and all of the files in their \Documents, \Pictures, \Music, \Videos and other folders disappeared."

This reminds me of the B.S. that Microsoft made us suffer through back in the 1990s. ARRRGHHH!!!

Thanks all. 


I would believe Microsoft has since resolved the issue with missing files that some were experiencing after installing the October (1809) update, however you are correct that Microsoft's track record for problems with updates to Windows 10 is not very good thus far. Personally I use Acronis True Image to make an image of my hard drive before I install Windows Updates, that way if anything bad happens I can restore from the image and everything is as it was before installing Windows Updates.
