
[SOLVED] Vista Help Pls - Bad Install (and then some!)


Boggin:
You could use that Fixit to rename the tokens.dat to see if that resolves the not genuine.

Have you done an antimalware scan with something like the free version of MBAM - as something has changed the username.

RaveRocks:
As you'll see from the stuff I'm posting today, MBAM is currently installed.  There currently is no malware detected.  Currently.

I've just finished a review of the currently running apps and services on my PC from the perspective of their perceived 'Environments'.  One of the most useful tools is Process Explorer.  If you are not using it now, you should be.  One of the most useful debugging tools I've come across in a long time. 

Apologies for the long post, but I thought I should document my woes.  If nothing else, it has taught me lessons I didn't want to learn.  If nothing else, this exercise has shown how easy it is to screw up the registry and to keep the HELL away from it at all costs.  It is nice to have picked up some useful knowledge along the way.  I hope the following assists someone else and perhaps will turn on some light bulbs and more hints as to what to do next.  Lots of data to sift through, I know.  If you take the plunge, thank you for your future insights. 

----------------------------------------------------------------

Here is a list of my defined system variables that the Explorer.exe beast passes on to applications that the user chooses to start.  The variables that point to data locations provide these applications with places to dump temp data and also a place for them to store ini and setup data to be retrieved whenever the app or service is called upon.  Watch for the USERDOMAIN variable that points to classes of tasks and appropriate locations for these classes.

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\USERS\LARRY\AppData\Roaming
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=LARRY-PC
ComSpec=C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEPATH=c:\Users\LARRY
LOCALAPPDATA=C:\USERS\LARRY\AppData\LOCAL
NUMBER_OF_PROCESSORS=2
OnlineServices=Online Services
OS=Windows_NT
Path=C:\Windows\System32;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PCBRAND=Pavilion
PLATFORM=HPD
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 67 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=4302
ProgramData=C:\PROGRAMDATA
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=c:\USERS\Public
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Windows\system32\config\SYSTEM~1\AppData\Local\Temp
TMP=C:\Windows\system32\config\SYSTEM~1\AppData\Local\Temp
USERNAME=LARRY
USERPROFILE=C:\USERS\LARRY
windir=C:\Windows

==================================

Using Process Explorer, this is a look at the Environments of the Outer Shell of Windows Vista.

System Process
  said it had 4 Properties, but did not display them and errored when I tried to have Process Explorer move to other tabs.

Interrupts Process
  shows a blank window

smss Process

Path C:\Windows\System32
SystemDrive  C:
SystemRoot   C:\Windows

csrss.exe Process

ComSpec   C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK   NO
NUMBER_OF_PROCESSORS   2
OnlineServices   Online Services
OS   Windows_NT
Path   C:\Windows\System32
PATHEXT   .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PCBRAND   Pavilion
PLATFORM   HPD
PROCESSOR_ARCHITECTURE   x86
PROCESSOR_IDENTIFIER   x86 Family 15 Model 67 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL   15
PROCESSOR_REVISION   4302
SystemDrive   C:
SystemRoot   C:\Windows
TEMP   C:\Windows\TEMP
TMP   C:\Windows\TEMP
USERNAME   LARRY
windir   C:\Windows

winlogon.exe

SystemDrive   C:
SystemRoot   C:\Windows
TEMP           C:\Windows\TEMP
TMP           C:\Windows\TEMP
USERNAME   LARRY
USERPROFILE   C:\Windows\system32\config\systemprofile

wininit

USERNAME Larry
USERPROFILE C:\Windows\system32\config\systemprofile
TEMP   C:\Windows\TEMP
TMP   C:\Windows\TEMP
Path   C:\Windows\System32
ALLUSERSPROFILE   C:\ProgramData

services.exe

ALLUSERSPROFILE   C:\ProgramData
CommonProgramFiles   C:\Program Files\Common Files
COMPUTERNAME   LARRY-PC
ComSpec   C:\Windows\system32\cmd.exe
Path   C:\Windows\System32
ProgramData   C:\ProgramData
ProgramFiles   C:\Program Files
PUBLIC   C:\Users\Public
SystemDrive   C:
SystemRoot   C:\Windows
TEMP   C:\Windows\TEMP
TMP   C:\Windows\TEMP
USERNAME   LARRY
USERPROFILE   C:\Windows\system32\config\systemprofile
windir   C:\Windows

==========================================

That is the outer shell of Windows Vista, otherwise known as Gates's Folly Number 3.
A setting somewhere is hijacking the TEMP and TMP Public variables that are being set and 'hard coded' by the user.  Also, the USERPROFILE SYSTEM variable is being set by a call to Systemprofile.  That's all well and good, just as long as it returns the proper value to whatever process is asking for it.  Jumping into another Windows level, here's a look at the programs running in Explorer.EXE

Explorer.Exe

ALLUSERSPROFILE   C:\ProgramData
APPDATA   C:\USERS\LARRY\AppData\Roaming
CommonProgramFiles   C:\Program Files\Common Files
COMPUTERNAME   LARRY-PC
ComSpec   C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK   NO
HOMEPATH   c:\Users\LARRY
LOCALAPPDATA   C:\USERS\LARRY\AppData\LOCAL
NUMBER_OF_PROCESSORS   2
OnlineServices   Online Services
OS   Windows_NT
Path   C:\Windows\System32;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT   .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC

ProgramData   C:\PROGRAMDATA
ProgramFiles   C:\Program Files
PUBLIC   c:\USERS\Public
SESSIONNAME   Console
SystemDrive   C:
SystemRoot   C:\Windows
TEMP   c:\Users\Larry\AppData\Local\Temp
TMP   c:\Users\Larry\AppData\Local\Temp
USERNAME   LARRY
USERPROFILE   C:\USERS\LARRY
windir   C:\Windows


HP Connections.exe

(same as Explorer.EXE, but adds)
bwrootdatapath   C:\Program Files\HP Connections\6811507\Users\Default\


firefox.exe

(same as Explorer.EXE, but adds)
MOZ_CRASHREPORTER_DATA_DIRECTORY   C:\Users\Larry\AppData\Roaming\Mozilla\Firefox\Crash Reports
MOZ_CRASHREPORTER_EVENTS_DIRECTORY   C:\Users\Larry\AppData\Roaming\Mozilla\Firefox\Profiles\nsb978da.LrB\crashes\events
MOZ_CRASHREPORTER_RESTART_ARG_0   C:\Program Files\Mozilla Firefox\firefox.exe
MOZ_CRASHREPORTER_STRINGS_OVERRIDE   C:\Program Files\Mozilla Firefox\browser\crashreporter-override.ini


hpwuSchu2.exe
msseces.exe
hpsysdrv.exe
issch.exe
jusched.exe
ehtray.exe
CCleaner.exe
hpfohmr08.exe
hpotdd01.exe
notepad.exe
procexp.exe
kbd.exe


And not too surprisingly, the above EXE files, running 'inside' Explorer, all had identical Environments as Explorer.Exe

MSASCui.exe
This EXE runs piggy-back on Explorer and inherits its Environment from Explorer.EXE as well and adds a few of its own.

MpConfig_ProductAppDataPath   C:\ProgramData\Microsoft\Windows Defender
MpConfig_ProductCodeName   AntiSpyware
MpConfig_ProductPath   C:\Program Files\Windows Defender
MpConfig_ProductUserAppDataPath   C:\USERS\LARRY\AppData\Local\Microsoft\Windows Defender
MpConfig_ReportingGUID   0CA2C2EE-C5BE-4E71-8B03-B4603DF77DAB
mydocuments   C:\USERS\LARRY\Desktop


deluged.exe

Weirdly, this Torrent client has the same 4 environment variables added by Firefox, but otherwise its environment is identical to Explorer.exe.  (Worth exploring and testing the order of loading after a reboot.)

MOZ_CRASHREPORTER_DATA_DIRECTORY   C:\Users\Larry\AppData\Roaming\Mozilla\Firefox\Crash Reports
MOZ_CRASHREPORTER_EVENTS_DIRECTORY   C:\Users\Larry\AppData\Roaming\Mozilla\Firefox\Profiles\nsb978da.LrB\crashes\events
MOZ_CRASHREPORTER_RESTART_ARG_0   C:\Program Files\Mozilla Firefox\firefox.exe
MOZ_CRASHREPORTER_STRINGS_OVERRIDE   C:\Program Files\Mozilla Firefox\browser\crashreporter-override.ini

And this explains why I'm able to call most executables and use computer functions like file copying, DVD burning, USB support, Internet, etc., because Explorer is providing a safe work space.  It's when one of these applications uses system calls that refer to another 'level' of Windows Vista, the Services.

=============================================================

Now the fun begins.  Services are really messed up on my HP Pavilion and some of them for quite some time, so please do not use the following as a guideline, because the memory variables at each level seem to be conflicting and that has to be pointing to settings in an external ini or dat file, which are scattered everywhere you look; at least you'll find them if you turn 'Hidden and System' files ON in your Searches.  I'm hoping that by unravelling a bit of the mystery in words and print, I might come up with a way out of my conundrum, as my 'NEW' PC may be months away, unless some rich benefactor feels compassion and rises above the ordinary and becomes a Prince or Princess in my life.

For the purposes of this document, I'm going to group them in much the way Explorer has set up an environment for applications to Inherit.  Danger Will Robinson.  Danger!  He who programs system calls outside its Windows Vista 'layer'

Just a reminder that Services.exe is responsible for this layer of Windows Vista and that it inherits from Wininit.exe and from the outer shell.  The main discrepancies that differ from the environment that Explorer.EXE provides include the following memory variables:

TEMP  C:\Windows\TEMP
TMP  C:\Windows\TEMP
USERNAME  LARRY
USERPROFILE C:\Windows\system32\config\systemprofile

Get ready. It's going to be a BUMPY night.

svchost.exe [0 instance] - - where it all starts

Just a few words of scorn about this service that has heard every swear word directed at it in every language around the world ever since some programmer decided this was the name that everyone would curse as long as a PC exists that still runs XP, Vista, 7, 8, etc.  It's been called every male and female body part, some of them out of my mouth I'll admit.  And it's not surprising when you lift the hood into this world (at least on my HOOPED HP Pavilion 12 year old PC, sob sob).

svchost.exe [1 instance]

ALLUSERSPROFILE   C:\ProgramData
APPDATA   C:\USERS\LARRY-PC$\AppData\Roaming
CommonProgramFiles   C:\Program Files\Common Files
COMPUTERNAME   LARRY-PC
ComSpec   C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK   NO
HOMEPATH   c:\Users\LARRY-PC$
LOCALAPPDATA   C:\USERS\LARRY-PC$\AppData\LOCAL
NUMBER_OF_PROCESSORS   2
OnlineServices   Online Services
OS   Windows_NT
PATH   C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT   .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PCBRAND   Pavilion
PLATFORM   HPD
PROCESSOR_ARCHITECTURE   x86
PROCESSOR_IDENTIFIER   x86 Family 15 Model 67 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL   15
PROCESSOR_REVISION   4302
ProgramData   C:\PROGRAMDATA
ProgramFiles   C:\Program Files
PUBLIC   c:\USERS\Public
SystemDrive   C:
SystemRoot   C:\Windows
TEMP   C:\Windows\TEMP
TMP   C:\Windows\TEMP
USERDOMAIN   LARRY_HP
USERNAME   LARRY-PC$
USERPROFILE   C:\USERS\LARRY-PC$
windir   C:\Windows

At least this instance has the same identifiers as the outer shell, such as the values for TEMP, TMP, windir, OS, ComSpec, Path, SystemDrive, etc.  Where it differs is in the USERNAME value, which ends up creating (or requiring) access to files that need to exist in different locations than an application from within the Explorer.Exe layer would look for and expect to find.

This is the first instance of SvcHost.exe that we've opened and it calls ehmas.exe which surprisingly has the following
environment:

ALLUSERSPROFILE   C:\ProgramData
APPDATA   C:\USERS\LARRY\AppData\Roaming
CommonProgramFiles   C:\Program Files\Common Files
COMPUTERNAME   LARRY-PC
ComSpec   C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK   NO
HOMEPATH   c:\Users\LARRY
LOCALAPPDATA   C:\USERS\LARRY\AppData\LOCAL
NUMBER_OF_PROCESSORS   2
OnlineServices   Online Services
OS   Windows_NT
Path   C:\Windows\System32;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT   .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PCBRAND   Pavilion
PLATFORM   HPD
PROCESSOR_ARCHITECTURE   x86
PROCESSOR_IDENTIFIER   x86 Family 15 Model 67 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL   15
PROCESSOR_REVISION   4302
ProgramData   C:\PROGRAMDATA
ProgramFiles   C:\Program Files
PUBLIC   c:\USERS\Public
SESSIONNAME   Console
SystemDrive   C:
SystemRoot   C:\Windows
TEMP   c:\Users\Larry\AppData\Local\Temp
TMP   c:\Users\Larry\AppData\Local\Temp
USERNAME   LARRY
USERPROFILE   C:\USERS\LARRY
windir   C:\Windows

This is a portion of the Media Center Media Status Application that is called into action by Explorer.EXE as required by the
User.  On my machine, it hasn't been called ever since I stopped using the old-style non-HD Video tuner. It might be handy
some day and I turned it on to show the interaction of the multiple layers.

The question: What would happen if this app were to call other apps in other layers that have different values for key data locations and file names and, in conversing with the program entity in another layer, only sent over the Token name and not the Token value, i.e. sending over '%USERNAME%' rather than the current content of that variable?

svchost.exe [2 instance]

nvvsvc.exe
The next user environment is for an application service that is called directly by services.exe without the need of a 'host' framework or extra layer.  Its working environment is identical to Services.EXE, but it is running so the EXE it calls can exist in both layers.  Each layer has different values for USERNAME, TMP and TEMP.

ALLUSERSPROFILE   C:\ProgramData
APPDATA   C:\USERS\LARRY-PC$\AppData\Roaming
CommonProgramFiles   C:\Program Files\Common Files
COMPUTERNAME   LARRY-PC
ComSpec   C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK   NO
HOMEPATH   c:\Users\LARRY-PC$
LOCALAPPDATA   C:\USERS\LARRY-PC$\AppData\LOCAL
NUMBER_OF_PROCESSORS   2
OnlineServices   Online Services
OS   Windows_NT
Path   C:\Windows\System32;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT   .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
ProgramData   C:\PROGRAMDATA
ProgramFiles   C:\Program Files
PUBLIC   c:\USERS\Public
SystemDrive   C:
SystemRoot   C:\Windows
TEMP   C:\Windows\TEMP
TMP   C:\Windows\TEMP
USERDOMAIN   LARRY_HP
USERNAME   LARRY-PC$
USERPROFILE   C:\USERS\LARRY-PC$
windir   C:\Windows

nvxdsync.exe is the Nvidia User Experience Driver Component and is run directly by Services and therefore inherits that environment.  This exe calls another nVidia process, nvTray, which has different values for USERPROFILE and USERNAME, which means different locations for data and files that are referenced by layer-specific values.  Imagine if an application used one service to find a location to write information to and then used another Service application that has other locations in mind when those same referenced names are used.

USERNAME      Larry
USERPROFILE   C:\Users\Default

And if the internal application were to run a process and create a file, the outer process may not be able to find it if each layer used its own Inherited naming convention.


svchost.exe [3 instance] is described as a Host service for Windows Services with references to a Network Environment, different from either of the other two uses of SvcHost.exe so far.  I've removed the repeated variables that were inherited from the outer layers of Windows Vista.  The values for TEMP and TMP are interesting and do not appear anywhere in the registry.

APPDATA   C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming
LOCALAPPDATA   C:\Windows\ServiceProfiles\NetworkService\AppData\Local
ProgramData   C:\ProgramData
ProgramFiles   C:\Program Files
PUBLIC   C:\Users\Public
SystemDrive   C:
SystemRoot   C:\Windows
TEMP   C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp
TMP   C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp
USERDOMAIN   LARRY_HP
USERNAME   LARRY-PC$
USERPROFILE   C:\Windows\ServiceProfiles\NetworkService


MsMpEng.Exe is another service called directly by Services.EXE.  It resembles the Environment that Services.Exe
provided the first three instances of SvcHost.exe and other directly called apps.

ALLUSERSPROFILE   C:\ProgramData
APPDATA   C:\USERS\LARRY-PC$\AppData\Roaming
commonfiles   C:\Program Files\Common Files
CommonProgramFiles   C:\Program Files\Common Files
COMPUTERNAME   LARRY-PC
ComSpec   C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK   NO
HOMEPATH   c:\Users\LARRY-PC$
LOCALAPPDATA   C:\USERS\LARRY-PC$\AppData\LOCAL
NUMBER_OF_PROCESSORS   2
OnlineServices   Online Services
OS   Windows_NT
PATH   C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT   .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
progfiles   C:\Program Files
ProgramData   C:\PROGRAMDATA
ProgramFiles   C:\Program Files
PUBLIC   c:\USERS\Public
systemdir   C:\Windows\system32
SystemDrive   C:
SystemRoot   C:\Windows
TEMP   C:\Windows\TEMP
TMP   C:\Windows\TEMP
USERDOMAIN   LARRY_HP
USERNAME   LARRY-PC$
USERPROFILE   C:\USERS\LARRY-PC$
windir   C:\Windows

svchost.exe [4 instance] is another instance of this wonderful entity.  This time, however, the USERNAME and USERPROFILE locations point to different folders.  And if you've noticed, the USERDOMAIN is same as . I've removed variables from the outer shells such as ComSpec, COMPUTERNAME, etc.

APPDATA   C:\Windows\ServiceProfiles\LocalService\AppData\Roaming
LOCALAPPDATA   C:\Windows\ServiceProfiles\LocalService\AppData\Local
PATHEXT   .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
ProgramData   C:\ProgramData
ProgramFiles   C:\Program Files
PUBLIC   C:\Users\Public
SystemDrive   C:
SystemRoot   C:\Windows
TEMP   C:\Windows\SERVIC~2\LOCALS~1\AppData\Local\Temp
TMP   C:\Windows\SERVIC~2\LOCALS~1\AppData\Local\Temp
USERDOMAIN   NT AUTHORITY
USERNAME   LOCAL SERVICE
USERPROFILE   C:\Windows\ServiceProfiles\LocalService
windir   C:\Windows

svchost.exe [5 instance] calls the Desktop Window Manager (DRM.EXE)

APPDATA   C:\USERS\LARRY-PC$\AppData\Roaming
HOMEPATH   c:\Users\LARRY-PC$
LOCALAPPDATA   C:\USERS\LARRY-PC$\AppData\LOCAL
PATH   C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT   .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
ProgramData   C:\PROGRAMDATA
ProgramFiles   C:\Program Files
TEMP   C:\Windows\TEMP
TMP   C:\Windows\TEMP
USERDOMAIN   LARRY_HP
USERNAME   LARRY-PC$
USERPROFILE   C:\USERS\LARRY-PC$

DRM.EXE

USERNAME   LARRY
USERPROFILE   C:\Users\Default

Note that the USERNAME and USERPROFILE names will point in 'opposite' directions if any use of these token names is referenced by services or programs from different layers.  I guess DOMAINS might be a useful identifier to key in on for the rest of this diatribe.


svchost [6 instance] is labeled as the GPSvcGroup and it sits idle.

HOMEPATH   c:\Users\LARRY-PC$
LOCALAPPDATA   C:\USERS\LARRY-PC$\AppData\LOCAL

Path   C:\Windows\System32;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT   .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC

TEMP   C:\Windows\TEMP
TMP   C:\Windows\TEMP
USERDOMAIN   LARRY_HP
USERNAME   LARRY-PC$
USERPROFILE   C:\USERS\LARRY-PC$
windir   C:\Windows


SLsvc.exe is the software licensing service and is called directly by Services.EXE and has a recognizable USERNAME and USERPROFILE value.  The TEMP and TMP variables direct subscribing applications to a file location deep within the bowels of c:\windows.

ALLUSERSPROFILE   C:\ProgramData
APPDATA   C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming
LOCALAPPDATA   C:\Windows\ServiceProfiles\NetworkService\AppData\Local

ProgramData   C:\ProgramData
ProgramFiles   C:\Program Files
PUBLIC   C:\Users\Public
SystemDrive   C:
SystemRoot   C:\Windows
TEMP   C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp
TMP   C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp
USERDOMAIN   LARRY_HP
USERNAME   LARRY-PC$
USERPROFILE   C:\Windows\ServiceProfiles\NetworkService


svchost.exe [7 instance] is labeled as a 'local' service Host, just waiting to jump into action.

APPDATA   C:\Windows\ServiceProfiles\LocalService\AppData\Roaming
LOCALAPPDATA   C:\Windows\ServiceProfiles\LocalService\AppData\Local

TEMP   C:\Windows\SERVIC~2\LOCALS~1\AppData\Local\Temp
TMP   C:\Windows\SERVIC~2\LOCALS~1\AppData\Local\Temp
USERDOMAIN   NT AUTHORITY
USERNAME   LOCAL SERVICE
USERPROFILE   C:\Windows\ServiceProfiles\LocalService



svchost.exe [8 instance] is labeled as a Network service host, in waiting

APPDATA   C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming
LOCALAPPDATA   C:\Windows\ServiceProfiles\NetworkService\AppData\Local
TEMP   C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp
TMP   C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp
USERDOMAIN   LARRY_HP
USERNAME   LARRY-PC$
USERPROFILE   C:\Windows\ServiceProfiles\NetworkService


spoolsv.exe is called the Spooler Sub-system that handles printing chores automatically for the user.  This service is called directly by Services.EXE and has an identical environment.

APPDATA   C:\USERS\LARRY-PC$\AppData\Roaming
HOMEPATH   c:\Users\LARRY-PC$
LOCALAPPDATA   C:\USERS\LARRY-PC$\AppData\LOCAL
PATH   C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT   .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
TEMP   C:\Windows\TEMP
TMP   C:\Windows\TEMP
USERDOMAIN   LARRY_HP
USERNAME   LARRY-PC$
USERPROFILE   C:\USERS\LARRY-PC$


svchost.exe [9 instance] This instance is a non-Network related Host.

APPDATA   C:\Windows\ServiceProfiles\LocalService\AppData\Roaming
LOCALAPPDATA   C:\Windows\ServiceProfiles\LocalService\AppData\Local

TEMP   C:\Windows\SERVIC~2\LOCALS~1\AppData\Local\Temp
TMP   C:\Windows\SERVIC~2\LOCALS~1\AppData\Local\Temp
USERDOMAIN   NT AUTHORITY
USERNAME   LOCAL SERVICE
USERPROFILE   C:\Windows\ServiceProfiles\LocalService

HPSupportSolutionsFramework is called by Services.EXE directly.

APPDATA   C:\USERS\LARRY-PC$\AppData\Roaming
HOMEPATH   c:\Users\LARRY-PC$
LOCALAPPDATA   C:\USERS\LARRY-PC$\AppData\LOCAL
TEMP   C:\Windows\TEMP
TMP   C:\Windows\TEMP
USERDOMAIN   LARRY_HP
USERNAME   LARRY-PC$
USERPROFILE   C:\USERS\LARRY-PC$


LSSrvc.EXE is the Lightscribe printing service that burns labels directly on specially manufactured CD's and DVD's. I
ran out of such disks months ago, so this service sits and waits for me to replenish.

APPDATA   C:\USERS\LARRY-PC$\AppData\Roaming
LOCALAPPDATA   C:\USERS\LARRY-PC$\AppData\LOCAL
Path   C:\Windows\System32;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
TEMP   C:\Windows\TEMP
TMP   C:\Windows\TEMP
USERDOMAIN   LARRY_HP
USERNAME   LARRY-PC$
USERPROFILE   C:\USERS\LARRY-PC$


mbamscheduler.exe is called directly by Services.Exe with the following environment variables.

APPDATA   C:\USERS\LARRY-PC$\AppData\Roaming
HOMEPATH   c:\Users\LARRY-PC$
LOCALAPPDATA   C:\USERS\LARRY-PC$\AppData\LOCAL
TEMP   C:\Windows\TEMP
TMP   C:\Windows\TEMP
USERDOMAIN   LARRY_HP
USERNAME   LARRY-PC$
USERPROFILE   C:\USERS\LARRY-PC$


mbamservice.exe is a Host called directly by Services.Exe.  This service then calls mbam.exe which has a couple of
memory variable locations that resemble the environment found inside Explorer.exe.

APPDATA   C:\USERS\LARRY-PC$\AppData\Roaming
HOMEPATH   c:\Users\LARRY-PC$
LOCALAPPDATA   C:\USERS\LARRY-PC$\AppData\LOCAL
Path   C:\Windows\System32;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
TEMP   C:\Windows\TEMP
TMP   C:\Windows\TEMP
USERDOMAIN   LARRY_HP
USERNAME   LARRY-PC$
USERPROFILE   C:\USERS\LARRY-PC$


mbam.exe is called by the mbamservice.exe and has a different USERNAME and USERPROFILE than the calling host.

TEMP   C:\Windows\TEMP
TMP   C:\Windows\TEMP
USERNAME   LARRY
USERPROFILE   C:\Users\Default


MSCAm532.exe has the same environment as Services.Exe.

APPDATA   C:\USERS\LARRY-PC$\AppData\Roaming
HOMEPATH   c:\Users\LARRY-PC$
LOCALAPPDATA   C:\USERS\LARRY-PC$\AppData\LOCAL
TEMP   C:\Windows\TEMP
TMP   C:\Windows\TEMP
USERDOMAIN   LARRY_HP
USERNAME   LARRY-PC$
USERPROFILE   C:\USERS\LARRY-PC$


NBService.EXE is called by Services.Exe as required and shares memory variables.

APPDATA   C:\USERS\LARRY-PC$\AppData\Roaming
HOMEPATH   c:\Users\LARRY-PC$
LOCALAPPDATA   C:\USERS\LARRY-PC$\AppData\LOCAL
TEMP   C:\Windows\TEMP
TMP   C:\Windows\TEMP
USERDOMAIN   LARRY_HP
USERNAME   LARRY-PC$
USERPROFILE   C:\USERS\LARRY-PC$


daemonu.exe is part of the Nvidia Settings Update Manager and is called directly by Services.Exe

__COMPAT_LAYER   VistaSetUp
TEMP   C:\Windows\TEMP
TMP   C:\Windows\TEMP
USERNAME   LARRY
USERPROFILE   C:\Users\Default



svchost.exe [10 instance] A network service Host in waiting.  I hope you're starting to see a pattern.

APPDATA   C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming
LOCALAPPDATA   C:\Windows\ServiceProfiles\NetworkService\AppData\Local
TEMP   C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp
TMP   C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp
USERDOMAIN   LARRY_HP
USERNAME   LARRY-PC$
USERPROFILE   C:\Windows\ServiceProfiles\NetworkService


locator.exe is another direct call Service.


APPDATA   C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming
LOCALAPPDATA   C:\Windows\ServiceProfiles\NetworkService\AppData\Local

TEMP   C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp
TMP   C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp
USERDOMAIN   LARRY_HP
USERNAME   LARRY-PC$
USERPROFILE   C:\Windows\ServiceProfiles\NetworkService
windir   C:\Windows
 
Svchost.exe [11 Instance] is labeled as a WerSvcGroup Service in waiting.

APPDATA   C:\USERS\LARRY-PC$\AppData\Roaming
HOMEPATH   c:\Users\LARRY-PC$
LOCALAPPDATA   C:\USERS\LARRY-PC$\AppData\LOCAL
TEMP   C:\Windows\TEMP
TMP   C:\Windows\TEMP
USERDOMAIN   LARRY_HP
USERNAME   LARRY-PC$
USERPROFILE   C:\USERS\LARRY-PC$


SearchIndexer.Exe This is a Hosting service called by Services.Exe.  It calls SearchProtocolHost.Exe and
SearchFilterHost.Exe.

APPDATA   C:\USERS\LARRY-PC$\AppData\Roaming
HOMEPATH   c:\Users\LARRY-PC$
LOCALAPPDATA   C:\USERS\LARRY-PC$\AppData\Local

TEMP   C:\PROGRAMDATA\Microsoft\Search\Data\Temp\usgthrsvc
TMP   C:\PROGRAMDATA\Microsoft\Search\Data\Temp\usgthrsvc
USERDOMAIN   LARRY_HP
USERNAME   LARRY-PC$
USERPROFILE   C:\USERS\LARRY-PC$


SearchProtocolHost.Exe This service is called by SearchIndexer.Exe.  Notice the unique TEMP and TMP values match those
of the calling Service.

APPDATA   C:\USERS\LARRY-PC$\AppData\Roaming
HOMEPATH   c:\Users\LARRY-PC$
LOCALAPPDATA   C:\USERS\LARRY-PC$\AppData\Local

TEMP   C:\PROGRAMDATA\Microsoft\Search\Data\Temp\usgthrsvc
TMP   C:\PROGRAMDATA\Microsoft\Search\Data\Temp\usgthrsvc
USERDOMAIN   LARRY_HP
USERNAME   LARRY-PC$
USERPROFILE   C:\USERS\LARRY-PC$


SearchFilterHost.Exe One of two services called by SearchIndexer.Exe.

APPDATA   C:\USERS\LARRY-PC$\AppData\Roaming
HOMEPATH   c:\Users\LARRY-PC$
LOCALAPPDATA   C:\USERS\LARRY-PC$\AppData\Local
TEMP   C:\PROGRAMDATA\Microsoft\Search\Data\Temp\usgthrsvc
TMP   C:\PROGRAMDATA\Microsoft\Search\Data\Temp\usgthrsvc
USERDOMAIN   LARRY_HP
USERNAME   LARRY-PC$
USERPROFILE   C:\USERS\LARRY-PC$

The unique TEMP and TMP values are shared by these three services, all within the LARRY_HP domain


xAudio.Exe is probably the most missed service (it's broken...haven't heard a new tune in 10 days or more) on the
system and one that is called directly by Services.Exe

APPDATA   C:\USERS\LARRY-PC$\AppData\Roaming
HOMEPATH   c:\Users\LARRY-PC$
LOCALAPPDATA   C:\USERS\LARRY-PC$\AppData\LOCAL

TEMP   C:\Windows\TEMP
TMP   C:\Windows\TEMP
USERDOMAIN   LARRY_HP
USERNAME   LARRY-PC$
USERPROFILE   C:\USERS\LARRY-PC$


wmpnetwk.exe  A Windows Media Service called directly from Services.Exe.

APPDATA   C:\USERS\LARRY-PC$\AppData\Roaming
HOMEPATH   c:\Users\LARRY-PC$
LOCALAPPDATA   C:\USERS\LARRY-PC$\AppData\LOCAL
TEMP   C:\Windows\TEMP
TMP   C:\Windows\TEMP
USERDOMAIN   LARRY_HP
USERNAME   LARRY-PC$
USERPROFILE   C:\USERS\LARRY-PC$


ehsched.exe A Windows Media Player Service called directly from Services.Exe

APPDATA   C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming
LOCALAPPDATA   C:\Windows\ServiceProfiles\NetworkService\AppData\Local
TEMP   C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp
TMP   C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp
USERDOMAIN   LARRY_HP
USERNAME   LARRY-PC$
USERPROFILE   C:\Windows\ServiceProfiles\NetworkService


ehrecvr.exe A Windows Media Player Service called directly from Services.Exe


APPDATA   C:\USERS\LARRY-PC$\AppData\Roaming
HOMEPATH   c:\Users\LARRY-PC$
LOCALAPPDATA   C:\USERS\LARRY-PC$\AppData\LOCAL
TEMP   C:\Windows\TEMP
TMP   C:\Windows\TEMP
USERDOMAIN   LARRY_HP
USERNAME   LARRY-PC$
USERPROFILE   C:\USERS\LARRY-PC$


PresentationFontCache.Exe is called directly from Services.Exe

APPDATA   C:\Windows\ServiceProfiles\LocalService\AppData\Roaming
LOCALAPPDATA   C:\Windows\ServiceProfiles\LocalService\AppData\Local
TEMP   C:\Windows\SERVIC~2\LOCALS~1\AppData\Local\Temp
TMP   C:\Windows\SERVIC~2\LOCALS~1\AppData\Local\Temp
USERDOMAIN   NT AUTHORITY
USERNAME   LOCAL SERVICE
USERPROFILE   C:\Windows\ServiceProfiles\LocalService


svchost.exe [12 instance] is labeled as a Local Service No Impersonation.

APPDATA   C:\Windows\ServiceProfiles\LocalService\AppData\Roaming

TEMP   C:\Windows\SERVIC~2\LOCALS~1\AppData\Local\Temp
TMP   C:\Windows\SERVIC~2\LOCALS~1\AppData\Local\Temp
USERDOMAIN   NT AUTHORITY
USERNAME   LOCAL SERVICE
USERPROFILE   C:\Windows\ServiceProfiles\LocalService


svchost.exe [13 instance] is labeled as the secsvcs service and is part of the Windows Defender service.

APPDATA   C:\USERS\LARRY-PC$\AppData\Roaming
HOMEPATH   c:\Users\LARRY-PC$
LOCALAPPDATA   C:\USERS\LARRY-PC$\AppData\LOCAL
MpConfig_ProductAppDataPath   C:\ProgramData\Microsoft\Windows Defender
MpConfig_ProductCodeName   AntiSpyware
MpConfig_ProductPath   c:\program files\windows defender
MpConfig_ProductUserAppDataPath   C:\USERS\LARRY-PC$\AppData\Local\Microsoft\Windows Defender
MpConfig_ReportingGUID   0CA2C2EE-C5BE-4E71-8B03-B4603DF77DAB
TEMP   C:\Windows\TEMP
TMP   C:\Windows\TEMP
USERDOMAIN   LARRY_HP
USERNAME   LARRY-PC$
USERPROFILE   C:\USERS\LARRY-PC$

That completes a list of environment variables for the various Services that ARE running currently on my gimped 12 year old HP Pavilion PC that is on its last legs.  I'm going to next try to cover the services that are not running for whatever reason.  For this purpose, I'll be referring to the various errors and warnings that appear in my Event logs that point to broken services and bad system calls.  More on that next time.

Boggin:
I use Process Explorer occasionally but more to check if I have any foreigners in the system.

This is done by clicking on Options and ensuring Verify Signatures is checked and then hover over VirusTotal.Com and check its box.

Anything under the Virus Total column with a highish value/50 in red should be treated as suspect.

It's probably the computer that is generating those usernames for whichever path is required, but I've never gone that deep or needed to or probably know how - so you'll probably know more about that than I do.

When you were talking about the restore disks/applications in your opening post, are they system images or actual recovery disks which are a copy of what is in the Recovery partition, because I think probably the best way to go with this would be a factory reset as you are unable to run the WR program.

If you had a Vista x32 SP2 install disk then you could have booted up with that to see if an offboot sfc /scannow would sort things.

I only have the SP2 Vista ISO for 64 bit, so it would be no good sending you a couple of those.

There are Google links (can't remember where I got mine from) but for them to include SP2 are few and far between and you never know if you can trust them.

RaveRocks:
Reporting in.  And I made a huge discovery tonight.  A few months back (May), I ran Malwarebytes and JRT.EXE after a run-in with some nasty adware that wouldn't disappear from Firefox.  I feel blessed.  Big Time!  JRT ran a Registry Backup before two scans.  I'm sure I will only need to reinstall any software that was installed after the date of the last RegBack.  There are no step by step instructions for running the CMD file in the folder.  I do believe I should run Windows Recovery Console, which I've also found a good copy of, and then open a cmd window (as admin) and run the bat file from within the little black box.  I guess I'm a bit chicken to do it, after the past two weeks of near purgatory.  But here goes.  I'll report back.

Boggin:
If you use an infected restore/backup then you are going to get that nasty back.

In your opening post you discounted using your restore points - why was that?
