Is there some way of creating event log entries for all
accesses of Outlook so that I can definitively determine
which process it is?
Perhaps an application is launching the mailto: handler or initiating a MAPI call
(both invoke the default email client, not Outlook explicitly). In any case, try
running these malware cleaners:
1. Ad-Aware
http://www.lavasoftusa.com
2. SpyBot S&D
http://www.safer-networking.org
3. CWShredder
http://www.intermute.com/spysubtract/cwshredder_download.html
Update 1 & 2 before running a scan.
--
Ramesh, Microsoft MVP
Windows XP Shell/User
http://windowsxp.mvps.org
<ggroth...@gmail.com> wrote in message
news:1124977473.9...@g14g2000cwa.googlegroups.com...
Thanks. I ran Spybot and it found 94 problems which I removed
except for 3 items that appear to be Microsoft related.
I also checked out
Start > Control Panel > Internet Options > Programs tab > Email
and it has Pegasus Mail listed which is correct.
Regarding the possibility of mailto, CDO or MAPI, I tried creating
a one line HTML file:
<a href="mailto:blahblah">mail</a>
where blahblah is my email address, and clicking on the link does try to
bring up Pegasus Mail, thus it's not a mailto.
Do you know how I can test out a MAPI attempt and a CDO attempt
to see if they try to start Outlook or Pegasus? If I can determine
that both these routes attempt to start Pegasus I guess I can
assume it's attempting to access Outlook. Is that right?
The trouble I have is that it's not easy to tell if I have fixed
it since it only comes up a few minutes after each reboot, thus
it would be good if I could eliminate all possibilities that it's
not something like CDO and MAPI. If I can eliminate these possibilities
then I am hoping that there will be some way of logging all
Outlook accesses so that when I get the popup I can look back
in the log.
The Send To > Mail Recipient does a MAPI call. You can try it and see.
Further, if you're using Task Manager, arrange the "Process" column so that
the processes display with proper hierarchy, rather than listing all
processes in parallel. (For the hierarchical view, you need to click the "Process"
column header twice.) When Outlook.exe is triggered, open Process
Explorer, and look for the parent process.
Alternately, if you know scripting, you may write a process monitoring script
using WMI that monitors the create event for outlook.exe and displays the
Parent Process Id. You may use "Win32_Process" for that. For sample process
monitoring scripts, see the "Scripting Guy" columns at Microsoft.com.
--
Ramesh, Microsoft MVP
Windows XP Shell/User
http://windowsxp.mvps.org
<ggroth...@gmail.com> wrote in message
news:1125059493....@g43g2000cwa.googlegroups.com...
>> Further, if you're using Task Manager
Should be
Further, if you're using *Process Explorer*
--
Ramesh, Microsoft MVP
Windows XP Shell/User
http://windowsxp.mvps.org
"Ramesh, MS-MVP" <ram...@XOX.mvps.org> wrote in message
news:uG8Qitj...@TK2MSFTNGP11.phx.gbl...
I tried it and it gives a similar popup so it may be a MAPI call.
>Alternately if you know scripting,
Yes, I have written VBScript/Jscript and have called COM objects
and used Scriptomatic.
> you may write a Process Monitoring script
> using WMI that monitors the create event for outlook.exe and
> displays the Parent Process Id. You may use "Win32_Process"
> for that. For sample process monitoring scripts, see the
> "Scripting Guy" columns at Microsoft.com
What I was doing was: when I saw the popup I would just use
psloglist.exe from sysinternals.com to list out events but could
not find the event. I am not sure
1. how I identify the proper event or
2. is there something I have to do to cause the event
to be entered into the log before it happens?
Not sure if I am looking in the right place but the Scripting Guy
column I found
http://www.microsoft.com/technet/scriptcenter/resources/qanda/aug05/hey0816.mspx
has this example:
strComputer = "."
' Connect to WMI on the local machine; the (Security) privilege is needed
' to read the Security event log
Set objWMIService = GetObject("winmgmts:{(Security)}\\" & _
    strComputer & "\root\cimv2")
' Subscribe to event-log records with EventCode 0 as they are written
Set colMonitoredEvents = objWMIService.ExecNotificationQuery _
    ("Select * from __InstanceCreationEvent Where " _
    & "TargetInstance ISA 'Win32_NTLogEvent' " _
    & "and TargetInstance.EventCode = '0' ")
Do
    ' NextEvent blocks until the next matching record arrives
    Set objLatestEvent = colMonitoredEvents.NextEvent
    Wscript.Echo objLatestEvent.TargetInstance.User
    Wscript.Echo objLatestEvent.TargetInstance.TimeWritten
    Wscript.Echo objLatestEvent.TargetInstance.Message
    Wscript.Echo
Loop
but as far as I can understand all that does is display
information that was already in the event log. Is that right?
If that's so then psloglist.exe from sysinternals.com could also
find it via:
psloglist | findstr whatever
but:
1. is there something I need to do to get the
Outlook/CDO/MAPI event to be entered into the event
log in the first place?
2. if I search the log, i.e.
psloglist | findstr whatever
then what do I use for whatever?
Thanks.
For the WMI script:
A script is on the way; I've not tested it *extensively*, but will do so
shortly on all my systems.
Note: It's a basic script (BETA) with no error-handling or anything. Since
it deals with Processes, close all your work and try. It monitors
"Notepad.exe" by default, modify it as you wish. Download it from here:
http://windowsxp.mvps.org/temp/monproc.vbs
Polling interval is set to every 5 seconds (i.e., checks for new process
every 5 seconds)
--------------------------------------------------------------------
To end the script, open Task Manager and end wscript.exe process.
--------------------------------------------------------------------
--
Ramesh, Microsoft MVP
Windows XP Shell/User
http://windowsxp.mvps.org
<ggroth...@gmail.com> wrote in message
news:1125064679....@g49g2000cwa.googlegroups.com...
Googling around Microsoft's site I found
__methodinvocationevent
here:
which I am assuming is the right call to trap CDO/MAPI calls
but at the top it says that it's not implemented. Is there
no way of trapping CDO and MAPI calls? (I am using Windows
XP, by the way.) Am I on the right track?
>> Since I don't know what I am looking for I guess I have to log _all_
>> process creation attempts.
You need to monitor the "create" event from outlook.exe. My script does it
for notepad.exe, you just need to change that to outlook's executable.
>>http://msdn.microsoft.com/library/en-us/wmisdk/wmi/__methodinvocationevent.asp
Will look into that.
--
Ramesh, Microsoft MVP
Windows XP Shell/User
http://windowsxp.mvps.org
<ggroth...@gmail.com> wrote in message
news:1125072926....@g49g2000cwa.googlegroups.com...
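The WMI process-creation watcher Ramesh describes above (and in his earlier reply about Win32_Process and the parent process id), written out as an added example; this is not his monproc.vbs and not the Scripting Guy script. It uses an intrinsic __InstanceCreationEvent on Win32_Process, resolves the ParentProcessId to the parent's name and command line, and appends every creation to a log file so the log can be read back after the popup appears. It goes beyond the thread's notepad.exe/outlook.exe case by logging all processes when no name is given. The log path is an assumption.

```vbscript
' proc-monitor.vbs: log every process creation with its parent so the log can be
' read back after the popup appears. Added example, not the thread's monproc.vbs.
' Run: cscript //nologo proc-monitor.vbs [name]   e.g. outlook.exe (no name = all)
Option Explicit
Const LOG_FILE = "C:\proc-monitor.log"   ' assumed location; change as needed
Const POLL_SECONDS = 2                   ' WITHIN clause = WMI polling interval
Dim objWMI, colEvents, objEvt, objProc, strTarget, strQuery, strLine
strTarget = ""
If WScript.Arguments.Count > 0 Then strTarget = WScript.Arguments(0)
Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
' Intrinsic event: fires when a new Win32_Process instance appears
strQuery = "SELECT * FROM __InstanceCreationEvent WITHIN " & POLL_SECONDS & _
           " WHERE TargetInstance ISA 'Win32_Process'"
If strTarget <> "" Then
    ' process names contain no quotes; strip any so the WQL filter stays well-formed
    strQuery = strQuery & " AND TargetInstance.Name = '" & Replace(strTarget, "'", "") & "'"
End If
Set colEvents = objWMI.ExecNotificationQuery(strQuery)
WScript.Echo "Monitoring; appending to " & LOG_FILE & " (Ctrl+C to stop)"
Do
    Set objEvt = colEvents.NextEvent      ' blocks until the next creation event
    Set objProc = objEvt.TargetInstance
    strLine = Now & vbTab & objProc.Name & " PID=" & objProc.ProcessId & _
              vbTab & "parent=" & DescribeParent(objProc.ParentProcessId) & _
              vbTab & "cmd=" & objProc.CommandLine
    WScript.Echo strLine
    AppendLog strLine
Loop

' Resolve the parent PID to a name and command line. The parent may already
' have exited (e.g. a short-lived launcher), in which case only the PID is known.
Function DescribeParent(lngPid)
    Dim colParents, objP
    DescribeParent = "PID " & lngPid & " (already exited)"
    Set colParents = objWMI.ExecQuery( _
        "SELECT Name, CommandLine FROM Win32_Process WHERE ProcessId = " & lngPid)
    For Each objP In colParents
        DescribeParent = objP.Name & " PID=" & lngPid & " cmd=" & objP.CommandLine
    Next
End Function

' Open, write, close on every line so the log is on disk when you look at it
Sub AppendLog(strText)
    Dim objFSO, objFile
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objFile = objFSO.OpenTextFile(LOG_FILE, 8, True)   ' 8 = ForAppending
    objFile.WriteLine strText
    objFile.Close
End Sub
```

Running it under cscript rather than wscript means Ctrl+C ends it instead of killing wscript.exe from Task Manager, and a parent shown as "already exited" is itself a clue that a short-lived launcher (a startup item or scheduled task) made the call.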
As I mentioned that was the first thing I tried. I use
Process Explorer a lot and am reasonably familiar with it
and if that had allowed me to find this one I would have
never had to post in the first place.
>> Since I don't know what I am looking for I guess I have to log _all_
>> process creation attempts.
> You need to monitor the "create" event from outlook.exe. My script does it
> for notepad.exe, you just need to change that to outlook's executable.
Are you sure about that? We just finished discussing that
it might be MAPI or CDO and if that's the case isn't it pointless
to be looking for outlook? Furthermore, I think I would have
seen it in Process Explorer if that were the problem since I
think I would have recognized outlook.
Note that it takes a while to get just one test of this since I
have to reboot and wait for a while until it happens, so it's not
feasible to try a bunch of things. I need to do something that
definitively identifies the culprit.
>>http://msdn.microsoft.com/library/en-us/wmisdk/wmi/__methodinvocation...
> Will look into that.
Thanks.
If you're seeing the compose window, then yes, it's pointless to use that
script. But your original reply said that "process is attempting to startup
Outlook". Therefore I thought that some application is calling "outlook.exe"
explicitly.
What an interesting problem! I'll see if this is trackable. In the
meantime, you may try the conventional methods (selective startup using
MSConfig, etc.) to see if you can isolate the problem.
--
Ramesh, Microsoft MVP
Windows XP Shell/User
http://windowsxp.mvps.org
<ggroth...@gmail.com> wrote in message
news:1125074108.6...@g14g2000cwa.googlegroups.com...
> If you're seeing the compose window, then yes, it's pointless to use that
> script. But your original reply said that "process is attempting to startup
> Outlook". Therefore I thought that some application is calling "outlook.exe"
> explicitly.
Well, that was what I thought but you pointed out that it could
be a CDO or MAPI call and as I mentioned when I tried your
suggestion of using SendTo it did produce a similar looking
popup so it could very well be one of those. By the way,
what is the compose window?
> What an interesting problem! I'll see if this is trackable. In the
> mean-time, you may try the conventional methods (selective startup using
> MSConfig, etc) to see if you can isolate the problem.
As mentioned, the problem is that I must reboot and then it
takes some time before the message comes up so each trial takes
so long that I could never get anything else done. Otherwise, I
would have, indeed, tried that already.
It looks like the Win.ini [MAPI] section is being read by the MAPI caller.
So, try monitoring Win.ini file accesses using Filemon from
Sysinternals.com. I tried the Send To > Mail Recipient, and explorer.exe reads
win.ini.
Filemon reports:
===========
------------------
11:39:10 PM explorer.exe:1288 OPEN C:\WINDOWS\win.ini SUCCESS Options: Open
Access: All
------------------
I'm now monitoring the msoe.dll (OE's MAPI implementation)
------------------
11:42:35 PM explorer.exe:1288 CLOSE C:\Program Files\Outlook
Express\msoe.dll SUCCESS
------------------
For Microsoft Outlook, you would monitor the MAPI32.dll file. See if that method
helps in locating the foreign application.
--
Ramesh, Microsoft MVP
Windows XP Shell/User
http://windowsxp.mvps.org
"Ramesh, MS-MVP" <ram...@XOX.mvps.org> wrote in message
news:uDTQTKmq...@TK2MSFTNGP14.phx.gbl...
Thanks for the help.
--
Ramesh, Microsoft MVP
Windows XP Shell/User
http://windowsxp.mvps.org
<ggroth...@gmail.com> wrote in message
news:1125280749.7...@g43g2000cwa.googlegroups.com...