
OT Why you need Process Explorer


William Sommerwerck
Nov 29, 2014, 11:46:37 AM
To make a long story short... I accidentally opened an e-mail attachment I
shouldn't have. (I had a "good" reason for doing so.) Wondering if its
executable was lurking anywhere, I ran Process Explorer -- and there it was.
Two clicks, and it was gone.

I will, of course, double-check the next time I restart.

http://download.cnet.com/Process-Explorer/3000-2094_4-10223605.html

John Robertson
Nov 29, 2014, 1:03:16 PM
In case folks here don't like opening links in postings (one never
knows), I did a quick search for "Process Explorer" and it looks quite
valid. My link for Microsoft's musings:

http://technet.microsoft.com/en-ca/sysinternals/bb896653.aspx

"Ever wondered which program has a particular file or directory open?
Now you can find out. Process Explorer shows you information about which
handles and DLLs processes have opened or loaded."

You might as well download from MS - or is the cnet version newer?

John :-#)#

--
(Please post followups or tech inquiries to the newsgroup)
John's Jukes Ltd. 2343 Main St., Vancouver, BC, Canada V5T 3C9
(604)872-5757 or Fax 872-2010 (Pinballs, Jukes, Video Games)
www.flippers.com
"Old pinballers never die, they just flip out."

Maynard A. Philbrook Jr.
Nov 29, 2014, 11:14:40 PM
In article <2tGdnXDnBZL_l-fJ...@giganews.com>,
sp...@flippers.com says...
>
> On 11/29/2014, 8:46 AM, William Sommerwerck wrote:
> > To make a long story short... I accidentally opened an e-mail attachment
> > I shouldn't have. (I had a "good" reason for doing so.) Wondering if its
> > executable was lurking anywhere, I ran Process Explorer -- and there it
> > was. Two clicks, and it was gone.
> >
> > I will, of course, double-check the next time I restart.
> >
> > http://download.cnet.com/Process-Explorer/3000-2094_4-10223605.html
>
> In case folks here don't like opening links in postings (one never
> knows) I did a quick search for "Process Explorer" and it looks quite
> valid. My link for Microsoft's musings:
>
> http://technet.microsoft.com/en-ca/sysinternals/bb896653.aspx
>
> "Ever wondered which program has a particular file or directory open?
> Now you can find out. Process Explorer shows you information about which
> handles and DLLs processes have opened or loaded."
>
> You might as well download from MS - or is the cnet version newer?
>
> John :-#)#

Right, and the reason for it being open is to scan your currently running
apps, and if there is one of interest, it can then gain access to the app
and do things like look at the client area, check menu settings, etc.

Do not trust CNET downloads... A good many, and I say many, apps that
are hosted by CNET have been repackaged with tricks set up to get you to
install what you don't want to start with.

I got tricked by that once from them when I wanted to download something
they had. What they did was repackage it so the item you wanted was
actually a download toolbar, and then it would open up the app you
wanted, which was the name of the toolbar I didn't want. In short,
they switched the names around and made it deniable by them because they
could claim that the user clicked on the wrong one, and in fact that
wasn't the case.

I later found out what was happening day by day: I would see these
little apps being installed on my PC and a new icon being added to the
desktop. They were spamming me with promotional software etc.

Trying to remove that was very tricky because they installed two
different apps, one monitoring the other, so if you removed one from the
task window, the other would see it and restart it again. Not only
that, they would rename it, so I had to find the master file.

I had to go into safe mode and fix the registry, etc.

Jamie

Maynard A. Philbrook Jr.
Nov 29, 2014, 11:21:57 PM
In article <m5ct8q$99a$1...@dont-email.me>, grizzle...@comcast.net
says...
Be aware that you may still have something in there. I know you used
Process Explorer to find it, but these little funny programs also do the
same thing Process Explorer does, and that is seeking out apps that are
currently operating in your system, whether on the desktop or in the
background.

Most of those funny things do exactly what Process Explorer does, and
your deleting it may have made you feel better, but the damage might
have already been done.

I once had an issue with CNET, for example, tricking me into installing
something I did not want; they switched the file names around in the
package so that you would click on the downloader installer instead of
the actual app you wanted.

Process Explorer is a nice tool but just beware, the spammers also know
how it works and I wouldn't suggest getting it from anywhere but MS.

Jamie

Mike
Nov 30, 2014, 4:03:02 AM
On Sat, 29 Nov 2014 23:25:42 -0500, Maynard A. Philbrook Jr. wrote:

> Process Explorer is a nice tool but just beware, the spammers also know
> how it works and I wouldn't suggest getting it from anywhere but MS.

Didn't PE originate from SysInternals (I forget the author)? Together with
that other invaluable tool Dependency Walker, also available from M$,
which can tell you why a program does not run...

Mike.

c4urs11
Nov 30, 2014, 7:26:44 AM
On Sat, 29 Nov 2014 23:25:42 -0500, Maynard A. Philbrook Jr. wrote:
>
> Process Explorer is a nice tool but just beware, the spammers also know
> how it works and I wouldn't suggest getting it from anywhere but MS.
>
> Jamie

In the ages of XP, a colleague at work found his PC endlessly rebooting
after normal shutdown.
Process Explorer was his only way to bring the computer to rest.

PE and the other utilities at sysinternals.com are pure gems.

Microsoft had reasons to persuade Mark Russinovich to lodge
sysinternals.com under the wings of MS TechNet.
They could actually learn from him and Bryce Cogswell.

Cheers!

William Sommerwerck
Nov 30, 2014, 10:51:38 AM
"Maynard A. Philbrook Jr." wrote in message
news:MPG.2ee464855...@news.eternal-september.org...

> Do not trust CNET down loads... A good many and I say many apps that
> are hosted by CNET have been repackaged and tricks set up to get you
> to install what you don't want to start with.

I'm not sure that's true of CNET, but it is true of other sites. I've never
had problems with File Hippo.

William Sommerwerck
Nov 30, 2014, 10:53:40 AM
"Maynard A. Philbrook Jr." wrote in message
news:MPG.2ee46653e...@news.eternal-september.org...

> Be aware that you may still have something in there.

Actually, I did. The EXE was present on the drive. Kaspersky caught it a
little later (on its own, without my running a scan). I requested a removal,
and had to restart the computer. I then ran a full scan, and it seemed to be
gone.

Maynard A. Philbrook Jr.
Nov 30, 2014, 12:02:57 PM
In article <m5fehi$fsd$1...@dont-email.me>, grizzle...@comcast.net
says...
Did you ever figure out what exactly it was doing? You may have gotten
lucky before the damage was done, or it may have already run its course,
or done whatever it was meant to do in the first place, and you may not
have what it was looking for.

I remember at one time the bank I do business with had a problem. One
day I got an email from an unknown source showing my bank balance and a
few other important things, indicating that I should log in to correct
some details of my. There was a link available for me to use, and I
noticed that it didn't go to any site that was my bank. So I used
my regular login and there was no problem with my details, but the
information that was in my email was spot on as to my accounts etc.

I quickly called them, and after several holds and being passed on to the
next person, I was asked to change my user name etc., because apparently a
vast number of customers that do online stuff with their accounts were also
getting the same emails. So it appears that it wasn't me but the bank that
got hacked: they were able to view the customers' accounts but not able to
get the access information to remotely log in.

Just something to think about: how naive some businesses are about the
technology.

I work a lot coding on Windows, and I can think of a half dozen ways off
the top of my head how to elude the user.

Jamie

William Sommerwerck
Nov 30, 2014, 1:27:27 PM
"Maynard A. Philbrook Jr." wrote in message
news:MPG.2ee518775...@news.eternal-september.org...

> Did you ever figure out what exactly it was doing?

No. I caught my mistake almost immediately after making it, and killed the
process. About an hour later, Kaspersky found the file and deleted it.

I was careless. But I'd ordered an item from Costco Photo, and this looked like
a status message. My mistake was not paying attention to the sender -- who was
in Italy.

It never hurts to be overly suspicious. This was the first time something got
through in over a decade. I have been warned.

Oh... handy trick... I was badly attacked back in 2004. The attack included
malware that reinstalled itself at each restart. It occurred to me that if I
changed the files' permissions so they couldn't be executed or rewritten, a lot
of problems would be solved. And they were. You don't need to remove a file --
just keep it from running or being replaced with a newer version.
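The permissions trick described in the post above, written out as an added PowerShell example; it is not code from the thread or from Sysinternals. It assumes an elevated prompt and uses a placeholder path (`C:\Quarantine\suspect.exe`) that you would replace with the file in question. Rather than deleting the file, it adds Deny entries for Everyone so the file can neither be launched nor overwritten or deleted, which is what keeps a restart-time reinstaller from putting a fresh copy back.

```powershell
# Added example, not from the thread: neutralize a suspect file by denying
# execute and write/delete access instead of deleting it.
# $SuspectPath is a placeholder; replace it with the file you want to block.
# Run from an elevated PowerShell prompt.
$SuspectPath = 'C:\Quarantine\suspect.exe'   # placeholder, not a real sample

if (-not (Test-Path -LiteralPath $SuspectPath)) {
    throw "File not found: $SuspectPath"
}

# Record a hash first so the file can be identified later (e.g. in an AV report).
$hash = (Get-FileHash -LiteralPath $SuspectPath -Algorithm SHA256).Hash
Write-Host "SHA256 $hash  $SuspectPath"

# Clear any read-only attribute; it would not stop a replacement anyway, and
# the ACL should be the single thing that enforces the block.
Set-ItemProperty -LiteralPath $SuspectPath -Name IsReadOnly -Value $false

$acl = Get-Acl -LiteralPath $SuspectPath

# Deny the rights that matter: running the file, and writing or deleting it so
# a persistence routine cannot drop a fresh copy over the top.
$denyRights = [System.Security.AccessControl.FileSystemRights]::ExecuteFile -bor
              [System.Security.AccessControl.FileSystemRights]::Write -bor
              [System.Security.AccessControl.FileSystemRights]::Delete

# S-1-1-0 is the well-known SID for Everyone.
$everyone = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')
$deny = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $everyone,
    $denyRights,
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Deny)

$acl.AddAccessRule($deny)
Set-Acl -LiteralPath $SuspectPath -AclObject $acl

# Verify: Windows evaluates Deny ACEs before Allow ACEs, so this entry should
# now be listed and the file should fail to launch for every account.
(Get-Acl -LiteralPath $SuspectPath).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Two limits worth knowing: the ACL does nothing to a copy that is already running (kill the process first, as the post describes), and anything running as an administrator or SYSTEM can take ownership and strip the Deny entries again, so this is a containment step to pair with a scan, not a substitute for one.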

Gareth Magennis
Nov 30, 2014, 4:06:56 PM

"William Sommerwerck" wrote in message news:m5ct8q$99a$1...@dont-email.me...
I had a mighty scare today on my laptop.
On booting, everything I tried to do resulted in an error message. I
couldn't access msconfig, control panel, the Start/Stop button on the
taskbar, System Restore, nothing. Right clicking the Start Menu did
nothing.
Kept saying something was trying to erase a registry entry or something.

Googling on my old laptop showed that with Win8, you can no longer get into
safe mode by pressing F8 whilst booting; it has to be achieved via Windows
actually allowing you to do this, and mine wasn't allowing me to do anything
at all. Nightmare.

After a lot of perseverance, I finally discovered there is another instance
of the Power Button if you press the Windows flaggy button to reveal all the
"apps", a feature I never use. Clicking this Power Button whilst holding
Shift finally allowed me to access System Restore.
Which worked.
I don't know how this happened, I don't think I clicked any dodgy attachment
and I don't do any dodgy websites, but I have been caught out in the past,
and since learnt to be very suspicious of most things.

The first error message I got was "Windows Live Mail Calendar is corrupted",
and Live Mail refused to run. This quickly progressed to the registry
error message on everything I then tried to do.

Gareth.

Maynard A. Philbrook Jr.
Nov 30, 2014, 8:18:08 PM
In article <m5fnht$l5r$1...@dont-email.me>, grizzle...@comcast.net
says...
I got an e-mail the other day from someone claiming to be a company of Amazon,
"Audible.com". It was short and brief, and the hot link they gave me spit
out a URL that had nothing at all to do with Amazon or anything to do
with anyone selling something. It looked more like some hooky location.

Jamie


rev.11...@gmail.com
Dec 5, 2014, 10:54:28 PM
AutoRuns is your friend here.

http://technet.microsoft.com/en-us/sysinternals/bb963902

Introduction

This utility, which has the most comprehensive knowledge of auto-starting locations of any startup monitor, shows you what programs are configured to run during system bootup or login, and shows you the entries in the order Windows processes them. These programs include ones in your startup folder, Run, RunOnce, and other Registry keys. You can configure Autoruns to show other locations, including Explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, auto-start services, and much more. Autoruns goes way beyond the MSConfig utility bundled with Windows Me and XP.

Autoruns' Hide Signed Microsoft Entries option helps you to zoom in on third-party auto-starting images that have been added to your system and it has support for looking at the auto-starting images configured for other accounts configured on a system. Also included in the download package is a command-line equivalent that can output in CSV format, Autorunsc.

You'll probably be surprised at how many executables are launched automatically!
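To make the description above concrete, here is an added PowerShell example that is not Autoruns and not Sysinternals code. It enumerates a small subset of the locations Autoruns knows about (the Run and RunOnce keys and the two startup folders), checks each image's Authenticode signature, filters out Microsoft-signed entries the way the "Hide Signed Microsoft Entries" option does, and writes a CSV in the spirit of Autorunsc. The `Get-ImagePath` helper and the report file name are my own; the Microsoft-signed test (a valid signature whose subject names Microsoft Corporation) is an assumption that approximates what Autoruns verifies through the certificate chain.

```powershell
# Added example, not the Autoruns tool itself: enumerate common auto-start
# locations, check signatures, hide Microsoft-signed entries, and emit a CSV.
# The location list is a small subset of what Autoruns covers.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # per-user startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users startup folder
)

function Get-ImagePath {
    # Pull the executable path out of a command line such as
    #   "C:\Program Files\Foo\foo.exe" -tray     or     C:\Tools\bar.exe /silent
    # and expand variables like %SystemRoot%. Unquoted paths containing spaces
    # are a known simplification here: only the first token is kept.
    param([string]$CommandLine)
    $path = if ($CommandLine -match '^\s*"([^"]+)"') { $matches[1] }
            elseif ($CommandLine -match '^\s*(\S+?\.exe)') { $matches[1] }
            else { ($CommandLine -split '\s+')[0] }
    return [Environment]::ExpandEnvironmentVariables($path)
}

$entries = New-Object System.Collections.Generic.List[object]

foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, PSProvider, ...
        $entries.Add([pscustomobject]@{ Location = $key; Name = $p.Name; Command = [string]$p.Value })
    }
}
foreach ($dir in $startupFolders) {
    if (-not (Test-Path -Path $dir)) { continue }
    foreach ($f in Get-ChildItem -Path $dir -File) {
        if ($f.Name -eq 'desktop.ini') { continue }
        $entries.Add([pscustomobject]@{ Location = $dir; Name = $f.Name; Command = $f.FullName })
    }
}

$report = foreach ($e in $entries) {
    $image  = Get-ImagePath $e.Command
    $exists = Test-Path -LiteralPath $image
    $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $image } else { $null }
    $status = if ($sig) { $sig.Status.ToString() } else { 'NoFile' }
    $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    # Assumption: approximate Autoruns' Microsoft check by a valid signature whose
    # subject names Microsoft Corporation. Autoruns itself verifies the chain.
    $msSigned = [bool]($sig -and $sig.Status -eq 'Valid' -and $signer -like '*O=Microsoft Corporation*')
    [pscustomobject]@{
        Location        = $e.Location
        Name            = $e.Name
        Image           = $image
        Exists          = $exists
        SigStatus       = $status
        Signer          = $signer
        MicrosoftSigned = $msSigned
    }
}

# The "Hide Signed Microsoft Entries" view: everything that is NOT Microsoft-signed.
# Unsigned images, images that no longer exist and unfamiliar signers are what to
# examine first.
$report | Where-Object { -not $_.MicrosoftSigned } |
    Sort-Object SigStatus, Location |
    Format-Table Location, Name, Image, SigStatus, Exists -AutoSize

# CSV output for later comparison, in the spirit of the Autorunsc command-line tool.
$report | Export-Csv -Path (Join-Path $env:TEMP 'autostart-report.csv') -NoTypeInformation
```

Keeping the CSV from a known-clean machine and diffing it against a later run is the practical use: a new entry pointing at an unsigned image in a user-writable directory is exactly the kind of thing the earlier posts in this thread ran into, and it shows up in that diff even when the file has been renamed.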