
Rundll32.exe scanning my computer, PART 2 ! Busted: appraiser.dll


Skybuck Flying

Nov 10, 2015, 9:35:07 PM

I was just running Firefox webbrowser with many tabs open, I closed all of

Then I returned to task manager... first I noticed this annoying svchost.exe
running again but it disappeared fast.

I also noticed the harddisk light flickering (thankfully).

Then I noticed this rundll32.exe was running again !

This time I took some advice from you guys and had the image path showing on
columns always !

And this time I was able to bust and catch it red-handed ! ;) =D (took a
screenshot ! =D)

Now the investigation can start to what this is.

And yes its behaviour is the same... it seems to scan *.exe files, why I
don't know.

Here is the screenshot:

Its command line is:

c:\Windows\system32\rundll32.exe appraiser.dll,DoScheduledTelemetryRun


Skybuck Flying

Nov 10, 2015, 9:40:05 PM
Reading into this:

You can see it on your PC by bringing up Task Scheduler (type task scheduler
in the find box), then on the left move down to Task
Scheduler Library/ Microsoft/ Windows/ Application Experience.
There you'll find the Microsoft Compatibility Appraiser task,

*** set to run at 3:00 a.m. every day ***

It happens to be around 3:38 AM right now !

So indeed, this is very sneaky of Microsoft... to be running something at
NIGHT ! When most people are sleeping and might have left their PCs on !

Very sneaky ! Very dangerous ! Me "very displeased" that Microsoft takes my
PC for granted !

The CPU cycles are mine... and so is my harddisk. !

Keep your paws off of my files and my computer !

For all I know this fokking thing might cause a fire at night ! You damn
fags !


Skybuck Flying

Nov 10, 2015, 9:48:02 PM
More Skybuck busting Microsoft red-handed =D:

^ screenshot shows task scheduler queueing programs to run and such...

Now I understand why this application experience service kept starting up
all the time... fokking thing !

I will try and remove this shit... but I have a strong feeling that
something will put it back ?!

Since I saw people mention this sort of...

Knowledge from:

- go to Computer Management (right-click on MyComputer>Manage)
- in System Tools rollout go to Task Scheduler > Task Scheduler Library

- expand Microsoft, then Windows

- click on Application Experience

- in the list right-click on Microsoft Compatibility Appraiser and Disable





Skybuck Flying

Nov 10, 2015, 9:52:10 PM

I now have very hard evidence that Microsoft has been infiltrated/possibly
taken over by NSA:

^ I cannot remember ever signing up to any "customer experience improvement


Skybuck Flying

Nov 10, 2015, 9:56:06 PM
More busting time:

Microsoft's Windows 7 privacy statement:

Some features that contact the Internet are turned on by default to make
Windows 7 work better. You can choose to disable these features. To learn
more about these features, see the Windows 7 Privacy Supplement.

^^^ BIG WTF ^^^ there.

This proves they just go ahead... and don't even ask permission !


Skybuck Flying

Nov 10, 2015, 10:00:11 PM
Sniff, Sniff, what's that I smell ?! Is that an NSA smell ?! Yup, sure thing
bros !

^ If there ever was such a thing as an NSA smell to it, then this is it !


Uses of information

We use the information collected to enable the features you are using or
provide the services you request. We also use it to improve our products and
services. In order to help provide our services, we occasionally provide
information to other companies that work on our behalf. Only companies who
have a business need to use the information are provided access to them.
These companies are required to keep this information confidential and are
prohibited from using it for any other purpose.

Additional details


Skybuck Flying

Nov 10, 2015, 10:08:32 PM
Holyshit batman ! Even more crap...

This shit runs on startup too:

Bleh !

autochk proxy

Whatever that is... SQM related... I have a feeling this has something to do
with windows updates...

Maybe this shit... will re-install it...

Apparently SQM stands for:

"Software Quality Management (SQM) "

I have come to be suspicious of anything called "management" ;) =D

Could also mean:

"Software Quality Metrics (SQM)" a protocol.

Perhaps this is what Microsoft uses to update windows... not sure...



Skybuck Flying

Nov 10, 2015, 10:11:29 PM
This is quite alarming:


This changed recently with the release of several updates for both operating
systems that step up the game.

KB3068708 Update for customer experience and diagnostic telemetry - This
update introduces the Diagnostics and Telemetry tracking service to existing
devices. By applying this service, you can add benefits from the latest
version of Windows to systems that have not yet upgraded. The update also
supports applications that are subscribed to Visual Studio Application
Insights. (Windows 8.1, Windows Server 2012 R2, Windows 7 Service Pack 1
(SP1), and Windows Server 2008 R2 SP1)
KB3022345 (replaced by KB3068708) Update for customer experience and
diagnostic telemetry - This update introduces the Diagnostics and Telemetry
tracking service to in-market devices. By applying this service, you can add
benefits from the latest version of Windows to systems that have not yet
been upgraded. The update also supports applications that are subscribed to
Visual Studio Application Insights. (Windows 8.1, Windows Server 2012 R2,
Windows 7 Service Pack 1 (SP1), and Windows Server 2008 R2 SP1)
KB3075249 Update that adds telemetry points to consent.exe in Windows 8.1
and Windows 7 - This update adds telemetry points to the User Account
Control (UAC) feature to collect information on elevations that come from
low integrity levels. (Windows 8.1, Windows RT 8.1, Windows Server 2012 R2,
Windows 7 Service Pack 1 (SP1), and Windows Server 2008 R2 SP1)
KB3080149 Update for customer experience and diagnostic telemetry - This
package updates the Diagnostics and Telemetry tracking service to existing
devices. This service provides benefits from the latest version of Windows
to systems that have not yet upgraded. The update also supports applications
that are subscribed to Visual Studio Application Insights. (Windows 8.1,
Windows RT 8.1, Windows Server 2012 R2, Windows 7 Service Pack 1 (SP1), and
Windows Server 2008 R2 SP1)


consent.exe is modified... apparently more data collection points are added.

This could explain why I experience Windows 7 as more sluggish lately...


Skybuck Flying

Nov 11, 2015, 7:36:58 AM
The spying crap is so much I had to take a break.

I am now slowly investigating further, even more crap:

Last one is really weird, collects USB information and such and sends it to


Skybuck Flying

Nov 11, 2015, 7:42:09 AM
Oh my God, this spyware crap is like the never ending story, there seems no
end to it, even more crap:

gwx, windows 10 update crap.

And surprise, surprise, more appraiser events/calls ! Yikes !

This time with no description even... no customer experience setting or
whatever... it's just there in your face... taking a big poop... and running
whenever it wants apparently.

Sucks bad.


Skybuck Flying

Nov 11, 2015, 7:51:54 AM
The stuff under "application experience" was so annoying I deleted it... I
kinda regret that now, cause it is deleting evidence... but ok... it's also
an interesting test.

The rest of the crap I have disabled.

It will be curious to see if this crap is somehow re-enabled in the future.

The only thing I am unsure of if it's smart to disable is

autochk... going to investigate what that is.

I have also disabled the backup warning cause my system doesn't do that.

I may also disable and probably will disable activation service... cause
that don't need to run every 90 days anyway. I wonder what will happen if
that service is disabled.


Skybuck Flying

Nov 11, 2015, 8:01:53 AM
Autochk seems to be part of microsoft experience program according to this:



This task collects and uploads autochk SQM data if opted-in to the Microsoft
Customer Experience Improvement Program.

This is enabled by default.

Security Options

Run whether user is logged on or not


At startup
Delay task for 30 minutes


Start %windir%\system32\rundll32.exe /d acproxy.dll,PerformAutochkOperations


Start the task only if the computer is idle for 10 minutes
Wait for idle for 365 days


Allow task to be run on demand
Run task as soon as possible after a scheduled start is missed
Stop the task if it runs longer than 3 days
If the running task does not end when requested, force it to stop
If the task is already running do not start a new instance.


So can probably be safely disabled.

I have also disabled "system restore/protection service" since I have
restore points always off as any smart user would have :) Haha otherwise kiss
system performance goodbye ! ;)

Though this service would run at 0:00 every night... no idea if it does
anything extra... probably not..

It probably just starts... sees that I have it disabled and exits again...
so might as well disable it.

So far I am not liking the new CEO of Microsoft... Apparently he is a
sleazeball.. who thinks he can get away with spying on people ! So for now I
blame this on him... and he has to go !

If he is not responsible for this then he should do something about this !
Otherwise he still has to go ! ;) :P =D
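
Added example (not part of the thread, and not any poster's code): a Python function that reads a task definition in Task Scheduler's XML form, such as `schtasks /Query /TN <task> /XML` prints, and reports which DLL and export each rundll32.exe action loads, together with the task's triggers and enabled state. The sample XML is constructed from the autochk task settings quoted above, and its task URI is a placeholder.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample in Task Scheduler XML form, modelled on the autochk task
# settings quoted in the post above; the URI is a placeholder, not a real path.
SAMPLE_TASK_XML = r"""<Task version="1.2"
    xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Example\AutochkProxy</URI></RegistrationInfo>
  <Triggers><BootTrigger><Delay>PT30M</Delay></BootTrigger></Triggers>
  <Settings><Enabled>true</Enabled></Settings>
  <Actions>
    <Exec>
      <Command>%windir%\system32\rundll32.exe</Command>
      <Arguments>/d acproxy.dll,PerformAutochkOperations</Arguments>
    </Exec>
  </Actions>
</Task>"""


def rundll32_actions(task_xml):
    """Return one record per Exec action that launches rundll32.exe."""
    root = ET.fromstring(task_xml)
    enabled = root.findtext("t:Settings/t:Enabled", "true", NS).strip().lower() == "true"
    # Trigger element names (BootTrigger, CalendarTrigger, ...) say when it runs.
    triggers = [el.tag.split("}", 1)[-1] for el in root.findall("t:Triggers/*", NS)]
    records = []
    for action in root.findall("t:Actions/t:Exec", NS):
        command = action.findtext("t:Command", "", NS).strip().strip('"')
        if re.split(r"[\\/]", command)[-1].lower() not in ("rundll32", "rundll32.exe"):
            continue
        args = action.findtext("t:Arguments", "", NS).strip()
        # rundll32 takes "<dll>,<export>"; switches such as /d may precede it.
        match = re.search(r'("[^"]+"|[^\s,"]+)\s*,\s*(\S+)', args)
        dll, export = (match.group(1).strip('"'), match.group(2)) if match else (None, None)
        records.append({
            "task": root.findtext("t:RegistrationInfo/t:URI", "", NS),
            "dll": dll,
            "export": export,
            "dll_is_bare_name": bool(dll) and not re.search(r"[\\/]", dll),
            "triggers": triggers,
            "enabled": enabled,
        })
    return records


if __name__ == "__main__":
    for record in rundll32_actions(SAMPLE_TASK_XML):
        print(record)
```
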


Skybuck Flying

Nov 11, 2015, 8:06:50 AM
This explains the SQM files... I probably already deleted those in the past:

What is sqmdata and .sqm file in windows 7 and how to delete them

If you’ve ever turned on show hidden files in the folder options, you will
likely observe sqmdata and sqmnoopt, all .sqm files, on your root partition,
usually under the C drive. Although the files are relatively small, it is
annoying to have a huge list of them in your root directory. So I did a
quick Google search and found out that the .sqm files are for Microsoft Live
products, so software like Windows Live Messenger (MSN) and other Live
packages will create those files. “.sqm” stands for Service Quality
Monitoring. It's a list of files that collect information used by
Microsoft to help improve their products, by monitoring the usage of the
software. You can stop those files being created.

Seems to have been part of Windows Live Messenger... and other microsoft
live products.

Go to Help > Help Improve Windows Live (Hold Alt if you don’t see the tool
bar option)

Click and Choose do not participate

You are done This will disable the .sqm file being created, and hopefully
you will have a clean root directory.


Skybuck Flying

Nov 11, 2015, 8:10:56 AM
So more interesting information about SQM files and a tip for resource

The SQM file format is an undocumented, internal, binary format used by
Microsoft's common "Software Quality Metrics" infrastructure. Internally
known as "squim", to the outside world the PR folks named it the "Customer
Experience Improvement Program".
There are dozens of Microsoft applications (from Windows Live Messenger, to the
Windows Search service, to SQL Server Management Studio) that use SQM. The
different teams within Microsoft instrument their applications to record how
well things are running, and how users use the software.

The resulting sqm files are a raw binary output of the recorded values. The
file is not obfuscated, but it is not documented. It's a highly tedious file
format, which is fine because it's only meant to be decoded by teams
internally at Microsoft (i.e. it's not a supported Windows feature that
outside developers can rely on). If Microsoft did document it, then they'd
be forced to support it forever.

The sqmapi.dll originally started inside the Live group, but other teams
began using it to get feedback on how their software is running and being

Here's a telephone interview on Channel 9 about SQM.

Like it or not: you're not going to get any official documentation on it. It
is not a public-facing API; it's meant for internal use only.


As for who's creating the files. Do what you would do when you want to know
who is creating anything on your computer. Run Process Monitor, set it to
filter for "Path contains fwtsqmfile" and wait a few

You'll then have the name of the executable that creates them.


Well the tip is apparently for process monitor. I thought he might have meant
resource monitor built in to task manager, but nope resource monitor does
not appear to have a filter option like that ! ;)

Unfortunately process monitor tool does not run on my windows 7 x64
edition... I also tried... running as admin to no avail... maybe it was a
bad download and a little bit error snuck into it... somewhat unlikely but



Skybuck Flying

Nov 11, 2015, 8:14:24 AM
I re-downloaded Process Monitor:

The files are protected via winrar/rar file so it's unlikely that corruption

This tool does not work on my current system configuration. Perhaps it needs
some service to run.

Let me know if this tool fails for you too or if you did get it running ?!


Skybuck Flying

Nov 11, 2015, 8:22:19 AM
Even the 64 bit edition of procmon won't run... I guess it uses some
internal windows nt api which has changed... and now the app fails or so...

I also tried alternative ospy mentioned on stackoverflow... also doesn't
work... (also tried running as admin) well too bad...

(I tried attaching to Firefox... 0 bytes were collected... bit weird).

process explorer does work and other tools too... so that is enough for
now... kinda curious though why these tools don't work... it would have been
nice to have.


Skybuck Flying

Nov 16, 2015, 7:40:30 PM
Process monitor has a logging capability which could help users discover
what's going on when Windows 7 goes idle.

This tool is no longer working. How "convenient".


Skybuck Flying

Nov 16, 2015, 7:41:54 PM
Would be interesting if there was a command to force windows into idle

Right now it seems it will take 10 to 15 minutes or so for task manager to
recognize idle state, which depends on 90% processor idle and no user
interaction during this time.. at least is what I gather from the internet.

Then it might take another 3 minutes before defrag starts running.

Perhaps one way could be to prevent monitor turn off... at least then it
might be visible in task manager.


Jens Stuckelberger

Nov 17, 2015, 10:17:00 AM
On Tue, 17 Nov 2015 01:41:55 +0100, Skybuck Flying wrote:

> Would be interesting if there was a command to force windows into idle
> state.

I hate to bring bad news to you, but the truth is that nobody
cares about your Windows issues in sci.crypt.


Nov 22, 2015, 3:28:27 PM
For your information: there are several viruses and Trojan horses that
prevent process monitor from running (for obvious reasons.)


Skybuck Flying

Nov 22, 2015, 9:49:06 PM

"dunno" wrote in message news:n2t8hb$m2l$
I am gonna have to call bullshit on this.

Task Manager, Resource Monitor, RAMMap and VMMap and ProcessExplorer
sysinternals tools are running.

Further google has nothing on your claims ;)

Seems very unlikely for a virus/trojan to prevent process monitor from
running but not the rest ?

What would make blocking process monitor so special ?

Seems more likely that process monitor used some internal windows api, that
got changed by a windows update.


Skybuck Flying

Nov 22, 2015, 10:01:21 PM
Yet Another Process Monitor fails too.. I think I already wrote about
that... but will mention it again.

Apparently it uses the same fail API or Service that is not running.

Its source code is available... so it would be possible to dive into it to
see why this app's gui does not show.

Not gonna waste my time on it though.

My system behaves ok, no sign of trojan or virus, except the Microsoft crap
which has been disabled ;)

