Solved: Re: CSA and services.exe (Slow Login)

stefan.bischoff · ‎12-13-2004

CSA prompts for user response when services.exe tries to open/read several .exe an d .dll-files during the login-procedure (no user is logged in at this moment, so default action deny ist taken). The login procedure increased in time since the installation of CSA from 1.5 minutes to more than 20 minutes. Is there a secure way to create exceptions for this? Rules which triggered the events: 320, 400. 379, 397, 29 (services.exe tried to open/write several files)

Thanks for your replies

Stefan

tsteger1 · ‎12-14-2004

It looks like it's running a setup.exe or two at login or at a specified time (hence the services message). Do you have some automated installations like SMS or SUS running on this machine? You can also check the startup folder or look in the registry for a run or runservices entry.

View solution in original post

tomayer · ‎12-14-2004

Hi Stefan!

Did you start from the Default policies?

Services.exe trying to write EXE and DLLs at Startup is definetly not normal.

Where is the Services.exe located?

A good place to verify if this is a WINDOWS Process or a Virus might be:

www.answersthatwork.com

The WINDOWS Services is located at:

C:\WINNT\System32\Services.exe in Windows NT4/2000, or C:\Windows\System32\Services.exe in Windows XP/2003.

if your Services.exe is located elsewhere, you might be infected with a Virus!

regards,

Tobias

stefan.bischoff · ‎12-14-2004

Hi Tobias,

yes we started from the default policies. As an example I'll put one of the messages into this reply.

14.12.2004 11:25:22: The process 'C:\WINDOWS\system32\services.exe' (as user NT-AUTORITÄT\SYSTEM) tried to open/write the file 'C:\WINDOWS\hh.exe' and the user was queried. The user responded by choosing 'No to All'.

Thanks for your reply

Stefan

tomayer · ‎12-14-2004

Stefan,

What else are you seeing in the log messages?

hh.exe is a windows utility for Helper files, so it seems to be a legitimate application.

regards,

Tobias

stefan.bischoff · ‎12-14-2004

Hello Tobias,

all entries in the event log shows similar content: The process'C:\WINDOWS\system32\services.exe' (as user NT-Autorität\SYSTEM) tried to open/write the file...and the user was queried. (as examples: wmplayer.exe, mplayer2.exe, hh.exe, agentinfo.exe, IsUninst.exe, explorer.exe,... for each of them the log shows the correct pathnames).

With kind regards

Stefan

Is it helpful to post a screenshot from the event log? If yes, I'll attach a JPEG to the message.

stefan.bischoff · ‎12-14-2004

Hello,

this is the example of the event log.

With kind regards

Stefan Bischoff

tsteger1 · ‎12-14-2004

It looks like it's running a setup.exe or two at login or at a specified time (hence the services message). Do you have some automated installations like SMS or SUS running on this machine? You can also check the startup folder or look in the registry for a run or runservices entry.

stefan.bischoff · ‎12-14-2004

Thank you for your reply. It was helpful. On this computer the software "On Command CCM" is installed, which will start several setups during the login process. Problem is now, that the user can't decide, which action is to take when CSA wants to query him, so the default action is taken - deny.

Thanks to all helping me to get an explanation for this problem.

With kind regards

Stefan