Active Protection, Monitored Process window problems.

I had a few warnings and wanted to know more. So I opened Active Protection and the Monitored Process window in TI2020.
I can't enlarge the Process column, can only see the filename and part of the path. Would like to not have to open a CMD prompt and then change to the part of the path I can see and then do a DIR for the file with a /S to actually see where it is?
Also I can't enlarge that window nor SORT on any column.
This makes it hard to read and if I had a lot of hits hard to find what I was looking for.
In the Activity List I see:
================
The process was prevented from accessing the registry:
C:\Windows\System34\rundll32.exe
=================
I have no idea who this could be? Nothing seemed to complain nor can I find an EVENT VIEWER error?
Attached file | Size |
---|---|
Capture_3.JPG | 76.42 KB |



Ahh, hovering does work, takes a few seconds though. Thanks Steve.
Still don't know how to figure out the RUNDLL32.EXE registry stop?
I can't tell if this is causing a problem or not? Happens on every boot? I looked in the Event Viewer and since I've been up less than 1 hour. 4 Errors in the hour, ALL 4 are not this, and all 4 have happened for a very long time, usually the file doesn't exist. Warnings, I've got 56 in the last hour. Still, all existed before the install of TI? Any suggestions on how to determine what this really is? I've used SYSINTERNALS AUTORUNS and it has no RUNDLL32.EXE in it? Not running now in Task Manager either?
Also TI2020 is VERY slow opening. Most of the time sitting at 'Applying User Settings' which seems to be the 1/2 way point on the bar that fills. TI2016 opened immediately it seems before?

Irv, please see forum topic: active "protection" suspicious list STILL SAME ISSUE with rundll32
This will give you more information and a method of checking what is using the rundll32.exe process?
Microsoft Windows [Version 10.0.18362.295]
(c) 2019 Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32>tasklist /m /fi "imagename eq rundll32.exe"
INFO: No tasks are running which match the specified criteria.
C:\WINDOWS\system32>
Also see forum topic: Active Protections "Suspicious Processes".

Steve, I should have mentioned that I did run the command as I saw the other post too. For reference:
===========
C:\WINDOWS\system32>tasklist /m /fi "imagename eq rundll32.exe"
INFO: No tasks are running which match the specified criteria.
C:\WINDOWS\system32>
===========
There is a difference between what I am seeing and that other post. In that one it was 'suspicious'. In my case, it was BLOCKED... and to me, whatever that process was, it didn't get access to the Registry. Hopefully it was something that didn't stop the process from 'working'.
I have searched my Registry, 394 hits for RUNDLL32... and there is no way I can even guess what some are as they use replacement values depending on the call.
I need another way to tell what happened? Some can also be used to delete unneeded data from the registry. If this were the case eventually I may run into future troubles. Suppose it was to remove a RUNONCE entry? I'd be running that every boot, but the list could grow.

Irv, have you downloaded / used the MVP Log Viewer tool to look at the AntiRansomware logs that are created by the AAP process?

Steve, I did run it, but had an older version. Got 2.10, Anti-Ransomware is empty? So I looked at the FILE PROTECTOR and searched for the RUNDLL32. All except 1 had a Return code of 0, this is the one:
===============
9/1/2019 7:46:32 AM: [FileProtector][T] GetProcessInformation: processId 0x4b image C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe size 0x0
9/1/2019 7:46:32 AM: [FileProtector][T] GetProcessInformation: processId 0x4a image C:\Windows\System32\LocationNotificationWindows.exe size 0x0
9/1/2019 7:46:32 AM: [FileProtector][T] GetProcessInformation: processId 0x4c image C:\Windows\System32\rundll32.exe size 0x0
9/1/2019 7:46:32 AM: [FileProtector][T] SetProcessTrustStatus: processId 0x4b, status 1
================
Can't make much of that, nor can I really connect it to the error?

Irv, unfortunately the log viewer tool doesn't have options for all the log files in use with ATI 2020 including those for Active Protection which are stored in compressed form in C:\ProgramData\Acronis\ActiveProtection\Logs (as .log.gz files). These are essentially plain text files so once extracted can be viewed in Notepad.
If you have 7Zip installed, you could just double-click on the .gz files then click again on the log file in the archive and it should open in Notepad or a text editor.
You may find more information in these logs if you look for the date / time of the entries you are seeing in AAP.

Steve, I did UNZIP the GZip files... USELESS as they are quite long. Many per day it seems... must get to a size and TI zips them up.
C:\ProgramData\Acronis\FileProtectorLogs>dir
Volume in drive C is OS
Volume Serial Number is EEE1-088E
Directory of C:\ProgramData\Acronis\FileProtectorLogs
09/01/2019 07:46 AM <DIR> .
09/01/2019 07:46 AM <DIR> ..
08/25/2019 08:21 PM 1,519,546 FileProtector-20190825-125131-210.0.log
08/26/2019 04:52 PM 1,469,992 FileProtector-20190826-104313-864.0.log
08/27/2019 08:26 PM 1,559,980 FileProtector-20190827-130042-489.0.log
08/28/2019 08:20 PM 1,449,202 FileProtector-20190828-140821-543.0.log
08/29/2019 08:56 PM 1,649,298 FileProtector-20190829-125656-120.0.log
08/30/2019 10:16 AM 390,554 FileProtector-20190830-135954-519.0.log
08/30/2019 08:17 PM 1,224,634 FileProtector-20190830-141941-961.0.log
08/31/2019 03:05 PM 1,348,266 FileProtector-20190831-112658-507.0.log
08/31/2019 05:00 PM 532,220 FileProtector-20190831-190653-114.0.log
09/01/2019 04:24 PM 1,374,060 FileProtector-20190901-114624-696.0.log
10 File(s) 12,517,752 bytes
2 Dir(s) 32,153,948,160 bytes free
C:\ProgramData\Acronis\FileProtectorLogs>
As you can see, today's log has not been zipped yet, 1.3Mb's... that is a lot of text.
Time stamps are unreal, like this "20190901-114624-696". Got the first part. 114624 if seconds would be over 31 hours? So that isn't a 'time-stamp' possibly?
It does increment later in the log, somewhat fast too:
[20190901-114626-896][FileProtector][T] GetProcessInformation: processId 0x2 image C:\Windows\System32\smss.exe size 0x0
[20190901-114626-981][FileProtector][T] GetProcessInformation: processId 0x3 image C:\Windows\System32\RuntimeBroker.exe size 0x0
[20190901-114627-567][FileProtector][T] GetProcessInformation: processId 0x4 image C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe size 0x0
[20190901-114627-667][FileProtector][T] GetProcessInformation: processId 0x5 image C:\Program Files (x86)\Google\Update\1.3.34.11\GoogleCrashHandler64.exe size 0x0
[20190901-114628-098][FileProtector][T] SetProcessTrustStatus: processId 0x2, status 1
[20190901-114628-113][FileProtector][T] GetProcessInformation: processId 0x6 image C:\Windows\System32\csrss.exe size 0x0
[20190901-114628-120][FileProtector][T] SetProcessTrustStatus: processId 0x4, status 0
So what would I look for to see what happened @ 7:46 AM today, 9/1/2019?
Searched for Registry, found 2, but they are for icon in a folder on the desktop?
Error code might help, but I don't know what that would be?
7 hits on RUNDLL32, all but the one I posted above has an RC of 0 after it?
Any other suggestions?

Irv, your update refers to C:\ProgramData\Acronis\FileProtectorLogs but the logs I mentioned are in C:\ProgramData\Acronis\ActiveProtection\Logs - the logs can be very long but if you have a note of the date & time of the problem entry, you should be able to search for that in the log file.

Steve, so sorry, you are correct...
Unzipped the file... 7:46AM was my boot time or at least once the log started... There are 12,920 lines in the file! Last 7:46 entry, line 2,689! 25 or so have RUNDLL32 in it. So I searched for Registry... got some hits:
2019-09-01 07:46:45.870599 12004 [warning]: Process [192 (internal), 15100 (system-wide), "C:\Windows\System32\rundll32.exe"] <7662A8D2F23C3474DEC6EF8E2B0365B0B86714EE> prevented from accessing registry key 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Later I see this:
2019-09-01 07:46:48.127940 12004 [info]: [driver] Process [192 (internal), 15100 (system-wide), "C:\Windows\System32\rundll32.exe"] is trying to open registry key 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' with access mask = 983103 [ KEY_ALL_ACCESS ]
Looks to be the SAME processes?
Later another one:
2019-09-01 07:46:48.159175 12004 [warning]: Process [192 (internal), 15100 (system-wide), "C:\Windows\System32\rundll32.exe"] <7662A8D2F23C3474DEC6EF8E2B0365B0B86714EE> prevented from accessing registry key 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Did it try again? Same as the first one above? None after that at that time... did it give up?
Nothing found on my C: drive for 7662A8D2F23C3474DEC6EF8E2B0365B0B86714EE? Registry search for 7662A8D2F23C3474DEC6EF8E2B0365B0B86714EE didn't get a hit either?
Don't have a process 192 or 15100 running now either?
I looked at the KEY in the Registry, looks normal and I think all that is already running?
Not even sure what or why something would be opening that? Only possible reason might be to delete something from there on boot? Doesn't seem to be a need to do anything to those, could it be an add? Did it succeed on what it wanted to do on the 2nd attempt?

Irv, I suspect that the registry run entries are being modified to allow either the install or clean-up of some application component after an update, new install, or uninstall action.
If it doesn't appear to be causing an issue then perhaps just leave alone and monitor.
The alternative would be to turn off AAP then do a restart of the computer to let any such actions complete then turn AAP back on again.

Steve, from what I recall, when something is done to a RUN, like remove it, the entry goes into RUNONCE and that is usually a CMD to delete the entry? I could be wrong, but I did check all RUNONCE and nothing was there to do that?
I'm assuming it is a program during boot that does this, but don't know why?
Take a look at this 'log' for Activities:
REALLY REALLY odd...
A couple of things in this above. See the PeaZip entry... I used THAT to unzip the log file... and it ran? So, it WAS NOT prevented from doing anything! I did add it to Whitelist as you can see. Have not tried using it though.
Between those 2 is the RUNDLL32 again. So as you can see, I disabled AP. Booted, and turned AP back on, and rebooted again. RUNDLL32 is back in the list? It is clear this wasn't a one-time change that needed to be made?
So I just tried PeaZip on the AP Log that is GZipped... opened the log just fine, so I looked at the Activity log and it showed up again.
There is I think some problems with AP? I am quite sure it logged PeaZip that it was preventing it, but empirical proof says it wasn't? Otherwise I'd not be able to open the file?
Same goes for RUNDLL32? I can't determine if anything happened or was truly blocked?
So does AP have some bugs in it? Could the programs fail one way and try a different way? The RUNDLL32 had 3 entries above in an earlier post I did. 2 fails and one that seemed to work was logged?
Whitelist which now has 9 entries after I added PeaZip all are set to 'allow to start'. In PeaZip's case it didn't mean much as it was allowed to open a TI file... so 'starting' was meaningless. But the other 8 entries, originally they were set to 'not start' but it seemed they did? In addition, why are they even on the list? I didn't put them there, and I assume it was done during Install by TI?
I just looked at wife's PC. Now I am TOTALLY confused.
Here Activities also showed RUNDLL32 but only TWICE!!! The day of TI's install and the next day. That PC is booted every day too, but it was installed on 8/23 and the 24th are the only entries???? Also for the Managed Processes she had Firefox as the only one listed. I run it as well but it isn't there? She had 7 Monitored processes and all of them needed Permissions which I set to ALLOW TO START. They then went to the White list, but in some cases when I set that permission other programs appeared needing Permission.
What is going on? Can I believe anything?

Irv, the only suggestion at this point would be to either raise a Support Case direct with Acronis for this issue and get them to investigate / offer an explanation for what's happening with AAP and rundll32.exe - or to post a copy of an Acronis system report (assuming it is small enough to add as a file attachment) and I will cast an eye over that for you. If the report is too large or you prefer not to post to the forum, then send me a PM with a link to where I can access the report zip file via OneDrive, Dropbox etc (if choosing the second option).

I tried to make a report. SYSTEM REPORT is too large it seems.
I've put it on a site. I'll PM you that link, can you handle this from there on?

Irv, I will take a look at the system report file but you would need to open a Support Case yourself if you want Acronis support to investigate. I am not able to forward the report to them.
I'll post again after looking at the report files.

Irv, rundll32.exe is a Windows program that can load a Dynamic Link Library (.dll) to do almost anything. So just looking for rundll32 will do no good. You need to know what DLL is being loaded and why.
I suggest getting the Windows Sysinternals Process Explorer and using that to get a better idea of what is going on.
EDIT: What I meant to suggest was Windows Sysinternals Process Monitor.

Irv, from the system report, for the AAP activity entries in your posts above, I am seeing as follows:
active_protection.45.log
2019-09-01 07:46:43.089446 12004 [info]: [driver] Process [192 (internal), 15100 (system-wide), "C:\Windows\System32\rundll32.exe", 7662A8D2F23C3474DEC6EF8E2B0365B0B86714EE] has started (parent PID = A6 (internal))
2019-09-01 07:46:43.089446 12004 [info]: Setting the trust status of [192 (internal), 15100 (system-wide), "C:\Windows\System32\rundll32.exe"] to 'not trusted': success
2019-09-01 07:46:43.089446 11904 [info]: Monitoring PID 15100 (system-wide) for cryptomining protection
2019-09-01 07:46:45.801592 12004 [info]: [driver] Process [192 (internal), 15100 (system-wide), "C:\Windows\System32\rundll32.exe"] is trying to open registry key 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' with access mask = 983103 [ KEY_ALL_ACCESS ]
2019-09-01 07:46:45.870599 12004 [warning]: Process [192 (internal), 15100 (system-wide), "C:\Windows\System32\rundll32.exe"] <7662A8D2F23C3474DEC6EF8E2B0365B0B86714EE> prevented from accessing registry key 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
2019-09-01 07:46:48.127940 12004 [info]: [driver] Process [192 (internal), 15100 (system-wide), "C:\Windows\System32\rundll32.exe"] is trying to open registry key 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' with access mask = 983103 [ KEY_ALL_ACCESS ]
2019-09-01 07:46:48.159175 12004 [warning]: Process [192 (internal), 15100 (system-wide), "C:\Windows\System32\rundll32.exe"] <7662A8D2F23C3474DEC6EF8E2B0365B0B86714EE> prevented from accessing registry key 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
2019-09-01 07:46:48.174798 12004 [info]: [driver] Process [192 (internal), 15100 (system-wide), "C:\Windows\System32\rundll32.exe", 7662A8D2F23C3474DEC6EF8E2B0365B0B86714EE] has stopped (parent PID = 0 (internal))
2019-09-01 07:46:48.174798 11904 [info]: Unmonitoring PID 15100 (system-wide) for cryptomining protection
active_protection.48.log
2019-09-02 07:39:35.160400 10408 [info]: [driver] Process [201 (internal), 8516 (system-wide), "C:\Windows\System32\rundll32.exe", 7662A8D2F23C3474DEC6EF8E2B0365B0B86714EE] has started (parent PID = B1 (internal))
2019-09-02 07:39:35.160400 10408 [info]: Setting the trust status of [201 (internal), 8516 (system-wide), "C:\Windows\System32\rundll32.exe"] to 'not trusted': success
2019-09-02 07:39:35.160400 10344 [info]: Monitoring PID 8516 (system-wide) for cryptomining protection
2019-09-02 07:39:37.696668 10396 [info]: [driver] Process [201 (internal), 8516 (system-wide), "C:\Windows\System32\rundll32.exe"] is trying to open registry key 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' with access mask = 983103 [ KEY_ALL_ACCESS ]
2019-09-02 07:39:37.776444 10396 [warning]: Process [201 (internal), 8516 (system-wide), "C:\Windows\System32\rundll32.exe"] <7662A8D2F23C3474DEC6EF8E2B0365B0B86714EE> prevented from accessing registry key 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
2019-09-02 07:39:40.165396 10408 [info]: [driver] Process [201 (internal), 8516 (system-wide), "C:\Windows\System32\rundll32.exe"] is trying to open registry key 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' with access mask = 983103 [ KEY_ALL_ACCESS ]
2019-09-02 07:39:40.196625 10408 [warning]: Process [201 (internal), 8516 (system-wide), "C:\Windows\System32\rundll32.exe"] <7662A8D2F23C3474DEC6EF8E2B0365B0B86714EE> prevented from accessing registry key 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
2019-09-02 07:39:40.212260 10408 [info]: [driver] Process [201 (internal), 8516 (system-wide), "C:\Windows\System32\rundll32.exe", 7662A8D2F23C3474DEC6EF8E2B0365B0B86714EE] has stopped (parent PID = 0 (internal))
2019-09-02 07:39:40.212260 10344 [info]: Unmonitoring PID 8516 (system-wide) for cryptomining protection
active_protection.50.log
2019-09-02 08:12:16.944116 11832 [info]: [driver] Process [189 (internal), 15288 (system-wide), "C:\Windows\System32\rundll32.exe", 7662A8D2F23C3474DEC6EF8E2B0365B0B86714EE] has started (parent PID = AA (internal))
2019-09-02 08:12:16.944116 11832 [info]: Setting the trust status of [189 (internal), 15288 (system-wide), "C:\Windows\System32\rundll32.exe"] to 'not trusted': success
2019-09-02 08:12:16.944116 12020 [info]: Monitoring PID 15288 (system-wide) for cryptomining protection
2019-09-02 08:12:19.866620 11832 [info]: [driver] Process [189 (internal), 15288 (system-wide), "C:\Windows\System32\rundll32.exe"] is trying to open registry key 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' with access mask = 983103 [ KEY_ALL_ACCESS ]
2019-09-02 08:12:19.926899 11832 [warning]: Process [189 (internal), 15288 (system-wide), "C:\Windows\System32\rundll32.exe"] <7662A8D2F23C3474DEC6EF8E2B0365B0B86714EE> prevented from accessing registry key 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
2019-09-02 08:12:22.204245 11832 [info]: [driver] Process [189 (internal), 15288 (system-wide), "C:\Windows\System32\rundll32.exe"] is trying to open registry key 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' with access mask = 983103 [ KEY_ALL_ACCESS ]
2019-09-02 08:12:22.235439 11832 [warning]: Process [189 (internal), 15288 (system-wide), "C:\Windows\System32\rundll32.exe"] <7662A8D2F23C3474DEC6EF8E2B0365B0B86714EE> prevented from accessing registry key 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
2019-09-02 08:12:22.251064 11832 [info]: [driver] Process [189 (internal), 15288 (system-wide), "C:\Windows\System32\rundll32.exe", 7662A8D2F23C3474DEC6EF8E2B0365B0B86714EE] has stopped (parent PID = 0 (internal))
2019-09-02 08:12:22.251064 12020 [info]: Unmonitoring PID 15288 (system-wide) for cryptomining protection
All of this activity looks to be related to a driver loading or being updated or similar but impossible to say more. As per Bruno's comment, you would need to use a different tool to try to establish exactly what process is invoking rundll32.exe for this driver activity. The downside of trying to do so is if this issue is happening during your boot process?
You may also want to compare what is in common with your wife's computer and what is unique to yours? I suspect that you have extra programs installed / running that would explain the differences in how AAP reports activity.
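The correlation Steve did by hand across the three log excerpts, written up as an added example (not Acronis code and not anything posted in this thread): a Python script that reads plain or .log.gz active_protection logs, groups the start / trust / registry-open / denied / stop lines under each (internal id, system-wide PID) pair, decodes the 983103 access mask into its Win32 right names, and makes visible that the parent is only ever logged as an internal id. The line patterns are inferred from the excerpts quoted above; the sample input is copied from them.

```python
"""Correlate Acronis Active Protection (AAP) log lines per process.
Added example for this thread, not Acronis code; line patterns are inferred from the
active_protection.*.log excerpts quoted above, and other line shapes are ignored."""
import gzip
import re
import sys
from datetime import datetime
from pathlib import Path

LINE_RE = re.compile(r'^(?P<ts>\S+ \S+) \d+ \[\w+\]: (?P<msg>.*)$')
PROC_RE = re.compile(r'\[(?P<ipid>\d+) \(internal\), (?P<pid>\d+) \(system-wide\), '
                     r'"(?P<image>[^"]+)"(?:, (?P<hash>[0-9A-Fa-f]{40}))?\]')
HASH_RE = re.compile(r'<(?P<hash>[0-9A-Fa-f]{40})>')   # id form used on "prevented" lines
START_RE = re.compile(r'has started \(parent PID = (?P<ppid>[0-9A-Fa-f]+) \(internal\)\)')
TRUST_RE = re.compile(r"Setting the trust status of .* to '(?P<trust>[^']+)'")
OPEN_RE = re.compile(r"is trying to open registry key '(?P<key>[^']+)' with access mask = (?P<mask>\d+)")
BLOCK_RE = re.compile(r"prevented from accessing registry key '(?P<key>[^']+)'")

# Registry access rights from winnt.h; KEY_ALL_ACCESS is their union 0xF003F = 983103.
KEY_RIGHTS = {
    0x00001: 'KEY_QUERY_VALUE', 0x00002: 'KEY_SET_VALUE', 0x00004: 'KEY_CREATE_SUB_KEY',
    0x00008: 'KEY_ENUMERATE_SUB_KEYS', 0x00010: 'KEY_NOTIFY', 0x00020: 'KEY_CREATE_LINK',
    0x10000: 'DELETE', 0x20000: 'READ_CONTROL', 0x40000: 'WRITE_DAC', 0x80000: 'WRITE_OWNER',
}
KEY_ALL_ACCESS = 0xF003F

def decode_access_mask(mask):
    """Expand the numeric mask AAP logs into right names; KEY_ALL_ACCESS leads if complete."""
    names = [name for bit, name in sorted(KEY_RIGHTS.items()) if mask & bit]
    if mask & KEY_ALL_ACCESS == KEY_ALL_ACCESS:
        names.insert(0, 'KEY_ALL_ACCESS')
    return names

def correlate(lines):
    """Group start / trust / registry-open / denied / stop events under (internal id, PID)."""
    procs = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        p = PROC_RE.search(m['msg']) if m else None
        if not p:
            continue            # not a per-process line (executor startup, updates, ...)
        ts, msg = datetime.strptime(m['ts'], '%Y-%m-%d %H:%M:%S.%f'), m['msg']
        rec = procs.setdefault((int(p['ipid']), int(p['pid'])), {
            'image': p['image'], 'hash': None, 'parent_internal': None, 'trust': None,
            'started': None, 'stopped': None, 'events': []})
        h = HASH_RE.search(msg)
        if p['hash'] or h:
            rec['hash'] = (p['hash'] or h['hash']).upper()
        s, t, o, b = (rx.search(msg) for rx in (START_RE, TRUST_RE, OPEN_RE, BLOCK_RE))
        if s:
            # Parent is logged only as an internal id (hex-looking, kept as logged): resolving
            # it means finding the "has started" line of the process that carries that id.
            rec['started'], rec['parent_internal'] = ts, s['ppid']
        elif t:
            rec['trust'] = t['trust']
        elif o:
            rec['events'].append((ts, 'open', o['key'], int(o['mask'])))
        elif b:
            rec['events'].append((ts, 'denied', b['key'], None))
        elif 'has stopped' in msg:
            rec['stopped'] = ts
    return procs

def report(procs):
    """One header line per process, then its registry events in time order."""
    out = []
    for (ipid, pid), r in sorted(procs.items(), key=lambda kv: kv[1]['started'] or datetime.min):
        life = (f"{(r['stopped'] - r['started']).total_seconds():.3f}s"
                if r['started'] and r['stopped'] else 'unknown')
        out.append(f"{r['image']} internal={ipid} pid={pid} parent_internal={r['parent_internal']} "
                   f"trust={r['trust']!r} id={r['hash']} lifetime={life}")
        for ts, kind, key, mask in sorted(r['events'], key=lambda e: e[0]):
            bits = f" mask=0x{mask:X} ({'|'.join(decode_access_mask(mask))})" if mask is not None else ''
            out.append(f"  {ts.strftime('%H:%M:%S.%f')} {kind:6} {key}{bits}")
    return out

def load_log(path):
    """Yield lines from a plain or gzip-compressed (.log.gz) active_protection log."""
    path = Path(path)
    opener = gzip.open if path.suffix == '.gz' else open
    with opener(path, 'rt', encoding='utf-8', errors='replace') as fh:
        yield from fh

# Sample input copied from the active_protection.45.log / .48.log lines quoted in this thread.
SAMPLE = r"""
2019-09-02 07:39:11.904832 6532 [info]: Executor 'ActiveProtectionService' has started
2019-09-01 07:46:43.089446 12004 [info]: [driver] Process [192 (internal), 15100 (system-wide), "C:\Windows\System32\rundll32.exe", 7662A8D2F23C3474DEC6EF8E2B0365B0B86714EE] has started (parent PID = A6 (internal))
2019-09-01 07:46:43.089446 12004 [info]: Setting the trust status of [192 (internal), 15100 (system-wide), "C:\Windows\System32\rundll32.exe"] to 'not trusted': success
2019-09-01 07:46:45.801592 12004 [info]: [driver] Process [192 (internal), 15100 (system-wide), "C:\Windows\System32\rundll32.exe"] is trying to open registry key 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' with access mask = 983103 [ KEY_ALL_ACCESS ]
2019-09-01 07:46:45.870599 12004 [warning]: Process [192 (internal), 15100 (system-wide), "C:\Windows\System32\rundll32.exe"] <7662A8D2F23C3474DEC6EF8E2B0365B0B86714EE> prevented from accessing registry key 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
2019-09-01 07:46:48.127940 12004 [info]: [driver] Process [192 (internal), 15100 (system-wide), "C:\Windows\System32\rundll32.exe"] is trying to open registry key 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' with access mask = 983103 [ KEY_ALL_ACCESS ]
2019-09-01 07:46:48.159175 12004 [warning]: Process [192 (internal), 15100 (system-wide), "C:\Windows\System32\rundll32.exe"] <7662A8D2F23C3474DEC6EF8E2B0365B0B86714EE> prevented from accessing registry key 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
2019-09-01 07:46:48.174798 12004 [info]: [driver] Process [192 (internal), 15100 (system-wide), "C:\Windows\System32\rundll32.exe", 7662A8D2F23C3474DEC6EF8E2B0365B0B86714EE] has stopped (parent PID = 0 (internal))
2019-09-02 07:39:35.160400 10408 [info]: [driver] Process [201 (internal), 8516 (system-wide), "C:\Windows\System32\rundll32.exe", 7662A8D2F23C3474DEC6EF8E2B0365B0B86714EE] has started (parent PID = B1 (internal))
2019-09-02 07:39:37.776444 10396 [warning]: Process [201 (internal), 8516 (system-wide), "C:\Windows\System32\rundll32.exe"] <7662A8D2F23C3474DEC6EF8E2B0365B0B86714EE> prevented from accessing registry key 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
2019-09-02 07:39:40.212260 10408 [info]: [driver] Process [201 (internal), 8516 (system-wide), "C:\Windows\System32\rundll32.exe", 7662A8D2F23C3474DEC6EF8E2B0365B0B86714EE] has stopped (parent PID = 0 (internal))
"""

if __name__ == '__main__':
    lines = SAMPLE.splitlines() if len(sys.argv) < 2 else [l for f in sys.argv[1:] for l in load_log(f)]
    print('\n'.join(report(correlate(lines))))
```

Run it with no arguments to see the two rundll32 lifetimes from the sample (each about 5 seconds, two denied opens apiece), or pass one or more active_protection.*.log or .log.gz paths to correlate a real log.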

Bruno, you are absolutely correct, and I am well aware of what that file does.
I've got a lot of 'tools' that would give me the information, Process Explorer, WinPatrol, ProcMon, Process Lasso, and even Task Manager.
Problem is that this is happening VERY early in the boot process. It seems within a minute of the booting starting... when Windows is loading itself and drivers it seems. Those 2 processes are long gone, they finished what they wanted to do, or even failed to do.
This line at that time would possibly have had the information:
2019-09-01 07:46:48.159175 12004 [warning]: Process [192 (internal), 15100 (system-wide), "C:\Windows\System32\rundll32.exe"] <7662A8D2F23C3474DEC6EF8E2B0365B0B86714EE> prevented from accessing registry key 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
At that point those 2 processes were active and if logged I'd have known. The long number, 7662A8D2F23C3474DEC6EF8E2B0365B0B86714EE, that too could have told me something. However a DIR *7662A8D2F23C3474DEC6EF8E2B0365B0B86714EE* /s on the C: drive didn't find anything and neither was that in the Registry? Possibly a temporary task that was deleted when the task completed?
Even then, the PeaZip part where it was supposedly not allowed but worked anyway is puzzling?
For instance, today it happened again:
=============
2019-09-02 07:39:37.776444 10396 [warning]: Process [201 (internal), 8516 (system-wide), "C:\Windows\System32\rundll32.exe"] <7662A8D2F23C3474DEC6EF8E2B0365B0B86714EE> prevented from accessing registry key 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
==============
Same 'error' called a warning. That is what gets logged in APP with the same timestamp. Different processes from above though..
Now the FIRST 2 entries in that log,
--------
2019-09-02 07:39:11.884746 5220 [info]: Not creating registry key because registry key is already created.
2019-09-02 07:39:11.904832 6532 [info]: Executor 'ActiveProtectionService' has started
-------
26 seconds before the warning....
I can't think of any way to capture the needed data either, what the Process was might help?
I've a disk scanner and I'm running it on the C: drive looking at all files for 7662A8D2F23C3474DEC6EF8E2B0365B0B86714EE in it. So far it has been running for 34 minutes, looked at over 320,000 files and found 2 instances. One is the LOG file, the other, analytics.json which is in the C:\PROGRAMDATA\ACRONIS\ACTIVE PROTECTION\STATISTICS folder... however it wasn't there? I assume the file was deleted when I closed TI2020?
If it should find something I'll update it here.

Irv, I'm not an expert on Sysinternals Process Monitor, but is it possible to set it to run on boot with logging? Then maybe you could map the process number seen in the AP error.
Have you looked at the HKLM\...\Run node, turned off AP, rebooted and looked again right away to see if there are any differences?

Steve, no question about it. Our PC's are the same only in maker and OS (not the release Home/Pro). Probably 50% of the applications might be the same. Different USB Network Adapter, keyboard (same maker), and Mouse.
I wouldn't even try to work on hers now (not that she lets me near it, seriously). I have no explanation why RUNDLL32 showed up in the Activity only twice? That doesn't compute to me.
She basically uses the PC for some games, mail, and browsing, as well as Facebook. I do all that, not to the level of gameplay she does, but some. I will run a lot of tools, optimize my PC, she'll never do that. I run some Beta testing too. Track my investments as few ways, Quicken is one. I do some picture and video processing occasionally as well.
Basically my PC is much more heavily used and stressed compared to hers.
I think I'd be better off trying to pin it down on mine, and once I know the issue, I'll be able to check hers.
I also saw what you posted. I can't tell why there is a WARNING that says it was prevented, and then after that and INFO that appears to be saying it was trying to open the Registry and then another INFO that it has stopped (and probably why the Processes are no longer running)? I think a Developer should be able to clear this up? Also why PeaZip is stated as stopped but it works anyway?
Logging error? Compounded by there isn't enough info to determine what did it?

Steve, going to REPLY to Bruno, I clicked on the lower right without reading it, thought it was REPLY. I'm sort of stressed out over Dorian, we're in the cone of a possible hit... Hurricanes make me nervous.

Irv, first and foremost... STAY SAFE. Hopefully Dorian will bypass you, but it is a biggie.
I just found this web page. Items 3 and 4 may be useful to get more info.
https://betanews.com/2015/11/18/how-to-monitor-registry-changes/

Irv, focus on keeping yourself and family safe in the face of these major storm events that come all too regularly to the States and that part of the globe! That has to be a much higher priority than strange messages logged by AAP!
I have been fortunate to have never been in your situation with regards to exposure to such extremes of weather. The nearest was time spent in Rochester, Minnesota during their tornado season when with IBM. Here in England we only rarely get any storms even approaching those you see, and these have tended to be years apart though we are all concerned with the changes coming from climate change - we have seen much more flooding in recent years in some parts of the country!

Bruno, I think you can too... but you need to know some things about it. I'm not sure the filename is enough. Same goes for the PROCMON and PROCESS LASSO. I've used those before to determine who was playing a WAV file, but I had no problem starting that before the sound played.
Booting process, could be difficult. Depends who gets started when, and if there is enough resources to capture the item?
It did cross my mind to try that. Still, I'd think a developer could help here. I am STILL not convinced anything really has happened? I know PeaZip worked fine, no matter what the Activity log said.
I'm wondering if some programs will try to do something a few times differently depending on the RC it gets? Like elevate itself if it can't work in normal mode? Might explain the 'warning' vs. the 'info' where it stated the mask used? Something probably a developer can explain?
If I can't figure it out or get a reasonable answer I can either live with until I know there was a real problem that it caused or disable the whole feature?
I didn't join the Beta. I'm wondering if this was found in it by someone? If not? Then it might be something unique to my configuration?

Steve, IBM had me working in Boca on OS/2 during the 18 years I was located there. Lived through many Hurricanes, and by far, Andrew in '92 was the worst. Dorian reminds me of that storm, it made a 90 degree left turn as it was passing the Bahamas. A lot of local damage. Now we're in Central Fl. as I retired 17 years ago. With Irma we lost power for 2 days...
As 'luck' would have it, last night for no particular reason we lost power. No wind or rain or high temps??? Anyway my modem and router are on a 1,350VA UPS. During Irma they stayed on for about 8 hours. Last night, ZERO... battery was too weak (maybe 4 - 6 years old?). $80 and I have got new batteries in it, and hope I don't need them.
Did try my Cell phone as a Hotspot. Worked, kind of slow, but it could be used as long as we have Cell service and battery life on the iPad's and phone.

Steve, have you reported this or do I have to open a report and reference here? Wasn't sure if you would or I had to do it?
Of course today I did still get the 'Warning'
==========
2019-09-03 08:01:28.781139 10996 [warning]: Process [203 (internal), 13412 (system-wide), "C:\Windows\System32\rundll32.exe"] <7662A8D2F23C3474DEC6EF8E2B0365B0B86714EE> prevented from accessing registry key 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
==========
No surprise. However, I get a LOT of warnings.
2019-09-03 08:01:02.248400 6540 [warning]: Fail to query registry key SOFTWARE\Acronis\BackupAndRecovery\Settings\MachineManager\InstanceID. Error: The system cannot find the file specified. (Win32 error code = 2)
Registry doesn't have an InstanceID entry in MachineManager
2019-09-03 08:01:02.731074 6540 [info]: Files in network shares will be recovered to C:\ProgramData\Acronis\Restored Network Files
2019-09-03 08:01:02.731074 6540 [warning]: Failed to start network file protection: Session not created
Not sure what is going on Above here?
2019-09-03 08:01:02.256437 6540 [error]: Failed to read from Json database ("C:\ProgramData\Acronis\ActiveProtection\Statistics\analytics.json")
That was the database I couldn't find yesterday either but it did show at one point? Seems to be a file that is only there when ATI is open?
2019-09-03 08:01:02.801508 6540 [warning]: Failed to start self defense: Session not created
2019-09-03 08:01:02.811542 6540 [info]: Self-defense telemetry events: enabled
2019-09-03 08:01:02.811542 6540 [info]: Skipping process monitoring: Session not created
2019-09-03 08:01:02.811542 6540 [info]: Skipping registry monitoring: Session not created
2019-09-03 08:01:02.811542 6540 [info]: Skipping file monitoring: Session not created
2019-09-03 08:01:02.811542 6540 [warning]: Failed to start file protection: Session not created
2019-09-03 08:01:02.811542 6540 [info]: File-protection telemetry events: enabled
What are the warnings about and is it working or not?
2019-09-03 08:01:03.032668 11216 [warning]: Can't update while another update is on-going
Have no clue what this is about?
2019-09-03 08:01:03.042721 6540 [warning]: Path "C:\Program Files (x86)\Acronis\TrueImageHome\*" already added
A whole bunch of these, but they are to in info, not warnings?
2019-09-03 08:01:03.483250 11028 [warning]: Couldn't retrieve file information of "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe": The operation completed successfully. (Win32 error code = 0)
That one is 'odd'? Can't do something but it was successful?
2019-09-03 08:01:03.485273 11028 [warning]: Couldn't retrieve file information of "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe": The operation completed successfully. (Win32 error code = 0)
Get it again?
2019-09-03 08:01:04.037177 11216 [info]: Handle 02,1E8,7D8 (https://dl.acronis.com/u/active-protection/ati/2020/index) has finished retrieving content: failure (CURL error code = 6 Couldn't resolve host name)
2019-09-03 08:01:04.037177 11216 [info]: Handle 02,1A2,050 (https://dl.acronis.com/u/active-protection/ati/2020/index.signed) has finished retrieving content: failure (CURL error code = 6 Couldn't resolve host name)
2019-09-03 08:01:04.037177 11216 [error]: Failed to retrieve content of signed retrieval ID = 0
2019-09-03 08:01:04.037177 11216 [error]: Failed to retrieve signature of signed retrieval ID = 0
2019-09-03 08:01:04.037177 11216 [info]: Verification of signed retrieval ID = 0: failure
2019-09-03 08:01:04.037177 11216 [error]: Failed to retrieve index
2019-09-03 08:01:04.037177 11216 [warning]: Cancelling on-going update
First 2 as info even though it's a failure, and then errors and more info with a failure, and then a warning that it was a fail???
2019-09-03 08:01:06.125882 10996 [warning]: Couldn't retrieve file information of "C:\Program Files (x86)\NETGEAR\A6200\WifiService.exe": The operation completed successfully. (Win32 error code = 0)
Figure this one out? It was a warning it couldn't get the information, but it completed successfully? Sounds like an error to me? Then a short time later it is repeated (didn't bother to include it here)?
There are so many questionable entries in the log, some with too little info to even know what or why it was reported? Info/error/warning entries are not consistent with those meanings (at least to me)?
Problem to me is: is something working right or not? Am I really 'protected'? From reading the log (way too long to really be useful) I am not sure?
I'm also still thinking about how to capture the RUNDLL32 info? I'm sort of thinking if I make Acronis a DELAYED start (if this is even possible) of 5 minutes and add one of the Process programs into startup, I might capture the data I need? Just not sure if this is worth it? Reason being, log notwithstanding, I think everything is working OK?
Can this be passed on to developers/support for answers, or if you submitted a ticket will they be looking here?
If I am all wrong, please, let me know and I'll forget about this log feature.

Steve, have you reported this or do I have to open a report and reference here? Wasn't sure if you would or I had to do it?
Irv, this is something that you need to do yourself as this issue is only happening on your system not mine, so any diagnostic data needs to come from you.

Steve, OK, wasn't sure? I couldn't file one with the System Report, as it said it was not able to be done, and the size was clearly less than the max.
I'll just point them here I guess for full details.

Steve,
I got a support answer:
========
As I understand, Acronis Active Protection problems, mostly with RUNDLL32.EXE. I will be glad to assist you with this.
If Active Protection reports that an attempt to modify Acronis True Image files or settings was blocked, and you trust the corresponding application, usually you do not have to do anything and just ignore that message.
However, if you absolutely need to allow modifying Acronis True Image registry and configuration files outside of the Acronis user interface, you can disable the self-defence feature of Active Protection.
============
Totally missed the problem:
"If Active Protection reports that an attempt to modify Acronis True Image files or settings was blocked, and you trust the corresponding application, usually you do not have to do anything and just ignore that message.
However, if you absolutely need to allow modifying Acronis True Image registry and configuration files outside of the Acronis user interface, you can disable the self-defence feature of Active Protection."
It was the REGISTRY access in the RUN key that was the first problem, nothing to do with Acronis settings or configuration files.
Case # is 04141153 if you can look at them.

Irv, the MVPs are just users and do not have any access to any support cases other than our own via the normal updates sent out by Acronis.
I can only advise you to reject any unacceptable replies from the support team, including replying that they have not understood the issue etc.

Steve, wasn't sure if you could. Did reply back that my problem was not understood. I'm waiting for a response to that.

Irv,
I encourage you to have a look at the LINK below for some great information on the rundll32.exe issue you face and some ways of finding out why it is triggering the AP. I can say that this issue is probably linked to an older app you have installed on your PC and I would hope that you can find out what that app is by following the advice in the LINK. If you can then at least you will learn what the app is and what process it runs that triggers AP. At that point you can possibly check for an update for the app from the maker, turn off the feature of the app causing the problem, or uninstall the app if it is no longer needed, or allow the process if trusted.
Best of luck to you!

Enchanteck,
"I can say that this issue is probably linked to an older app you have installed on your PC and I would hope that you can find out what that app is by following the advice in the LINK."
What leads you to think that? I keep my drivers up to date, and almost everything these days self-checks. I am confused why my wife's PC stopped having the problem after 2 days and mine continues.
Oh, the PEAZIP, it was true, I was using it to open the GZip AP logs. It did open them, so I added it to the Whitelist, didn't matter as you can see.
Things 'prevented' such as PeaZip work, which makes it more confusing to me? The others in the whitelist were originally listed as not able to be started. I then added them to the whitelist thinking one of them was the cause. All, to the best of my knowledge, are part of the boot process to enable some h/w or s/w, and there were NO booting problems or Event Viewer reports that would match any boot problem? Quite possible that the problem is just the log function? If PeaZip is reported as blocked now, on the Whitelist, and it worked fine all the time, could RUNDLL32 have the same problem, bogus log reporting?

The rundll32.exe is a file which many apps use to perform functions within the app. It is difficult to know which app the rundll32 file is associated with without using such tools as I provided the link to.
Since you still have the issue I would say the whitelisted apps you have added to AP are not using this particular rundll32 file.

Irv, if you have Peazip in the AAP whitelist then that should not be a factor here, especially as it is unlikely that Peazip would or should be active when your computer is booting, but that should be fairly easy to check by looking at the Windows 10 Startup items in Task Manager.
As per the linked webpage that Bob pointed you towards, you could try disabling various start up items then check to see if the entries are still given in AAP - if so, the disabled entries are not causing it.

Your statement that this only happens during boot leads me to think that this rundll32 file is a leftover from an uninstalled app. On boot it makes a call to the registry and fails of course and that behavior is triggering AP.

Enchantech wrote: Your statement that this only happens during boot leads me to think that this rundll32 file is a leftover from an uninstalled app. On boot it makes a call to the registry and fails of course and that behavior is triggering AP.
No, it is NOT failing. It is PREVENTED... and to me it was denied access. If so, then what it was trying to do was NOT done.
Given this, I would think I'd see something in Event Viewer to that effect, or something might not work on the PC. Neither one is the case.

Steve Smith wrote: Irv, if you have Peazip in the AAP whitelist then that should not be a factor here, especially as it is unlikely that Peazip would or should be active when your computer is booting, but that should be fairly easy to check by looking at the Windows 10 Startup items in Task Manager.
As per the linked webpage that Bob pointed you towards, you could try disabling various start up items then check to see if the entries are still given in AAP - if so, the disabled entries are not causing it.
Steve, PeaZip is only being used to read the GZIP file in AAP's log folder. It IS an Acronis file, and I'll assume the AP protection for Acronis Files is the cause here. So the 'warning' and 'preventing' IS correct. What is NOT correct is that PeaZip works. It does access the log file, and I can view the file with Notepad (PeaZip I'll assume uses a temp folder to write the unzipped files, hence no warning). So that is a clear problem with AAP: it says it prevented it from accessing an Acronis file, but in this specific case, it DID NOT. I reported this to Support in the same case I reported RUNDLL32 problems. Seems clear it did NOT block access.
I think I'll try SAFE MODE first and see if TI reports a problem. There are many places that 'start ups' happen, from device drivers, services, and start programs; it could take some time to pin down. I used SysInternals AUTORUNS to look at them, easily 100 or more. All I see are a few 'file not found' entries I could probably delete. Remnants of poor uninstalls it seems.
I'm really hoping on an answer from Support on all this...

Sounds like you're on the right track.

Safe mode, no good, AP doesn't start...
Have to rethink what to do?
Autoruns shows these as 'Logon items', many to play with, but the Services list is twice as long as the Tasks list, and Drivers three times as long. There are some in the lists with 'file not found'; I could probably delete those...

Irv, perhaps an alternative approach could be tried?
Are you the only user on this computer? If not, can you try booting and logging in with a different user then check what AAP shows?
If you are the only user, then create a new Administrator user and sign in with it to create all the profile structures, then try with that new user. This should narrow down to those items which are started for All users, eliminating the items which only run for your current user profile.

Steve, yes, only me but I run as Administrator, never get asked if the program is just for me or all users. Suspect a new user wouldn't get to be a real test? TI might not even be on it?
OK, I am 100% confused at this point? Look at this? TI AAP Activity. Two marked are my last 2 morning boots. However I did a SAFE MODE that couldn't start AAP... and then another boot, and I'm sure it didn't do a shutdown, but it did restart my ID, not switch to it. No RUNDLL32 problem?
I'm going to do a PHYSICAL SHUTDOWN and try again, but I am sure a re-boot should have gotten me the error.

This is INSANE!!!
I did a HARD SHUTDOWN! Booted up, NO RUNDLL32 warning at all!
I did get one update on the Cloud operation, not sure if it was MS's One Drive (not even enabled) or Apple's? I am ruling those both out.
I also have a Windows Update waiting for me to d/l and install.
I have NO idea what has happened?
I guess we'll see tomorrow if it 'comes back'?
Looked in the log, doesn't this look like the same operation?
2019-09-06 15:47:44.221577 12084 [info]: [driver] Process [28 (internal), 13560 (system-wide), "C:\Windows\System32\rundll32.exe", 7662A8D2F23C3474DEC6EF8E2B0365B0B86714EE] has stopped (parent PID = 0 (internal))
Same string of characters...
However that above seems to have been the boot from Safe Mode? Maybe it wasn't a full shutdown/reboot which I thought it was as I saw the Dell logo and then the spinning dots.
However I DID get it on the real shutdown after that:
2019-09-06 15:47:57.033423 12112 [warning]: Process [186 (internal), 15132 (system-wide), "C:\Windows\System32\rundll32.exe"] <7662A8D2F23C3474DEC6EF8E2B0365B0B86714EE> prevented from accessing registry key 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
I just checked and opened TI2020 again, same as the above, ONLY the 7AM one is reported under Activity? Not this one? Could there be a buffer that is used, or the actual LOG is not 'handled' until it is turned into a GZip?
Insane... either that or I am doing something really wrong here? On the settings, only the first box is unchecked...
OK, I decided to try a .GZip log with PeaZip... and it did... and I can read the file...
Activities after I open TI:
It registered (even though it IS whitelisted) but not the one just above this? I can NOT explain this?
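The thread complains twice about the same thing: the log excerpt at the top of this section mixes info/warning/error levels in ways that are hard to read, and the rundll32 'prevented from accessing registry key' entry above appears in the .gz log but not on the Activity page. The script below is an added example (not Acronis code and not from anyone in this thread) for tallying such a log offline and pulling out every 'prevented' event with its process image, hash and target key, so the log can be compared entry by entry with the Activity page. The line layout is inferred from the entries quoted in this thread, not from any Acronis documentation; the last sample line, its path and its all-zero hash are constructed placeholders.

```python
"""Tally Acronis Active Protection (AAP) log lines by severity and extract
the "prevented from accessing" events for comparison with the Activity page.

Added example. The line layout below is inferred from entries quoted in the
forum thread; the final SAMPLE_LOG line (path and hash) is a constructed
placeholder, not a real process."""
import re
from collections import Counter

# Constructed sample: the first five lines are copied from the thread; the
# sixth is constructed so that grouping has more than one image to show.
SAMPLE_LOG = r"""
2019-09-03 08:01:02.256437 6540 [error]: Failed to read from Json database ("C:\ProgramData\Acronis\ActiveProtection\Statistics\analytics.json")
2019-09-03 08:01:02.801508 6540 [warning]: Failed to start self defense: Session not created
2019-09-03 08:01:03.483250 11028 [warning]: Couldn't retrieve file information of "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe": The operation completed successfully. (Win32 error code = 0)
2019-09-06 15:47:44.221577 12084 [info]: [driver] Process [28 (internal), 13560 (system-wide), "C:\Windows\System32\rundll32.exe", 7662A8D2F23C3474DEC6EF8E2B0365B0B86714EE] has stopped (parent PID = 0 (internal))
2019-09-06 15:47:57.033423 12112 [warning]: Process [186 (internal), 15132 (system-wide), "C:\Windows\System32\rundll32.exe"] <7662A8D2F23C3474DEC6EF8E2B0365B0B86714EE> prevented from accessing registry key 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
2019-09-06 15:48:10.000000 12112 [warning]: Process [190 (internal), 15200 (system-wide), "C:\CONSTRUCTED\example.exe"] <0000000000000000000000000000000000000000> prevented from accessing registry key 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
"""

# "<timestamp> <thread id> [<level>]: <message>"  (layout inferred from the thread)
HEADER_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) (?P<tid>\d+) '
    r'\[(?P<level>[a-z]+)\]: (?P<msg>.*)$')

# Process descriptor as written in both the [driver] lifecycle entries
# ("..., <hash>]") and the prevented entries ("...] <hash>").
PROC_RE = re.compile(
    r'Process \[(?P<ipid>\d+) \(internal\), (?P<pid>\d+) \(system-wide\), '
    r'"(?P<image>[^"]+)"(?:, (?P<hash_in>[0-9A-Fa-f]+))?\]'
    r'(?: <(?P<hash_out>[0-9A-Fa-f]+)>)?')

# Tail of a prevented entry: the kind of object and, when quoted, which one.
PREVENTED_RE = re.compile(
    r"prevented from accessing (?P<kind>.+?)(?: '(?P<target>[^']*)')?$")


def parse_log(text):
    """Split raw log text into records; lines that do not have the header
    shape (blank lines, continuation text) are skipped."""
    records = []
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def level_counts(records):
    """How many error / warning / info lines the log holds."""
    return Counter(r['level'] for r in records)


def prevented_events(records):
    """Every 'prevented from accessing' entry with its PID, image, hash,
    object kind and target, in log order."""
    events = []
    for r in records:
        if 'prevented from accessing' not in r['msg']:
            continue
        pm = PROC_RE.search(r['msg'])
        tm = PREVENTED_RE.search(r['msg'])
        if not (pm and tm):
            continue
        events.append({
            'ts': r['ts'],
            'pid': int(pm.group('pid')),
            'image': pm.group('image'),
            'hash': (pm.group('hash_out') or pm.group('hash_in') or '').upper(),
            'kind': tm.group('kind'),
            'target': tm.group('target') or '',
        })
    return events


def summarize_by_image(events):
    """Group prevented events by image path: count, distinct hashes, distinct
    targets. One image path with more than one hash means different binaries
    ran under the same name, which deserves a closer look."""
    summary = {}
    for e in events:
        s = summary.setdefault(e['image'], {'count': 0, 'hashes': set(), 'targets': set()})
        s['count'] += 1
        if e['hash']:
            s['hashes'].add(e['hash'])
        if e['target']:
            s['targets'].add(e['target'])
    return summary


def success_coded_warnings(records):
    """Warnings that carry 'Win32 error code = 0' (the "couldn't, but it
    succeeded" lines the thread calls odd), so they can be filtered out."""
    return [r for r in records
            if r['level'] == 'warning' and 'Win32 error code = 0' in r['msg']]


def describe(summary):
    """One readable line per image, most-blocked first."""
    return [f"{image}: {s['count']} blocked, hashes={sorted(s['hashes'])}, "
            f"targets={sorted(s['targets'])}"
            for image, s in sorted(summary.items(), key=lambda kv: -kv[1]['count'])]


if __name__ == '__main__':
    recs = parse_log(SAMPLE_LOG)
    print('by level:', dict(level_counts(recs)))
    for line in describe(summarize_by_image(prevented_events(recs))):
        print(line)
    for r in success_coded_warnings(recs):
        print('warning with success code:', r['msg'][:70], '...')
```

To run it against a real log instead of the constructed sample, read the .gz with `gzip.open(path, 'rt', errors='replace').read()` and pass the text to `parse_log`; the summary then lists each blocked image once with the hashes and registry keys seen across the whole boot, which is the list to hold up against the Activity page.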

Irv, it is possible that your previous shutdown or restart didn't perform a full shutdown and restart but the only way to really know would have been to check the Windows Up Time by opening the Performance page of Windows Task Manager where this is shown.

5:13PM here. Uptime: 1 hour 26 min. and 51 seconds. I.e., boot was at 3:47 or so this afternoon.
Error for RUNDLL32 time in log, 2019-09-06 15:47:57.033423
So it happened almost exactly on the last boot, but no Activity shown?
OK, I got 'permission' to look at my wife's PC.
First I opened TI2020... and looked at AAP's Activity. NOTHING since 9/2, when I added the few apps from the Monitored list to be able to start.
Then I used PeaZip to open the GZip file from her boot this morning... well, look what I see...
I don't think the Activity page is really showing everything and the LOG to me, is a mess of inconsistent and incomplete log entries.
Note this is the same string of characters I have as well... but no clue as to what it is?
I know you say this isn't happening to you, but can you trust the Activity page? Have you looked at your log around the boot time?
I now have 2 slightly different PC's doing the same thing. I can post the 2 directories with time stamps if you wish to prove they are different PC's.
Something has to be broken here?
Oh well, more stuff to throw at support when they reply back.
Anyone else, please check the AAP Activity page and your log from first boot time, see if you have it as well?

Irv, my laptop was restarted around 1 hour 35 mins ago as shown for Up Time and I have no entries at all in the AAP Activity page for today or several previous days, as shown in the images below.
Note: I have rundll32.exe as allowed to start in the Manage processes list, and zero processes being monitored by AAP.

How odd? I do not have RUNDLL32 on the Manage Process list at all. It was never listed there. Did you manually add it or was it automatically there when you installed 2020?
Also, I only see in the Activity when I turn off AP and then on again, other times, nothing.
I too have 0 managed processes as well.
I notice you have set some to start and modify your backups. Mine are all set to start. It is possible PeaZip didn't have any settings there before and I added it. Now, opening a GZIP file shouldn't be considered modifying to me, but I see where that is possible IF one considers the LOG files 'backups' (I do not). Maybe the words 'Acronis Files' vs. 'backups' are really needed.
Have you looked at your logs for RUNDLL32? I had a lot of them, including the above 'warning' that to me since it uses the word 'prevented' is actually an error.
Should I add RUNDLL32 to the list, do you think that is really the problem?

Irv,
When you try to manually delete .tib or .tibx files in Windows Explorer, AAP will flag it (twice). That is where most of the whitelists to allow RUNDLL32 come from in the AAP notifications and allowed processes.
Anytime something wants to access or modify .tib / .tibx files or anything to do with True Image, they will get flagged. In mine, you'll see that command prompt and robocopy are also there because of my local scripts to copy backups from one location to another got flagged at one point. You'll also see that tools like DISM++ and even an unsigned copy of an earlier version of the MVP tool got flagged for me at one point - both of which were mounting the True Image provided WinPE files during testing and creation of the MVP tool.
Attached file | Size |
---|---|
512032-172219.jpg | 204.64 KB |

Irv,
AP has a built in self defense mechanism that is triggered anytime a TI app file is attempted to be modified. This would apply to the log files as well.
If you open Windows Explorer and navigate to the Windows\System32 folder and then search that folder for rundll32 what is the result? I am posting a screenshot of what I see on my system.

Got it Steve, and those are true backup files. Log files are not backup files. It is possible AAP considers 'anything' that tries to open any file in the Acronis Folder and all sub-folders 'backup' files as well. That is what is causing the PeaZip prevention of accessing Acronis files. I could change PeaZip to also allow accessing backup files I guess?
Well, I changed the PeaZip program to allow it to change backup files. Opened Explorer, changed to the AP log folder in ProgramData\acronis, opened a GZip file, then the log file itself, and closed all. Then started TI, and in Activity, PeaZip is right there at the top with the present time stamp.
So, that suggests doing that didn't change a thing (unless a reboot is required to change in-memory permissions?). Doubt any RUNDLL32 additions would do much either? I'll wait to hear from Support before doing that.