InfiniSource chief's system slows to a crawl

Discussion in 'Windows XP' started by RCS-Joe, 2008/05/12.

  1. 2008/05/12
    RCS-Joe Well-Known Member Thread Starter

    Hi... this is Joe Burke... head of Infinisource and Rose City Software. I talked to Arie and he suggested I post here with an issue that has surfaced on my main PC. I have a very new quad core custom built PC running XP Pro which up until a couple days ago was running flawlessly and very very fast. Early last week I installed XP SP3 and everything was fine. Then I installed one piece of beta software but didn't allow it to make any system changes... and I also mistakenly wound up on one questionable website. Those are really the only two things I did which I could recall all week which might have precipitated this problem.

    A couple days ago my system began running very slowly... click on something like IE and instead of opening in a split second it would take up to a full minute to respond... same with just about every action, even trying to move a window or pull up a Windows menu. Unfortunately I only had system restore points back a few days so I ran the earliest one I had and everything was fine... for about one day but when I rebooted next day the problem was back. I asked Arie about it... he suggested looking in Task Manager which I did although it took a very long time to open. I could not find anything suspicious running. The only anomaly was that SVChost.exe was using 50% CPU as was system idle process. No activity was happening on the internet... DU Meter running did not disclose any download or upload activity. And the system was not running any scans or activity.

    Arie suggested removing SP3... in order to do anything with the PC I had to run the same restore point again which reenabled my PC to work normally. I uninstalled SP3 successfully and rebooted. I also did a defrag and system cleanup. That was yesterday and all was well all day long. This morning I booted up and again the system was deadly slow. Checking task mgr again, the same condition existed where SVChost.exe was using 50% CPU.

    I spoke to Arie and he suggested a reboot again which I did and the system booted up normally... no system lag at all... and SVChost.exe was using 00% CPU.

    He had me download Deckard's System Scanner, run the scan, and post the log, which I'll paste up below.

    Any help would be much appreciated... my next best option is to restore my system with an Acronis Backup image from 10/22/07 which was a full install of all software at that time.

    Anyway... below is the log... Bear in mind that the system is running normally at the moment and when this scan was run... so if this is a spyware issue, that process is probably not running at the moment, but Arie said to go ahead and post the log now anyhow... so here it is.

    Deckard's System Scanner v20071014.68
    Extra logfile - please post this as an attachment with your post.
    --------------------------------------------------------------------------------

    -- System Information ----------------------------------------------------------

    Microsoft Windows XP Professional (build 2600) SP 2.0
    Architecture: X86; Language: English

    CPU 0: Intel(R) Core(TM)2 Duo CPU E6750 @ 2.66GHz
    CPU 1: Intel(R) Core(TM)2 Duo CPU E6750 @ 2.66GHz
    Percentage of Memory in Use: 15%
    Physical Memory (total/avail): 3322.75 MiB / 2819.21 MiB
    Pagefile Memory (total/avail): 6483.18 MiB / 6134.51 MiB
    Virtual Memory (total/avail): 2047.88 MiB / 1925.43 MiB

    A: is Removable (No Media)
    C: is Fixed (NTFS) - 229.73 GiB total, 189.67 GiB free.
    D: is Fixed (NTFS) - 229.73 GiB total, 169.91 GiB free.
    E: is CDROM (No Media)
    F: is Removable (No Media)
    G: is Removable (No Media)
    H: is Removable (No Media)
    I: is Removable (No Media)
    J: is Network (NTFS)
    V: is Fixed (NTFS) - 58.59 GiB total, 36.07 GiB free.
    W: is Fixed (NTFS) - 58.59 GiB total, 11.64 GiB free.
    X: is Fixed (NTFS) - 9.77 GiB total, 9.6 GiB free.
    Y: is Fixed (NTFS) - 9.77 GiB total, 9.73 GiB free.

    \\.\PHYSICALDRIVE1 - WDC WD3200AAKS-22SBA0 - 298.09 GiB - 3 partitions
    \PARTITION0 (bootable) - Installable File System - 229.73 GiB - D:
    \PARTITION1 - Extended Partition - 68.36 GiB - W: - Y:

    \\.\PHYSICALDRIVE0 - WDC WD3200YS-01PGB0 - 298.09 GiB - 3 partitions
    \PARTITION0 (bootable) - Installable File System - 229.73 GiB - C:
    \PARTITION1 - Extended w/Extended Int 13 - 68.36 GiB - V: - X:

    \\.\PHYSICALDRIVE2 - Generic STORAGE DEVICE USB Device

    \\.\PHYSICALDRIVE3 - Generic STORAGE DEVICE USB Device

    \\.\PHYSICALDRIVE4 - Generic STORAGE DEVICE USB Device

    \\.\PHYSICALDRIVE5 - Generic STORAGE DEVICE USB Device



    -- Security Center -------------------------------------------------------------

    AUOptions is set to notify before download.
    Windows Internal Firewall is enabled.

    FirstRunDisabled is set.
    AntiVirusDisableNotify is set.
    FirewallDisableNotify is set.
    UpdatesDisableNotify is set.

    AV: CA Anti-Virus v9.0.0.170 (CA, Inc.)

    [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "= "%windir%\\system32\\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019 "
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "= "%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:mad:xpsp3res.dll,-20000 "

    [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "= "%windir%\\system32\\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019 "
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "= "%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:mad:xpsp3res.dll,-20000 "
    "C:\\Program Files\\Magic Notes\\Sticky32.exe "= "C:\\Program Files\\Magic Notes\\Sticky32.exe:*:Enabled:Magic Notes for Windows 9x/ME/NT/2000/XP "
    "C:\\Program Files\\Raketu\\Raketu.exe "= "C:\\Program Files\\Raketu\\Raketu.exe:*:Enabled:Raketu "
    "C:\\Program Files\\Raketu\\MessageWave.exe "= "C:\\Program Files\\Raketu\\MessageWave.exe:*:Enabled:Multi-Messenger "
    "C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE "= "C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote "
    "C:\\Program Files\\WS_FTP Pro\\ftp95pro.exe "= "C:\\Program Files\\WS_FTP Pro\\ftp95pro.exe:*:Enabled:WS_FTP 95 "
    "C:\\Program Files\\Skype\\Phone\\Skype.exe "= "C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype. Take a deep breath "


    -- Environment Variables -------------------------------------------------------

    ALLUSERSPROFILE=C:\Documents and Settings\All Users
    APPDATA=C:\Documents and Settings\Joe\Application Data
    CLIENTNAME=Console
    CommonProgramFiles=C:\Program Files\Common Files
    COMPUTERNAME=HQ
    ComSpec=C:\WINDOWS\system32\cmd.exe
    FP_NO_HOST_CHECK=NO
    HOMEDRIVE=C:
    HOMEPATH=\Documents and Settings\Joe
    LOGONSERVER=\\HQ
    NUMBER_OF_PROCESSORS=2
    OS=Windows_NT
    Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Intel\DMIX;C:\Program Files\SecureCRT 3.0
    PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    PROCESSOR_ARCHITECTURE=x86
    PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 11, GenuineIntel
    PROCESSOR_LEVEL=6
    PROCESSOR_REVISION=0f0b
    ProgramFiles=C:\Program Files
    PROMPT=$P$G
    SESSIONNAME=Console
    SystemDrive=C:
    SystemRoot=C:\WINDOWS
    TEMP=C:\DOCUME~1\Joe\LOCALS~1\Temp
    TMP=C:\DOCUME~1\Joe\LOCALS~1\Temp
    USERDOMAIN=HQ
    USERNAME=Joe
    USERPROFILE=C:\Documents and Settings\Joe
    windir=C:\WINDOWS


    -- User Profiles ---------------------------------------------------------------

    Joe (admin)


    -- Add/Remove Programs ---------------------------------------------------------

    --> MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
    --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{107254A0-0ADF-11D4-9397-00D0B7020B38}\setup.exe"
    --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
    1-abc.net Hard Drive Washer (Remove only) --> "C:\Program Files\1-abc\Hard Drive Washer\uninst.exe "
    ACDSee 4.0.2 Standard --> MsiExec.exe /I{A315C579-8E9C-4C39-B13F-CD31FE47F717}
    Acronis*True*Image*Home --> MsiExec.exe /X{419CF344-3D94-4DAD-99C8-EA7B00E5EA8B}
    Admit One --> "C:\Program Files\Admit One\unins000.exe "
    Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
    Adobe Reader 8.1.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
    akFontViewer --> C:\WINDOWS\GPInstall.exe "/UNINST=C:\Program Files\Anatoli Klassen Software\akFontViewer\UnInst.log " "/APPNAME=akFontViewer "
    All Editor 2.4.3 --> "C:\Program Files\1stbenison\All Editor\unins000.exe "
    AMP Calendar --> "C:\Program Files\AMP Calendar\uninstall.exe "
    Array Networks SSL VPN Client 8,2,2,44 (Array Networks) --> C:\Program Files\Array Networks\Common\8,2,2,44\arr_isrv.exe -u -3
    Borg Design - Expert Email Validator™ --> MsiExec.exe /X{D954254B-F5A4-478A-B289-D1CDFA7AD662}
    CA Anti-Virus --> "C:\Program Files\CA\eTrust Internet Security Suite\caunst.exe" /u /product=av
    CA Anti-Virus --> C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\unvet32.exe
    Canon MP Navigator EX 1.0 --> "C:\Program Files\Canon\MP Navigator EX 1.0\Maint.exe" /UninstallRemove C:\Program Files\Canon\MP Navigator EX 1.0\uninst.ini
    CDex extraction audio --> "C:\Program Files\CDex_150\uninstall.exe "
    Cleardrive (Remove only) --> "C:\Program Files\Cleardrive\uninst.exe "
    ClipCache Pro 3.1.1 --> "C:\Program Files\ClipCache\unins000.exe "
    CmdHere Powertoy For Windows XP --> MsiExec.exe /I{6855CCDD-BDF9-48E4-B80A-80DFB96FE36C}
    Cole2k Media - Codec Pack (Standard) 6.0.7 --> C:\WINDOWS\system32\C2MP\Uninst.exe
    Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
    Cool Ruler --> C:\WINDOWS\uninst.exe -f "C:\Program Files\CoolRuler\DeIsL1.isu" -c "C:\Program Files\CoolRuler\_ISREG32.DLL "
    Corel Paint Shop Pro X --> MsiExec.exe /I{1A15507A-8551-4626-915D-3D5FA095CC1B}
    Courier Email --> "C:\Program Files\Courier Email\uninstall.exe "
    DigitWiz 1.0 --> "C:\Program Files\DigitWiz\unins000.exe "
    DiskMagik --> MsiExec.exe /I{68D923DC-241A-4DF2-BCE2-06C597562D1C}
    DU Meter --> "C:\Program Files\DU Meter\unins000.exe "
    Dupli Find 2.52 --> "C:\Program Files\Dupli Find 2.52\unins000.exe "
    DVD Solution --> "C:\Program Files\Uninstall_CDS.exe "
    E_Cloaker 2.0 --> C:\Program Files\E_Cloaker\Uninstal.exe
    Easy Text To HTML Converter --> C:\Program Files\Easy Text To HTML Converter\uninst.exe
    FLV Player 1.3.3 --> "C:\Program Files\FLVPlayer\uninstall.exe "
    FTP Synchronizer 3.5.56.193 --> "C:\Program Files\FTP Synchronizer\unins000.exe "
    Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
    gPhotoShow Pro v3.6.1 --> "C:\Program Files\gPhotoShow\unins000.exe "
    HelpMaker (Remove Only) --> "C:\Program Files\vahelp\unins000.exe "
    High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe "
    HomeSite 4.5 --> "C:\Program Files\Allaire\HomeSite 4.5\fsetup32.exe" UNINSTALL_HS45
    Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe "
    Intel(R) PRO Network Connections 12.1.12.0 --> MsiExec.exe /i{777CA40C-0206-4EF6-A0FC-618BF06BF8D0} ARPREMOVE=1
    Intel® Management Engine Interface --> C:\WINDOWS\system32\heciudlg.exe -uninstall
    Internet Explorer Developer Toolbar --> MsiExec.exe /I{15C9AAEF-20D4-4416-A1BE-7D75FB5F2FE9}
    Ipswitch WS_FTP Pro Uninstall --> "C:\Program Files\WS_FTP Pro\remove32.exe" -f C:\Program Files\WS_FTP Pro -d C:\Program Files\WS_FTP Pro -g WS_FTP Pro
    Java(TM) 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
    JokeSleuth --> "C:\Program Files\JokeSleuth\unins000.exe "
    Keyboard Express --> C:\PROGRA~1\keyexp\UNWISE.EXE C:\PROGRA~1\keyexp\INSTALL.LOG
    LinkStash 2.0.9 --> "C:\Program Files\LinkStash\unins000.exe "
    Magic Notes --> C:\PROGRA~1\MAGICN~1\UNWISE.EXE C:\PROGRA~1\MAGICN~1\INSTALL.LOG
    MasterFind --> C:\Program Files\MasterFind\MasterFindSetup.exe
    Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe "
    Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe "
    Microsoft Office OneNote 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ONENOTER /dll OSETUP.DLL
    Microsoft Office OneNote 2007 --> MsiExec.exe /X{91120000-00A1-0000-0000-0000000FF1CE}
    Microsoft Office OneNote MUI (English) 2007 --> MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
    Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
    Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
    Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
    Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
    Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
    Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
    Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
    Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe "
    Moffsoft FreeCalc --> "C:\Program Files\Moffsoft FreeCalc\unins000.exe "
    Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
    MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
    Multimedia Launcher --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\setup.exe" -uninstall
    Nero OEM --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
    Netscape Communicator 4.76 --> C:\WINDOWS\cd32.exe 4.76 (en)
    NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
    Opera --> C:\PROGRA~1\Opera\uninst\unwise.exe C:\PROGRA~1\Opera\uninst\install.log
    PADGen 3.0.1.35 --> "C:\Program Files\PADGen\unins000.exe "
    Paint Shop Pro 6.02 ESD --> C:\Program Files\Paint Shop Pro 6\Unwise.exe C:\PROGRA~1\PAINTS~1\INSTALL.LOG
    Paint Shop Pro 7 ESD --> MsiExec.exe /I{D6DE02C7-1F47-11D4-9515-00105AE4B89A}
    PocoMail 4.5 (Build 3910) --> "C:\Program Files\PocoMail4\unins000.exe "
    PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
    PowerQuest PartitionMagic 8.0 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{6BE2A4A4-99FB-48ED-AE1E-4E850389F804}
    Presto! PageManager 7.15.16 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D2D6B9EB-C6DC-4DAA-B4DE-BB7D9735E7DA}\PMSetup.exe" -l0x9 anythinganything -removeonly
    PrimoPDF --> "C:\WINDOWS\PrimoPDF\uninstall.exe" "/U:C:\Program Files\activePDF\PrimoPDF\Uninstall\uninstall.xml "
    PrimoPDF --> "C:\WINDOWS\PrimoPDF\uninstall.exe" "/U:C:\Program Files\activePDF\PrimoPDF\Uninstall\uninstall.xml "
    PrimoPDF Redistribution Package --> MsiExec.exe /I{885744A4-1A01-44B0-858A-0AE6738CBCF7}
    Qlock Lite --> "C:\Program Files\Qlock\uninstall.exe "
    Raketu - Communications Information and Entertainment --> "C:\Windows\uninstallW.exe "
    RealPlayer Basic --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
    Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
    Registry First Aid --> "C:\Program Files\RFA\unins000.exe "
    ScanSoft OmniPage SE 4 --> MsiExec.exe /I{DEE88727-779B-47A9-ACEF-F87CA5F92A65}
    Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
    Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
    Security Update for Office 2007 (KB934062) --> msiexec /package {91120000-00A1-0000-0000-0000000FF1CE} /uninstall {305D509B-F194-4638-9F0F-D9E4C05F9D33}
    Security Update for the 2007 Microsoft Office System (KB936960) --> msiexec /package {91120000-00A1-0000-0000-0000000FF1CE} /uninstall {5E5BD655-7AA9-47F9-BB6D-A1D8CE29AC86}
    SereneScreen Marine Aquarium 2 MD --> "C:\Program Files\SereneScreen\Marine Aquarium 2 MD\unins000.exe "
    Skype™ 3.6 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
    SnadBoy's Revelation v2 --> C:\PROGRA~1\SNADBO~1\UNWISE.EXE C:\PROGRA~1\SNADBO~1\INSTALL.LOG
    Sygate Personal Firewall 5.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5D422994-9E10-11D4-AEB1-00D0B7237D97}\setup.exe" -Uninstall
    Synchromagic --> C:\WINDOWS\unvise32.exe C:\Program Files\Synchromagic\uninstal.log
    Synchromagic Keygen --> C:\WINDOWS\unvise32.exe C:\Program Files\SynchKeyGen\uninstal.log
    SynchroMaster 1.7.1.15 --> "C:\Program Files\SynchroMaster\unins000.exe "
    Taskbar Shuffle version 2.2 --> "C:\Program Files\Taskbar Shuffle\unins000.exe "
    TextPad 5 --> MsiExec.exe /X{B6EC7388-E277-4A5B-8C8F-71067A41BA64}
    The Armadillo Software Protection System --> C:\Program Files\Armadillo\UNINST.EXE
    TradeTrakker --> "C:\Program Files\TradeTrakker\unins000.exe "
    TweakMASTER --> "C:\Program Files\TweakMASTER\unins000.exe "
    Tweakui Powertoy for Windows XP --> MsiExec.exe /I{C7793EE8-F666-4E6B-9827-76468679480E}
    Update for Office 2007 (KB932080) --> msiexec /package {91120000-00A1-0000-0000-0000000FF1CE} /uninstall {EDC9CA29-6BC1-471C-828C-7A36109005D7}
    Update for Office 2007 (KB946691) --> msiexec /package {91120000-00A1-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
    Van Dyke Technologies SecureCRT 3.3 --> C:\PROGRA~1\SECURE~1.0\UNINSTAL.EXE C:\PROGRA~1\SECURE~1.0\INSTALL.LOG
    ViewSonic Monitor Drivers --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B4FEA924-630D-11D4-B78E-005004566E4D}\Setup.exe" -l0x9
    Virtual Earth 3D (Beta) --> MsiExec.exe /I{39CE3C17-846D-4D9B-8B3E-C01A4B90FB73}
    WD Spindown or Stop Utility for External Drive, v1.00 --> MsiExec.exe /I{BE6F412F-C276-4FD8-B3E1-F996CC172776}
    Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe "
    Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe "
    Windows Media Format SDK Hotfix - KB891122 --> "C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe "
    Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
    WinHTTrack Website Copier 3.42-2 --> "C:\Program Files\WinHTTrack\unins000.exe "
    WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
    WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
    Wise Disk Cleaner 3.0 --> "C:\Program Files\Wise Disk Cleaner\unins000.exe "
    XML Paper Specification Shared Components Pack 1.0 -->
    Zapeze --> "C:\Program Files\Hagel Technologies\Zapeze\unins000.exe "


    -- Application Event Log -------------------------------------------------------

    Event Record #/Type1349 / Warning
    Event Submitted/Written: 05/11/2008 11:43:31 AM
    Event ID/Source: 5603 / WinMgmt
    Event Description:
    A provider, Rsop Planning Mode Provider, has been registered in the WMI namespace, root\RSOP, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.

    Event Record #/Type1348 / Warning
    Event Submitted/Written: 05/11/2008 11:43:31 AM
    Event ID/Source: 5603 / WinMgmt
    Event Description:
    A provider, Rsop Planning Mode Provider, has been registered in the WMI namespace, root\RSOP, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.

    Event Record #/Type1311 / Error
    Event Submitted/Written: 05/08/2008 04:33:16 PM
    Event ID/Source: 1002 / Application Hang
    Event Description:
    Hanging application Notepadplus.exe, version 0.0.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

    Event Record #/Type1301 / Error
    Event Submitted/Written: 05/07/2008 03:12:37 PM
    Event ID/Source: 1000 / Application Error
    Event Description:
    Faulting application courier.exe, version 3.50.0.13, faulting module mfc42.dll, version 6.2.4131.0, fault address 0x0008e4f7.
    Processing media-specific event for [courier.exe!ws!]

    Event Record #/Type1290 / Warning
    Event Submitted/Written: 05/06/2008 08:03:27 PM
    Event ID/Source: 5603 / WinMgmt
    Event Description:
    A provider, Rsop Planning Mode Provider, has been registered in the WMI namespace, root\RSOP, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.



    -- Security Event Log ----------------------------------------------------------

    No Errors/Warnings found.


    -- System Event Log ------------------------------------------------------------

    Event Record #/Type11035 / Error
    Event Submitted/Written: 05/12/2008 08:44:50 AM
    Event ID/Source: 7000 / Service Control Manager
    Event Description:
    The Zapeze service failed to start due to the following error:
    %%1053

    Event Record #/Type11034 / Error
    Event Submitted/Written: 05/12/2008 08:44:50 AM
    Event ID/Source: 7009 / Service Control Manager
    Event Description:
    Timeout (30000 milliseconds) waiting for the Zapeze service to connect.

    Event Record #/Type11033 / Error
    Event Submitted/Written: 05/12/2008 08:44:50 AM
    Event ID/Source: 7000 / Service Control Manager
    Event Description:
    The Upload Manager service failed to start due to the following error:
    %%1079

    Event Record #/Type11032 / Error
    Event Submitted/Written: 05/12/2008 08:44:14 AM
    Event ID/Source: 16391 / BITS
    Event Description:
    The BITS job list is not in a recognized format. It may have been created by a different version of BITS. The job list has been cleared.

    Event Record #/Type11031 / Warning
    Event Submitted/Written: 05/12/2008 08:44:04 AM
    Event ID/Source: 1003 / Dhcp
    Event Description:
    Your computer was not able to renew its address from the network (from the
    DHCP Server) for the Network Card with network address 0019D1B0C0D5. The following
    error occurred:
    %%121.
    Your computer will continue to try and obtain an address on its own from
    the network address (DHCP) server.



    -- End of Deckard's System Scanner: finished at 2008-05-12 08:53:09 ------------
     
  2. 2008/05/12
    noahdfear Inactive

    Hi Joe :)

    The Deckard's scan produced another log named main.txt.
    Please post it here. I'll look it over this evening when home from work (on lunch break right now).

    For the time being, please stop the BITS service. There's a BITS related error in the log and I'd like to check into it further. To stop BITS, copy the following command, then click Start>Run and paste it in, hit Enter.

    sc stop BITS

    Note that if you reboot, BITS will restart.
     

  4. 2008/05/12
    RCS-Joe Well-Known Member Thread Starter

    main.txt...

    Hi thanks... I could have sworn that's what I posted... sorry... anyway it is below... and I ran "sc stop BITS"

    Deckard's System Scanner v20071014.68
    Run by Joe on 2008-05-12 08:51:21
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------

    Successfully created a Deckard's System Scanner Restore Point.


    -- Last 5 Restore Point(s) --
    5: 2008-05-12 15:51:25 UTC - RP274 - Deckard's System Scanner Restore Point
    4: 2008-05-11 19:13:35 UTC - RP273 - Registry First Aid registry scan
    3: 2008-05-11 18:29:30 UTC - RP272 - Restore Operation
    2: 2008-05-11 00:39:59 UTC - RP271 - System Checkpoint
    1: 2008-05-09 23:46:12 UTC - RP270 - post-restore for lag problem


    Backed up registry hives.
    Performed disk cleanup.



    -- HijackThis Clone ------------------------------------------------------------


    Emulating logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2008-05-12 08:52:22
    Platform: Windows XP Service Pack 2 (5.01.2600)
    MSIE: Internet Explorer (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\system32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Sygate\SPF\Smc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Array Networks\Common\8,2,2,44\arr_isrv.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\Program Files\Array Networks\Array SSL VPN\8,2,2,44\arr_srvs.exe
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\isafe.exe
    C:\Program Files\DiskMagik\DiskMgkS.exe
    C:\Program Files\DU Meter\DUMeterSvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\vetmsg.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\RTHDCPL.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
    C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
    C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\cavrid.exe
    C:\Program Files\Western Digital Technologies\Spindown\ExSpinDn.exe
    C:\Program Files\RFA\rfagent.exe
    C:\Program Files\TweakMASTER\TMTray.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
    C:\Program Files\CA\eTrust Internet Security Suite\cctray\cctray.exe
    C:\Program Files\DiskMagik\DiskMagik.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe
    C:\Program Files\Magic Notes\Sticky32.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
    C:\Program Files\DU Meter\DUMeter.exe
    C:\Program Files\LinkStash\lsmon.exe
    C:\Program Files\AMP Calendar\Calendar.exe
    C:\Program Files\ClipCache\clipc.exe
    C:\Program Files\keyexp\KEYEXP.EXE
    C:\Program Files\LinkStash\lnkstash.exe
    C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    C:\Program Files\Qlock\qlock.exe
    C:\Program Files\CA\eTrust Internet Security Suite\ccprovsp.exe
    C:\DOWNLOADS\dss.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\pchealth\helpctr\System\panels\blank.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\pchealth\helpctr\System\panels\blank.htm
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: MasterFind - {684B7DF7-51DE-4852-ACF8-7BA3934D9BD1} - C:\Program Files\MasterFind\MasterFindShell.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: TweakMASTER Component - {7DAAC7DE-9EF0-4FF0-BFA5-AFF3E899054C} - C:\Program Files\TweakMASTER\TweakBHO.dll
    O2 - BHO: IE DOM Explorer - {CC7E636D-39AA-49b6-B511-65413DA137A1} - C:\Program Files\Internet Explorer Developer Toolbar\IEDevToolbar.dll
    O3 - Toolbar: Developer Toolbar - {CC962137-2E78-4f94-975E-FC0C07DBD78F} - C:\Program Files\Internet Explorer Developer Toolbar\IEDevToolbar.dll
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
    O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
    O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe "
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe "
    O4 - HKLM\..\Run: [WD Spindown Utility] "C:\Program Files\Western Digital Technologies\Spindown\ExSpinDn.exe "
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\Smc.exe -startgui
    O4 - HKLM\..\Run: [rfagent] "C:\Program Files\RFA\rfagent.exe "
    O4 - HKLM\..\Run: [TweakMASTER] "C:\Program Files\TweakMASTER\TMTray.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe "
    O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
    O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\eTrust Internet Security Suite\cctray\cctray.exe "
    O4 - HKLM\..\Run: [DiskMagik] C:\Program Files\DiskMagik\DiskMagik.exe /minimize
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Taskbar Shuffle] C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe
    O4 - HKCU\..\Run: [Magic Notes] "C:\Program Files\Magic Notes\Sticky32.exe "
    O4 - HKCU\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
    O4 - HKCU\..\Run: [LinkStashMonitor] "C:\Program Files\LinkStash\lsmon.exe "
    O4 - HKCU\..\Run: [AMP Calendar] C:\Program Files\AMP Calendar\Calendar.exe -quiet
    O4 - Startup: ClipCache Pro.lnk = C:\Program Files\ClipCache\clipc.exe
    O4 - Startup: Keyboard Express 95.lnk = C:\Program Files\keyexp\KEYEXP.EXE
    O4 - Startup: LinkStash.lnk = C:\Program Files\LinkStash\lnkstash.exe
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O4 - Startup: qlock.lnk = C:\Program Files\Qlock\qlock.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
    O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
    O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4} (SentinelVE3D Class) - http://download.microsoft.com/download/7/0/7/707a44ad-52ad-49af-b7ef-e21b6b0656e4/VirtualEarth3D.cab
    O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com.../en/x86/MuCatalogWebControl.cab?1201098441453
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1192056656703
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1192056650671
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.6.0_03) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    O16 - DPF: {B6648EB8-2460-484F-9255-9654454C4C70} (ArrVPNAX Control) - https://vpn.dal01.softlayer.com/prx/000/http/localhost/arr_x.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} (CTAdjust Class) - http://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
    O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - https://publishers.esellerate.net/SalesMgr/CustomLayouts/XUpload.ocx
    O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{F3C51933-9826-4961-8B93-49BBF5FA506C}: NameServer = 10.0.80.11,10.0.80.12
    O17 - HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: SearchList = service.softlayer.com,
    O17 - HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: SearchList = service.softlayer.com,
    O17 - HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: SearchList = service.softlayer.com,
    O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
    O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
    O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    O23 - Service: Array SSL VPN Service 8,2,2,44 (ArraySSL_VPN_Service8.2.2.44) - Array Networks, Inc. - C:\Program Files\Array Networks\Array SSL VPN\8,2,2,44\arr_srvs.exe
    O23 - Service: Array Utility Service 8,2,2,44 (Array_Utility_Service8.2.2.44) - Array Networks, Inc. - C:\Program Files\Array Networks\Common\8,2,2,44\arr_isrv.exe
    O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\ccprovsp.exe
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\isafe.exe
    O23 - Service: DiskMagik Service (DiskMgkS) - RoseCity Software - C:\Program Files\DiskMagik\DiskMgkS.exe
    O23 - Service: DU Meter Service (DUMeterSvc) - Hagel Technologies Ltd - C:\Program Files\DU Meter\DUMeterSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\Smc.exe
    O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\vetmsg.exe
    O23 - Service: Zapeze (ZapezeSvc) - Hagel Technologies Ltd - C:\Program Files\Hagel Technologies\Zapeze\zpzsvc.exe


    --
    End of file - 12034 bytes

    -- File Associations -----------------------------------------------------------

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R0 Teefer (Teefer for NT) - c:\windows\\systemroot\system32\drivers\teefer.sys (file missing)
    R1 PQNTDrv - c:\windows\system32\drivers\pqntdrv.sys <Not Verified; PowerQuest Corporation; PowerQuest product>
    R1 wpsdrvnt - c:\windows\system32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt>
    R2 wg3n (SyGate for NT, wg3n) - c:\windows\system32\drivers\wg3n.sys <Not Verified; Sygate Technologies, Inc.; SyberGen WGXN>

    S3 ATP (ArrayNetworks SSL VPN Miniport Driver) - c:\windows\system32\drivers\atpdrvr.sys <Not Verified; Array Networks, Inc.; Array SSL VPN>


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    R2 Array_Utility_Service8.2.2.44 (Array Utility Service 8,2,2,44) - c:\program files\array networks\common\8,2,2,44\arr_isrv.exe <Not Verified; Array Networks, Inc.; Array SSL VPN>
    R2 ArraySSL_VPN_Service8.2.2.44 (Array SSL VPN Service 8,2,2,44) - c:\program files\array networks\array ssl vpn\8,2,2,44\arr_srvs.exe <Not Verified; Array Networks, Inc.; Array SSL VPN>


    -- Device Manager: Disabled ----------------------------------------------------

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Array Networks VPN Adapter
    Device ID: ROOT\NET\0000
    Manufacturer: Array Networks
    Name: Array Networks VPN Adapter
    PNP Device ID: ROOT\NET\0000
    Service: ATP


    -- Scheduled Tasks -------------------------------------------------------------

    2008-01-06 00:00:53 366 --a------ C:\WINDOWS\Tasks\DiskMgkC.job
    2007-11-09 19:00:40 316 --a------ C:\WINDOWS\Tasks\Registry First Aid autoscan.job


    -- Files created between 2008-04-12 and 2008-05-12 -----------------------------

    2008-05-11 11:46:04 0 d-------- C:\WINDOWS\Prefetch
    2008-05-06 19:57:48 0 d-------- C:\WINDOWS\system32\scripting
    2008-05-06 19:57:47 0 d-------- C:\WINDOWS\system32\en
    2008-05-06 19:57:47 0 d-------- C:\WINDOWS\system32\bits
    2008-05-06 19:57:47 0 d-------- C:\WINDOWS\l2schemas
    2008-05-06 19:51:06 1845248 --a------ C:\WINDOWS\system32\win32k.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2008-05-05 07:17:49 59904 --a------ C:\secur9x.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows(R) Operating System>
    2008-05-05 07:17:49 217163 --a------ C:\ArrayApi.dll <Not Verified; Array Networks, Inc.; Array SSL VPN>
    2008-05-05 07:17:49 61515 --a------ C:\arr_getp.exe <Not Verified; Array Networks, Inc.; Array SSL VPN>
    2008-05-04 08:33:49 0 d-------- C:\Program Files\Virtual Earth 3D
    2008-04-14 05:42:38 7680 --a------ C:\WINDOWS\system32\spdwnwxp.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


    -- Find3M Report ---------------------------------------------------------------

    2008-05-12 08:44:57 0 d-------- C:\Documents and Settings\Joe\Application Data\Magic Notes
    2008-05-12 08:44:52 0 d-------- C:\Program Files\Taskbar Shuffle
    2008-05-11 23:21:37 0 d-------- C:\Program Files\ClipCache
    2008-05-11 22:52:06 0 d-------- C:\Documents and Settings\Joe\Application Data\Skype
    2008-05-11 22:30:55 0 d-------- C:\Program Files\LinkStash
    2008-05-11 16:09:38 0 d-------- C:\Documents and Settings\Joe\Application Data\skypePM
    2008-05-11 12:21:48 38150 --a------ C:\WINDOWS\nsreg.dat
    2008-05-11 11:42:40 0 d-------- C:\Program Files\Messenger
    2008-05-11 11:40:07 0 d-------- C:\Program Files\Windows NT
    2008-05-11 11:40:04 0 d-------- C:\Program Files\Movie Maker
    2008-05-09 16:34:48 0 d-------- C:\Program Files\Cleardrive
    2008-05-09 15:55:20 0 d-------- C:\Program Files\Paint Shop Pro 6
    2008-04-16 13:48:06 61515 --a------ C:\WINDOWS\system32\arr_getp.exe <Not Verified; Array Networks, Inc.; Array SSL VPN>
    2008-04-16 13:43:56 217163 --a------ C:\WINDOWS\system32\ArrayApi.dll <Not Verified; Array Networks, Inc.; Array SSL VPN>
    2008-04-10 11:31:21 0 d-------- C:\Program Files\TradeTrakker
    2008-04-05 12:02:25 0 d-------- C:\Program Files\WinHTTrack
    2008-04-05 07:15:27 0 d-------- C:\Program Files\MSECache
    2008-03-27 13:08:18 0 d-------- C:\Documents and Settings\Joe\Application Data\PocoMail
    2008-03-27 12:57:40 0 d-------- C:\Program Files\PocoMail4
    2008-03-18 19:57:03 0 d-------- C:\Program Files\SynchroMaster
    2008-03-14 18:47:26 12306 --a------ C:\WINDOWS\system32\NEWSOFT
    2008-02-18 19:52:31 952 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{684B7DF7-51DE-4852-ACF8-7BA3934D9BD1}]
    01/27/2008 03:50 PM 426060 --a------ C:\Program Files\MasterFind\MasterFindShell.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDCPL "= "RTHDCPL.EXE" [08/20/2007 03:38 PM C:\WINDOWS\RTHDCPL.exe]
    "Alcmtr "= "ALCMTR.EXE" [05/03/2005 06:43 PM C:\WINDOWS\Alcmtr.exe]
    "NvCplDaemon "= "C:\WINDOWS\system32\NvCpl.dll" [09/17/2007 01:07 AM]
    "nwiz "= "nwiz.exe" [09/17/2007 01:07 AM C:\WINDOWS\system32\nwiz.exe]
    "NvMediaCenter "= "C:\WINDOWS\system32\NvMcTray.dll" [09/17/2007 01:07 AM]
    "RemoteControl "= "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [11/02/2004 08:24 PM]
    "TrueImageMonitor.exe "= "C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe" [10/16/2006 09:12 PM]
    "AcronisTimounterMonitor "= "C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe" [10/16/2006 09:17 PM]
    "Acronis Scheduler2 Service "= "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [10/16/2006 09:13 PM]
    "CAVRID "= "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe" [05/03/2008 11:26 AM]
    "WD Spindown Utility "= "C:\Program Files\Western Digital Technologies\Spindown\ExSpinDn.exe" [08/09/2004 03:15 PM]
    "SmcService "= "C:\PROGRA~1\Sygate\SPF\Smc.exe" [01/21/2003 03:55 PM]
    "rfagent "= "C:\Program Files\RFA\rfagent.exe" [04/14/2007 04:37 PM]
    "TweakMASTER "= "C:\Program Files\TweakMASTER\TMTray.exe" [11/27/2006 03:25 PM]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 02:11 AM]
    "WrtMon.exe "= "C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe" [09/20/2006 09:35 AM]
    "cctray "= "C:\Program Files\CA\eTrust Internet Security Suite\cctray\cctray.exe" [05/03/2008 11:26 AM]
    "DiskMagik "= "C:\Program Files\DiskMagik\DiskMagik.exe" [02/22/2008 08:37 PM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [02/28/2006 05:00 AM]
    "Taskbar Shuffle "= "C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe" [06/16/2007 02:47 PM]
    "Magic Notes "= "C:\Program Files\Magic Notes\Sticky32.exe" [07/04/2007 09:53 PM]
    "DU Meter "= "C:\Program Files\DU Meter\DUMeter.exe" [10/15/2007 10:46 AM]
    "LinkStashMonitor "= "C:\Program Files\LinkStash\lsmon.exe" [03/03/2008 04:41 PM]
    "AMP Calendar "= "C:\Program Files\AMP Calendar\Calendar.exe" [08/17/2005 01:03 PM]

    C:\Documents and Settings\Joe\Start Menu\Programs\Startup\
    ClipCache Pro.lnk - C:\Program Files\ClipCache\clipc.exe [10/12/2007 6:21:27 PM]
    Keyboard Express 95.lnk - C:\Program Files\keyexp\KEYEXP.EXE [10/17/2007 9:45:31 PM]
    LinkStash.lnk - C:\Program Files\LinkStash\lnkstash.exe [10/17/2007 10:11:23 PM]
    OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [10/26/2006 8:24:54 PM]
    qlock.lnk - C:\Program Files\Qlock\qlock.exe [2/22/2007 1:54:30 AM]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages "= msv1_0 relog_ap
    "Notification Packages "= scecli

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @= "Volume shadow copy "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CaISSDT]
    "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
    "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
    C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
    "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    eapsvcs eaphost
    dot3svc dot3svc




    -- End of Deckard's System Scanner: finished at 2008-05-12 08:53:09 ------------
     
  5. 2008/05/12
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hi Joe,

    I missed this in the BITS error earlier.

    I don't see anything suspect in your logs either. So, let's do some basic cleanup and restart BITS first. Download ATF Cleaner by Atribune and save it to your Desktop.
    • Double click ATF-Cleaner.exe to run the program.
    • Check the boxes to the left of:

      • Windows Temp
      • Current User Temp
      • All Users Temp
      • Temporary Internet Files
      • Prefetch
      • Java Cache

    • The rest are optional - if you want it to remove everything check "Select All".
    • Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK then exit.
    Reboot to complete the cleanup and re-start BITS.


    Now, download Process Explorer by Sysinternals, extract to its own folder then run it.
    Go ahead and do whatever is normal computing and if/when svchost again acts up, pull up Process Explorer and locate the svchost process that is consuming the cpu.
    Click View on the Menu, then select View Lower Pane if not checked.
    Again, click View then point to Lower Pane View and select DLLs.
    Select that instance of svchost, and when the lower pane populates, click File>Save.
    It will automatically name the file svchost.exe.txt
    Save it to a convenient place and post its contents here.
     
  6. 2008/05/12
    RCS-Joe

    RCS-Joe Well-Known Member Thread Starter

    Joined:
    2002/11/18
    Messages:
    22
    Likes Received:
    2
    OK thanks for the tips... I'll try it all next time it happens... this is all on my home PC, and now I'm away from home and on my laptop for perhaps the entire week... spending some time with Arie and his wife here in the Columbia River Gorge in Oregon. No issues with the laptop... but when I get back home in a week or two I'll follow up with all this... thanks for the tips. Process explorer is a good idea to try and identify where all the activity is coming from... Joe
     
  7. 2008/05/13
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    If that's XP Pro, you should also check what services are running under the identified svchost process responsible for the high usage. Open a command window, type tasklist -svc and hit enter, then match the PID.

    Enjoy your week Joe! (you too Arie ;) )
     
  8. 2008/05/13
    RCS-Joe

    RCS-Joe Well-Known Member Thread Starter

    Joined:
    2002/11/18
    Messages:
    22
    Likes Received:
    2
    it's on the laptop also!

    OK... I pulled my laptop out of standby this morning and now *it* has the same problem. I had not noted the issue on the laptop previously. I have not been using the laptop in the last 10 days since I returned from my last trip. But yesterday, I ran my trusty sync tool to sync all my data folders, email, and the like from the desktop to the laptop and then drove out to visit with Arie where I am now. The laptop was performing normally last night... and I put it into standby about 11:00 and when I pulled it out this morning it has the same symptom and again svchost was consuming 50%.

    I have not installed anything new on the laptop in the past 10 days... except XP SP3... and updating CA antivirus... which as poggy notes *might* be the culprit. I should note I have been using the AV for about 7 years thru all its iterations and never had an issue. I did synch data across the network to my laptop, so if it were something like a Word macro virus or something it would have gotten transferred, I suppose. Of course, I was not running Word at all when I started up this morning so I doubt it's anything like that. It could be some sort of aggressive virus or spyware which infects all accessible network drives... that would be bad as it would be on my laptop, my backup drive, etc. But then it would also be on my wife's computer as well as she's on my home network... and so far she has not seen it, so I think network transfer seems unlikely.

    Just a guess here, but I'm thinking it has something to do with SP3 having a bad interaction with something I have installed on my computers... and even removing SP3 did not clear the issue. That would make some sense because my wife did NOT install SP3... and also she doesn't run all the background utilities that I do either.

    Anyway, the laptop was almost unusable... every click was experiencing a 20 second delay. I showed it to Arie... he made a good suggestion and we 'ended the process' in task manager for the iteration of svchost that was showing the 50%. Wham... that fixed it! Symptoms vanished and laptop normal. Immediately I downloaded process explorer and installed it, ran it, viewed the lower pane as recommended and I'll leave it running now until this symptom again rears its ugly head. Then I'll save the svchost.exe.txt file for the svchost process and post it here.

    At least now I have a way to restore my system to functionality pretty quickly. It *seems* to me that it reoccurs every 24 hours... I could be wrong, but that's how it seems... so if that's the case, I won't see it again on the laptop until tomorrow. Stay tuned....
     
  9. 2008/05/13
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Don't forget to check the PID for the culprit svchost process in tasklist. It sounds as though a service may be responsible, one running under that svchost process. If it is, a reboot alone might trigger the symptom.
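
The PID-to-service check suggested in the replies above, as an added example that is not part of the original thread: a parser for saved `tasklist /svc` table output that lists the services hosted by one svchost.exe PID, including the wrapped continuation lines that are easy to miss when reading the table by eye. The sample output is constructed for illustration (only PID 764 comes from the thread), and the function names are hypothetical.

```python
import re

# Constructed sample of `tasklist /svc` output; the service lists are
# illustrative and are NOT taken from the machines in this thread.
SAMPLE = """
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
smss.exe                       824 N/A
services.exe                  1876 Eventlog, PlugPlay
svchost.exe                   1056 DcomLaunch, TermService
svchost.exe                   1684 RpcSs
svchost.exe                    764 AudioSrv, BITS, Browser, CryptSvc, Dhcp,
                                   EventSystem, lanmanserver,
                                   lanmanworkstation, Schedule, SENS,
                                   srservice, W32Time, winmgmt, wuauserv
spoolsv.exe                   1424 Spooler
Skype.exe                     2028 N/A
"""


def parse_tasklist_svc(text):
    """Parse table-format `tasklist /svc` output into a list of dicts
    with keys image, pid and services (a list, empty for N/A)."""
    lines = text.splitlines()
    # The ruler of '=' runs marks the end of the header and gives the
    # width of the Image Name column (image names can contain spaces,
    # so that column is cut by width rather than split on whitespace).
    ruler = next((l for l in lines
                  if re.fullmatch(r"=+(?: =+)+", l.rstrip())), None)
    if ruler is None:
        raise ValueError("no '=====' ruler line: not table-format output")
    name_width = len(re.match(r"=+", ruler).group())

    rows = []
    for line in lines[lines.index(ruler) + 1:]:
        if not line.strip():
            continue
        if not line[:name_width].strip():
            # Blank name column: the service list of the previous
            # process wrapped onto this line.
            if not rows:
                raise ValueError("continuation line before any process row")
            rows[-1]["raw"] += " " + line.strip()
            continue
        pid, _, services = line[name_width:].strip().partition(" ")
        rows.append({"image": line[:name_width].strip(),
                     "pid": int(pid),
                     "raw": services.strip()})

    for row in rows:
        raw = row.pop("raw")
        row["services"] = ([] if raw in ("", "N/A")
                           else [s.strip() for s in raw.split(",") if s.strip()])
    return rows


def services_for_pid(text, pid):
    """Return the services hosted by the process with this PID."""
    for row in parse_tasklist_svc(text):
        if row["pid"] == pid:
            return row["services"]
    raise KeyError(f"PID {pid} not in tasklist output")


def shared_hosts(text, image="svchost.exe"):
    """(pid, service count) per instance of `image`, busiest host first.
    A host with many services cannot be pinned on one service from
    CPU usage alone; the list is the set of candidates to check."""
    hosts = [(r["pid"], len(r["services"]))
             for r in parse_tasklist_svc(text)
             if r["image"].lower() == image.lower()]
    return sorted(hosts, key=lambda h: -h[1])


if __name__ == "__main__":
    print("PID 764 hosts:", ", ".join(services_for_pid(SAMPLE, 764)))
    print("svchost instances:", shared_hosts(SAMPLE))
```

To use it on a real machine, save the output with `tasklist /svc > tasklist.txt` and pass the file's contents in place of `SAMPLE`.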
     
  10. 2008/05/13
    RCS-Joe

    RCS-Joe Well-Known Member Thread Starter

    Joined:
    2002/11/18
    Messages:
    22
    Likes Received:
    2
    eureka!

    OK... found the problem... it is not CA A/V... it is Skype. I had v 3.1 installed and had not noticed any problems with it til now. Perhaps it is an interface with SP3, who knows. In any case, I suspected Skype when it crashed with some weird messages when I rebooted my laptop. When I reboot I do not have Skype set to launch automatically. So everything was fine. As soon as I launched my IM which also launches Skype, the system slowed to a crawl. Task manager immediately showed svchost at 49% again. Using Process explorer I made the log below. Then I exited Skype, but this did not resolve the problem until I ended that svchost process again. So the good news is, I can live without Skype. I updated it to the current 3.8 to see if that fixes it, but meantime I won't launch Skype anymore until the problem is resolved. Thanks to all for the input

    Here's the PE log for PID 764

    Process PID CPU Description Company Name
    System Idle Process 0 36.84
    Interrupts n/a Hardware Interrupts
    DPCs n/a Deferred Procedure Calls
    System 4 0.66
    smss.exe 824 Windows NT Session Manager Microsoft Corporation
    csrss.exe 1196 Client Server Runtime Process Microsoft Corporation
    winlogon.exe 1728 Windows NT Logon Application Microsoft Corporation
    services.exe 1876 Services and Controller app Microsoft Corporation
    svchost.exe 1056 Generic Host Process for Win32 Services Microsoft Corporation
    wmiprvse.exe 1912 WMI Microsoft Corporation
    svchost.exe 1684 Generic Host Process for Win32 Services Microsoft Corporation
    svchost.exe 764 50.00 Generic Host Process for Win32 Services Microsoft Corporation
    wuauclt.exe 3508 Windows Update Automatic Updates Microsoft Corporation
    wmiadap.exe 1748 WMI Microsoft Corporation
    EvtEng.exe 1140 Intel(R) PROSet/Wireless Event Log Intel Corporation
    S24EvMon.exe 1568 Wireless Management Service Intel Corporation
    Smc.exe 2016 Sygate Personal Firewall Sygate Technologies, Inc.
    svchost.exe 1072 Generic Host Process for Win32 Services Microsoft Corporation
    svchost.exe 1768 Generic Host Process for Win32 Services Microsoft Corporation
    spoolsv.exe 1424 Spooler SubSystem App Microsoft Corporation
    arr_isrv.exe 4004 Array SSL VPN Installation Service Array Networks, Inc.
    schedul2.exe 2284 Acronis Scheduler 2 Acronis
    arr_srvs.exe 2580 Array SSL VPN L3 Client Service Array Networks, Inc.
    isafe.exe 3128 CA ISafe Service Computer Associates International, Inc.
    DiskMgkS.exe 3572 DiskMagik Defrag Service RoseCity Software
    DUMeterSvc.exe 4024 DU Meter Service Hagel Technologies Ltd
    svchost.exe 2692 Generic Host Process for Win32 Services Microsoft Corporation
    nvsvc32.exe 3580 NVIDIA Driver Helper Service, Version 84.69 NVIDIA Corporation
    RegSrvc.exe 700 Intel(R) PROSet/Wireless Registry Service Intel Corporation
    vetmsg.exe 2508 CA Anti-Virus Realtime Messaging Service CA, Inc.
    wmpnetwk.exe 4008 Windows Media Player Network Sharing Service Microsoft Corporation
    ccprovsp.exe 2408 CCProvSP CA, Inc.
    alg.exe 3808 Application Layer Gateway Service Microsoft Corporation
    lsass.exe 1960 LSA Shell (Export Version) Microsoft Corporation
    taskmgr.exe 568 2.63 Windows TaskManager Microsoft Corporation
    explorer.exe 868 Windows Explorer Microsoft Corporation
    rundll32.exe 1300 Run a DLL as an App Microsoft Corporation
    stsystra.exe 296 Sigmatel Audio system tray application SigmaTel, Inc.
    ZCfgSvc.exe 552 ZeroCfgSvc MFC Application Intel Corporation
    iFrmewrk.exe 588 Intel Framework MFC Application Intel Corporation
    EOUWiz.exe 1244 Ease Of Use Wizard Application Intel Corporation
    Matrox.PowerDesk SE.exe 1448 PowerDesk-SE Application Matrox Graphics Inc.
    schedhlp.exe 1796 Acronis Scheduler Helper Acronis
    cavrid.exe 1468 CA Anti-Virus Realtime Infection Report CA, Inc.
    TMTray.exe 2040 TweakMASTER PRO Agent Hagel Technologies Ltd
    DLACTRLW.EXE 668 Drive Letter Access Component Sonic Solutions
    ExSpinDn.exe 1052 WD Spindown Utility Western Digital Technologies, Inc.
    SynTPEnh.exe 1320 Synaptics TouchPad Enhancements Synaptics, Inc.
    jusched.exe 1632 Java(TM) 2 Platform Standard Edition binary Sun Microsystems, Inc.
    rfagent.exe 2032 Registry First Aid Platinum, the easy powerful registry cleanup program KsL Software
    TrueImageMonitor.exe 856 Acronis True Image Monitor Acronis
    TimounterMonitor.exe 988 Monitor for Acronis True Image Backup Archive Explorer Acronis
    ipoint.exe 1560 IPoint.exe Microsoft Corporation
    dpupdchk.exe 1820 dpupdchk.exe Microsoft Corporation
    cctray.exe 1784 CA Common Tray CA, Inc.
    Sticky32.exe 788 Magic Notes for Windows 9x/ME/NT/2000/XP Eskil Software
    lsmon.exe 1288
    ctfmon.exe 1988 CTF Loader Microsoft Corporation
    DUMeter.exe 880 DU Meter Monitor Hagel Technologies Ltd
    taskbarshuffle.exe 1324 Taskbar Shuffle Jay Elaraj
    Calendar.exe 1792 AMP Calendar Alberto Martínez Pérez
    wmpnscfg.exe 620 Windows Media Player Network Sharing Service Configuration Application Microsoft Corporation
    clipc.exe 2060 ClipCache clipboard extender & enhancer XRayz Software
    KEYEXP.EXE 2280
    lnkstash.exe 2428 LinkStash John Williams / XRayz Software
    procexp.exe 3208 9.87 Sysinternals Process Explorer Sysinternals - www.sysinternals.com
    Courier.exe 2700 Courier EMail Program Rose City Software, Inc.
    Raketu.exe 2436 Raketu Communications Inc.
    MessageWave.exe 2204 Multi-Messenger Raketu Communication Inc.
    Skype.exe 2028

    Process: svchost.exe Pid: 764

    Type Name
    Desktop \Default
    Desktop \SADesktop
    Desktop \Default
    Directory \KnownDlls
    Directory \Windows
    Directory \BaseNamedObjects
    Event \BaseNamedObjects\DINPUTWINMM
    Event \BaseNamedObjects\userenv: User Profile setup event
    Event \BaseNamedObjects\DHCPNEWIPADDRESS
    Event \BaseNamedObjects\wkssvc: MUP finished initializing event
    Event \BaseNamedObjects\AgentToWkssvcEvent
    Event \BaseNamedObjects\WkssvcToAgentStartEvent
    Event \BaseNamedObjects\WkssvcToAgentStopEvent
    Event \BaseNamedObjects\crypt32LogoffEvent
    Event \BaseNamedObjects\WIRELESS_POLICY_CHANGE_EVENT
    Event \BaseNamedObjects\{469B8B7A-78DF-473F-A6BE-45E9744C1BE5}ShellHWDetection
    Event \BaseNamedObjects\{469B8B7A-78DF-473F-A6BE-45E9744C1BE5}ShellHWDetection
    Event \BaseNamedObjects\PrefetchParametersChanged
    Event \BaseNamedObjects\PrefetchOverrideIdle
    Event \BaseNamedObjects\PrefetchProcessingComplete
    Event \BaseNamedObjects\PrefetchTracesReady
    Event \BaseNamedObjects\SAConEvt
    Event \BaseNamedObjects\ReSyncKernel
    Event \Device\DmControl\VxKernel2VoldEvent
    Event \BaseNamedObjects\WinSta0_DesktopSwitch
    Event \LanmanServerAnnounceEvent
    Event \BaseNamedObjects\SENS Started Event
    Event \BaseNamedObjects\SRCounter
    Event \BaseNamedObjects\SRInitEvent
    Event \BaseNamedObjects\SRStopEvent
    Event \BaseNamedObjects\SRIdleReqEvent
    Event \Security\TRKWKS_EVENT
    Event \BaseNamedObjects\WINMGMT_PROVIDER_CANSHUTDOWN
    Event \BaseNamedObjects\WINMGMT_COREDLL_CANSHUTDOWN
    Event \BaseNamedObjects\WMI_SysEvent_LodCtr
    Event \BaseNamedObjects\WMI_SysEvent_UnLodCtr
    Event \BaseNamedObjects\WMI_RevAdap_Set
    Event \BaseNamedObjects\WMI_RevAdap_ACK
    Event \BaseNamedObjects\WMI_ProcessIdleTasksStart
    Event \BaseNamedObjects\WMI_ProcessIdleTasksComplete
     
  11. 2008/05/13
    RCS-Joe

    I spoke too soon

    I thought I had it, but no... I rebooted and again my system immediately slowed to a crawl... Skype was not running at all nor was my IM. Task mgr again showed svchost as the culprit. Killing that process restores system to normal. One anomaly I am noting is that after killing that process I have no audio and clicking on the speaker in my tray does nothing... double-click produces an error "no active mixer devices available". I managed to get the log below from Process Explorer before killing the process... hope this helps.

    Process PID CPU Description Company Name
    System Idle Process 0 41.20
    Interrupts n/a Hardware Interrupts
    DPCs n/a Deferred Procedure Calls
    System 4
    smss.exe 2020 Windows NT Session Manager Microsoft Corporation
    csrss.exe 684 Client Server Runtime Process Microsoft Corporation
    winlogon.exe 1304 Windows NT Logon Application Microsoft Corporation
    services.exe 1452 Services and Controller app Microsoft Corporation
    svchost.exe 1048 Generic Host Process for Win32 Services Microsoft Corporation
    wmiprvse.exe 308 WMI Microsoft Corporation
    svchost.exe 1940 Generic Host Process for Win32 Services Microsoft Corporation
    svchost.exe 1008 49.07 Generic Host Process for Win32 Services Microsoft Corporation
    EvtEng.exe 1852 Intel(R) PROSet/Wireless Event Log Intel Corporation
    S24EvMon.exe 1132 Wireless Management Service Intel Corporation
    Smc.exe 1672 Sygate Personal Firewall Sygate Technologies, Inc.
    svchost.exe 664 Generic Host Process for Win32 Services Microsoft Corporation
    svchost.exe 1200 Generic Host Process for Win32 Services Microsoft Corporation
    spoolsv.exe 2036 Spooler SubSystem App Microsoft Corporation
    arr_isrv.exe 2880 Array SSL VPN Installation Service Array Networks, Inc.
    schedul2.exe 3604 Acronis Scheduler 2 Acronis
    arr_srvs.exe 3908 Array SSL VPN L3 Client Service Array Networks, Inc.
    isafe.exe 1784 CA ISafe Service Computer Associates International, Inc.
    DiskMgkS.exe 2596 DiskMagik Defrag Service RoseCity Software
    DUMeterSvc.exe 2928 DU Meter Service Hagel Technologies Ltd
    svchost.exe 4076 Generic Host Process for Win32 Services Microsoft Corporation
    nvsvc32.exe 2480 NVIDIA Driver Helper Service, Version 84.69 NVIDIA Corporation
    RegSrvc.exe 3036 Intel(R) PROSet/Wireless Registry Service Intel Corporation
    vetmsg.exe 3660 CA Anti-Virus Realtime Messaging Service CA, Inc.
    wmpnetwk.exe 2756 Windows Media Player Network Sharing Service Microsoft Corporation
    ccprovsp.exe 3932 CCProvSP CA, Inc.
    alg.exe 3364 Application Layer Gateway Service Microsoft Corporation
    lsass.exe 1536 LSA Shell (Export Version) Microsoft Corporation
    taskmgr.exe 2888 1.85 Windows TaskManager Microsoft Corporation
    explorer.exe 1660 0.46 Windows Explorer Microsoft Corporation
    rundll32.exe 1720 Run a DLL as an App Microsoft Corporation
    stsystra.exe 1136 Sigmatel Audio system tray application SigmaTel, Inc.
    ZCfgSvc.exe 1348 ZeroCfgSvc MFC Application Intel Corporation
    iFrmewrk.exe 1344 Intel Framework MFC Application Intel Corporation
    EOUWiz.exe 1472 Ease Of Use Wizard Application Intel Corporation
    Matrox.PowerDesk SE.exe 1556 PowerDesk-SE Application Matrox Graphics Inc.
    schedhlp.exe 1892 Acronis Scheduler Helper Acronis
    cavrid.exe 304 CA Anti-Virus Realtime Infection Report CA, Inc.
    TMTray.exe 384 TweakMASTER PRO Agent Hagel Technologies Ltd
    DLACTRLW.EXE 988 Drive Letter Access Component Sonic Solutions
    ExSpinDn.exe 752 WD Spindown Utility Western Digital Technologies, Inc.
    SynTPEnh.exe 1800 Synaptics TouchPad Enhancements Synaptics, Inc.
    jusched.exe 1932 Java(TM) 2 Platform Standard Edition binary Sun Microsystems, Inc.
    rfagent.exe 380 Registry First Aid Platinum, the easy powerful registry cleanup program KsL Software
    TrueImageMonitor.exe 896 Acronis True Image Monitor Acronis
    TimounterMonitor.exe 1040 Monitor for Acronis True Image Backup Archive Explorer Acronis
    ipoint.exe 1532 IPoint.exe Microsoft Corporation
    dpupdchk.exe 1228 dpupdchk.exe Microsoft Corporation
    cctray.exe 272 CA Common Tray CA, Inc.
    Sticky32.exe 672 Magic Notes for Windows 9x/ME/NT/2000/XP Eskil Software
    lsmon.exe 1400
    ctfmon.exe 452 CTF Loader Microsoft Corporation
    DUMeter.exe 944 DU Meter Monitor Hagel Technologies Ltd
    taskbarshuffle.exe 1520 Taskbar Shuffle Jay Elaraj
    Calendar.exe 1776 AMP Calendar Alberto Martínez Pérez
    wmpnscfg.exe 884 Windows Media Player Network Sharing Service Configuration Application Microsoft Corporation
    clipc.exe 2088 ClipCache clipboard extender & enhancer XRayz Software
    KEYEXP.EXE 2180
    lnkstash.exe 2276 LinkStash John Williams / XRayz Software
    procexp.exe 2664 7.41 Sysinternals Process Explorer Sysinternals - www.sysinternals.com
    Courier.exe 832 Courier EMail Program Rose City Software, Inc.

    Process: svchost.exe Pid: 1008

    Event \BaseNamedObjects\WBEM_ESS_OPEN_FOR_BUSINESS
    Event \BaseNamedObjects\WBEM_ESS_OPEN_FOR_BUSINESS
    Event \BaseNamedObjects\EVENT_READYROOT/CIMV2PROVIDERSUBSYSTEM
    Event \BaseNamedObjects\EVENT_READYROOT/CIMV2SCM EVENT PROVIDER
    Event \BaseNamedObjects\EVENT_READYROOT/CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER
    Event \BaseNamedObjects\SC_AutoStartComplete
    Event \BaseNamedObjects\IPNAT
    Event \BaseNamedObjects\Go0: ESENT Performance Data Schema Version 40
    Event \BaseNamedObjects\Ready0: ESENT Performance Data Schema Version 40
    Event \BaseNamedObjects\userenv: User Group Policy has been applied
    File C:\WINDOWS\system32
    File \Device\KsecDD
    File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83
    File \Device\NamedPipe\net\NtControlPipe4
    File \Device\Tcp
    File \Device\Ip
    File \Device\Tcp
    File \Device\Ip
    File \Device\Ip
    File \Device\Ip
    File \Device\WMIDataDevice
    File \Device\WMIDataDevice
    File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83
    File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83
    File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83
    File C:\WINDOWS\SchedLgU.Txt
    File \Device\NamedPipe\atsvc
    File \Device\NamedPipe\atsvc
    File C:\WINDOWS\Tasks
    File \Device\LanmanDatagramReceiver
    File \Device\LanmanRedirector
    File \Device\Afd\Endpoint
    File C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    File C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    File \Device\Tcp
    File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83
    File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83
    File \Device\NamedPipe\keysvc
    File \Device\NamedPipe\keysvc
    File \Device\NamedPipe\PCHHangRepExecPipe
    File \Device\NamedPipe\PCHFaultRepExecPipe
    File C:\WINDOWS\pchealth\helpctr\batch
    File \Device\00000091
    File \Device\LanmanServer
    File \Device\NamedPipe\srvsvc
    File \Device\HarddiskVolume2
    File \FileSystem\Filters\SystemRestore
    File \Device\NamedPipe\trkwks
    File \Device\HarddiskVolume1
    File \Device\NamedPipe\trkwks
    File X:\$Extend\$ObjId
    File X:\System Volume Information\tracking.log
    File C:\$Extend\$ObjId
    File C:\System Volume Information\tracking.log
    File \Device\NamedPipe\W32TIME
    File \Device\NamedPipe\W32TIME
    File C:\WINDOWS\system32\wbem\mof
    File \Device\Udp
    File \Device\Afd\Endpoint
    File \Device\Udp
    File \Device\Afd\Endpoint
    File C:\WINDOWS\WindowsUpdate.log
    File C:\WINDOWS\WindowsUpdate.log
    File C:\WINDOWS\WindowsUpdate.log
    File C:\WINDOWS\WindowsUpdate.log
    File C:\WINDOWS\WindowsUpdate.log
    File C:\WINDOWS\WindowsUpdate.log
    File C:\WINDOWS\WindowsUpdate.log
    File C:\WINDOWS\WindowsUpdate.log
    File C:\WINDOWS\WindowsUpdate.log
    File C:\WINDOWS\WindowsUpdate.log
    File C:\WINDOWS\WindowsUpdate.log
    File C:\WINDOWS\WindowsUpdate.log
    File C:\WINDOWS\WindowsUpdate.log
    File C:\WINDOWS\WindowsUpdate.log
    File C:\WINDOWS\WindowsUpdate.log
    File C:\WINDOWS\WindowsUpdate.log
    File C:\WINDOWS\WindowsUpdate.log
    File C:\WINDOWS\WindowsUpdate.log
    File C:\WINDOWS\WindowsUpdate.log
    File C:\WINDOWS\WindowsUpdate.log
    File C:\WINDOWS\WindowsUpdate.log
    File C:\WINDOWS\WindowsUpdate.log
    File C:\WINDOWS\WindowsUpdate.log
    File C:\WINDOWS\WindowsUpdate.log
    File C:\WINDOWS\WindowsUpdate.log
    File C:\WINDOWS\WindowsUpdate.log
    File C:\WINDOWS\WindowsUpdate.log
    File C:\WINDOWS\WindowsUpdate.log
    File C:\WINDOWS\WindowsUpdate.log
    File C:\WINDOWS\WindowsUpdate.log
    File \Device\Afd\Endpoint
    File \Device\NamedPipe\EVENTLOG
    File C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP
    File C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP
    File C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER
    File C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP
    File C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP
    File C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA
    File C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR
    File \Device\LanmanDatagramReceiver
    File \Device\NamedPipe\PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER
    File \Device\NamedPipe\PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER
    File \Device\IPNAT
    File \Device\Afd\Endpoint
    File \Device\NamedPipe\lsarpc
    File \Device\NdisWan
    File \Device\NamedPipe\ROUTER
    File \Device\NamedPipe\wkssvc
    File \Device\NamedPipe\ROUTER
    File \Device\NamedPipe\ROUTER
    File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83
    File \Device\NdisTapi
    File \Device\NdisTapi
    File \Device\NDProxy
    File \Device\NDProxy
    File C:\WINDOWS\system32\h323log.txt
    File \Device\NamedPipe\ROUTER
    File \Device\NamedPipe\ROUTER
    File \Device\WANARP
    File C:\WINDOWS\system32\CatRoot2\tmp.edb
    File \Device\Afd\Endpoint
    File \Device\IPNAT
    File \Device\Tcp
    File \Device\IPNAT
    File \Device\NamedPipe\wkssvc
    File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83
    File \Device\NamedPipe\browser
    File \Device\NamedPipe\browser
    File \Device\IPNAT
    File \Device\NamedPipe\Winsock2\CatalogChangeListener-3f0-0
    File \Device\NamedPipe\srvsvc
    File \Device\NamedPipe\ROUTER
    File \Device\NamedPipe\ROUTER
    File C:\WINDOWS\system32\CatRoot2\edb.log
    File \Device\Afd\Endpoint
    File \Device\Udp
    File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83
    File \Device\Afd\AsyncConnectHlp
    File C:\Documents and Settings\JB\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    File C:\Documents and Settings\NetworkService\Cookies\index.dat
    File C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat
    File C:\WINDOWS\SoftwareDistribution\ReportingEvents.log
    File \Device\NamedPipe\srvsvc
    File \Device\NamedPipe\wkssvc
    File C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My
    File C:\WINDOWS\Installer\17141c6.msi
    File \Device\NetBT_Tcpip_{43C85A68-6D7C-49BF-AB75-7F92B9065027}
    Job \BaseNamedObjects\WmiProviderSubSystemHostJob
    Key HKLM
    Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
    Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
    Key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS
    Key HKLM\SYSTEM\ControlSet002\Services\Tcpip\Linkage
    Key HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters
    Key HKLM\SYSTEM\ControlSet002\Services\NetBT\Parameters\Interfaces
    Key HKLM\SYSTEM\ControlSet002\Services\NetBT\Parameters
    Key HKLM\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9
    Key HKLM\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5
    Key HKLM\SYSTEM\ControlSet002\Services\Dhcp\Parameters
    Key HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters
    Key HKLM\SYSTEM\ControlSet002\Services\Dhcp\Parameters\Options
    Key HKLM\SYSTEM\ControlSet002\Services
    Key HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters\DNSRegisteredAdapters
    Key HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{43C85A68-6D7C-49BF-AB75-7F92B9065027}
    Key HKLM\SYSTEM\ControlSet002\Services\lanmanworkstation\parameters
    Key HKCR
    Key HKCR
    Key HKLM\SOFTWARE\Microsoft\Tracing\WZCTrace
    Key HKLM\SOFTWARE\Microsoft\Tracing\EAPOL
    Key HKLM\SOFTWARE\Microsoft\Tracing\EAPOLQEC
    Key HKLM\SOFTWARE\Microsoft\NetworkAccessProtection\NapClient
    Key HKU
    Key HKLM\SOFTWARE\Microsoft\COM3
    Key HKCR
    Key HKCR
    Key HKCR
    Key HKU
    Key HKLM\SOFTWARE\Microsoft\COM3
    Key HKLM\SOFTWARE\Microsoft\COM3
    Key HKCR\CLSID
    Key HKCR
    Key HKLM\SOFTWARE\Microsoft\COM3
    Key HKU
    Key HKLM\SOFTWARE\Microsoft\COM3
    Key HKLM\SOFTWARE\Microsoft\COM3
    Key HKCR\CLSID
    Key HKLM\SOFTWARE\Microsoft\Tracing\Wlpolicy
    Key HKLM\SOFTWARE\Microsoft\Tracing\EAPOLQECCB
    Key HKU\.DEFAULT
    Key HKCR
    Key HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    Key HKLM\SOFTWARE\Microsoft\Tracing\svchost_RASTLS
    Key HKLM\SOFTWARE\Microsoft\Tracing\OneExSup
    Key HKCR
    Key HKCR
    Key HKLM\SOFTWARE\Microsoft\Tracing\svchost_RASCHAP
    Key HKCR
    Key HKCR
    Key HKCR
    Key HKCR
    Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher
    Key HKU
    Key HKLM\SYSTEM\ControlSet002\Control\NetworkProvider\HwOrder
    Key HKLM\SOFTWARE\Microsoft\Tracing\tapisrv
    Key HKCR
    Key HKCR
    Key HKCR
    Key HKCR
    Key HKCR
    Key HKCR
    Key HKLM\SYSTEM\ControlSet002\Control\Terminal Server
    Key HKCR
    Key HKCR
    Key HKLM\SOFTWARE\Policies
    Key HKCR
    Key HKCR
    Key HKCR
    Key HKCR
    Key HKCR
    Key HKCR
    Key HKCR
    Key HKCR
    Key HKCR
    Key HKCR
    Key HKCR
    Key HKCR
    Key HKCR
    Key HKCR
    Key HKCR
    Key HKCR
    Key HKCR
    Key HKCR
    Key HKCR
    Key HKCR
    Key HKCR
    Key HKLM\SYSTEM\ControlSet002\Services\SharedAccess\Epoch
    Key HKLM\SYSTEM\ControlSet002\Services\lanmanserver\parameters
    Key HKCR
    Key HKCR
    Key HKCR
    Key HKLM\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}
    Key HKCR
    Key HKCR
    Key HKLM\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\EventClasses
    Key HKCR
    Key HKLM\SOFTWARE\Microsoft\EventSystem\{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions
    Key HKLM\SYSTEM\ControlSet002\Services\Browser\Parameters
    Key HKCR
    Key HKCR
    Key HKCR
    Key HKCR
    Key HKLM\SYSTEM\Setup
    Key HKCR
    Key HKCR
    Key HKLM\SOFTWARE\Microsoft\COM3
    Key HKCR
    Key HKCR
    Key HKCR
    Key HKCR
    Key HKCR
    Key HKCR
    Key HKCR
    Key HKCR
    Key HKCR
    Key HKCR
    Key HKCR
    Key HKCR
    Key HKCR
    Key HKCR
    Key HKCR
    Key HKCR
    Key HKCR
    Key HKCR
    Key HKLM\SOFTWARE\Microsoft\Tracing\IPNATHLP
    Key HKCR
    Key HKCR
    Key HKCR
    Key HKCR
    Key HKCR
    Key HKCR
    Key HKCR
    Key HKU\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam
    Key HKU\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam\MUICache
    Key HKCR
    Key HKLM\SYSTEM\ControlSet002\Services\SharedAccess\Epoch
    Key HKCR
    Key HKCR
    Key HKLM\SYSTEM\ControlSet002\Control\Lsa\Audit
    Key HKLM\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy
    Key HKLM\SYSTEM\ControlSet002\Services\SharedAccess\Parameters
    Key HKCR
    Key HKCR
    Key HKLM\SYSTEM\ControlSet002\Services\SharedAccess\Epoch
    Key HKLM\SOFTWARE\Microsoft\Security Center
    Key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
    Key HKLM\SOFTWARE\Microsoft\Tracing\RASTAPI
    Key HKLM\SOFTWARE\Microsoft\Tracing\tapi32
    Key HKCR
    Key HKCR
    Key HKLM\SOFTWARE\Microsoft\Tracing\KMDDSP
    Key HKLM\SOFTWARE\Microsoft\Tracing\NDPTSP
    Key HKLM\SOFTWARE\Microsoft\Tracing\conftsp
    Key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\H323TSP
    Key HKLM\SYSTEM\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000
    Key HKLM\SOFTWARE\Microsoft\Security Center\Monitoring
    Key HKLM\SOFTWARE\Microsoft\Tracing\RASQEC
    Key HKLM\SOFTWARE\Microsoft\Tracing\RASMAN
    Key HKLM\SOFTWARE\Microsoft\Tracing\PPP
    Key HKLM\SOFTWARE\Microsoft\Tracing\BAP
    Key HKLM\SYSTEM\ControlSet002\Services\RasMan\Parameters\Quarantine
    Key HKLM\SYSTEM\ControlSet002\Services\RasMan\PPP
    Key HKLM\SOFTWARE\Microsoft\Tracing\RASSPAP
    Key HKLM\SOFTWARE\Microsoft\Tracing\RASPAP
    Key HKLM\SOFTWARE\Microsoft\Tracing\RASEAP
    Key HKLM\SOFTWARE\Microsoft\Tracing\RASCCP
    Key HKLM\SOFTWARE\Microsoft\Tracing\RASBACP
    Key HKLM\SOFTWARE\Microsoft\Tracing\RASIPHLP
    Key HKLM\SOFTWARE\Microsoft\Tracing\RASIPCP
    Key HKLM\SYSTEM\ControlSet002\Control\Network\Connections
    Key HKCR
    Key HKCR
    Key HKLM\SOFTWARE\Microsoft\Tracing\Dot3API
    Key HKCR
    Key HKCR
    Key HKLM\SOFTWARE\Microsoft\Tracing\NETMAN
    Key HKCR
    Key HKLM\SYSTEM\ControlSet002\Services\SharedAccess\Epoch
    Key HKCR
    Key HKCR
    Key HKCR
    Key HKCR
    Key HKCR
    Key HKCR
    Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness
    Key HKCR
    Key HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness
    Key HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness
    Key HKLM\SOFTWARE\Microsoft\Tracing\RASDLG
    Key HKCR
    Key HKCR
    Key HKCR
    Key HKLM\SYSTEM\ControlSet002\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{FE1E8395-B44C-449C-954C-E63A17A7C040}\Connection
    Key HKLM\SYSTEM\ControlSet002\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{43C85A68-6D7C-49BF-AB75-7F92B9065027}\Connection
    Key HKLM\SYSTEM\ControlSet002\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{98DA5B6C-3734-4C86-A15C-31BE4F87A2E0}\Connection
    Key HKLM\SYSTEM\ControlSet002\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{A3DE016D-302B-41C4-B8D7-9FCE7354CACB}\Connection
    Key HKCR
    Key HKCR
    Key HKLM\SYSTEM\ControlSet002\Control\Nls\Locale
    Key HKLM\SYSTEM\ControlSet002\Control\Nls\Locale\Alternate Sorts
    Key HKLM\SYSTEM\ControlSet002\Control\Nls\Language Groups
    Key HKCR
    Key HKCR
    Key HKLM\SOFTWARE\Policies
    Key HKCR
    Key HKU\.DEFAULT\Software\Policies
    Key HKU\.DEFAULT\Software
    Key HKLM\SOFTWARE
    Key HKU\.DEFAULT\Software
    Key HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT
    Key HKLM\SOFTWARE
    Key HKU\.DEFAULT\Software\Policies
    Key HKLM\SOFTWARE\Policies
    Key HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA
    Key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Reporting\EventCache
    Key HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
    Key HKLM\SOFTWARE\Microsoft\SystemCertificates\CA
    Key HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
    Key HKCR
    Key HKU\.DEFAULT\Software\Microsoft\SystemCertificates\CA
    Key HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
    Key HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root
    Key HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Root
    Key HKU\.DEFAULT
    Key HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
    Key HKU\.DEFAULT
    Key HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates
    Key HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates
    Key HKU\.DEFAULT\Software\Microsoft\SystemCertificates\trust
    Key HKU\.DEFAULT
    Key HKLM\SOFTWARE\Microsoft\SystemCertificates\trust
    Key HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Trust
    Key HKU\.DEFAULT\Software\Microsoft\SystemCertificates\My
    Key HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates
    Key HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates
    KeyedEvent \KernelObjects\CritSecOutOfMemoryEvent
    Mutant \BaseNamedObjects\SHIMLIB_LOG_MUTEX
    Mutant \BaseNamedObjects\RasPbFile
    Mutant \BaseNamedObjects\0CADFD67AF62496dB34264F000F5624A
    Mutant \BaseNamedObjects\4FCC0DEFE22C4f138FB9D5AF25FD9398
    Mutant \BaseNamedObjects\238FAD3109D3473aB4764B20B3731840
    Mutant \BaseNamedObjects\OOC State Mutex
    Mutant \BaseNamedObjects\SRDataStore
    Mutant \BaseNamedObjects\SRDataStore
    Mutant \BaseNamedObjects\WindowsUpdateTracingMutex
    Mutant \BaseNamedObjects\DBWinMutex
    Mutant \BaseNamedObjects\RAS_MO_02
    Mutant \BaseNamedObjects\RAS_MO_01
    Mutant \BaseNamedObjects\RasPbFile
    Mutant \BaseNamedObjects\Instance0: ESENT Performance Data Schema Version 40
    Mutant \BaseNamedObjects\ZonesCacheCounterMutex
    Mutant \BaseNamedObjects\ZonesCounterMutex
    Mutant \BaseNamedObjects\ZonesLockedCacheCounterMutex
    Mutant \BaseNamedObjects\_!MSFTHISTORY!_
    Mutant \BaseNamedObjects\c:!documents and settings!jb!local settings!temporary internet files!content.ie5!
    Mutant \BaseNamedObjects\c:!documents and settings!networkservice!cookies!
    Mutant \BaseNamedObjects\c:!documents and settings!networkservice!local settings!history!history.ie5!
    Mutant \BaseNamedObjects\WininetStartupMutex
    Mutant \BaseNamedObjects\WininetProxyRegistryMutex
    Mutant \BaseNamedObjects\ShimCacheMutex
    Port \ThemeApiPort
    Port \RPC Control\dhcpcsvc
    Port \RPC Control\wzcsvc
    Port \RPC Control\OLEC83507C4570E467BBED6AAB768E5
    Port \RPC Control\AudioSrv
    Port \RPC Control\keysvc
    Port \XactSrvLpcPort
    Port \RPC Control\SECLOGON
    Port \RPC Control\senssvc
    Port \RPC Control\trkwks
    Port \RPC Control\srrpc
    Port \RPC Control\tapsrvlpc
    Port \FusApiPort
    Port \RPC Control\unimdmsvc
    Process winlogon.exe(1304)
    Process winlogon.exe(1304)
    Process winlogon.exe(1304)
    Process winlogon.exe(1304)
    Process Courier.exe(832)
    Process S24EvMon.exe(1132)
    Process Smc.exe(1672)
    Process svchost.exe(1008)
    Process KEYEXP.EXE(2180)
    Process clipc.exe(2088)
    Process explorer.exe(1660)
    Process explorer.exe(1660)
    Process stsystra.exe(1136)
    Process rundll32.exe(1720)
    Process iFrmewrk.exe(1344)
    Process ZCfgSvc.exe(1348)
    Process EOUWiz.exe(1472)
    Process schedhlp.exe(1892)
    Process DLACTRLW.EXE(988)
    Process cavrid.exe(304)
    Process TMTray.exe(384)
    Process SynTPEnh.exe(1800)
    Process ExSpinDn.exe(752)
    Process jusched.exe(1932)
    Process rfagent.exe(380)
    Process TrueImageMonitor.exe(896)
    Process TimounterMonitor.exe(1040)
    Process lnkstash.exe(2276)
    Process ipoint.exe(1532)
    Process cctray.exe(272)
    Process Sticky32.exe(672)
    Process lsmon.exe(1400)
    Process ctfmon.exe(452)
    Process DUMeter.exe(944)
    Process Calendar.exe(1776)
    Process taskbarshuffle.exe(1520)
    Process wmpnscfg.exe(884)
    Process procexp.exe(2664)
    Process nvsvc32.exe(2480)
    Process vetmsg.exe(3660)
    Process lsass.exe(1536)
    Process taskmgr.exe(2888)
    Process svchost.exe(1008)
    Process wmiprvse.exe(308)
    Process svchost.exe(1008)
    Process svchost.exe(1200)
    Process svchost.exe(1008)
    Process Matrox.PowerDesk SE.exe(1556)
    Process arr_srvs.exe(3908)
    Process Smc.exe(1672)
    Section \BaseNamedObjects\AtlDebugAllocator_FileMappingNameStatic3_3f0
    Section \BaseNamedObjects\DFMap0-2280030
    Section \BaseNamedObjects\mmGlobalPnpInfo
    Section \BaseNamedObjects\AtlDebugAllocator_FileMappingNameStatic3_3f0
    Section \BaseNamedObjects\AtlDebugAllocator_FileMappingNameStatic3_3f0
    Section \BaseNamedObjects\DfSharedHeap22CA2F
    Section \BaseNamedObjects\SENS Information Cache
    Section \BaseNamedObjects\RotHintTable
    Section \BaseNamedObjects\Wmi Provider Sub System Counters
    Section \BaseNamedObjects\DfRoot00022CA2F
    Section \BaseNamedObjects\Debug.Memory.3f0
    Section \BaseNamedObjects\GDA: ESENT Performance Data Schema Version 40
    Section \BaseNamedObjects\IDA0: ESENT Performance Data Schema Version 40
    Section \BaseNamedObjects\C:_Documents and Settings_JB_Local Settings_Temporary Internet Files_Content.IE5_index.dat_65536
    Section \BaseNamedObjects\C:_Documents and Settings_NetworkService_Cookies_index.dat_16384
    Section \BaseNamedObjects\C:_Documents and Settings_NetworkService_Local Settings_History_History.IE5_index.dat_16384
    Section \BaseNamedObjects\ShimSharedMemory
    Section \BaseNamedObjects\DfSharedHeap245AFC
    Semaphore \BaseNamedObjects\shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}
    Semaphore \BaseNamedObjects\shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}
    Semaphore \BaseNamedObjects\PowerProfileRegistrySemaphore
    Semaphore \BaseNamedObjects\OleDfRoot00022CA2F
    Thread svchost.exe(1008): 1020
    Thread svchost.exe(1008): 1404
    Thread svchost.exe(1008): 1360
    Thread svchost.exe(1008): 1516
    Thread svchost.exe(1008): 548
    Thread svchost.exe(1008): 548
    Thread svchost.exe(1008): 632
    Thread svchost.exe(1008): 744
    Thread svchost.exe(1008): 1076
    Thread svchost.exe(1008): 2656
    Thread svchost.exe(1008): 784
    Thread svchost.exe(1008): 1600
    Thread svchost.exe(1008): 1568
    Thread svchost.exe(1008): 1380
    Thread svchost.exe(1008): 1576
    Thread svchost.exe(1008): 1596
    Thread svchost.exe(1008): 1608
    Thread svchost.exe(1008): 1600
    Thread svchost.exe(1008): 1880
    Thread svchost.exe(1008): 1880
    Thread svchost.exe(1008): 1964
    Thread svchost.exe(1008): 1968
    Thread svchost.exe(1008): 1972
    Thread svchost.exe(1008): 1984
    Thread svchost.exe(1008): 2004
    Thread svchost.exe(1008): 1984
    Thread svchost.exe(1008): 1196
    Thread svchost.exe(1008): 2004
    Thread svchost.exe(1008): 596
    Thread svchost.exe(1008): 652
    Thread svchost.exe(1008): 708
    Thread explorer.exe(1660): 648
    Thread svchost.exe(1008): 636
    Thread svchost.exe(1008): 2808
    Thread svchost.exe(1008): 1380
    Thread svchost.exe(1008): 2384
    Thread svchost.exe(1008): 3956
    Thread svchost.exe(1008): 1612
    Thread svchost.exe(1008): 1612
    Thread svchost.exe(1008): 3964
    Thread svchost.exe(1008): 1884
    Thread svchost.exe(1008): 2420
    Thread svchost.exe(1008): 1936
    Thread svchost.exe(1008): 2376
    Thread svchost.exe(1008): 3656
    Thread svchost.exe(1008): 3940
    Thread svchost.exe(1008): 3992
    Thread svchost.exe(1008): 3980
    Thread svchost.exe(1008): 3992
    Thread svchost.exe(1008): 1948
    Thread svchost.exe(1008): 1196
    Thread svchost.exe(1008): 872
    Thread svchost.exe(1008): 956
    Thread svchost.exe(1008): 1460
    Thread svchost.exe(1008): 1460
    Thread svchost.exe(1008): 872
    Thread svchost.exe(1008): 2988
    Thread svchost.exe(1008): 1808
    Thread svchost.exe(1008): 596
    Thread svchost.exe(1008): 2720
    Thread svchost.exe(1008): 556
    Thread svchost.exe(1008): 652
    Thread svchost.exe(1008): 844
    Thread svchost.exe(1008): 1788
    Thread svchost.exe(1008): 844
    Thread svchost.exe(1008): 3488
    Thread svchost.exe(1008): 3572
    Thread svchost.exe(1008): 2424
    Thread svchost.exe(1008): 3144
    Thread svchost.exe(1008): 1196
    Thread svchost.exe(1008): 3636
    Thread svchost.exe(1008): 3936
    Thread svchost.exe(1008): 3988
    Thread svchost.exe(1008): 3936
    Thread svchost.exe(1008): 3636
    Thread svchost.exe(1008): 888
    Thread svchost.exe(1008): 2400
    Thread svchost.exe(1008): 2608
    Thread svchost.exe(1008): 3328
    Thread svchost.exe(1008): 2600
    Thread svchost.exe(1008): 2396
    Thread svchost.exe(1008): 2784
    Thread svchost.exe(1008): 2644
    Thread svchost.exe(1008): 2784
    Thread svchost.exe(1008): 3316
    Thread svchost.exe(1008): 3484
    Thread svchost.exe(1008): 3484
    Thread svchost.exe(1008): 3500
    Thread svchost.exe(1008): 1668
    Thread svchost.exe(1008): 3504
    Thread svchost.exe(1008): 228
    Thread svchost.exe(1008): 3560
    Thread svchost.exe(1008): 3564
    Thread svchost.exe(1008): 1296
    Thread svchost.exe(1008): 1668
    Thread svchost.exe(1008): 1516
    Thread svchost.exe(1008): 2396
    Thread svchost.exe(1008): 1296
    Thread svchost.exe(1008): 4068
    Thread svchost.exe(1008): 2000
    Thread svchost.exe(1008): 348
    Thread svchost.exe(1008): 992
    Thread svchost.exe(1008): 1060
    Thread svchost.exe(1008): 1060
    Thread svchost.exe(1008): 2408
    Thread svchost.exe(1008): 2824
    Thread svchost.exe(1008): 3328
    Thread svchost.exe(1008): 3596
    Thread svchost.exe(1008): 228
    Thread svchost.exe(1008): 908
    Thread svchost.exe(1008): 1964
    Thread svchost.exe(1008): 228
    Thread svchost.exe(1008): 1016
    Thread svchost.exe(1008): 908
    Thread svchost.exe(1008): 1808
    Thread svchost.exe(1008): 3144
    Thread svchost.exe(1008): 2092
    Thread svchost.exe(1008): 2996
    Thread svchost.exe(1008): 1504
    Thread svchost.exe(1008): 1788
    Thread svchost.exe(1008): 3144
    Thread svchost.exe(1008): 2736
    Thread svchost.exe(1008): 2608
    Thread svchost.exe(1008): 1808
    Thread svchost.exe(1008): 3560
    Thread svchost.exe(1008): 1408
    Thread svchost.exe(1008): 3548
    Thread svchost.exe(1008): 892
    Thread svchost.exe(1008): 912
    Thread svchost.exe(1008): 912
    Thread svchost.exe(1008): 2988
    Thread svchost.exe(1008): 3216
    Thread svchost.exe(1008): 3144
    Thread svchost.exe(1008): 908
    Thread svchost.exe(1008): 3220
    Thread svchost.exe(1008): 3228
    Thread svchost.exe(1008): 3216
    Thread svchost.exe(1008): 3220
    Thread svchost.exe(1008): 3228
    Thread svchost.exe(1008): 3228
    Thread svchost.exe(1008): 3216
    Thread svchost.exe(1008): 844
    Thread svchost.exe(1008): 844
    Thread svchost.exe(1008): 2644
    Thread svchost.exe(1008): 3104
    Thread svchost.exe(1008): 1872
    Thread svchost.exe(1008): 1872
    Thread svchost.exe(1008): 1872
    Thread svchost.exe(1008): 1872
    Thread svchost.exe(1008): 1872
    Thread svchost.exe(1008): 744
    Thread svchost.exe(1008): 2396
    Token NT AUTHORITY\SYSTEM:3e7
    Token JB3\Joe:11683
    Token JB3\Joe:11683
    Token JB3\Joe:11683
    Token JB3\Joe:11683
    Token NT AUTHORITY\NETWORK SERVICE:3e4
    Token JB3\Joe:11683
    Token NT AUTHORITY\SYSTEM:3e7
    Token NT AUTHORITY\LOCAL SERVICE:3e5
    Token NT AUTHORITY\NETWORK SERVICE:3e4
    Token JB3\Joe:11683
    Token NT AUTHORITY\SYSTEM:3e7
    Token NT AUTHORITY\SYSTEM:3e7
    Token NT AUTHORITY\SYSTEM:3e7
    Token JB3\Joe:11683
    Token NT AUTHORITY\LOCAL SERVICE:3e5
    Token NT AUTHORITY\SYSTEM:3e7
    Token NT AUTHORITY\NETWORK SERVICE:3e4
    Token NT AUTHORITY\NETWORK SERVICE:3e4
    Token JB3\Joe:11683
    Token NT AUTHORITY\SYSTEM:3e7
    Token NT AUTHORITY\NETWORK SERVICE:3e4
    WaitablePort \Security\TRKWKS_PORT
    WaitablePort \NLAPublicPort
    WaitablePort \NLAPrivatePort
    WindowStation \Windows\WindowStations\Service-0x0-3e7$
    WindowStation \Windows\WindowStations\WinSta0
    WindowStation \Windows\WindowStations\SAWinSta
    WindowStation \Windows\WindowStations\WinSta0
     
  12. 2008/05/13
    RCS-Joe

    update - system still hosed

    so here's what happens...

    I reboot, initially my system is ok for a few minutes, all tray apps launch and the sound system is working... i.e. I can click on the tray loudspeaker, for example and adjust volume... and it makes a default grunt. However watching process explorer shortly thereafter svchost kicks in and after bouncing around some different numbers for a bit, it winds up at 49 or 50 and the system is hosed. I can right click exit the process from PE and the system is fully restored once again. But the sound system is dead... I get a few default sounds like windows shut down but I cannot generate any manually... going to control panel/sounds, for example has the "test" button grayed out and the default sound system unavailable... likewise when I click on the tray volume icon, nothing happens and a double click says "no active mixer devices available". Arie suggested updating my audio drivers from Dell which I did, but after a reboot the conditions were the same.

    I can use my system well enough except for sound by killing the svchost process whenever it kicks in, but obviously I would like to get to the bottom of it. And I think it's odd that both my dell laptop and my custom build desktop pc have the identical issue. They have most utilities in common, except sound card for example, and both had SP3 installed, though I removed it on the desktop which did not help.

    I'm out of ideas here... maybe the PE log posted will yield some clues?

    thanks

    jb
     
  13. 2008/05/13
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hi Joe,

    Nothing jumping out at me in the PE log, but I will study it a bit closer.

    Download driver_service_info.exe, a utility I wrote, then run it when the svchost process is consuming the cpu.
    Once opened, type S to gather service information, then A at the next prompt to gather Active service info.
    When prompted, type Y to gather ServiceGroup and LoadOrderGroup info.
    Please post the contents of the log that opens, and let me know the PID of the svchost consuming the cpu.
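
    A check commonly applied to a process report like the one requested above, as an added example (not from the thread, and not noahdfear's utility): it parses a Running Processes listing in name / PID / Path / Parent PID layout and notes, for each svchost.exe, whether its image path and parent process are the expected ones. The sample report, its PIDs and the C:\WINDOWS install path are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample in the name / PID / Path / Parent PID layout.
# All PIDs and the last entry's path are made up for illustration.
SAMPLE_REPORT = r"""
~~~Running Processes~~~

System
PID: 4
Path:
Parent PID: 0

smss.exe
PID: 500
Path: C:\WINDOWS\System32\smss.exe
Parent PID: 4

winlogon.exe
PID: 620
Path: C:\WINDOWS\system32\winlogon.exe
Parent PID: 500

services.exe
PID: 700
Path: C:\WINDOWS\system32\services.exe
Parent PID: 620

svchost.exe
PID: 900
Path: C:\WINDOWS\System32\svchost.exe
Parent PID: 700

svchost.exe
PID: 940
Path:
Parent PID: 700

svchost.exe
PID: 3100
Path: C:\WINDOWS\Temp\svchost.exe
Parent PID: 2200
"""

# Assumption: Windows is installed in C:\WINDOWS. Comparison is
# case-insensitive because reports mix "system32" and "System32".
EXPECTED_IMAGE = r"c:\windows\system32\svchost.exe"
EXPECTED_PARENT = "services.exe"


@dataclass
class Proc:
    name: str
    pid: int
    path: str  # empty when the reporting tool could not read the image path
    ppid: int


def parse_processes(report):
    """Return a Proc for every well-formed four-line entry in the report."""
    lines = [ln.strip() for ln in report.splitlines()]
    procs = []
    for i in range(1, len(lines) - 2):
        if not lines[i].startswith("PID:"):
            continue
        path_ln, ppid_ln = lines[i + 1], lines[i + 2]
        if not (path_ln.startswith("Path:") and ppid_ln.startswith("Parent PID:")):
            continue  # skip malformed or truncated entries
        procs.append(Proc(
            name=lines[i - 1],
            pid=int(lines[i].split(":", 1)[1]),
            path=path_ln[len("Path:"):].strip(),
            ppid=int(ppid_ln.split(":", 1)[1]),
        ))
    return procs


def review_svchost(procs):
    """Map each svchost.exe PID to a list of notes; an empty list means
    both the image path and the parent process look as expected."""
    by_pid = {p.pid: p for p in procs}
    findings = {}
    for p in procs:
        if p.name.lower() != "svchost.exe":
            continue
        notes = []
        if not p.path:
            # Not a verdict: the path still needs checking with another tool.
            notes.append("path-unreadable")
        elif p.path.lower() != EXPECTED_IMAGE:
            notes.append("path-mismatch")
        parent = by_pid.get(p.ppid)
        if parent is None:
            notes.append("parent-missing")  # parent exited or was not listed
        elif parent.name.lower() != EXPECTED_PARENT:
            notes.append("parent-mismatch")
        findings[p.pid] = notes
    return findings


if __name__ == "__main__":
    for pid, notes in review_svchost(parse_processes(SAMPLE_REPORT)).items():
        print(pid, "ok" if not notes else ", ".join(notes))
```

    An empty Path is reported as unreadable rather than as a mismatch, since a report can leave the field blank for processes whose image path the tool could not query.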
     
  14. 2008/05/13
    RCS-Joe

    driver service info

    ok... I followed the steps as outlined... took a very long time because of system lag but now that I've killed the process (PID 1004) system is ok again. perhaps I should also mention that once I kill that svchost process with PE, I minimize PE and shortly thereafter it crashes... every single time.

    anyhow here is the log:


    ~~~ Active Service Info report ~~~

    Microsoft Windows XP Professional
    Service Pack 3
    5.1.2600

    5/13/2008 8:19:09 PM


    ~~~Running Processes~~~

    System Idle Process
    PID: 0
    Path:
    Parent PID: 0

    System
    PID: 4
    Path:
    Parent PID: 0

    smss.exe
    PID: 692
    Path: C:\WINDOWS\System32\smss.exe
    Parent PID: 4

    csrss.exe
    PID: 1052
    Path:
    Parent PID: 692

    winlogon.exe
    PID: 1364
    Path: C:\WINDOWS\system32\winlogon.exe
    Parent PID: 692

    services.exe
    PID: 1516
    Path: C:\WINDOWS\system32\services.exe
    Parent PID: 1364

    lsass.exe
    PID: 1600
    Path: C:\WINDOWS\system32\lsass.exe
    Parent PID: 1364

    svchost.exe
    PID: 976
    Path: C:\WINDOWS\system32\svchost.exe
    Parent PID: 1516

    svchost.exe
    PID: 1932
    Path:
    Parent PID: 1516

    svchost.exe
    PID: 1004
    Path: C:\WINDOWS\System32\svchost.exe
    Parent PID: 1516

    EvtEng.exe
    PID: 1624
    Path: C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    Parent PID: 1516

    S24EvMon.exe
    PID: 1088
    Path: C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    Parent PID: 1516

    Smc.exe
    PID: 1664
    Path: C:\Program Files\Sygate\SPF\Smc.exe
    Parent PID: 1516

    svchost.exe
    PID: 628
    Path:
    Parent PID: 1516

    svchost.exe
    PID: 1196
    Path:
    Parent PID: 1516

    spoolsv.exe
    PID: 368
    Path: C:\WINDOWS\system32\spoolsv.exe
    Parent PID: 1516

    explorer.exe
    PID: 1816
    Path: C:\WINDOWS\Explorer.EXE
    Parent PID: 1440

    rundll32.exe
    PID: 1064
    Path: C:\WINDOWS\system32\rundll32.exe
    Parent PID: 1816

    ZCfgSvc.exe
    PID: 1156
    Path: C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    Parent PID: 1816

    iFrmewrk.exe
    PID: 1228
    Path: C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    Parent PID: 1816

    EOUWiz.exe
    PID: 1588
    Path: C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
    Parent PID: 1816

    Matrox.PowerDesk SE.exe
    PID: 1848
    Path: C:\Program Files\Matrox Graphics Inc\PowerDesk SE\Matrox.PowerDesk SE.exe
    Parent PID: 1816

    schedhlp.exe
    PID: 2004
    Path: C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
    Parent PID: 1816

    cavrid.exe
    PID: 460
    Path: C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
    Parent PID: 1816

    TMTray.exe
    PID: 788
    Path: C:\Program Files\TweakMASTER\TMTray.exe
    Parent PID: 1816

    DLACTRLW.EXE
    PID: 1000
    Path: C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    Parent PID: 1816

    ExSpinDn.exe
    PID: 1476
    Path: C:\Program Files\Western Digital Technologies\Spindown\ExSpinDn.exe
    Parent PID: 1816

    SynTPEnh.exe
    PID: 1648
    Path: C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    Parent PID: 1816

    jusched.exe
    PID: 808
    Path: C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    Parent PID: 1816

    rfagent.exe
    PID: 1956
    Path: C:\Program Files\RFA Platinum\rfagent.exe
    Parent PID: 1816

    TrueImageMonitor.exe
    PID: 588
    Path: C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
    Parent PID: 1816

    TimounterMonitor.exe
    PID: 968
    Path: C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
    Parent PID: 1816

    ipoint.exe
    PID: 1336
    Path: C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    Parent PID: 1816

    cctray.exe
    PID: 1880
    Path: C:\Program Files\CA\eTrust Internet Security Suite\cctray\cctray.exe
    Parent PID: 1816

    stsystra.exe
    PID: 728
    Path: C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
    Parent PID: 1816

    Sticky32.exe
    PID: 1128
    Path: C:\Program Files\Magic Notes\Sticky32.exe
    Parent PID: 1816

    lsmon.exe
    PID: 1660
    Path: C:\Program Files\LinkStash\lsmon.exe
    Parent PID: 1816

    ctfmon.exe
    PID: 1796
    Path: C:\WINDOWS\system32\ctfmon.exe
    Parent PID: 1816

    DUMeter.exe
    PID: 964
    Path: C:\Program Files\DU Meter\DUMeter.exe
    Parent PID: 1816

    taskbarshuffle.exe
    PID: 1908
    Path: C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe
    Parent PID: 1816

    dpupdchk.exe
    PID: 572
    Path: c:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
    Parent PID: 1336

    Calendar.exe
    PID: 1444
    Path: C:\Program Files\AMP Calendar\Calendar.exe
    Parent PID: 1816

    wmpnscfg.exe
    PID: 612
    Path: C:\Program Files\Windows Media Player\WMPNSCFG.exe
    Parent PID: 1816

    clipc.exe
    PID: 2072
    Path: C:\Program Files\ClipCache\clipc.exe
    Parent PID: 1816

    KEYEXP.EXE
    PID: 2252
    Path: C:\Program Files\keyexp\KEYEXP.EXE
    Parent PID: 1816

    lnkstash.exe
    PID: 2296
    Path: C:\Program Files\LinkStash\lnkstash.exe
    Parent PID: 1816

    procexp.exe
    PID: 2644
    Path: C:\Program Files\Accessories\process explorer\procexp.exe
    Parent PID: 1816

    arr_isrv.exe
    PID: 3984
    Path: C:\Program Files\Array Networks\Common\8,2,0,32\arr_isrv.exe
    Parent PID: 1516

    schedul2.exe
    PID: 1876
    Path: C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    Parent PID: 1516

    arr_srvs.exe
    PID: 1136
    Path: C:\Program Files\Array Networks\Array SSL VPN\8,2,0,32\arr_srvs.exe
    Parent PID: 1516

    isafe.exe
    PID: 1448
    Path: C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
    Parent PID: 1516

    DiskMgkS.exe
    PID: 2588
    Path: C:\Program Files\DiskMagik\DiskMgkS.exe
    Parent PID: 1516

    DUMeterSvc.exe
    PID: 2724
    Path: C:\Program Files\DU Meter\DUMeterSvc.exe
    Parent PID: 1516

    svchost.exe
    PID: 3832
    Path: C:\WINDOWS\System32\svchost.exe
    Parent PID: 1516

    nvsvc32.exe
    PID: 2160
    Path: C:\WINDOWS\system32\nvsvc32.exe
    Parent PID: 1516

    RegSrvc.exe
    PID: 2508
    Path: C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    Parent PID: 1516

    vetmsg.exe
    PID: 3220
    Path: C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
    Parent PID: 1516

    wmpnetwk.exe
    PID: 3668
    Path:
    Parent PID: 1516

    ccprovsp.exe
    PID: 2416
    Path: C:\Program Files\CA\eTrust Internet Security Suite\ccprovsp.exe
    Parent PID: 1516

    alg.exe
    PID: 1836
    Path:
    Parent PID: 1516

    wuauclt.exe
    PID: 900
    Path: C:\WINDOWS\system32\wuauclt.exe
    Parent PID: 1004

    driver_service_info.exe
    PID: 904
    Path: C:\DOWNLOAD\_driver\driver_service_info.exe
    Parent PID: 1816

    cmd.exe
    PID: 2996
    Path: C:\WINDOWS\system32\cmd.exe
    Parent PID: 904

    wmiprvse.exe
    PID: 1968
    Path:
    Parent PID: 976

    wmiadap.exe
    PID: 2948
    Path: \\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
    Parent PID: 1004

    cscript.exe
    PID: 2512
    Path: C:\WINDOWS\system32\cscript.exe
    Parent PID: 2996

    findstr.exe
    PID: 2392
    Path: C:\WINDOWS\system32\findstr.exe
    Parent PID: 2996

    wmiprvse.exe
    PID: 3272
    Path:
    Parent PID: 976


    ~~~Running Services by PID~~~

    PID: 1876
    Acronis Scheduler2 Service
    PID: 1836
    Application Layer Gateway Service
    PID: 3984
    Array Utility Service 8,2,0,32
    PID: 1136
    Array SSL VPN Service 8,2,0,32
    PID: 1004
    Windows Audio
    Background Intelligent Transfer Service
    Computer Browser
    Cryptographic Services
    DHCP Client
    Logical Disk Manager
    Error Reporting Service
    COM+ Event System
    Fast User Switching Compatibility
    Help and Support
    HID Input Service
    Server
    Workstation
    Network Connections
    Network Location Awareness (NLA)
    Remote Access Connection Manager
    Task Scheduler
    Secondary Logon
    System Event Notification
    Windows Firewall/Internet Connection Sharing (ICS)
    Shell Hardware Detection
    System Restore Service
    Telephony
    Themes
    Distributed Link Tracking Client
    Windows Time
    Windows Management Instrumentation
    Security Center
    Automatic Updates
    Wireless Zero Configuration
    PID: 2416
    CaCCProvSP
    PID: 1448
    CAISafe
    PID: 976
    DCOM Server Process Launcher
    Terminal Services
    PID: 2588
    DiskMagik Service
    PID: 628
    DNS Client
    PID: 2724
    DU Meter Service
    PID: 1516
    Event Log
    Plug and Play
    PID: 1624
    Intel(R) PROSet/Wireless Event Log
    PID: 3832
    HTTP SSL
    PID: 1196
    TCP/IP NetBIOS Helper
    Remote Registry
    SSDP Discovery Service
    Universal Plug and Play Device Host
    WebClient
    PID: 2160
    NVIDIA Display Driver Service
    PID: 1600
    IPSEC Services
    Protected Storage
    Security Accounts Manager
    PID: 2508
    Intel(R) PROSet/Wireless Registry Service
    PID: 1932
    Remote Procedure Call (RPC)
    PID: 1088
    Intel(R) PROSet/Wireless Service
    PID: 1664
    Sygate Personal Firewall
    PID: 368
    Print Spooler
    PID: 3220
    VET Message Service
    PID: 3668
    Windows Media Player Network Sharing Service


    ~~~Running Services Configuration~~~

    PID: 1876
    Service: AcrSch2Svc
    Displayed: Acronis Scheduler2 Service
    Image: "C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe "
    Start Mode: Auto

    PID: 1836
    Service: ALG
    Displayed: Application Layer Gateway Service
    Image: C:\WINDOWS\System32\alg.exe
    Start Mode: Manual

    PID: 1136
    Service: ArraySSL_VPN_Service8.2.0.32
    Displayed: Array SSL VPN Service 8,2,0,32
    Image: C:\Program Files\Array Networks\Array SSL VPN\8,2,0,32\arr_srvs.exe
    Start Mode: Auto

    PID: 3984
    Service: Array_Utility_Service8.2.0.32
    Displayed: Array Utility Service 8,2,0,32
    Image: C:\Program Files\Array Networks\Common\8,2,0,32\arr_isrv.exe
    Start Mode: Auto

    PID: 1004
    Service: AudioSrv
    Displayed: Windows Audio
    Image: C:\WINDOWS\System32\svchost.exe -k netsvcs
    Start Mode: Auto

    PID: 1004
    Service: BITS
    Displayed: Background Intelligent Transfer Service
    Image: C:\WINDOWS\system32\svchost.exe -k netsvcs
    Start Mode: Auto

    PID: 1004
    Service: Browser
    Displayed: Computer Browser
    Image: C:\WINDOWS\system32\svchost.exe -k netsvcs
    Start Mode: Auto

    PID: 2416
    Service: CaCCProvSP
    Displayed: CaCCProvSP
    Image: "C:\Program Files\CA\eTrust Internet Security Suite\ccprovsp.exe "
    Start Mode: Manual

    PID: 1448
    Service: CAISafe
    Displayed: CAISafe
    Image: C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
    Start Mode: Auto

    PID: 1004
    Service: CryptSvc
    Displayed: Cryptographic Services
    Image: C:\WINDOWS\system32\svchost.exe -k netsvcs
    Start Mode: Auto

    PID: 976
    Service: DcomLaunch
    Displayed: DCOM Server Process Launcher
    Image: C:\WINDOWS\system32\svchost -k DcomLaunch
    Start Mode: Auto

    PID: 1004
    Service: Dhcp
    Displayed: DHCP Client
    Image: C:\WINDOWS\system32\svchost.exe -k netsvcs
    Start Mode: Auto

    PID: 2588
    Service: DiskMgkS
    Displayed: DiskMagik Service
    Image: "C:\Program Files\DiskMagik\DiskMgkS.exe "
    Start Mode: Auto

    PID: 1004
    Service: dmserver
    Displayed: Logical Disk Manager
    Image: C:\WINDOWS\System32\svchost.exe -k netsvcs
    Start Mode: Auto

    PID: 628
    Service: Dnscache
    Displayed: DNS Client
    Image: C:\WINDOWS\system32\svchost.exe -k NetworkService
    Start Mode: Auto

    PID: 2724
    Service: DUMeterSvc
    Displayed: DU Meter Service
    Image: C:\Program Files\DU Meter\DUMeterSvc.exe /startedbyscm:E1F6D4BE-40E33354-DUMeterService
    Start Mode: Auto

    PID: 1004
    Service: ERSvc
    Displayed: Error Reporting Service
    Image: C:\WINDOWS\System32\svchost.exe -k netsvcs
    Start Mode: Auto

    PID: 1516
    Service: Eventlog
    Displayed: Event Log
    Image: C:\WINDOWS\system32\services.exe
    Start Mode: Auto

    PID: 1004
    Service: EventSystem
    Displayed: COM+ Event System
    Image: C:\WINDOWS\system32\svchost.exe -k netsvcs
    Start Mode: Manual

    PID: 1624
    Service: EvtEng
    Displayed: Intel(R) PROSet/Wireless Event Log
    Image: C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    Start Mode: Auto

    PID: 1004
    Service: FastUserSwitchingCompatibility
    Displayed: Fast User Switching Compatibility
    Image: C:\WINDOWS\System32\svchost.exe -k netsvcs
    Start Mode: Manual

    PID: 1004
    Service: helpsvc
    Displayed: Help and Support
    Image: C:\WINDOWS\System32\svchost.exe -k netsvcs
    Start Mode: Auto

    PID: 1004
    Service: HidServ
    Displayed: HID Input Service
    Image: C:\WINDOWS\System32\svchost.exe -k netsvcs
    Start Mode: Auto

    PID: 3832
    Service: HTTPFilter
    Displayed: HTTP SSL
    Image: C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    Start Mode: Manual

    PID: 1004
    Service: lanmanserver
    Displayed: Server
    Image: C:\WINDOWS\system32\svchost.exe -k netsvcs
    Start Mode: Auto

    PID: 1004
    Service: lanmanworkstation
    Displayed: Workstation
    Image: C:\WINDOWS\system32\svchost.exe -k netsvcs
    Start Mode: Auto

    PID: 1196
    Service: LmHosts
    Displayed: TCP/IP NetBIOS Helper
    Image: C:\WINDOWS\system32\svchost.exe -k LocalService
    Start Mode: Auto

    PID: 1004
    Service: Netman
    Displayed: Network Connections
    Image: C:\WINDOWS\System32\svchost.exe -k netsvcs
    Start Mode: Manual

    PID: 1004
    Service: Nla
    Displayed: Network Location Awareness (NLA)
    Image: C:\WINDOWS\system32\svchost.exe -k netsvcs
    Start Mode: Manual

    PID: 2160
    Service: NVSvc
    Displayed: NVIDIA Display Driver Service
    Image: C:\WINDOWS\system32\nvsvc32.exe
    Start Mode: Auto

    PID: 1516
    Service: PlugPlay
    Displayed: Plug and Play
    Image: C:\WINDOWS\system32\services.exe
    Start Mode: Auto

    PID: 1600
    Service: PolicyAgent
    Displayed: IPSEC Services
    Image: C:\WINDOWS\system32\lsass.exe
    Start Mode: Auto

    PID: 1600
    Service: ProtectedStorage
    Displayed: Protected Storage
    Image: C:\WINDOWS\system32\lsass.exe
    Start Mode: Auto

    PID: 1004
    Service: RasMan
    Displayed: Remote Access Connection Manager
    Image: C:\WINDOWS\system32\svchost.exe -k netsvcs
    Start Mode: Manual

    PID: 2508
    Service: RegSrvc
    Displayed: Intel(R) PROSet/Wireless Registry Service
    Image: C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    Start Mode: Auto

    PID: 1196
    Service: RemoteRegistry
    Displayed: Remote Registry
    Image: C:\WINDOWS\system32\svchost.exe -k LocalService
    Start Mode: Auto

    PID: 1932
    Service: RpcSs
    Displayed: Remote Procedure Call (RPC)
    Image: C:\WINDOWS\system32\svchost -k rpcss
    Start Mode: Auto

    PID: 1088
    Service: S24EventMonitor
    Displayed: Intel(R) PROSet/Wireless Service
    Image: C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    Start Mode: Auto

    PID: 1600
    Service: SamSs
    Displayed: Security Accounts Manager
    Image: C:\WINDOWS\system32\lsass.exe
    Start Mode: Auto

    PID: 1004
    Service: Schedule
    Displayed: Task Scheduler
    Image: C:\WINDOWS\System32\svchost.exe -k netsvcs
    Start Mode: Auto

    PID: 1004
    Service: seclogon
    Displayed: Secondary Logon
    Image: C:\WINDOWS\System32\svchost.exe -k netsvcs
    Start Mode: Auto

    PID: 1004
    Service: SENS
    Displayed: System Event Notification
    Image: C:\WINDOWS\system32\svchost.exe -k netsvcs
    Start Mode: Auto

    PID: 1004
    Service: SharedAccess
    Displayed: Windows Firewall/Internet Connection Sharing (ICS)
    Image: C:\WINDOWS\system32\svchost.exe -k netsvcs
    Start Mode: Auto

    PID: 1004
    Service: ShellHWDetection
    Displayed: Shell Hardware Detection
    Image: C:\WINDOWS\System32\svchost.exe -k netsvcs
    Start Mode: Auto

    PID: 1664
    Service: SmcService
    Displayed: Sygate Personal Firewall
    Image: C:\Program Files\Sygate\SPF\Smc.exe
    Start Mode: Auto

    PID: 368
    Service: Spooler
    Displayed: Print Spooler
    Image: C:\WINDOWS\system32\spoolsv.exe
    Start Mode: Auto

    PID: 1004
    Service: srservice
    Displayed: System Restore Service
    Image: C:\WINDOWS\system32\svchost.exe -k netsvcs
    Start Mode: Auto

    PID: 1196
    Service: SSDPSRV
    Displayed: SSDP Discovery Service
    Image: C:\WINDOWS\system32\svchost.exe -k LocalService
    Start Mode: Manual

    PID: 1004
    Service: TapiSrv
    Displayed: Telephony
    Image: C:\WINDOWS\System32\svchost.exe -k netsvcs
    Start Mode: Manual

    PID: 976
    Service: TermService
    Displayed: Terminal Services
    Image: C:\WINDOWS\System32\svchost -k DComLaunch
    Start Mode: Manual

    PID: 1004
    Service: Themes
    Displayed: Themes
    Image: C:\WINDOWS\System32\svchost.exe -k netsvcs
    Start Mode: Auto

    PID: 1004
    Service: TrkWks
    Displayed: Distributed Link Tracking Client
    Image: C:\WINDOWS\system32\svchost.exe -k netsvcs
    Start Mode: Auto

    PID: 1196
    Service: upnphost
    Displayed: Universal Plug and Play Device Host
    Image: C:\WINDOWS\system32\svchost.exe -k LocalService
    Start Mode: Manual

    PID: 3220
    Service: VETMSGNT
    Displayed: VET Message Service
    Image: C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
    Start Mode: Auto

    PID: 1004
    Service: W32Time
    Displayed: Windows Time
    Image: C:\WINDOWS\System32\svchost.exe -k netsvcs
    Start Mode: Auto

    PID: 1004
    Service: winmgmt
    Displayed: Windows Management Instrumentation
    Image: C:\WINDOWS\system32\svchost.exe -k netsvcs
    Start Mode: Auto

    PID: 3668
    Service: WMPNetworkSvc
    Displayed: Windows Media Player Network Sharing Service
    Image: C:\Program Files\Windows Media Player\WMPNetwk.exe
    Start Mode: Auto

    PID: 1004
    Service: wscsvc
    Displayed: Security Center
    Image: C:\WINDOWS\System32\svchost.exe -k netsvcs
    Start Mode: Auto

    PID: 1004
    Service: wuauserv
    Displayed: Automatic Updates
    Image: C:\WINDOWS\system32\svchost.exe -k netsvcs
    Start Mode: Auto

    PID: 1004
    Service: WZCSVC
    Displayed: Wireless Zero Configuration
    Image: C:\WINDOWS\System32\svchost.exe -k netsvcs
    Start Mode: Auto


    ~~~ svchost Export ~~~

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost
    HTTPFilter REG_MULTI_SZ
    HTTPFilter
    LocalService REG_MULTI_SZ
    Alerter
    WebClient
    LmHosts
    RemoteRegistry
    upnphost
    SSDPSRV
    NetworkService REG_MULTI_SZ
    DnsCache
    netsvcs REG_MULTI_SZ
    6to4
    AppMgmt
    AudioSrv
    Browser
    CryptSvc
    DMServer
    DHCP
    ERSvc
    EventSystem
    FastUserSwitchingCompatibility
    HidServ
    Ias
    Iprip
    Irmon
    LanmanServer
    LanmanWorkstation
    Messenger
    Netman
    Nla
    Ntmssvc
    NWCWorkstation
    Nwsapagent
    Rasauto
    Rasman
    Remoteaccess
    Schedule
    Seclogon
    SENS
    Sharedaccess
    SRService
    Tapisrv
    Themes
    TrkWks
    W32Time
    WZCSVC
    Wmi
    WmdmPmSp
    winmgmt
    wscsvc
    xmlprov
    BITS
    wuauserv
    ShellHWDetection
    helpsvc
    WmdmPmSN
    napagent
    hkmsvc
    DcomLaunch REG_MULTI_SZ
    DcomLaunch
    TermService
    rpcss REG_MULTI_SZ
    RpcSs
    imgsvc REG_MULTI_SZ
    StiSvc
    termsvcs REG_MULTI_SZ
    TermService
    WudfServiceGroup REG_MULTI_SZ
    WUDFSvc
    eapsvcs REG_MULTI_SZ
    eaphost
    dot3svc REG_MULTI_SZ
    dot3svc
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\DComLaunch
    CoInitializeSecurityParam REG_DWORD 0x1
    DefaultRpcStackSize REG_DWORD 0x8
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\dot3svc
    AuthenticationCapabilities REG_DWORD 0x3020
    CoInitializeSecurityParam REG_DWORD 0x1
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\eapsvcs
    AuthenticationCapabilities REG_DWORD 0x3020
    CoInitializeSecurityParam REG_DWORD 0x1
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\HTTPFilter
    CoInitializeSecurityParam REG_DWORD 0x1
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\LocalService
    CoInitializeSecurityParam REG_DWORD 0x1
    AuthenticationCapabilities REG_DWORD 0x2000
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\netsvcs
    CoInitializeSecurityParam REG_DWORD 0x1
    AuthenticationCapabilities REG_DWORD 0x3020
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\PCHealth
    CoInitializeSecurityParam REG_DWORD 0x2
    AuthenticationCapabilities REG_DWORD 0x40
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\termsvcs
    CoInitializeSecurityParam REG_DWORD 0x1
    DefaultRpcStackSize REG_DWORD 0x8


    ~~~ ServiceGroupOrder ~~~

    System Reserved
    Boot Bus Extender
    System Bus Extender
    SCSI miniport
    Port
    Primary Disk
    SCSI Class
    SCSI CDROM Class
    FSFilter Infrastructure
    FSFilter System
    FSFilter Bottom
    FSFilter Copy Protection
    FSFilter Security Enhancer
    FSFilter Open File
    FSFilter Physical Quota Management
    FSFilter Encryption
    FSFilter Compression
    FSFilter HSM
    FSFilter Cluster File System
    FSFilter System Recovery
    FSFilter Quota Management
    FSFilter Content Screener
    FSFilter Continuous Backup
    FSFilter Replication
    FSFilter Anti-Virus
    FSFilter Undelete
    FSFilter Activity Monitor
    FSFilter Top
    Filter
    Boot File System
    Vet Drivers
    Base
    Pointer Port
    Keyboard Port
    Pointer Class
    Keyboard Class
    Video Init
    Video
    Video Save
    File System
    Event Log
    Streams Drivers
    NDIS Wrapper
    COM Infrastructure
    UIGroup
    LocalValidation
    PlugPlay
    PNP_TDI
    NDIS
    TDI
    NetBIOSGroup
    ShellSvcGroup
    SchedulerGroup
    SpoolerGroup
    AudioGroup
    SmartCardGroup
    NetworkProvider
    RemoteValidation
    NetDDEGroup
    Parallel arbitrator
    Extended Base
    PCI Configuration
    MS Transactions
    ASCTRM
    Network
    Pnp Filter
    SD / MMC
    MemoryStick
    SmartMedia/XD

    ~~~ LoadOrderGroup Members ~~~

    Service: Array_Utility_Service8.2.0.32
    LoadOrderGroup: PCI Configuration

    Service: AudioSrv
    LoadOrderGroup: AudioGroup

    Service: DcomLaunch
    LoadOrderGroup: Event Log

    Service: Dhcp
    LoadOrderGroup: TDI

    Service: Dnscache
    LoadOrderGroup: TDI

    Service: Dot3svc
    LoadOrderGroup: TDI

    Service: Eventlog
    LoadOrderGroup: Event log

    Service: EventSystem
    LoadOrderGroup: Network

    Service: lanmanworkstation
    LoadOrderGroup: NetworkProvider

    Service: LmHosts
    LoadOrderGroup: TDI

    Service: MSDTC
    LoadOrderGroup: MS Transactions

    Service: NetDDE
    LoadOrderGroup: NetDDEGroup

    Service: Netlogon
    LoadOrderGroup: RemoteValidation

    Service: PlugPlay
    LoadOrderGroup: PlugPlay

    Service: RpcSs
    LoadOrderGroup: COM Infrastructure

    Service: S24EventMonitor
    LoadOrderGroup: PNP_TDI

    Service: SamSs
    LoadOrderGroup: LocalValidation

    Service: SCardSvr
    LoadOrderGroup: SmartCardGroup

    Service: Schedule
    LoadOrderGroup: SchedulerGroup

    Service: SENS
    LoadOrderGroup: Network

    Service: ShellHWDetection
    LoadOrderGroup: ShellSvcGroup

    Service: SmcService
    LoadOrderGroup: NDIS

    Service: Spooler
    LoadOrderGroup: SpoolerGroup

    Service: Themes
    LoadOrderGroup: UIGroup

    Service: WebClient
    LoadOrderGroup: NetworkProvider

    Service: WudfSvc
    LoadOrderGroup: PlugPlay

    Service: WZCSVC
    LoadOrderGroup: TDI


    ~~~End of Report~~~
     
  15. 2008/05/13
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Wow ....... look at the number of services that load under that process.

    PID: 1004
    Windows Audio
    Background Intelligent Transfer Service
    Computer Browser
    Cryptographic Services
    DHCP Client
    Logical Disk Manager
    Error Reporting Service
    COM+ Event System
    Fast User Switching Compatibility
    Help and Support
    HID Input Service
    Server
    Workstation
    Network Connections
    Network Location Awareness (NLA)
    Remote Access Connection Manager
    Task Scheduler
    Secondary Logon
    System Event Notification
    Windows Firewall/Internet Connection Sharing (ICS)
    Shell Hardware Detection
    System Restore Service
    Telephony
    Themes
    Distributed Link Tracking Client
    Windows Time
    Windows Management Instrumentation
    Security Center
    Automatic Updates
    Wireless Zero Configuration

    Any one of those could be the culprit. I've marked in red the ones I would check first, by setting the service to disabled then reboot or whatever other method you can invoke the cpu usage with. Do not stop anything in blue.

    Have a look in the event viewer as well. Suggest you clear the logs and see what events are logged, if any, at the time the usage is high. Note the time when you kill the svchost process, as it will likely produce a number of events that are not only expected, but not what we're interested in.
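
The observation in the reply above, that a single svchost instance (PID 1004) hosts most of the shared services, can be pulled out of the report mechanically. The following Python sketch is an added example, not part of the thread and not the code of driver_service_info.exe: it groups the "Running Services Configuration" records by PID and checks each `svchost -k <group>` service against the group lists in the "svchost Export" section. The sample input is a constructed excerpt in the report's layout, and the `ExampleSvc` entry in it is made up to exercise the mismatch check.

```python
import re
from collections import defaultdict

# Constructed excerpt in the layout of the report posted in this thread.
# AudioSrv and TermService are copied from that report; "ExampleSvc" is a
# made-up entry that is deliberately missing from the netsvcs group list.
SAMPLE_REPORT = r"""
~~~Running Services Configuration~~~

PID: 1004
Service: AudioSrv
Displayed: Windows Audio
Image: C:\WINDOWS\System32\svchost.exe -k netsvcs
Start Mode: Auto

PID: 1004
Service: ExampleSvc
Displayed: Example Service (constructed)
Image: C:\WINDOWS\system32\svchost.exe -k netsvcs
Start Mode: Auto

PID: 976
Service: TermService
Displayed: Terminal Services
Image: C:\WINDOWS\System32\svchost -k DComLaunch
Start Mode: Manual

~~~ svchost Export ~~~

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost
netsvcs REG_MULTI_SZ
6to4
AudioSrv
DcomLaunch REG_MULTI_SZ
DcomLaunch
TermService
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\netsvcs
CoInitializeSecurityParam REG_DWORD 0x1
"""

# Matches "...\svchost[.exe] -k <group>", with or without surrounding quotes.
SVCHOST = re.compile(r'^"?(?P<path>.*?\\svchost(?:\.exe)?)"?\s+-k\s+(?P<group>\S+)', re.I)


def section(report, title):
    """Return the stripped lines between the '~~~ title ~~~' banner and the next banner."""
    out, inside = [], False
    for line in report.splitlines():
        banner = re.fullmatch(r"~~~\s*(.*?)\s*~~~", line.strip())
        if banner:
            inside = banner.group(1).lower() == title.lower()
        elif inside:
            out.append(line.strip())
    return out


def parse_services(report):
    """Turn the blank-line separated 'Key: value' records into dicts."""
    services, cur = [], {}
    for line in section(report, "Running Services Configuration") + [""]:
        if not line:
            if cur:
                services.append(cur)
            cur = {}
            continue
        key, _, value = line.partition(":")
        cur[key.strip()] = value.strip()
    return services


def parse_groups(report):
    """Map each svchost group (lower-cased) to the names in its REG_MULTI_SZ list."""
    groups, cur = defaultdict(set), None
    for line in section(report, "svchost Export"):
        if not line:
            continue
        if line.upper().startswith("HKEY_"):
            cur = None                       # new key: stop collecting members
        elif line.endswith("REG_MULTI_SZ"):
            cur = line.split()[0].lower()    # "<group> REG_MULTI_SZ" opens a list
            groups[cur]                      # register the group even if empty
        elif " REG_" in line:
            cur = None                       # REG_DWORD settings are not members
        elif cur:
            groups[cur].add(line.lower())
    return dict(groups)


def audit(report, system_dir=r"c:\windows\system32"):
    """Rank svchost PIDs by hosted services; flag records that disagree with the registry."""
    groups = parse_groups(report)
    by_pid, findings = defaultdict(list), []
    for svc in parse_services(report):
        m = SVCHOST.match(svc.get("Image", ""))
        if not m:
            continue                         # service runs in its own executable
        name, group = svc["Service"], m.group("group").lower()
        by_pid[svc["PID"]].append(name)
        if m.group("path").lower().rsplit("\\", 1)[0] != system_dir:
            findings.append((name, "svchost image outside " + system_dir))
        if name.lower() not in groups.get(group, set()):
            findings.append((name, "not listed in svchost group " + group))
    ranked = sorted(by_pid.items(), key=lambda kv: len(kv[1]), reverse=True)
    return ranked, findings


if __name__ == "__main__":
    ranked, findings = audit(SAMPLE_REPORT)
    for pid, names in ranked:
        print(pid, len(names), ", ".join(names))
    for name, reason in findings:
        print("CHECK", name, "-", reason)
```

Service and group names are compared case-insensitively because the report itself mixes `DcomLaunch` and `DComLaunch`.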
     
  16. 2008/05/14
    RCS-Joe

    RCS-Joe Well-Known Member Thread Starter

    Joined:
    2002/11/18
    Messages:
    22
    Likes Received:
    2
    update - problem resolved (I think)

    Well, I dunno why I didn't think of it sooner, but on the laptop I had lots of old system restore points... so I used one back from May 1... which was before the problem appeared, before early May Windows updates and well before SP3.

    Bingo! The problem is gone. Now what was causing it??? That question still remains... I'll have to see whether I have some system restore points on the desktop from April as I was gone for a few weeks and so it was never turned on from late April to early May. Hopefully I do... otherwise well I may have to do an image restore back to first part of the year.... a lot easier than reformatting anyhow. But I'm hoping I have some restore points from April on the desktop, as system restore seems to have totally done the trick on this laptop.

    For the sake of comparison here's the log file for the same svchost process now with no CPU issues. Any distinct differences?

    Process PID CPU Description Company Name
    System Idle Process 0 84.81
    Interrupts n/a 0.63 Hardware Interrupts
    DPCs n/a Deferred Procedure Calls
    System 4
    smss.exe 824 Windows NT Session Manager Microsoft Corporation
    csrss.exe 1160 Client Server Runtime Process Microsoft Corporation
    winlogon.exe 1560 Windows NT Logon Application Microsoft Corporation
    services.exe 1712 0.63 Services and Controller app Microsoft Corporation
    svchost.exe 1244 Generic Host Process for Win32 Services Microsoft Corporation
    wmiprvse.exe 2696 WMI Microsoft Corporation
    svchost.exe 948 Generic Host Process for Win32 Services Microsoft Corporation
    svchost.exe 288 Generic Host Process for Win32 Services Microsoft Corporation
    wuauclt.exe 3372 Windows Update Automatic Updates Microsoft Corporation
    wuauclt.exe 2620 Windows Update Automatic Updates Microsoft Corporation
    EvtEng.exe 1184 Intel(R) PROSet/Wireless Event Log Intel Corporation
    S24EvMon.exe 1968 Wireless Management Service Intel Corporation
    Smc.exe 576 Sygate Personal Firewall Sygate Technologies, Inc.
    svchost.exe 968 Generic Host Process for Win32 Services Microsoft Corporation
    svchost.exe 1376 Generic Host Process for Win32 Services Microsoft Corporation
    spoolsv.exe 2044 Spooler SubSystem App Microsoft Corporation
    arr_isrv.exe 3088 Array SSL VPN Installation Service Array Networks, Inc.
    schedul2.exe 3704 Acronis Scheduler 2 Acronis
    arr_srvs.exe 3964 Array SSL VPN L3 Client Service Array Networks, Inc.
    isafe.exe 2136 CA ISafe Service Computer Associates International, Inc.
    DiskMgkS.exe 848 DiskMagik Defrag Service RoseCity Software
    DUMeterSvc.exe 2936 DU Meter Service Hagel Technologies Ltd
    svchost.exe 3900 Generic Host Process for Win32 Services Microsoft Corporation
    nvsvc32.exe 2144 NVIDIA Driver Helper Service, Version 84.69 NVIDIA Corporation
    RegSrvc.exe 2880 Intel(R) PROSet/Wireless Registry Service Intel Corporation
    vetmsg.exe 3452 CA Anti-Virus Realtime Messaging Service CA, Inc.
    wmpnetwk.exe 988 Windows Media Player Network Sharing Service Microsoft Corporation
    ccprovsp.exe 3896 CCProvSP CA, Inc.
    alg.exe 2644 Application Layer Gateway Service Microsoft Corporation
    lsass.exe 1784 1.27 LSA Shell (Export Version) Microsoft Corporation
    explorer.exe 1720 Windows Explorer Microsoft Corporation
    rundll32.exe 1088 Run a DLL as an App Microsoft Corporation
    stsystra.exe 1188 Sigmatel Audio system tray application SigmaTel, Inc.
    ZCfgSvc.exe 1484 ZeroCfgSvc MFC Application Intel Corporation
    iFrmewrk.exe 1464 Intel Framework MFC Application Intel Corporation
    EOUWiz.exe 1676 Ease Of Use Wizard Application Intel Corporation
    Matrox.PowerDesk SE.exe 1804 PowerDesk-SE Application Matrox Graphics Inc.
    schedhlp.exe 1960 Acronis Scheduler Helper Acronis
    cavrid.exe 356 CA Anti-Virus Realtime Infection Report CA, Inc.
    TMTray.exe 860 TweakMASTER PRO Agent Hagel Technologies Ltd
    DLACTRLW.EXE 1076 Drive Letter Access Component Sonic Solutions
    ExSpinDn.exe 1432 WD Spindown Utility Western Digital Technologies, Inc.
    SynTPEnh.exe 1548 Synaptics TouchPad Enhancements Synaptics, Inc.
    jusched.exe 1856 Java(TM) 2 Platform Standard Edition binary Sun Microsystems, Inc.
    rfagent.exe 304 Registry First Aid Platinum, the easy powerful registry cleanup program KsL Software
    TrueImageMonitor.exe 688 Acronis True Image Monitor Acronis
    TimounterMonitor.exe 1004 Monitor for Acronis True Image Backup Archive Explorer Acronis
    ipoint.exe 1148 IPoint.exe Microsoft Corporation
    dpupdchk.exe 1392 dpupdchk.exe Microsoft Corporation
    cctray.exe 1612 CA Common Tray CA, Inc.
    Sticky32.exe 532 Magic Notes for Windows 9x/ME/NT/2000/XP Eskil Software
    lsmon.exe 1064
    ctfmon.exe 1752 CTF Loader Microsoft Corporation
    wmpnscfg.exe 548 Windows Media Player Network Sharing Service Configuration Application Microsoft Corporation
    DUMeter.exe 1072 DU Meter Monitor Hagel Technologies Ltd
    taskbarshuffle.exe 1584 Taskbar Shuffle Jay Elaraj
    Calendar.exe 1880 AMP Calendar Alberto Martínez Pérez
    clipc.exe 2100 ClipCache clipboard extender & enhancer XRayz Software
    KEYEXP.EXE 2172
    lnkstash.exe 2236 LinkStash John Williams / XRayz Software
    procexp.exe 3048 12.66 Sysinternals Process Explorer Sysinternals - www.sysinternals.com

    Process: svchost.exe Pid: 288

     
  17. 2008/05/14
    noahdfear

    Hi Joe,

    Glad to hear SR seems to have cured the problem for you, though it would be nice to get to the bottom of the cause. :cool:

    After comparing the svchost logs, only two differences of note.

    1. Only difference in Processes is that Courier.exe is running in the first two, not in the last.

    2. The below entries do not appear in the last log, but do in both of the first two (grouped together).

    Key HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT
    Key HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA
    Key HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed
    Key HKLM\SOFTWARE\Microsoft\SystemCertificates\CA
    Key HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
    Key HKU\.DEFAULT\Software\Microsoft\SystemCertificates\CA
    Key HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
    Key HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root
    Key HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Root
    Key HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed
    Key HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates
    Key HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates
    Key HKU\.DEFAULT\Software\Microsoft\SystemCertificates\trust
    Key HKLM\SOFTWARE\Microsoft\SystemCertificates\trust
    Key HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Trust
    Key HKU\.DEFAULT\Software\Microsoft\SystemCertificates\My
    Key HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates
    Key HKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates

    In fact, the last log has no entries for any certificates. I don't have any sort of explanation for that however ....... just an observation. I do wonder if there's any connection between the courier process and access to the Certificates keys though. :confused:
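
    An added example, not part of noahdfear's post: the comparison described above, done in Python over Process Explorer handle listings in the `Type Name` layout pasted in this thread. The three sample listings are constructed from a few entries quoted on this page (their PIDs and thread IDs are made up), and the function names are this example's own.

```python
import re
from collections import Counter

# Object names such as "{...}ShellHWDetection" carry a GUID prefix; the two
# listings in this thread show different prefixes, so mask it before comparing.
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PID_SUFFIX_RE = re.compile(r"\(\d+\)$")   # "winlogon.exe(1560)" -> "winlogon.exe"
VOLATILE_TYPES = {"Thread"}               # thread IDs change on every boot


def normalise(htype, name):
    """Remove per-boot noise so the same handle compares equal across logs."""
    if htype == "Process":
        name = PID_SUFFIX_RE.sub("", name)
    return htype, GUID_RE.sub("{GUID}", name)


def parse_handles(text):
    """Parse a pasted handle listing into a Counter of (type, name) pairs."""
    handles = Counter()
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, the column header and the "Process: ... Pid: ..." banner.
        if not line or line == "Type Name" or line.startswith("Process:"):
            continue
        htype, _, name = line.partition(" ")
        if not name or htype in VOLATILE_TYPES:
            continue
        handles[normalise(htype, name.strip())] += 1
    return handles


def missing_from_last(earlier_logs, last_log):
    """Handles present in every earlier log but absent from the last one."""
    earlier = [set(parse_handles(t)) for t in earlier_logs]
    common = set.intersection(*earlier)
    return sorted(common - set(parse_handles(last_log)))


def only_in_last(earlier_logs, last_log):
    """Handles that appear in the last log and in none of the earlier ones."""
    seen = set().union(*(parse_handles(t) for t in earlier_logs))
    return sorted(set(parse_handles(last_log)) - seen)


# Constructed sample listings: two taken while the machine was slow ...
LOG_A = r"""
Process: svchost.exe Pid: 1180
Type Name
Event \BaseNamedObjects\{FFCD855B-55E6-437A-B876-259E60BCF2C9}ShellHWDetection
File C:\WINDOWS\WindowsUpdate.log
Key HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT
Key HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Key HKLM\SOFTWARE\Microsoft\COM3
Process Courier.exe(2412)
Process winlogon.exe(1560)
Thread svchost.exe(1180): 296
"""

LOG_B = r"""
Process: svchost.exe Pid: 1204
Type Name
Event \BaseNamedObjects\{6C2C4971-1915-4DCE-B3F3-9AC7430C3C3C}ShellHWDetection
File C:\WINDOWS\WindowsUpdate.log
File C:\WINDOWS\WindowsUpdate.log
Key HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT
Key HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Key HKLM\SOFTWARE\Microsoft\COM3
Process Courier.exe(3120)
Process winlogon.exe(1544)
Thread svchost.exe(1204): 744
"""

# ... and one taken after System Restore, when the machine behaved normally.
LOG_C = r"""
Process: svchost.exe Pid: 288
Type Name
Event \BaseNamedObjects\{FFCD855B-55E6-437A-B876-259E60BCF2C9}ShellHWDetection
File C:\WINDOWS\WindowsUpdate.log
File C:\WINDOWS\SoftwareDistribution\ReportingEvents.log
Key HKLM\SOFTWARE\Microsoft\COM3
Process winlogon.exe(1560)
Thread svchost.exe(288): 296
"""

if __name__ == "__main__":
    print("In both earlier logs, gone from the last:")
    for htype, name in missing_from_last([LOG_A, LOG_B], LOG_C):
        print(f"  {htype} {name}")
    print("Only in the last log:")
    for htype, name in only_in_last([LOG_A, LOG_B], LOG_C):
        print(f"  {htype} {name}")
```

    Comparing on normalised (type, name) pairs keeps PID, thread-ID and GUID churn out of the result, so what remains is the kind of difference the post lists: a process handle and a group of registry keys.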
     
  18. 2008/05/15
    RCS-Joe

    courier

    Hi... it's a logical assumption that Courier might be at fault, but no, I can assure you that is not it. I have been using this email client for 6-7 years and I know it intimately. It has its issues and can produce a resources leak if it is run for many hours viewing and composing hundreds of emails, but the problem I was having occurred at first boot up, even often before opening Courier or anything else... so no, the problem was definitely not Courier... I have now had Courier running all day today with no issues at all. I'm not sure what to make of all those certificate entries in the log, maybe SP3 related? No idea. It would indeed be nice to know what caused the issue, especially if I do not have an old enough system restore point on the desktop when I get back home. But that may not be for another couple weeks. Meanwhile however, at least my laptop is cured and working flawlessly again. I won't be installing SP3 any time soon, that's for sure. If anyone has any other ideas that might be helpful to try on my desktop if there's no restore point to go back to, then I would like to hear it... otherwise thanks to all for your help on this.

    joe
     
  19. 2008/05/30
    RCS-Joe

    back home on desktop

    Well I'm back in the office now on my desktop and the problem still exists here but with a difference... when I first boot up, everything is ok for maybe a minute... watching Process Explorer after the first minute or so, suddenly svchost jumps to about 50% CPU usage and bounces around in that area for several minutes... the PID was 1724. And then it falls off to nothing and the system is normal. As with the laptop, killing that process restores full CPU functionality immediately, but then the Windows sound functionality is killed. Merely waiting the couple minutes until the CPU hogging disappears allows the system to then work normally all day. Unlike the laptop I have no Windows restore point to revert to that eliminates the condition. And all the utilities running have been running for at least a year with no ill effects... I'm referring to those listed like CA Anti-Virus, Realtek HD Audio Control Panel, Acronis True Image, CA Anti-Virus Realtime, WD Spindown Utility, Registry First Aid, TweakMASTER Agent, Taskbar Shuffle, Magic Notes, DU Meter, lsmon.exe, AMP Calendar, ClipCache, KEYEXP.EXE, LinkStash, OneNote Quick Launcher, Sygate Personal Firewall, Array SSL VPN Installation Service, DiskMagik Defrag Service, DUMeterSvc.exe. Nothing new there and none of the utils have been updated. And remember this one is an ULTRA fast new Quad core with 4 mb RAM, etc. So I can live with this condition but I'm curious if anyone has any other clues here, so here's the PE log:
    Process PID CPU Description Company Name Handles I/O Reads I/O Writes CPU History
    System Idle Process 0 97.10 0 0 0
    Interrupts n/a Hardware Interrupts 0 0 0
    DPCs n/a Deferred Procedure Calls 0 0 0
    System 4 1,111 3,408 584
    smss.exe 1084 Windows NT Session Manager Microsoft Corporation 21 544 4
    csrss.exe 1432 Client Server Runtime Process Microsoft Corporation 545 4,916 0
    winlogon.exe 1824 Windows NT Logon Application Microsoft Corporation 508 4,197 111
    services.exe 2024 Services and Controller app Microsoft Corporation 309 992 417
    svchost.exe 1288 Generic Host Process for Win32 Services Microsoft Corporation 201 718 10
    svchost.exe 960 Generic Host Process for Win32 Services Microsoft Corporation 297 692 6
    svchost.exe 1724 Generic Host Process for Win32 Services Microsoft Corporation 1,655 1,913,820 540
    Smc.exe 404 Sygate Personal Firewall Sygate Technologies, Inc. 223 8,840 95
    svchost.exe 1904 Generic Host Process for Win32 Services Microsoft Corporation 87 650 6
    svchost.exe 1456 Generic Host Process for Win32 Services Microsoft Corporation 257 644 20
    spoolsv.exe 1128 Spooler SubSystem App Microsoft Corporation 121 568 7
    arr_isrv.exe 876 Array SSL VPN Installation Service Array Networks, Inc. 73 322 2
    schedul2.exe 1300 Acronis Scheduler 2 Acronis 55 115 3
    arr_srvs.exe 1412 Array SSL VPN L3 Client Service Array Networks, Inc. 169 835 7
    isafe.exe 1572 CA ISafe Service Computer Associates International, Inc. 104 2,439 46
    DiskMgkS.exe 1736 DiskMagik Defrag Service RoseCity Software 80 440 16
    DUMeterSvc.exe 1968 DU Meter Service Hagel Technologies Ltd 179 1,032 505
    nvsvc32.exe 1060 NVIDIA Driver Helper Service, Version 163.71 NVIDIA Corporation 123 1,478 11
    svchost.exe 1524 Generic Host Process for Win32 Services Microsoft Corporation 120 340 11
    vetmsg.exe 1520 CA Anti-Virus Realtime Messaging Service CA, Inc. 141 737 6
    alg.exe 2436 Application Layer Gateway Service Microsoft Corporation 107 1,529 4
    ccprovsp.exe 3528 CCProvSP CA, Inc. 82 1,005 4
    lsass.exe 368 LSA Shell (Export Version) Microsoft Corporation 366 5,242 3,727
    explorer.exe 2564 Windows Explorer Microsoft Corporation 368 47,327 15
    RTHDCPL.exe 2912 Realtek HD Audio Control Panel Realtek Semiconductor Corp. 141 1,221 3
    rundll32.exe 3168 Run a DLL as an App Microsoft Corporation 41 833 0
    PDVDServ.exe 3208 PowerDVD RC Service Cyberlink Corp. 81 275 1
    TrueImageMonitor.exe 3360 Acronis True Image Monitor Acronis 73 422 7
    schedhlp.exe 3740 Acronis Scheduler Helper Acronis 38 2,405 7
    TimounterMonitor.exe 3456 Monitor for Acronis True Image Backup Archive Explorer Acronis 57 2,448 1
    cavrid.exe 3628 CA Anti-Virus Realtime Infection Report CA, Inc. 56 1,214 0
    ExSpinDn.exe 3800 WD Spindown Utility Western Digital Technologies, Inc. 57 1,139 2
    rfagent.exe 2688 Registry First Aid, the easy powerful registry cleanup program KsL Software 136 1,172 13
    TMTray.exe 3844 TweakMASTER Agent Hagel Technologies Ltd 64 1,039 2
    jusched.exe 420 Java(TM) Platform SE binary Sun Microsystems, Inc. 33 648 2
    WrtMon.exe 2484 NsWrtMon Microsoft Base Class Application 31 840 0
    WrtProc.exe 2128 NsWrtProc Microsoft Base Clase Application 34 782 0
    cctray.exe 2764 CA Common Tray CA, Inc. 161 2,660 22
    ctfmon.exe 3564 CTF Loader Microsoft Corporation 95 428 0
    taskbarshuffle.exe 3920 Taskbar Shuffle Jay Elaraj 51 300 0
    Sticky32.exe 3032 Magic Notes for Windows 9x/ME/NT/2000/XP Eskil Software 108 2,093 41
    DUMeter.exe 1548 DU Meter Monitor Hagel Technologies Ltd 134 1,727 2
    lsmon.exe 2296 25 510 0
    Calendar.exe 3780 AMP Calendar Alberto Martínez Pérez 32 1,120 0
    clipc.exe 3556 ClipCache clipboard extender & enhancer XRayz Software 114 7,379 15
    KEYEXP.EXE 3816 36 1,188 0
    lnkstash.exe 1536 LinkStash John Williams / XRayz Software 131 1,617 6
    ONENOTEM.EXE 2536 Microsoft Office OneNote Quick Launcher Microsoft Corporation 30 292 0
    procexp.exe 3304 2.90 Sysinternals Process Explorer Sysinternals 284 11,530 36
    qlock.exe 3892 118 367 0
    taskmgr.exe 2380 Windows TaskManager Microsoft Corporation 82 1,423 5

    Process: svchost.exe Pid: 1724

     
  20. 2008/05/30
    poggy

    poggy Inactive

    Joined:
    2008/05/13
    Messages:
    2
    Likes Received:
    0
    I still believe it to be CA

    As I said earlier, my friend was also running CA for years... reluctantly, we uninstalled it, and the problem went away... it's to do with the latest CA updates which is why when you do a roll back, it goes away, and then CA updates, and the problem starts again.
     
  21. 2008/05/30
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    Hi Joe

    Poggy may have something!

    But next time it happens do the below.

    SVCHOST can run many times, can also run many processes within a single entry.

    To see what svchost is running hidden from you copy the text between the lines but not the lines.

    ----------------------------------------------------------
    %SystemRoot%\system32\cmd.exe /c %windir%\system32\tasklist.exe /svc >> "%USERPROFILE%\Desktop\Tasklist.txt"
    ----------------------------------------------------------

    then
    Start-Run
    type cmd
    hit enter or click OK

    right-click in the open cmd screen and then paste
    hit enter twice
    close cmd prompt

    Now there is a new icon on the desktop Tasklist.txt.

    This will show what each svchost is running.

    What I would like to see is a run while you have the issue and another one immediately after you kill that process.

    Post it back to us and we may be able to help.

    Also has this computer ever had Zone Alarm installed?

    Mike
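
One way to read the Tasklist.txt that the command in the post above produces, added here as an example and not part of the thread. Because the command appends with `>>`, both requested runs land in one file, so the parser splits the file into runs, joins wrapped service lists, and reports what the ended svchost.exe PID was hosting; the sample text is constructed and the function names are hypothetical.

```python
import re

# Constructed sample (not from the thread): one Tasklist.txt holding two
# appended `tasklist /svc` runs, the first taken during the slowdown and the
# second after ending svchost.exe PID 1724. Service names are illustrative.
SAMPLE = """\

Image Name                   PID Services
========================= ====== ==========================================
System Idle Process            0 N/A
svchost.exe                 1456 RpcSs
svchost.exe                 1724 AudioSrv, BITS, CryptSvc, Dhcp, Schedule,
                                 srservice, W32Time, winmgmt, wuauserv
spoolsv.exe                 1128 Spooler

Image Name                   PID Services
========================= ====== ==========================================
System Idle Process            0 N/A
svchost.exe                 1456 RpcSs
spoolsv.exe                 1128 Spooler
svchost.exe                 3980 AudioSrv, Dhcp
"""

# The "=====" ruler under the header marks the start of each run and gives
# the width of the image-name column.
RULER = re.compile(r"^=+(?: =+)+\s*$")


def parse_captures(text):
    """Return one {pid: (image, [services])} dict per tasklist run in text."""
    captures, current, width, pid = [], None, 0, None
    for line in text.splitlines():
        if RULER.match(line):
            width = line.index(" ")
            current, pid = {}, None
            captures.append(current)
            continue
        if current is None or not line.strip():
            continue
        name, rest = line[:width].strip(), line[width:].strip()
        if name:
            fields = rest.split(None, 1)
            if not fields or not fields[0].isdigit():
                pid = None  # header line of the next appended run
                continue
            pid = int(fields[0])
            current[pid] = (name, [])
            rest = fields[1] if len(fields) > 1 else ""
        elif pid is None:
            continue
        # A blank name column means a wrapped service list for the last PID.
        services = [s.strip() for s in rest.split(",")]
        current[pid][1].extend(s for s in services if s and s != "N/A")
    return captures


def svchost_services(capture):
    """Keep only the svchost.exe rows: {pid: [services]}."""
    return {pid: svcs for pid, (image, svcs) in capture.items()
            if image.lower() == "svchost.exe"}


def diff_svchost(before, after):
    """For each svchost PID present before but not after, split its services
    into those another svchost hosts afterwards and those no svchost hosts."""
    old, new = svchost_services(before), svchost_services(after)
    now_hosted = {s.lower(): pid for pid, svcs in new.items() for s in svcs}
    report = {}
    for pid in sorted(set(old) - set(new)):
        report[pid] = {
            "rehosted": {s: now_hosted[s.lower()] for s in old[pid]
                         if s.lower() in now_hosted},
            "not_hosted": [s for s in old[pid] if s.lower() not in now_hosted],
        }
    return report


if __name__ == "__main__":
    runs = parse_captures(SAMPLE)
    for pid, groups in diff_svchost(runs[0], runs[-1]).items():
        print("svchost.exe PID", pid, "ended")
        print("  now in another svchost:", groups["rehosted"])
        print("  no longer in any svchost:", groups["not_hosted"])
```

Every service listed for the ended PID shared that one process, so each remains a candidate for the CPU load until it is isolated.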
     
