Need some people who like to test ...

Machiavelli

Hello and welcome,
I've developed a little tool which lists at the moment only Processes and Services. Also the header can read out some information about the OS. (Architecture, system, ServicePack, etc.)


First, a ToDo List:



  • Processes
  • Services
  • Drivers
  • RegistrySection
  • FilesSection
  • FixSection
  • Expand the Whitelist
  • Design
  • Icon



Known Bugs:



  • Still some file path errors (under Services) - an explanation of this will follow tomorrow (29.10.2013)
  • Too high .NET Framework (at the moment 4.5!)



Example Log (29.10.2013):


Code:
MVS - Machiavelli's Scanner - Version 1.0.0.0
MVS Logfile created on: 29.10.2013 22:30:03 Logfile saved under = C:\Users\Machiavelli\documents\visual studio 2012\Projects\MVS\MVS\bin\Debug\MVS.txt
Running from C:\Users\Machiavelli\documents\visual studio 2012\Projects\MVS\MVS\bin\Debug\MVS.exe
SYSTEM => Microsoft Windows 8.1 32 bit


=== Processes ===


C:\Users\Machiavelli\Downloads\HoldOn.exe (darkness unlimited)
C:\Program Files (x86)\Microsoft Visual Studio 11.0\Common7\IDE\WDExpress.exe (Microsoft Corporation)
C:\WINDOWS\syswow64\wwahost.exe (Microsoft Corporation)
C:\Users\Machiavelli\AppData\Local\Google\Chrome\Application\chrome.exe (Google Inc.)
C:\Program Files (x86)\Origin\Origin.exe (Electronic Arts)
C:\Users\Machiavelli\documents\visual studio 2012\Projects\MVS\MVS\bin\Debug\MVS.vshost.exe (Microsoft Corporation)
C:\Users\Machiavelli\AppData\Local\Google\Chrome\Application\chrome.exe (Google Inc.)
C:\Users\Machiavelli\AppData\Local\Google\Chrome\Application\chrome.exe (Google Inc.)
C:\Users\Machiavelli\AppData\Local\Google\Chrome\Application\chrome.exe (Google Inc.)
C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe (Hewlett-Packard)
C:\Users\Machiavelli\AppData\Local\Google\Chrome\Application\chrome.exe (Google Inc.)
C:\WINDOWS\SysWOW64\DllHost.exe (Microsoft Corporation)
C:\Users\Machiavelli\AppData\Local\Google\Chrome\Application\chrome.exe (Google Inc.)
C:\Program Files (x86)\Internet Explorer\IELowutil.exe (Microsoft Corporation)
C:\Users\Machiavelli\AppData\Local\Google\Chrome\Application\chrome.exe (Google Inc.)
C:\Users\Machiavelli\AppData\Local\Google\Chrome\Application\chrome.exe (Google Inc.)




=== Services ===


SRV - [ AdobeFlashPlayerUpdateSvc | Adobe Flash Player Update Service | Stopped] - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe - [10.09.2013 14:45:42 | 257416 | (Adobe Systems Incorporated)]
SRV - [ Steam Client Service | Steam Client Service | Stopped] - C:\Program Files (x86)\Common Files\Steam\SteamService.exe" /RunAsService - [CTF | FSF | ()]
SRV - [ MozillaMaintenance | Mozilla Maintenance Service | Stopped] - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe - [28.10.2013 11:32:50 | 118680 | (Mozilla Foundation)]
SRV - [ PnkBstrA | PnkBstrA | Running] - C:\WINDOWS\system32\PnkBstrA.exe - [17.07.2013 07:03:47 | 76888 | ()]


Instructions:



  • Start the program as Administrator
  • Click on the button Scan
  • Wait a while
  • A log is produced in the same location where the exe file is saved
  • Please post that log

------------------

I'll try to explain why there are some errors in the file paths under the Services section.


Example Line:
Code:
SRV - [ Steam Client Service | Steam Client Service | Stopped] - C:\Program Files (x86)\Common Files\Steam\SteamService.exe" /RunAsService - [CTF | FSF | ()]


There are two - three errors:

  • CTF = CreationTime Failure
  • FSF = FileSize Failure
  • () = No company Name (but this can be also normal)



If three errors occur on one line these can be the possible reasons:

  • Most probably the file path contains some illegal expressions like " or, as the example above shows, /RunAsService. The creation date, file size and company name can only be identified if there is a path without any illegal expression - to fix this I probably have to read some Regex stuff.
  • No rights (if the User didn't run it as Administrator)
  • File is protected by something?!
  • File doesn't exist.



If one - two errors occur on one line:



  • Probably no rights (User didn't run as Administrator or the file is protected by something [System File, etc.])
  • The file doesn't have a company name


-------

Thanks!

Download:

View attachment MVS.zip
 
Hello Machiavelli :)

You have a nice proof of concept there. Obviously, it needs some finessing, but I think you know that, and I can see that this was never intended as a final product, only an initial proof of concept, so it was never meant to be neat or perfected.

It ran nicely on my machine. Personally I would like to see PID to the right of process name, or at the very least padded with spaces, as I find a non-aligned process list harder to read than a nicely aligned process list.

Please talk me through the idea and concept behind this. Obviously, there are many other programs which already exist which do almost exactly the same thing as your tool. Most produce longer logfiles, some use (in some cases extremely highly developed) whitelists, others offer a variety of complementary functionality. Please explain why your program is (will be) special. What's different about it? Why should I use it over one of the alternatives? What sort of situation do you see it being used in?

Thank you, and good luck!

Richard
 
You have a nice proof of concept there. Obviously, it needs some finessing, but I think you know that, and I can see that this was never intended as a final product, only an initial proof of concept, so it was never meant to be neat or perfected.
I only posted it here to expand the Whitelist I use for Services. And of course for the feedback etc. The tool will get much bigger, I hope.

It ran nicely on my machine.
Am I allowed to ask you which Operating System you have and which Architecture? It would also be nice if you could post the Logfile to see if there are any things I have to put on the WhiteList etc.

Personally I would like to see PID to the right of process name, or at the very least padded with spaces, as I find a non-aligned process list harder to read than a nicely aligned process list.
OK, thanks - I'll think of that & report back soon.

----

Please talk me through the idea and concept behind this. Obviously, there are many other programs which already exist which do almost exactly the same thing as your tool. Most produce longer logfiles, some use (in some cases extremely highly developed) whitelists, others offer a variety of complementary functionality. Please explain why your program is (will be) special. What's different about it? Why should I use it over one of the alternatives? What sort of situation do you see it being used in?
OK, let's begin.

First, I need to mention, it is a free product, so everybody can use it and that's for free. Also I try to develop a 32bit and 64bit version which doesn't have the tool called OTL because it is a 32bit tool. My concept is to develop a tool with a short Logfile and an easy fixing syntax. For the shortness of the Log I already produced a Whitelist and I hope somebody will test it so that I'm able to expand it.

So, a little summary why you should use this tool/ why it is the best:


  • 32bit and 64bit tool
  • easy and short log
  • easy fixing syntax (it will be developed at the end stage of the product but I have an idea how to manage all these things)
  • Nice and structured design
  • Tool contains a big WhiteList already and I'm also free to expand it!
 
No problem :)

And log included at bottom of reply.

Gary12345 said:
Also I try to develop a 32bit and 64bit version which doesn't have the tool called OTL because it is a 32bit tool.

I would like to talk about this in particular. You may or may not know that I am the developer of the SFCFix tool (a bad choice of name as it has now expanded far beyond just SFC related work), which basically allows me to perform almost any Windows Update related I like (complex registry repairs, permissions and ownership, replace over reboot, etc. etc. etc.). And I went to great pains whilst coding that tool to make sure it is only compiled in 32bit. For the usage I put that tool to, it would have been very easy for me to create both 32bit and 64bit builds. But I chose to make a 32bit build only, and I went to a lot of trouble to achieve that. Why, you may ask?

Because 32bit builds run on 64bit systems quite happily under a system called Windows 32bit on Windows 64bit (WOW64). I went to great lengths to make a single 32bit .exe which correctly worked on both 32bit and 64bit builds. Now I no longer have to get OPs to find out which architecture they are using, I no longer have to update and maintain two .exe files, and I no longer have to supply two URLs. I simply have a single .exe which does everything, every time, for every user, without fuss.

Having a 32bit build only, provided you test it carefully on 64bit machines, may not be a bad thing. You should consider it.

Richard





Code:
MVS - Machiavelli's Scanner - Version 1.0.0.0
MVS Logfile created on: 30/10/2013 13:12:44 Logfile saved under = D:\Users\Richard\Desktop\MVS.txt
Running from D:\Users\Richard\Desktop\MVS.exe
SYSTEM => Microsoft Windows 7 Home Premium  64 bit Service Pack 1

=== Processes ===

[1144] C:\Windows\system32\NOTEPAD.EXE (Microsoft Corporation)
[4332] C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_9_900_117.exe (Adobe Systems, Inc.)
[5184] C:\Windows\system32\SearchFilterHost.exe (Microsoft Corporation)
[1768] C:\Windows\system32\CISVC.EXE (Microsoft Corporation)
[1964] C:\Windows\System32\svchost.exe (Microsoft Corporation)
[584] C:\Windows\system32\services.exe (Microsoft Corporation)
[3732] C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe (Microsoft Corp.)
[5500] C:\Windows\system32\svchost.exe (Microsoft Corporation)
[2576] C:\Windows\system32\Dwm.exe (Microsoft Corporation)
[1556] C:\Windows\system32\svchost.exe (Microsoft Corporation)
[6480] C:\Windows\system32\NOTEPAD.EXE (Microsoft Corporation)
[1504] C:\Windows\System32\spoolsv.exe (Microsoft Corporation)
[2340] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe (Microsoft Corporation)
[4504] C:\Program Files (x86)\Google\Update\1.3.21.165\GoogleCrashHandler64.exe (Google Inc.)
[4552] C:\Windows\SysWOW64\cmd.exe (Microsoft Corporation)
[3316] C:\Windows\system32\svchost.exe (Microsoft Corporation)
[3708] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe (Microsoft Corporation)
[4888] D:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
[4928] C:\Program Files (x86)\Microsoft Visual Studio 10.0\Common7\IDE\devenv.exe (Microsoft Corporation)
[6068] C:\Windows\System32\WUDFHost.exe (Microsoft Corporation)
[3016] C:\Windows\System32\svchost.exe (Microsoft Corporation)
[352] C:\Windows\System32\svchost.exe (Microsoft Corporation)
[1336] C:\Windows\system32\SearchIndexer.exe (Microsoft Corporation)
[6832] C:\Windows\SysWOW64\cmd.exe (Microsoft Corporation)
[528] C:\Windows\system32\wininit.exe (Microsoft Corporation)
[2316] C:\Windows\System32\svchost.exe (Microsoft Corporation)
[1724] C:\Windows\system32\svchost.exe (Microsoft Corporation)
[6648] C:\Windows\system32\DllHost.exe (Microsoft Corporation)
[2904] C:\Windows\system32\conhost.exe (Microsoft Corporation)
[6448] C:\Windows\system32\cidaemon.exe (Microsoft Corporation)
[1128] C:\Windows\system32\svchost.exe (Microsoft Corporation)
[536] C:\Windows\system32\csrss.exe (Microsoft Corporation)
[140] C:\Windows\System32\svchost.exe (Microsoft Corporation)
[924] C:\Windows\system32\atiesrxx.exe (AMD)
[3484] C:\Windows\system32\mqtgsvc.exe (Microsoft Corporation)
[1848] C:\Windows\system32\svchost.exe (Microsoft Corporation)
[6436] C:\Windows\system32\wbem\wmiprvse.exe (Microsoft Corporation)
[1704] C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
[3080] C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe (Microsoft Corporation)
[316] C:\Windows\system32\smss.exe (Microsoft Corporation)
[4452] C:\Windows\system32\conhost.exe (Microsoft Corporation)
[708] C:\Windows\system32\svchost.exe (Microsoft Corporation)
[5232] C:\Windows\system32\taskeng.exe (Microsoft Corporation)
[3064] C:\Windows\System32\tcpsvcs.exe (Microsoft Corporation)
[1880] C:\Windows\system32\inetsrv\inetinfo.exe (Microsoft Corporation)
[6016] C:\Windows\system32\SearchProtocolHost.exe (Microsoft Corporation)
[6396] C:\Users\Richard\AppData\Local\Temp\Temp1_MVS.zip\MVS.exe ()
[4872] D:\Users\Richard\Desktop\MVS.exe ()
[5416] C:\Windows\System32\msdtc.exe (Microsoft Corporation)
[880] C:\Program Files\Microsoft Security Client\MsMpEng.exe (Microsoft Corporation)
[5212] C:\Windows\system32\svchost.exe (Microsoft Corporation)
[4616] C:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\vcpackages\VCPkgSrv.exe (Microsoft Corporation)
[3236] C:\Windows\system32\svchost.exe (Microsoft Corporation)
[3036] C:\Windows\system32\svchost.exe (Microsoft Corporation)
[5200] C:\Windows\system32\wuauclt.exe (Microsoft Corporation)
[2440] C:\Windows\system32\taskhost.exe (Microsoft Corporation)
[2636] C:\Windows\Explorer.EXE (Microsoft Corporation)
[6572] C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_9_900_117.exe (Adobe Systems, Inc.)
[4596] C:\Windows\system32\NOTEPAD.EXE (Microsoft Corporation)
[456] C:\Windows\system32\csrss.exe (Microsoft Corporation)
[440] C:\Windows\system32\svchost.exe (Microsoft Corporation)
[2620] C:\Windows\System32\snmp.exe (Microsoft Corporation)
[5964] C:\Windows\SysWOW64\cmd.exe (Microsoft Corporation)
[5764] C:\Windows\system32\DllHost.exe (Microsoft Corporation)
[2020] C:\Windows\system32\mqsvc.exe (Microsoft Corporation)
[1228] C:\Windows\system32\svchost.exe (Microsoft Corporation)
[6916] D:\Program Files\Mozilla Firefox\plugin-container.exe (Mozilla Corporation)
[6344] C:\Windows\system32\NOTEPAD.EXE (Microsoft Corporation)
[5160] C:\Windows\system32\conhost.exe (Microsoft Corporation)
[3580] C:\Windows\system32\dllhost.exe (Microsoft Corporation)
[1368] C:\Windows\system32\atieclxx.exe (AMD)
[1804] C:\Program Files\DebugDiag\DbgSvc.exe (Microsoft Corporation)
[1212] C:\Program Files\Microsoft Security Client\NisSrv.exe (Microsoft Corporation)
[2196] C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe (Microsoft Corporation)
[788] C:\Windows\system32\svchost.exe (Microsoft Corporation)
[612] C:\Windows\system32\lsm.exe (Microsoft Corporation)
[2776] C:\Windows\System32\svchost.exe (Microsoft Corporation)
[608] C:\Windows\system32\svchost.exe (Microsoft Corporation)
[5744] C:\Program Files\Windows Media Player\wmpnetwk.exe (Microsoft Corporation)
[1984] C:\Windows\System32\svchost.exe (Microsoft Corporation)
[604] C:\Windows\system32\lsass.exe (Microsoft Corporation)
[3952] C:\Program Files (x86)\Google\Update\1.3.21.165\GoogleCrashHandler.exe (Google Inc.)
[996] C:\Windows\system32\winlogon.exe (Microsoft Corporation)
[3356] C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE (Microsoft Corp.)
[4140] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)


=== Services ===

SRV - [ AcuWVSSchedulerv8 | Acunetix WVS Scheduler v8 | Stopped] - D:\Program Files (x86)\Acunetix\Web Vulnerability Scanner 8\WVSScheduler.exe - [01/01/1601 00:00:00 | FSF | ()]
SRV - [ AdobeActiveFileMonitor6.0 | Adobe Active File Monitor V6 | Stopped] - D:\Program Files (x86)\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe - [01/01/1601 00:00:00 | FSF | ()]
SRV - [ AdobeFlashPlayerUpdateSvc | Adobe Flash Player Update Service | Stopped] - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe - [01/04/2012 06:50:20 | 257416 | (Adobe Systems Incorporated)]
SRV - [ AppHostSvc | Application Host Helper Service | Running] - C:\Windows\system32\svchost.exe -k apphost - [01/01/1601 00:00:00 | FSF | ()]
SRV - [ Apple Mobile Device | Apple Mobile Device | Stopped] - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe - [21/12/2012 16:27:46 | 57008 | (Apple Inc.)]
SRV - [ AtherosSvc | AtherosSvc | Stopped] - C:\Program Files (x86)\Bluetooth Suite\adminservice.exe - [27/10/2010 16:18:52 | 52896 | (Atheros Commnucations)]
SRV - [ BCUService | Browser Configuration Utility Service | Stopped] - C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe - [26/10/2009 12:16:00 | 223464 | (DeviceVM, Inc.)]
SRV - [ Bonjour Service | Bonjour Service | Stopped] - C:\Program Files\Bonjour\mDNSResponder.exe - [31/08/2011 00:05:32 | 462184 | (Apple Inc.)]
SRV - [ CALoadService | CALoadService | Stopped] - D:\Program Files\AMD\CodeAnalyst\bin\CALoadService.exe - [01/01/1601 00:00:00 | FSF | ()]
SRV - [ CISVC | Indexing Service | Running] - C:\Windows\system32\CISVC.EXE - [14/07/2009 01:28:07 | 19456 | (Microsoft Corporation)]
SRV - [ CoordinatorServiceHost | SW Distributed TS Coordinator Service | Stopped] - D:\Program Files\SolidWorks Corp\SolidWorks\swScheduler\DTSCoordinatorService.exe - [20/01/2010 00:59:12 | 87336 | (Dassault Systèmes SolidWorks Corp.)]
SRV - [ cphs | Intel(R) Content Protection HECI Service | Stopped] - C:\Windows\SysWow64\IntelCpHeciSvc.exe - [19/03/2012 22:44:20 | 276248 | (Intel Corporation)]
SRV - [ CscService | CscService | Stopped] - C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted - [01/01/1601 00:00:00 | FSF | ()]
SRV - [ DbgSvc | Debug Diagnostic Service | Running] - C:\Program Files\DebugDiag\DbgSvc.exe - [12/07/2011 18:01:38 | 451848 | (Microsoft Corporation)]
SRV - [ DEFRAGSVC | Disk Defragmenter | Stopped] - C:\Windows\System32\svchost.exe -k DEFRAGSVC - [01/01/1601 00:00:00 | FSF | ()]
SRV - [ ehRecvr | Windows Media Center Receiver Service | Stopped] - C:\Windows\ehome\ehRecvr.exe - [21/11/2010 03:24:42 | 696832 | (Microsoft Corporation)]
SRV - [ ehSched | Windows Media Center Scheduler Service | Stopped] - C:\Windows\ehome\ehsched.exe - [14/07/2009 01:24:23 | 127488 | (Microsoft Corporation)]
SRV - [ FLEXnet Licensing Service | FLEXnet Licensing Service | Stopped] - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe - [31/10/2011 17:12:11 | 654848 | (Macrovision Europe Ltd.)]
SRV - [ FLEXnet Licensing Service 64 | FLEXnet Licensing Service 64 | Stopped] - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe - [27/12/2011 16:10:22 | 1431888 | (Flexera Software, Inc.)]
SRV - [ ftpsvc | Microsoft FTP Service | Running] - C:\Windows\system32\svchost.exe -k ftpsvc - [01/01/1601 00:00:00 | FSF | ()]
SRV - [ gupdate | Google Update Service (gupdate) | Stopped] - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc - [CTF | FSF | ()]
SRV - [ gupdatem | Google Update Service (gupdatem) | Stopped] - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc - [CTF | FSF | ()]
SRV - [ IISADMIN | IIS Admin Service | Running] - C:\Windows\system32\inetsrv\inetinfo.exe - [21/11/2010 03:24:38 | 15872 | (Microsoft Corporation)]
SRV - [ iPod Service | iPod Service | Stopped] - C:\Program Files\iPod\bin\iPodService.exe - [31/05/2013 11:56:06 | 641352 | (Apple Inc.)]
SRV - [ iprip | RIP Listener | Running] - C:\Windows\System32\svchost.exe -k ipripsvc - [01/01/1601 00:00:00 | FSF | ()]
SRV - [ LPDSVC | LPD Service | Running] - C:\Windows\System32\svchost.exe -k LPDService - [01/01/1601 00:00:00 | FSF | ()]
SRV - [ Microsoft SharePoint Workspace Audit Service | Microsoft SharePoint Workspace Audit Service | Stopped] - C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice - [CTF | FSF | ()]
SRV - [ MozillaMaintenance | Mozilla Maintenance Service | Stopped] - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe - [16/07/2012 17:56:33 | 118680 | (Mozilla Foundation)]
SRV - [ MsMpSvc | Microsoft Antimalware Service | Running] - C:\Program Files\Microsoft Security Client\MsMpEng.exe - [12/08/2013 14:11:04 | 23808 | (Microsoft Corporation)]
SRV - [ MSMQ | Message Queuing | Running] - C:\Windows\system32\mqsvc.exe - [14/07/2009 01:26:01 | 9216 | (Microsoft Corporation)]
SRV - [ MSMQTriggers | Message Queuing Triggers | Running] - C:\Windows\system32\mqtgsvc.exe - [21/11/2010 03:24:38 | 189440 | (Microsoft Corporation)]
SRV - [ odserv | Microsoft Office Diagnostics Service | Stopped] - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE - [20/07/2011 05:18:24 | 440696 | (Microsoft Corporation)]
SRV - [ osppsvc | Office Software Protection Platform | Stopped] - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE - [09/01/2010 20:34:24 | 4925184 | (Microsoft Corporation)]
SRV - [ PeerDistSvc | PeerDistSvc | Stopped] - C:\Windows\System32\svchost.exe -k PeerDist - [01/01/1601 00:00:00 | FSF | ()]
SRV - [ ReflectService.exe | Macrium Reflect Image Mounting Service | Stopped] - D:\Program Files\Macrium\Reflect\ReflectService.exe - [01/01/1601 00:00:00 | FSF | ()]
SRV - [ sesvc | ShadowExplorer Service | Stopped] - D:\Program Files (x86)\ShadowExplorer\sesvc.exe - [01/01/1601 00:00:00 | FSF | ()]
SRV - [ simptcp | Simple TCP/IP Services | Running] - C:\Windows\System32\tcpsvcs.exe - [14/07/2009 01:10:41 | 10240 | (Microsoft Corporation)]
SRV - [ SkypeUpdate | Skype Updater | Stopped] - C:\Program Files (x86)\Skype\Updater\Updater.exe - [13/07/2012 13:28:36 | 160944 | (Skype Technologies)]
SRV - [ SolidWorks Licensing Service | SolidWorks Licensing Service | Stopped] - C:\Program Files (x86)\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe - [27/12/2011 16:10:22 | 79360 | (SolidWorks)]
SRV - [ Steam Client Service | Steam Client Service | Stopped] - C:\Program Files (x86)\Common Files\Steam\SteamService.exe /RunAsService - [01/01/1601 00:00:00 | FSF | ()]
SRV - [ systemcmd | systemcmd | Stopped] - cmd /k start - [01/01/1601 00:00:00 | FSF | ()]
SRV - [ testsvc | testsvc | Stopped] - cmd /K start - [01/01/1601 00:00:00 | FSF | ()]
SRV - [ TlntSvr | Telnet | Stopped] - C:\Windows\System32\tlntsvr.exe - [14/07/2009 01:10:55 | 81920 | (Microsoft Corporation)]
SRV - [ W3SVC | World Wide Web Publishing Service | Running] - C:\Windows\system32\svchost.exe -k iissvcs - [01/01/1601 00:00:00 | FSF | ()]
SRV - [ wampapache | wampapache | Stopped] - D:\wamp\bin\apache\apache2.4.2\bin\httpd.exe" -k runservice - [CTF | FSF | ()]
SRV - [ wampmysqld | wampmysqld | Stopped] - D:\wamp\bin\mysql\mysql5.5.24\bin\mysqld.exe wampmysqld - [01/01/1601 00:00:00 | FSF | ()]
SRV - [ WAS | Windows Process Activation Service | Running] - C:\Windows\system32\svchost.exe -k iissvcs - [01/01/1601 00:00:00 | FSF | ()]
SRV - [ WMSVC | Web Management Service | Stopped] - C:\Windows\system32\inetsrv\wmsvc.exe - [14/07/2009 01:26:14 | 10752 | (Microsoft Corporation)]
 
Hi,

I'll write a PM to you soon. Don't wonder why :P

Having a 32bit build only, provided you test it carefully on 64bit machines, may not be a bad thing. You should consider it.
Please take a look here: I need testers, please! - Geeks to Go Forums. This version right now is compatible with 64bit and 32bit because for listing Services and Processes I use the ServiceController class and the Process class, and as far as I know there aren't any bugs using these on a 64bit system; for more see here ServiceController Class (System.ServiceProcess) and here Process Class (System.Diagnostics). I only have to pay attention to the Registry part, there are some mysteries.

And the 32bit and 64bit version only because I have to pay attention to the 32bit registry part on 64bit machines. There is a discussion on GeekU, sadly you can't see it :( - Before I begin writing code for the registry part I'd like to clear up some questions and maybe this forum will be my first place to ask. Thanks! And also I should not forget I'd like to read the Regex stuff to fix some bugs in the file paths under Services. (Why are there bugs? The value ImagePath for each service sometimes contains illegal expressions like " or /runAsService etc.) To be honest, I have to read a lot of stuff about 32bit and 64bit (especially their differences). Maybe you have special reading stuff? Also, one thing would interest me: which language are you using?

Also I will look at your tool - I never heard of it, to be honest, so I'd like to test it (maybe I'll be using it later). Like DonnaB said to me, you're a great programmer.

---
Let's switch to part two. In your log I see some things I have to Whitelist - so thanks for it :) I'll come with an update later.
 
Hello again :)

There is nothing that you are doing which cannot be done on a 64bit system from a 32bit application. Trust me on that :)

However, it won't work out of the box. You must make some tweaks to get it to work. For example, it sounds like you might be getting hit by file system/registry redirection policies. This means that when you try to open a 64bit file or key on a 64bit computer from a 32bit application, you get redirected elsewhere (to the 32bit key). But if you really want, you can ask Windows not to redirect you. This is what I do in SFCFix. Literally everywhere (although I actually have only a couple of helper functions do most of the work for me). If you do choose to go down a 32bit only build, and want any help, do not hesitate to ask. :)

As for RegEx, my favourite tutorial on it is here: The 30 Minute Regex Tutorial - CodeProject

But you do not need to use RegEx for what you are going to use it for. You can, and it's a good method, but it's not the only method.


Instead, you could consider something like this:

In services key, all paths with spaces must be quoted. Otherwise they don't need to be.

If first character is double quotes ("), read up to second double quotes for path. If first character is NOT double quotes, read up to first space for path. (EDIT: also check scenario when no space or quotes) Voila!


I'll talk more about redirection and System32 later today when I have a little more time. As for what language, I can code in C#, and I certainly used to a lot a couple of years ago (don't worry, I can still remember it!), but now (and for SFCFix) I use exclusively C++.

Richard

EDIT: Back on file paths, expand environment variables AFTER extracting the path. This avoids space issues. Some environment variables contain spaces. If you expand too early, you will have issues.

Expanding late (correct):
Code:
%ProgramFiles%\Example /argument

Check first character for double quotes. Not there. So path up to space:
Code:
%ProgramFiles%\Example

and expand environment variable:
Code:
C:\Program Files\Example


Expanding early (incorrect):
Code:
%ProgramFiles%\Example /argument

Expand:
Code:
C:\Program Files\Example /argument

Check first character for double quotes. Not there. So path up to space:
Code:
C:\Program

Incorrect!!!!
 
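The extraction rule and the expand-late order described in the post above, sketched in C# as an added example (not part of the original posts, and not code from MVS or SFCFix). The class and method names, the MVS_DEMO_DIR variable and the sample ImagePath values are constructed for the demonstration.

```csharp
using System;
using System.Diagnostics;
using System.IO;

static class ImagePathDemo   // hypothetical name, not from MVS
{
    // Rule from the post: returns the executable part of a raw ImagePath
    // value, still unexpanded; 'arguments' receives whatever follows it.
    public static string ExtractExecutable(string imagePath, out string arguments)
    {
        arguments = string.Empty;
        if (string.IsNullOrWhiteSpace(imagePath))
            return string.Empty;

        string value = imagePath.Trim();
        string exe;
        int end;   // index just past the executable (and its closing quote)

        if (value[0] == '"')
        {
            // Quoted: the path runs up to the second double quote.
            int close = value.IndexOf('"', 1);
            if (close < 0)
                return value.Substring(1);   // unterminated quote: take the rest
            exe = value.Substring(1, close - 1);
            end = close + 1;
        }
        else
        {
            // Unquoted: the path runs up to the first space.
            int space = value.IndexOf(' ');
            if (space < 0)
                return value;                // no space and no quotes
            exe = value.Substring(0, space);
            end = space;
        }

        arguments = value.Substring(end).Trim();
        return exe;
    }

    // Correct order: extract first, expand %VARIABLES% afterwards.
    public static string ResolveLate(string imagePath, out string arguments)
    {
        string exe = ExtractExecutable(imagePath, out arguments);
        return Environment.ExpandEnvironmentVariables(exe);
    }

    // Incorrect order from the post, kept only for comparison.
    public static string ResolveEarly(string imagePath, out string arguments)
    {
        string expanded = Environment.ExpandEnvironmentVariables(imagePath);
        return ExtractExecutable(expanded, out arguments);
    }

    static void Main()
    {
        // Constructed variable so the output does not depend on the machine.
        Environment.SetEnvironmentVariable("MVS_DEMO_DIR", @"C:\Program Files");

        // Constructed ImagePath values in the shapes seen in the logs above.
        string[] samples =
        {
            "\"C:\\Program Files (x86)\\Common Files\\Steam\\SteamService.exe\" /RunAsService",
            @"C:\Windows\system32\svchost.exe -k apphost",
            @"C:\Windows\system32\PnkBstrA.exe",
            @"%MVS_DEMO_DIR%\Example /argument",
        };

        foreach (string raw in samples)
        {
            string args, ignored;
            string late = ResolveLate(raw, out args);
            string early = ResolveEarly(raw, out ignored);

            Console.WriteLine("raw   : " + raw);
            Console.WriteLine("late  : " + late + "   args: " + args);
            if (early != late)
                Console.WriteLine("early : " + early + "   <- expanded too early");

            // Read metadata only for a path that resolves to a real file.
            // FileInfo.CreationTime does not throw for a missing file; it
            // returns 1 January 1601 (UTC, adjusted to local time).
            if (File.Exists(late))
            {
                FileInfo info = new FileInfo(late);
                string company = FileVersionInfo.GetVersionInfo(late).CompanyName;
                Console.WriteLine("file  : " + info.CreationTime + " | " + info.Length + " | (" + company + ")");
            }
            Console.WriteLine();
        }
    }
}
```

The rule relies on the convention stated in the post that paths containing spaces are quoted; an unquoted value with a space inside the path itself is cut at the first space by this logic.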
Hi guys, in the interests of computer science (or MS's version of it), here's my log:
Code:
MVS - Machiavelli's Scanner - Version 1.0.0.0
MVS Logfile created on: 10/30/2013 14:51:33 Logfile saved under = K:\Downloads\MVS\MVS.txt
Running from K:\Downloads\MVS\MVS.exe
SYSTEM => Microsoft Windows 7 Home Premium  64 bit Service Pack 1

=== Processes ===

[800] C:\Windows\system32\svchost.exe (Microsoft Corporation)
[1244] C:\Windows\system32\atieclxx.exe (AMD)
[2756] C:\Windows\system32\taskmgr.exe (Microsoft Corporation)
[708] C:\Windows\system32\lsm.exe (Microsoft Corporation)
[1584] C:\Windows\system32\taskhost.exe (Microsoft Corporation)
[1680] C:\Users\RoLY\APPDATA\LOCAL\FLUXSOFTWARE\FLUX\FLUX.EXE (Flux Software LLC)
[700] C:\Windows\system32\lsass.exe (Microsoft Corporation)
[3636] C:\Windows\system32\wbem\wmiprvse.exe (Microsoft Corporation)
[428] C:\Windows\system32\smss.exe (Microsoft Corporation)
[516] C:\Windows\System32\svchost.exe (Microsoft Corporation)
[3076] C:\PROGRAM FILES\MICROSOFT XBOX 360 ACCESSORIES\XBOXSTAT.EXE (Microsoft Corporation)
[1136] C:\Program Files\Pale Moon\palemoon.exe (Moonchild Productions)
[1220] C:\Program Files\AVAST Software\Avast\AvastSvc.exe (AVAST Software)
[684] C:\Windows\system32\services.exe (Microsoft Corporation)
[2196] C:\Program Files\Marcs Updater\Marcs Updater.exe (Marc Hörsken)
[3416] C:\Program Files (x86)\WSCC\wscc.exe (KirySoft)
[1744] C:\Windows\System32\svchost.exe (Microsoft Corporation)
[1476] C:\Windows\Explorer.EXE (Microsoft Corporation)
[940] C:\Windows\system32\svchost.exe (Microsoft Corporation)
[3520] C:\Windows\system32\mmc.exe (Microsoft Corporation)
[3276] K:\Downloads\MVS\MVS.exe ()
[1956] C:\Program Files (x86)\Hard Disk Sentinel\HDSentinel.exe (H.D.S. Hungary)
[756] C:\Windows\System32\svchost.exe (Microsoft Corporation)
[488] C:\Windows\system32\svchost.exe (Microsoft Corporation)
[2444] C:\PROGRAM FILES\SOFTPERFECT WIFI GUARD\WIFIGUARD.EXE (SoftPerfect Research)
[3824] C:\Program Files (x86)\Steam\Steam.exe (Valve Corporation)
[2620] C:\PROGRAM FILES (X86)\PIDGIN\PIDGIN.EXE (The Pidgin developer community)
[1816] C:\Windows\system32\taskeng.exe (Microsoft Corporation)
[836] C:\Windows\system32\winlogon.exe (Microsoft Corporation)
[2348] C:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrol.exe (BillP Studios)
[1012] C:\Windows\system32\atiesrxx.exe (AMD)
[1544] C:\Windows\system32\svchost.exe (Microsoft Corporation)
[564] C:\Windows\system32\csrss.exe (Microsoft Corporation)
[2544] C:\Program Files\AVAST Software\Avast\avastui.exe (AVAST Software)
[1984] C:\Program Files (x86)\ASRock Utility\AXTU\Bin\AsrXTU.exe ()
[2004] C:\Program Files\BotRevolt\BotRevolt.exe (BotRevolt.COM)
[3312] C:\Program Files (x86)\Sysinternals Suite\Autoruns.exe (Sysinternals - www.sysinternals.com)
[640] C:\Windows\system32\csrss.exe (Microsoft Corporation)
[2344] C:\PROGRAM FILES (X86)\INTEL\INTEL(R) USB 3.0 EXTENSIBLE HOST CONTROLLER DRIVER\APPLICATION\IUSB3MON.EXE (Intel Corporation)
[2240] C:\PROGRAM FILES\MARCS UPDATER\MARCS UPDATER.EXE (Marc Hörsken)
[1972] C:\Program Files (x86)\Sapphire TRIXX\TRIXX.exe ()
[2944] C:\Program Files\Pale Moon\plugin-container.exe (Mozilla Corporation)
[3104] C:\PROGRAM FILES (X86)\XFASTUSB\XFASTUSB.EXE (FNet Co., Ltd.)
[632] C:\Windows\system32\wininit.exe (Microsoft Corporation)
[1164] C:\Windows\system32\svchost.exe (Microsoft Corporation)
[548] C:\Program Files\Opera x64\Opera.exe (Opera Software)


=== Services ===

SRV - [ Adobe LM Service | Adobe LM Service | Stopped] - C:\Program Files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe - [1/1/1601 00:00:00 | FSF | ()]
SRV - [ ArcService | Arc Service | Stopped] - C:\Program Files (x86)\Perfect World Entertainment\Arc\ArcService.exe - [8/15/2013 16:01:36 | 88424 | (Perfect World Entertainment Inc)]
SRV - [ avast! Antivirus | avast! Antivirus | Running] - C:\Program Files\AVAST Software\Avast\AvastSvc.exe - [10/22/2013 09:35:41 | 50344 | (AVAST Software)]
SRV - [ bgsvcgen | B's Recorder GOLD Library General Service | Stopped] - C:\Windows\SysWOW64\bgsvcgen.exe - [1/1/1601 00:00:00 | FSF | ()]
SRV - [ Creative Audio Engine Licensing Service | Creative Audio Engine Licensing Service | Stopped] - C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe - [6/8/2013 20:31:22 | 79360 | (Creative Labs)]
SRV - [ CTAudSvcService | Creative Audio Service | Stopped] - C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe - [6/8/2013 20:31:11 | 307200 | (Creative Technology Ltd)]
SRV - [ Desura Install Service | Desura Install Service | Stopped] - C:\Program Files (x86)\Common Files\Desura\desura_service.exe - [6/12/2013 19:55:25 | 131912 | (Desura Pty Ltd)]
SRV - [ gupdate | Google Update Service (gupdate) | Stopped] - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc - [CTF | FSF | ()]
SRV - [ gupdatem | Google Update Service (gupdatem) | Stopped] - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc - [CTF | FSF | ()]
SRV - [ IDriverT | InstallDriver Table Manager | Stopped] - C:\Program Files (x86)\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe - [11/14/2005 00:06:04 | 69632 | (Macrovision Corporation)]
SRV - [ jswpsapi | JumpStart Wi-Fi Protected Setup | Stopped] - C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\WPS\jswpsapi.exe - [3/8/2013 19:01:52 | 954368 | (Wireless)]
SRV - [ MaConfigAgent | Ma-Config Agent | Stopped] - C:\Program Files\ma-config.com\MaConfigAgent.exe - [6/9/2013 12:16:54 | 2635600 | (CybelSoft)]
SRV - [ Marcs Updater | Marcs Updater | Running] - C:\Program Files\Marcs Updater\Marcs Updater.exe /service - [1/1/1601 00:00:00 | FSF | ()]
SRV - [ MozillaMaintenance | Mozilla Maintenance Service | Stopped] - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe - [9/4/2013 01:35:44 | 112880 | (Mozilla Foundation)]
SRV - [ PnkBstrA | PnkBstrA | Stopped] - C:\Windows\system32\PnkBstrA.exe - [1/1/1601 00:00:00 | FSF | ()]
SRV - [ ReflectService.exe | Macrium Reflect Image Mounting Service | Stopped] - C:\Program Files\Macrium\Reflect\ReflectService.exe - [9/25/2013 22:01:46 | 907384 | ()]
SRV - [ rpcapd | Remote Packet Capture Protocol v.0 (experimental) | Stopped] - C:\Program Files (x86)\WinPcap\rpcapd.exe" -d -f "C:\Program Files (x86)\WinPcap\rpcapd.ini - [CTF | FSF | ()]
SRV - [ Secunia PSI Agent | Secunia PSI Agent | Stopped] - C:\Program Files (x86)\Secunia\PSI\PSIA.exe" --start-service - [CTF | FSF | ()]
SRV - [ Secunia Update Agent | Secunia Update Agent | Stopped] - C:\Program Files (x86)\Secunia\PSI\sua.exe" --start-service - [CTF | FSF | ()]
SRV - [ Steam Client Service | Steam Client Service | Stopped] - C:\Program Files (x86)\Common Files\Steam\SteamService.exe" /RunAsService - [CTF | FSF | ()]
SRV - [ TeamViewer8 | TeamViewer 8 | Stopped] - C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe - [7/25/2013 01:55:38 | 5071712 | (TeamViewer GmbH)]
SRV - [ TurboBoost | Intel(R) Turbo Boost Technology Monitor 2.6 | Stopped] - C:\Program Files\Intel\TurboBoost\TurboBoost.exe - [5/30/2012 13:11:34 | 149544 | (Intel(R) Corporation)]
SRV - [ USBDLM | USBDLM | Stopped] - C:\Program Files\USBDLM\USBDLM.exe - [7/1/2013 17:06:58 | 428480 | (Uwe Sieber - www.uwe-sieber.de)]
SRV - [ WiseBootAssistant | Wise Boot Assistant | Stopped] - C:\Program Files (x86)\Wise\Wise Care 365\BootTime.exe - [1/1/1601 00:00:00 | FSF | ()]
If nothing else, it's highlighted for me some dead Service entries - now I need to eliminate them :)
 
However, it won't work out of the box. You must make some tweaks to get it to work. For example, it sounds like you might be getting hit by file system/registry redirection policies. This means that when you try to open a 64bit file or key on a 64bit computer from a 32bit application, you get redirected elsewhere (to the 32bit key). But if you really want, you can ask Windows not to redirect you. This is what I do in SFCFix. Literally everywhere (although I actually have only a couple of helper functions do most of the work for me). If you do choose to go down a 32bit only build, and want any help, do not hesitate to ask. :)
Thanks for all that - I'll think of it and report back later.

I'll talk more about redirection and System32 later today
That would be very nice!

And of course many thanks for all of these tips! They helped me a lot!

@satrow)
Thanks for testing! You helped me a lot!
 
Output looks more useful to humans now, less effort required to translate it ;) Alignment would make a big difference to speed-reading whilst scrolling (already mentioned by Richard (niemiro)).
Code:
MVS - Machiavelli's Scanner - Version 1.0.0.0
MVS Logfile created on: 10/30/2013 19:50:52 Logfile saved under = K:\Downloads\MVS\MVS.txt
Running from K:\Downloads\MVS\MVS.exe
SYSTEM => Microsoft Windows 7 Home Premium  64 bit Service Pack 1

=== Processes ===

C:\Windows\system32\svchost.exe [ 800 ]  (Microsoft Corporation)
C:\Windows\system32\atieclxx.exe [ 1244 ]  (AMD)
C:\Windows\system32\taskmgr.exe [ 2756 ]  (Microsoft Corporation)
C:\Windows\system32\lsm.exe [ 708 ]  (Microsoft Corporation)
C:\Windows\system32\taskhost.exe [ 1584 ]  (Microsoft Corporation)
C:\Users\RoLY\APPDATA\LOCAL\FLUXSOFTWARE\FLUX\FLUX.EXE [ 1680 ]  (Flux Software LLC)
C:\Windows\system32\lsass.exe [ 700 ]  (Microsoft Corporation)
C:\Windows\system32\smss.exe [ 428 ]  (Microsoft Corporation)
C:\Windows\System32\svchost.exe [ 516 ]  (Microsoft Corporation)
C:\PROGRAM FILES\MICROSOFT XBOX 360 ACCESSORIES\XBOXSTAT.EXE [ 3076 ]  (Microsoft Corporation)
C:\Program Files\Pale Moon\palemoon.exe [ 1136 ]  (Moonchild Productions)
C:\Program Files\7-Zip\7zFM.exe [ 3892 ]  (Igor Pavlov)
C:\Windows\system32\wbem\wmiprvse.exe [ 3980 ]  (Microsoft Corporation)
C:\Program Files\AVAST Software\Avast\AvastSvc.exe [ 1220 ]  (AVAST Software)
C:\Windows\system32\services.exe [ 684 ]  (Microsoft Corporation)
C:\Program Files\Marcs Updater\Marcs Updater.exe [ 2196 ]  (Marc Hörsken)
C:\Windows\system32\NOTEPAD.EXE [ 3232 ]  (Microsoft Corporation)
C:\Program Files\ma-config.com\MaConfigAgent.exe [ 2576 ]  (CybelSoft)
C:\Program Files (x86)\WSCC\wscc.exe [ 3416 ]  (KirySoft)
C:\Windows\System32\svchost.exe [ 1744 ]  (Microsoft Corporation)
C:\Windows\Explorer.EXE [ 1476 ]  (Microsoft Corporation)
C:\Windows\system32\svchost.exe [ 940 ]  (Microsoft Corporation)
C:\Windows\system32\mmc.exe [ 3520 ]  (Microsoft Corporation)
C:\Program Files (x86)\Hard Disk Sentinel\HDSentinel.exe [ 1956 ]  (H.D.S. Hungary)
C:\Windows\System32\svchost.exe [ 756 ]  (Microsoft Corporation)
C:\Windows\system32\svchost.exe [ 488 ]  (Microsoft Corporation)
C:\PROGRAM FILES\SOFTPERFECT WIFI GUARD\WIFIGUARD.EXE [ 2444 ]  (SoftPerfect Research)
C:\Program Files (x86)\Steam\Steam.exe [ 3824 ]  (Valve Corporation)
C:\PROGRAM FILES (X86)\PIDGIN\PIDGIN.EXE [ 2620 ]  (The Pidgin developer community)
C:\Windows\system32\taskeng.exe [ 1816 ]  (Microsoft Corporation)
C:\Windows\system32\winlogon.exe [ 836 ]  (Microsoft Corporation)
C:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrol.exe [ 2348 ]  (BillP Studios)
C:\Windows\system32\atiesrxx.exe [ 1012 ]  (AMD)
C:\Windows\system32\svchost.exe [ 1544 ]  (Microsoft Corporation)
C:\Windows\system32\csrss.exe [ 564 ]  (Microsoft Corporation)
C:\Program Files\AVAST Software\Avast\avastui.exe [ 2544 ]  (AVAST Software)
C:\Program Files (x86)\ASRock Utility\AXTU\Bin\AsrXTU.exe [ 1984 ]  ()
K:\Downloads\MVS\MVS.exe [ 3644 ]  ()
C:\Program Files\BotRevolt\BotRevolt.exe [ 2004 ]  (BotRevolt.COM)
C:\Program Files (x86)\Sysinternals Suite\Autoruns.exe [ 3312 ]  (Sysinternals - www.sysinternals.com)
C:\Windows\system32\csrss.exe [ 640 ]  (Microsoft Corporation)
C:\PROGRAM FILES (X86)\INTEL\INTEL(R) USB 3.0 EXTENSIBLE HOST CONTROLLER DRIVER\APPLICATION\IUSB3MON.EXE [ 2344 ]  (Intel Corporation)
C:\PROGRAM FILES\MARCS UPDATER\MARCS UPDATER.EXE [ 2240 ]  (Marc Hörsken)
C:\Program Files (x86)\Sapphire TRIXX\TRIXX.exe [ 1972 ]  ()
C:\Program Files\Pale Moon\plugin-container.exe [ 2944 ]  (Mozilla Corporation)
C:\PROGRAM FILES (X86)\XFASTUSB\XFASTUSB.EXE [ 3104 ]  (FNet Co., Ltd.)
C:\Windows\system32\wininit.exe [ 632 ]  (Microsoft Corporation)
C:\Windows\system32\svchost.exe [ 1164 ]  (Microsoft Corporation)
C:\Program Files\Opera x64\Opera.exe [ 548 ]  (Opera Software)


=== Services ===

SRV - [ Adobe LM Service | Adobe LM Service | Stopped] - C:\Program Files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe - [1/1/1601 00:00:00 | FSF | ()] => File not found
SRV - [ ArcService | Arc Service | Stopped] - C:\Program Files (x86)\Perfect World Entertainment\Arc\ArcService.exe - [8/15/2013 16:01:36 | 88424 | (Perfect World Entertainment Inc)]
SRV - [ avast! Antivirus | avast! Antivirus | Running] - C:\Program Files\AVAST Software\Avast\AvastSvc.exe - [10/22/2013 09:35:41 | 50344 | (AVAST Software)]
SRV - [ bgsvcgen | B's Recorder GOLD Library General Service | Stopped] - C:\Windows\SysWOW64\bgsvcgen.exe - [1/1/1601 00:00:00 | FSF | ()] => File not found
SRV - [ Creative Audio Engine Licensing Service | Creative Audio Engine Licensing Service | Stopped] - C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe - [6/8/2013 20:31:22 | 79360 | (Creative Labs)]
SRV - [ CTAudSvcService | Creative Audio Service | Stopped] - C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe - [6/8/2013 20:31:11 | 307200 | (Creative Technology Ltd)]
SRV - [ Desura Install Service | Desura Install Service | Stopped] - C:\Program Files (x86)\Common Files\Desura\desura_service.exe - [6/12/2013 19:55:25 | 131912 | (Desura Pty Ltd)]
SRV - [ gupdate | Google Update Service (gupdate) | Stopped] - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe - [4/4/2013 17:58:26 | 116648 | (Google Inc.)]
SRV - [ gupdatem | Google Update Service (gupdatem) | Stopped] - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe - [4/4/2013 17:58:26 | 116648 | (Google Inc.)]
SRV - [ IDriverT | InstallDriver Table Manager | Stopped] - C:\Program Files (x86)\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe - [11/14/2005 00:06:04 | 69632 | (Macrovision Corporation)]
SRV - [ jswpsapi | JumpStart Wi-Fi Protected Setup | Stopped] - C:\Program Files (x86)\TP-LINK\TP-LINK Wireless Configuration Utility\WPS\jswpsapi.exe - [3/8/2013 19:01:52 | 954368 | (Wireless)]
SRV - [ Marcs Updater | Marcs Updater | Running] - C:\Program Files\Marcs Updater\Marcs Updater.exe /service - [1/1/1601 00:00:00 | FSF | ()] => File not found
SRV - [ MozillaMaintenance | Mozilla Maintenance Service | Stopped] - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe - [9/4/2013 01:35:44 | 112880 | (Mozilla Foundation)]
SRV - [ ReflectService.exe | Macrium Reflect Image Mounting Service | Stopped] - C:\Program Files\Macrium\Reflect\ReflectService.exe - [9/25/2013 22:01:46 | 907384 | ()]
SRV - [ rpcapd | Remote Packet Capture Protocol v.0 (experimental) | Stopped] - C:\Program Files (x86)\WinPcap\rpcapd.exe - [6/25/2010 18:07:20 | 117264 | (CACE Technologies, Inc.)]
SRV - [ Secunia PSI Agent | Secunia PSI Agent | Stopped] - C:\Program Files (x86)\Secunia\PSI\PSIA.exe - [7/3/2013 09:32:44 | 1228504 | (Secunia)]
SRV - [ Secunia Update Agent | Secunia Update Agent | Stopped] - C:\Program Files (x86)\Secunia\PSI\sua.exe - [7/3/2013 09:32:44 | 660184 | (Secunia)]
SRV - [ Steam Client Service | Steam Client Service | Stopped] - C:\Program Files (x86)\Common Files\Steam\SteamService.exe - [9/22/2012 21:18:15 | 565672 | (Valve Corporation)]
SRV - [ TeamViewer8 | TeamViewer 8 | Stopped] - C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe - [7/25/2013 01:55:38 | 5071712 | (TeamViewer GmbH)]
SRV - [ TurboBoost | Intel(R) Turbo Boost Technology Monitor 2.6 | Stopped] - C:\Program Files\Intel\TurboBoost\TurboBoost.exe - [5/30/2012 13:11:34 | 149544 | (Intel(R) Corporation)]
SRV - [ USBDLM | USBDLM | Stopped] - C:\Program Files\USBDLM\USBDLM.exe - [7/1/2013 17:06:58 | 428480 | (Uwe Sieber - www.uwe-sieber.de)]
SRV - [ WinDefend | Windows Defender | Stopped] - C:\Windows\System32\svchost.exe -k secsvcs - [1/1/1601 00:00:00 | FSF | ()] => File not found
SRV - [ WiseBootAssistant | Wise Boot Assistant | Stopped] - C:\Program Files (x86)\Wise\Wise Care 365\BootTime.exe - [1/1/1601 00:00:00 | FSF | ()] => File not found
SRV - [ MaConfigAgent | Ma-Config Agent | Running] - C:\Program Files\ma-config.com\MaConfigAgent.exe - [10/25/2013 19:08:12 | 2768208 | (CybelSoft)]
Running this prompted me to take another look at MaConfigAgent, you guys might want to check it for yourselves, if you're not aware of it (FR-based): Easily explore your PC (though the BSOD analysis aspect of it won't be up to Sysnative standards). I checked the 4x main executables for the newest version with Virustotal and they have a clean sheet, it seems McAfee classed it as a trojan a short time ago: https://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=3920993#none (what self-respecting trojan would attempt to connect to Windows Update ... ?), VT result for the main exe: https://www.virustotal.com/en/file/...0a2e468f511b8a1a5068eb8e/analysis/1383163640/
 
Hello again :)

Don't worry about posting multiple times in a row. In actual fact I prefer it, as then I get a notification of your new post vs. no notification for an edit.


As promised, a little talk on redirection. First, let's discuss file system redirection. We will come onto registry later. If you don't understand any part of this, feel completely free to ask me about it. Also, I do not know what you do and do not know, so I have included pretty much everything. It will also help future readers.


System32 vs. SysWOW64 vs. Sysnative

Finally, although you may already know this, I would like to briefly talk about these folders. All three of them exist on a 64bit computer under %SystemRoot% (C:\Windows) (although you will not be able to find Sysnative using explorer.exe), however, only System32 exists on a 32bit computer.

The names of these folders are slightly counterintuitive, however, it is done for compatibility reasons with old programs.

On a 32bit computer, everything is nice and simple. There is only one set of Windows files, and they are compiled for a 32bit architecture. They are stored under winsxs with the prefix x86_ and the active version of each file is linked into the System32 folder.

On a 64bit computer, everything is not quite so nice and simple. First, Microsoft realised that many programs had hardcoded the path C:\Windows\System32 rather than using some form of expansion variable such as an environmental variable. This meant that they couldn't just move everything to System64, as then all those old programs would break. The System32 name had to stick, or at least be redirected.

But there is another difficulty. Microsoft also wished for legacy 32bit programs to still work on the 64bit architecture. To achieve this, they implemented something called WOW64. Now all of a sudden, two sets of each Windows file exist: the 64bit files (winsxs prefix of amd64_) and the 32bit files (winsxs prefix of wow64_ [or occasionally x86_ - technicality]).

The next point of note is the wow64 files. Contrary to much of the misinformation currently available on the internet, these 32bit copies of the files do not actually contain full sets of the code. In fact, they are merely redirection shells. When a legacy 32bit application makes a call to a Windows .dll, it is sent a reference to the 32bit copy of the .dll file. However, this 32bit copy of the .dll does not actually process the call. Instead, it converts all of the 32bit data types from the 32bit application to 64bit, calls the 64bit copy of the .dll with this converted data which does the actual processing, and then takes the returned 64bit datatypes from the 64bit .dll, converts them back to 32bit before returning them to the application as though the 64bit .dll had never been invoked. This is what is actually going on.

So where are the active versions of these wow64 files linked? Well, they're linked in a new folder called SysWOW64. And then the truly 64bit copies of the files are stored in the System32 folder to maintain compatibility with legacy applications for the reasons already given. But this leads to another problem: what happens if a 32bit legacy application directly calls C:\Windows\System32\example.dll? Well then it gets sent a 64bit .dll file, which won't work. So to solve this, 32bit applications which directly call System32 get silently redirected to the 32bit copy in SysWOW64.

But this doesn't completely solve the problem. What if a 32bit application explicitly wants to access the 64bit copy of the file directly? Well, Microsoft have provided several different solutions to this problem, any one of which can be used, but perhaps the simplest is the virtual Sysnative folder. This folder isn't real. It doesn't contain anything, it's just a link to another folder. And for 32bit applications, it links to the 64bit System32. So Sysnative may be used to bypass normal System32 redirection and actually get access to System32. This is why you won't be able to find this folder in explorer.exe: it doesn't really exist. But there's another reason too. This sort of redirection doesn't make sense in 64bit. 64bit applications can already access the 64bit copies of the files through System32, and they can access the 32bit copies of the files through SysWOW64. So there's no need for Sysnative, so Sysnative doesn't work in 64bit applications.

Wow, that's long and confusing. What about a nice summary? :p

In summary:
System32 holds 32bit copies of files on 32bit computers, and 64bit copies of files on a 64bit computer.
SysWOW64 holds wow64/32bit copies of files on a 64bit computer, and doesn't exist on a 32bit computer.
Sysnative is a virtual redirection directory which doesn't exist except under legacy 32bit applications on a 64bit computer.

32bit application on 32bit computer:
System32 --> no redirection --> System32
SysWOW64 --> doesn't exist
Sysnative --> doesn't exist

64bit application on 64bit computer:
System32 --> no redirection --> System32
SysWOW64 --> no redirection --> SysWOW64
Sysnative --> doesn't exist

32bit application on 64bit computer:
System32 --> redirection --> SysWOW64
SysWOW64 --> no redirection --> SysWOW64
Sysnative --> redirection --> System32



So, hopefully you understand a little more about the System32, SysWOW64, and Sysnative folders, and why they were created as they are.


So, now let's say you want to access C:\Windows\System32\example.dll (no redirection, actually in System32).
On a 32bit computer, it's very simple: Just access C:\Windows\System32\example.dll. On a 64bit app on a 64bit computer, again just access C:\Windows\System32\example.dll. But on a 32bit app on a 64bit computer, you must access C:\Windows\Sysnative\example.dll.


So, if you are writing a permanently 32bit app, and you want to access the real C:\Windows\System32\example.dll, you must first check whether the system is 32bit or 64bit. If it is 32bit, you directly access C:\Windows\System32\example.dll, and if it's 64bit you change the request and access C:\Windows\Sysnative\example.dll.




What about the registry? Well, a very similar thing occurs. This time, if you want to access the other architecture of a registry value you have a magical registry key called Wow6432Node. But things are a little different this time.

The 64bit copy of the key on 64bit OS or 32bit copy of the key on 32bit OS is stored where it should be, e.g. HKEY_LOCAL_MACHINE\Software. However, for 64bit OS, the 32bit copy of the key is stored at HKEY_LOCAL_MACHINE\Software\Wow6432Node.

Normally, a 32bit app on a 64bit computer which tries to access HKEY_LOCAL_MACHINE\Software is silently redirected to HKEY_LOCAL_MACHINE\Software\Wow6432Node. A 64bit app on a 64bit computer can access either HKEY_LOCAL_MACHINE\Software or HKEY_LOCAL_MACHINE\Wow6432Node directly, with no redirection. But there's a problem. What about 32bit app on 64bit computer accessing 64bit key? There's no second magic key for that. Hmmmmm... This situation is a bit like having System32 and SysWOW64, but no Sysnative. Big hmmmmmm.

Fortunately, there's a solution. We can ask Windows not to redirect us. You can use (in C#) RegistryKey.OpenBaseKey with HKEY_LOCAL_MACHINE\Software, and with view (RegistryView Enumeration (Microsoft.Win32)) set to either Registry32 or Registry64 to access exactly what you want.


And in C++ (and I assume via P/Invoke C# also), for those few exceptionally rare times when you cannot ask Windows not to redirect you, you can globally and temporarily disable redirection entirely using the Wow64DisableWow64FsRedirection function (Windows) and the Wow64RevertWow64FsRedirection function (Windows).

You should not need to use these.

There is only one scenario I know of where all of these techniques fail, and that involves a very specific and extremely complex operation on the Volume Shadow Copy Service, where you simply have to drop a 64bit exe on the 64bit computer, and run that.

I hope this helps, but suspect it will only confuse further :p

Richard
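
The path and registry-view selection described in the post above, as an added C# example that is not part of the thread and is not code from MVS or SFCFix. The class and method names are hypothetical, and the Run key and svchost.exe are chosen here only as a redirected key under HKEY_LOCAL_MACHINE\Software and a file that exists in both System32 and SysWOW64.

```csharp
// Added example; not MVS or SFCFix code. Needs .NET Framework 4.0 or later.
using System;
using System.IO;
using Microsoft.Win32;

static class RedirectionDemo
{
    // A key under HKLM\Software that has a separate Wow6432Node copy
    // (picked for this example; any redirected key behaves the same way).
    const string RunKey = @"SOFTWARE\Microsoft\Windows\CurrentVersion\Run";

    // True only in the "32bit application on 64bit computer" case.
    static bool IsRedirected
    {
        get { return Environment.Is64BitOperatingSystem && !Environment.Is64BitProcess; }
    }

    // Maps <windir>\System32\... to <windir>\Sysnative\... when this process would
    // otherwise be sent to SysWOW64. Every other path is returned unchanged, because
    // Sysnative does not exist for 64bit processes or on a 32bit OS.
    static string ToNativePath(string path)
    {
        if (!IsRedirected) return path;

        string windir = Environment.GetFolderPath(Environment.SpecialFolder.Windows);
        string prefix = Path.Combine(windir, "System32") + Path.DirectorySeparatorChar;
        if (!path.StartsWith(prefix, StringComparison.OrdinalIgnoreCase)) return path;

        return Path.Combine(windir, "Sysnative", path.Substring(prefix.Length));
    }

    // One log line per file: timestamp and size, or an explicit "not found".
    static string Describe(string path)
    {
        if (!File.Exists(path)) return path + " => File not found";
        FileInfo info = new FileInfo(path);
        return string.Format("{0} [{1} | {2}]", path, info.LastWriteTime, info.Length);
    }

    // Opens HKLM in the requested view, so no redirection is applied to the
    // lookup regardless of the bitness of this process.
    static void DumpRunKey(RegistryView view)
    {
        Console.WriteLine(@"=== HKLM\{0} ({1}) ===", RunKey, view);
        using (RegistryKey hklm = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, view))
        using (RegistryKey run = hklm.OpenSubKey(RunKey))
        {
            if (run == null) { Console.WriteLine("(key not present)"); return; }
            foreach (string name in run.GetValueNames())
                Console.WriteLine("{0} = {1}", name, run.GetValue(name));
        }
    }

    static void Main()
    {
        Console.WriteLine("64bit OS: {0}, 64bit process: {1}",
            Environment.Is64BitOperatingSystem, Environment.Is64BitProcess);

        string windir = Environment.GetFolderPath(Environment.SpecialFolder.Windows);
        string requested = Path.Combine(windir, "System32", "svchost.exe");

        // In a 32bit process on a 64bit OS the first line describes the SysWOW64
        // copy and the second the real System32 copy; otherwise both are the same file.
        Console.WriteLine("As requested: " + Describe(requested));
        Console.WriteLine("Native:       " + Describe(ToNativePath(requested)));

        // The 32bit view always exists; the 64bit view is only distinct on a 64bit OS.
        DumpRunKey(RegistryView.Registry32);
        if (Environment.Is64BitOperatingSystem)
            DumpRunKey(RegistryView.Registry64);
    }
}
```

Built as x86 and run on a 64bit system, the two svchost.exe lines report different sizes and the two Run listings can differ; built as x64, the paths are identical and only the registry views differ.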
 
All of this is over my head but, here is my log :lolg:

Code:
MVS - Machiavelli's Scanner - Version 1.0.0.0
MVS Logfile created on: 10/30/2013 3:57:11 PM Logfile saved under = C:\Users\Geoff\Desktop\MVS\MVS.txt
Running from C:\Users\Geoff\Desktop\MVS\MVS.exe
SYSTEM => Microsoft Windows 8 Pro 64 bit 

=== Processes ===

C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [ 4924 ]  (ATI Technologies Inc.)
C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe [ 2952 ]  (TeamViewer GmbH)
C:\Windows\system32\DllHost.exe [ 2360 ]  (Microsoft Corporation)
C:\Windows\system32\smss.exe [ 388 ]  (Microsoft Corporation)
C:\Program Files (x86)\PowerISO\PWRISOVM.EXE [ 4380 ]  (PowerISO Computing, Inc.)
C:\Windows\system32\DllHost.exe [ 5304 ]  (Microsoft Corporation)
C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe [ 4512 ]  (Microsoft Corporation)
C:\Windows\system32\SearchFilterHost.exe [ 3132 ]  (Microsoft Corporation)
C:\Program Files\EPSON\EpsonCustomerParticipation\EPCP.exe [ 2540 ]  (SEIKO EPSON CORPORATION)
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [ 3720 ]  (Microsoft Corporation)
C:\Program Files (x86)\MediaMall\PlayOn.exe [ 4900 ]  (MediaMall Technologies, Inc.)
C:\Windows\system32\csrss.exe [ 564 ]  (Microsoft Corporation)
C:\Program Files (x86)\Corsair SSD Toolbox\CSSDTService.exe [ 2136 ]  (Corsair)
C:\Windows\system32\taskhostex.exe [ 2640 ]  (Microsoft Corporation)
C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe [ 4688 ]  (Logitech Inc.)
C:\Windows\system32\svchost.exe [ 944 ]  (Microsoft Corporation)
C:\Windows\system32\svchost.exe [ 1532 ]  (Microsoft Corporation)
C:\Windows\system32\lsass.exe [ 740 ]  (Microsoft Corporation)
C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe [ 2708 ]  (Microsoft Corporation)
C:\Windows\system32\svchost.exe [ 2900 ]  (Microsoft Corporation)
C:\Windows\system32\services.exe [ 732 ]  (Microsoft Corporation)
C:\Windows\system32\dwm.exe [ 532 ]  (Microsoft Corporation)
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [ 1084 ]  (Google Inc.)
C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [ 2496 ]  (ESET)
C:\Program Files (x86)\DisplayFusion\DisplayFusionAppHook.exe [ 5252 ]  (Binary Fortress Software)
C:\Windows\system32\SearchProtocolHost.exe [ 1652 ]  (Microsoft Corporation)
C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe [ 2688 ]  (Microsoft Corporation)
C:\Program Files\Classic Shell\ClassicStartMenu.exe [ 1500 ]  (IvoSoft)
C:\Program Files (x86)\MSI Afterburner\MSIAfterburner.exe [ 2680 ]  ()
C:\Windows\system32\svchost.exe [ 512 ]  (Microsoft Corporation)
C:\Program Files\iPod\bin\iPodService.exe [ 4844 ]  (Apple Inc.)
C:\Windows\system32\wbem\wmiprvse.exe [ 4252 ]  (Microsoft Corporation)
C:\Windows\System32\svchost.exe [ 1060 ]  (Microsoft Corporation)
C:\Windows\system32\winlogon.exe [ 896 ]  (Microsoft Corporation)
C:\Program Files (x86)\iTunes\iTunesHelper.exe [ 5032 ]  (Apple Inc.)
C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe [ 4684 ]  (Logitech Inc.)
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [ 3728 ]  (Google Inc.)
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe [ 3844 ]  (Advanced Micro Devices Inc.)
C:\Windows\system32\DllHost.exe [ 4040 ]  (Microsoft Corporation)
C:\Program Files (x86)\SpeedFan\speedfan.exe [ 2660 ]  (Almico Software (www.almico.com))
C:\Windows\system32\csrss.exe [ 684 ]  (Microsoft Corporation)
C:\Windows\system32\atieclxx.exe [ 1076 ]  (AMD)
C:\Windows\System32\WUDFHost.exe [ 3240 ]  (Microsoft Corporation)
C:\Windows\servicing\TrustedInstaller.exe [ 1268 ]  (Microsoft Corporation)
C:\Windows\system32\svchost.exe [ 868 ]  (Microsoft Corporation)
C:\Windows\System32\svchost.exe [ 276 ]  (Microsoft Corporation)
C:\Program Files\Windows Media Player\wmpnetwk.exe [ 5592 ]  (Microsoft Corporation)
C:\Program Files\Classic Shell\ClassicShellService.exe [ 1408 ]  (IvoSoft)
C:\Windows\system32\wininit.exe [ 664 ]  (Microsoft Corporation)
C:\Windows\Explorer.EXE [ 1844 ]  (Microsoft Corporation)
C:\Program Files\Bonjour\mDNSResponder.exe [ 1448 ]  (Apple Inc.)
C:\Windows\system32\svchost.exe [ 852 ]  (Microsoft Corporation)
C:\Program Files (x86)\EPSON Software\Event Manager\EEventManager.exe [ 4192 ]  (SEIKO EPSON CORPORATION)
C:\Windows\system32\DllHost.exe [ 3600 ]  (Microsoft Corporation)
C:\Windows\system32\dashost.exe [ 2220 ]  (Microsoft Corporation)
C:\Program Files (x86)\MediaMall\MediaMallServer.exe [ 2612 ]  (MediaMall Technologies, Inc.)
C:\Program Files\Rainmeter\Rainmeter.exe [ 4384 ]  ()
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [ 4972 ]  (Realtek Semiconductor)
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [ 2016 ]  (Apple Inc.)
C:\Program Files (x86)\DisplayFusion\DisplayFusion.exe [ 4772 ]  (Binary Fortress Software)
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.2.9200.16683_none_62280e15510f8e79\TiWorker.exe [ 3784 ]  (Microsoft Corporation)
C:\Windows\system32\SearchIndexer.exe [ 3384 ]  (Microsoft Corporation)
C:\Users\Geoff\Desktop\MVS\MVS.exe [ 3468 ]  ()
C:\Program Files (x86)\DisplayFusion\DisplayFusionService.exe [ 2196 ]  (Binary Fortress Software)
C:\Windows\system32\atiesrxx.exe [ 1008 ]  (AMD)
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [ 4748 ]  (ESET)
C:\Windows\system32\EscSvc64.exe [ 2580 ]  (Seiko Epson Corporation)
C:\Windows\system32\wbem\wmiprvse.exe [ 2892 ]  (Microsoft Corporation)
C:\Windows\System32\spoolsv.exe [ 1732 ]  (Microsoft Corporation)
C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [ 1984 ]  (Advanced Micro Devices, Inc.)
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [ 2876 ]  (Google Inc.)
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [ 4148 ]  (Google Inc.)
C:\Windows\system32\svchost.exe [ 1776 ]  (Microsoft Corporation)
C:\Windows\system32\svchost.exe [ 3548 ]  (Microsoft Corporation)


=== Services ===

SRV - [ AMD FUEL Service | AMD FUEL Service | Running] - C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe /launchService - [12/31/1600 4:00:00 PM | FSF | ()] => File not found
SRV - [ Apple Mobile Device | Apple Mobile Device | Running] - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe - [9/7/2013 9:13:38 AM | 55624 | (Apple Inc.)]
SRV - [ Bonjour Service | Bonjour Service | Running] - C:\Program Files\Bonjour\mDNSResponder.exe - [8/30/2011 11:05:32 PM | 462184 | (Apple Inc.)]
SRV - [ ClassicShellService | Classic Shell Service | Running] - C:\Program Files\Classic Shell\ClassicShellService.exe - [6/29/2013 10:49:28 AM | 68608 | (IvoSoft)]
SRV - [ CorsairSSDToolBox | Corsair SSD ToolBox | Running] - C:\Program Files (x86)\Corsair SSD Toolbox\CSSDTService.exe - [8/6/2013 12:54:48 AM | 1838352 | (Corsair)]
SRV - [ DisplayFusionService | DisplayFusionService | Running] - C:\Program Files (x86)\DisplayFusion\DisplayFusionService.exe - [7/8/2013 12:39:22 AM | 1498000 | (Binary Fortress Software)]
SRV - [ ekrn | ESET Service | Running] - C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe - [3/21/2013 3:19:46 PM | 1341664 | (ESET)]
SRV - [ EpsonCustomerParticipation | EpsonCustomerParticipation | Running] - C:\Program Files\EPSON\EpsonCustomerParticipation\EPCP.exe - [5/1/2013 4:00:00 PM | 651328 | (SEIKO EPSON CORPORATION)]
SRV - [ EpsonScanSvc | Epson Scanner Service | Running] - C:\Windows\system32\EscSvc64.exe - [9/8/2013 1:34:11 PM | 144560 | (Seiko Epson Corporation)]
SRV - [ gupdate | Google Update Service (gupdate) | Stopped] - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe - [7/7/2013 10:48:56 PM | 116648 | (Google Inc.)]
SRV - [ gupdatem | Google Update Service (gupdatem) | Stopped] - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe - [7/7/2013 10:48:56 PM | 116648 | (Google Inc.)]
SRV - [ iPod Service | iPod Service | Running] - C:\Program Files\iPod\bin\iPodService.exe - [10/23/2013 5:31:10 PM | 641352 | (Apple Inc.)]
SRV - [ MediaMall Server | MediaMall Server | Running] - C:\Program Files (x86)\MediaMall\MediaMallServer.exe - [5/14/2013 5:26:06 PM | 4038448 | (MediaMall Technologies, Inc.)]
SRV - [ Microsoft SharePoint Workspace Audit Service | Microsoft SharePoint Workspace Audit Service | Stopped] - C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE - [9/20/2012 1:28:48 PM | 30785672 | (Microsoft Corporation)]
SRV - [ osppsvc | Office Software Protection Platform | Running] - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE - [1/9/2010 8:34:24 PM | 4925184 | (Microsoft Corporation)]
SRV - [ Steam Client Service | Steam Client Service | Stopped] - C:\Program Files (x86)\Common Files\Steam\SteamService.exe - [7/7/2013 10:50:05 PM | 565672 | (Valve Corporation)]
SRV - [ SwitchBoard | Adobe SwitchBoard | Stopped] - C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe - [2/19/2010 12:37:14 PM | 517096 | (Adobe Systems Incorporated)]
SRV - [ TeamViewer8 | TeamViewer 8 | Running] - C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe - [7/7/2013 10:50:29 PM | 4150112 | (TeamViewer GmbH)]
SRV - [ WinDefend | Windows Defender Service | Stopped] - C:\Program Files\Windows Defender\MsMpEng.exe - [8/13/2013 8:43:45 PM | 16048 | (Microsoft Corporation)]
 
So, a little summary why you should use this tool/ why it is the best:


  • 32bit and 64bit tool
  • easy and short log
  • easy fixing syntax (it will be developed at the end stage of the product but I have an idea how to manage all these things)
  • Nice and structured design
  • Tool contains a big WhiteList already and I'm also free to expand it!

Unfortunately this is only a 32 bit tool, it can run on a 64 bit machine because 32 bit is compatible on the 64 bit architecture. This program isn't compiled as 64 bit however.

There are some issues with the code that I reflected however. I could help you with optimizing this, specifically instances of classes that encapsulate only functions, where static or Shared (in VB.net) keyword could be used. Redundant ToString() calls, insufficient error handling, etc... I would also recommend that your safelist is read from a text file. This makes it configurable, because that safelist will not always be only those same strings that you have hardcoded into the program within a few years.

Good little tool though. Nice idea :thumbsup2:
 
@AceInfinity)
I know there are some issues with the Code. I'll of course change that to a better code, but it was a short idea to see if I'm able to program something like that. I'll come with an update some time later to show a better Code. If I have a question I'll ask you! :)

@Niemiro)
I'll read your great tutorial later! :)

@Laxer)
Thanks!
 
I removed the Classes.vb and the functions are now in a Module (I think it's better). I also removed now needless ToString() converts.

Unfortunately this is only a 32 bit tool, it can run on a 64 bit machine because 32 bit is compatible on the 64 bit architecture. This program isn't compiled as 64 bit however.
You are right! If you like I can compile it to a 64bit version.

Download:
View attachment MVS_Test.zip

The Code should now be better. I'll hopefully find a way to make the Code better looking.

Only one question left: Why insufficient error handling ?
 
A module is essentially just a class with all static methods in VB.net. Static in VB.net has another name though; Shared. This is much better though if that's what you're doing, it's what I would've recommended instead of regular classes.

I posted about insufficient error handling because you are using Try/Catch statements everywhere! This is definitely not good... Catching exceptions and 'ignoring' them is not a very good idea. Here is a link I'll post for you, this is a good reference for why I say this: Handling and Throwing Exceptions, Best Practices for Handling Exceptions

For instance, instead of using Convert.ToInt32() and catching an exception if the conversion can't be made, avoid the possibility of having an exception thrown by using Integer.TryParse() instead. An application throwing an exception is a downgrade in performance. Catching an exception doesn't mean that the exception doesn't get thrown.

Basic rule of thumb: avoid Try/Catch statements whenever possible. Handle the possibility of an exception being thrown by taking care of what causes that exception to be thrown if possible.
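
AceInfinity's two suggestions in this thread, a safelist read from a text file and `Integer.TryParse()` in place of `Convert.ToInt32()` plus a catch, sketched together as an added example (not code from MVS or from any poster). The file name, the one-full-path-per-line format and the function names are assumptions; where a prior check cannot prevent the exception, as with `Process.MainModule`, only the specific types are caught.

```vb
Imports System
Imports System.Collections.Generic
Imports System.ComponentModel
Imports System.Diagnostics
Imports System.IO

Module SafelistExample

    ' Reads one entry per line; blank lines and lines starting with "#" are skipped.
    ' A missing file yields an empty set, so every process is reported rather than hidden.
    Function LoadSafelist(listPath As String) As HashSet(Of String)
        Dim entries As New HashSet(Of String)(StringComparer.OrdinalIgnoreCase)
        If Not File.Exists(listPath) Then Return entries
        For Each line As String In File.ReadLines(listPath)
            Dim entry As String = line.Trim()
            If entry.Length > 0 AndAlso Not entry.StartsWith("#") Then entries.Add(entry)
        Next
        Return entries
    End Function

    ' Returns the image path for a PID given as text, or Nothing when the text is
    ' not a number, the process is gone, or its main module cannot be read.
    Function TryGetImagePath(pidText As String) As String
        Dim pid As Integer
        If Not Integer.TryParse(pidText, pid) Then Return Nothing   ' bad input, no exception
        Try
            Using proc As Process = Process.GetProcessById(pid)
                Return proc.MainModule.FileName
            End Using
        Catch ex As ArgumentException          ' no process with this PID
            Return Nothing
        Catch ex As InvalidOperationException  ' process exited in between
            Return Nothing
        Catch ex As Win32Exception             ' access denied, or 64-bit target from a 32-bit scanner
            Return Nothing
        End Try
    End Function

    Sub Main()
        ' Constructed sample safelist (assumed format: one full path per line).
        Dim listPath As String = Path.Combine(Path.GetTempPath(), "mvs_safelist_example.txt")
        Dim sample As String() = {"# full paths, one per line", "C:\Windows\System32\svchost.exe", ""}
        File.WriteAllLines(listPath, sample)
        Dim safelist As HashSet(Of String) = LoadSafelist(listPath)

        Dim pids As String() = {Process.GetCurrentProcess().Id.ToString(), "4", "not-a-pid"}
        For Each pidText As String In pids
            Dim image As String = TryGetImagePath(pidText)
            If image Is Nothing Then
                Console.WriteLine("{0}: path unavailable", pidText)
            ElseIf safelist.Contains(image) Then
                Console.WriteLine("{0}: safelisted {1}", pidText, image)
            Else
                Console.WriteLine("{0}: report {1}", pidText, image)
            End If
        Next
    End Sub
End Module
```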
 
Now I had the time to read your tutorial, Niemiro, and it's great! You really helped me a lot.
 
My output :)

Code:
MVS - Machiavelli's Scanner - Version 1.0.0.0
MVS Logfile created on: 01/11/2013 09:23:13 PM Logfile saved under = C:\Users\Stephen\Desktop\MVS.txt
Running from C:\Users\Stephen\Desktop\MVS.exe
SYSTEM => Microsoft Windows 7 Home Premium  64 bit Service Pack 1

=== Processes ===

C:\Windows\System32\svchost.exe [ 4200 ]  (Microsoft Corporation)
C:\Users\Stephen\APPDATA\LOCAL\MICROSOFT\SKYDRIVE\SKYDRIVE.EXE [ 4724 ]  (Microsoft Corporation)
C:\Program Files\Everything\Everything.exe [ 6692 ]  ()
C:\PROGRAM FILES (X86)\CINTANOTES\CINTANOTES.EXE [ 1568 ]  (Cinta Software)
C:\Windows\system32\taskhost.exe [ 2748 ]  (Microsoft Corporation)
C:\Windows\system32\csrss.exe [ 580 ]  (Microsoft Corporation)
C:\PROGRAM FILES (X86)\SKYPE\PHONE\SKYPE.EXE [ 2144 ]  (Skype Technologies S.A.)
C:\Windows\system32\svchost.exe [ 576 ]  (Microsoft Corporation)
C:\Program Files\Dell\QuickSet\quickset.exe [ 3992 ]  (Dell Inc.)
C:\Program Files (x86)\TeamViewer\Version8\TeamViewer.exe [ 3132 ]  (TeamViewer GmbH)
C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe [ 1356 ]  (ESET)
C:\Users\Stephen\AppData\Roaming\Spotify\Data\SpotifyHelper.exe [ 3128 ]  ()
C:\Program Files\ESET\ESET Smart Security\egui.exe [ 4112 ]  (ESET)
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe [ 1544 ]  (NVIDIA Corporation)
C:\Program Files (x86)\TeamViewer\Version8\tv_x64.exe [ 3904 ]  (TeamViewer GmbH)
C:\Windows\system32\wbem\wmiprvse.exe [ 6660 ]  (Microsoft Corporation)
C:\Windows\system32\nvvsvc.exe [ 152 ]  (NVIDIA Corporation)
C:\Windows\system32\csrss.exe [ 748 ]  (Microsoft Corporation)
C:\PROGRAM FILES (X86)\SCREENSHOTCAPTOR\SCREENSHOTCAPTOR.EXE [ 2632 ]  (DonationCoder)
C:\Windows\system32\svchost.exe [ 1728 ]  (Microsoft Corporation)
C:\Windows\system32\taskeng.exe [ 5356 ]  (Microsoft Corporation)
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_9_900_117.exe [ 1528 ]  (Adobe Systems, Inc.)
C:\Program Files (x86)\Aurora\firefox.exe [ 5664 ]  (Mozilla Corporation)
C:\Program Files (x86)\TeamViewer\Version8\tv_w32.exe [ 3888 ]  (TeamViewer GmbH)
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [ 144 ]  (NVIDIA Corporation)
C:\Users\Stephen\AppData\Roaming\Dropbox\bin\Dropbox.exe [ 4340 ]  (Dropbox, Inc.)
C:\Windows\system32\svchost.exe [ 924 ]  (Microsoft Corporation)
C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\FF_Protection.exe [ 2696 ]  ()
C:\Windows\system32\wininit.exe [ 724 ]  (Microsoft Corporation)
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_9_900_117.exe [ 2496 ]  (Adobe Systems, Inc.)
C:\Program Files\Everything\Everything.exe [ 1844 ]  ()
C:\Program Files (x86)\Cobian Backup 11\cbService.exe [ 1416 ]  (Luis Cobian, CobianSoft)
C:\Program Files (x86)\Cobian Backup 11\cbVSCService11.exe [ 1900 ]  (CobianSoft, Luis Cobian)
C:\Program Files (x86)\ShadowExplorer\sesvc.exe [ 2096 ]  (www.shadowexplorer.com)
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe [ 5660 ]  (Intel Corporation)
C:\Windows\System32\spoolsv.exe [ 1700 ]  (Microsoft Corporation)
C:\Windows\system32\conhost.exe [ 5568 ]  (Microsoft Corporation)
C:\Windows\system32\DllHost.exe [ 6224 ]  (Microsoft Corporation)
C:\Program Files (x86)\Monkeymatt\Big Stretch\bigstretch.exe [ 4252 ]  (BigStretch)
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [ 5840 ]  (Apple Inc.)
C:\Windows\system32\svchost.exe [ 1092 ]  (Microsoft Corporation)
C:\Windows\Explorer.EXE [ 2864 ]  (Microsoft Corporation)
C:\Windows\system32\svchost.exe [ 3256 ]  (Microsoft Corporation)
C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe [ 1876 ]  (Andrea Electronics Corporation)
C:\Windows\system32\wbem\wmiprvse.exe [ 3844 ]  (Microsoft Corporation)
C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe [ 2660 ]  (VMware, Inc.)
C:\Windows\System32\svchost.exe [ 2068 ]  (Microsoft Corporation)
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [ 5808 ]  (Adobe Systems Incorporated)
C:\Program Files\Logitech\SetPointP\SetPoint.exe [ 3836 ]  (Logitech, Inc.)
C:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrol.exe [ 4228 ]  (BillP Studios)
C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe [ 2256 ]  (TeamViewer GmbH)
C:\Windows\system32\SearchFilterHost.exe [ 5620 ]  (Microsoft Corporation)
C:\Windows\system32\svchost.exe [ 1068 ]  (Microsoft Corporation)
C:\Users\Stephen\AppData\Roaming\Spotify\Data\SpotifyHelper.exe [ 6932 ]  ()
C:\Windows\System32\alg.exe [ 3228 ]  (Microsoft Corporation)
C:\Program Files\7-Zip\7zFM.exe [ 936 ]  (Igor Pavlov)
C:\Windows\system32\svchost.exe [ 1216 ]  (Microsoft Corporation)
C:\Windows\system32\SearchProtocolHost.exe [ 6180 ]  (Microsoft Corporation)
C:\Users\Stephen\Desktop\MVS.exe [ 6944 ]  ()
C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe [ 4208 ]  (Dominik Reichl)
C:\Users\Stephen\AppData\Roaming\Spotify\Data\SpotifyHelper.exe [ 6368 ]  ()
C:\Program Files\7-Zip\7zFM.exe [ 3768 ]  (Igor Pavlov)
C:\Windows\system32\svchost.exe [ 1444 ]  (Microsoft Corporation)
C:\Windows\system32\DllHost.exe [ 5580 ]  (Microsoft Corporation)
C:\Users\Stephen\APPDATA\LOCAL\FLUXSOFTWARE\FLUX\FLUX.EXE [ 4988 ]  (Flux Software LLC)
C:\Windows\system32\DllHost.exe [ 5816 ]  (Microsoft Corporation)
C:\Windows\SysWOW64\vmnetdhcp.exe [ 2620 ]  (VMware, Inc.)
C:\Program Files\Bonjour\mDNSResponder.exe [ 3604 ]  (Apple Inc.)
C:\Windows\system32\services.exe [ 792 ]  (Microsoft Corporation)
C:\Windows\system32\svchost.exe [ 1040 ]  (Microsoft Corporation)
C:\Windows\system32\cmd.exe [ 5964 ]  (Microsoft Corporation)
C:\Windows\system32\conhost.exe [ 1628 ]  (Microsoft Corporation)
C:\Windows\System32\svchost.exe [ 2020 ]  (Microsoft Corporation)
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [ 4184 ]  (Intel Corporation)
C:\Windows\SysWOW64\svchost.exe [ 4972 ]  (Microsoft Corporation)
C:\Users\Stephen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SynTPEnh.exe [ 4380 ]  (Synaptics Incorporated)
C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe [ 3000 ]  (VMware, Inc.)
C:\Windows\system32\WLANExt.exe [ 1620 ]  (Microsoft Corporation)
C:\Windows\System32\svchost.exe [ 1028 ]  (Microsoft Corporation)
C:\Program Files\Microsoft Office\Office15\MsoSync.exe [ 5952 ]  (Microsoft Corporation)
C:\Users\Stephen\AppData\Roaming\Spotify\Data\SpotifyHelper.exe [ 6340 ]  ()
C:\Windows\system32\svchost.exe [ 2328 ]  (Microsoft Corporation)
C:\Program Files (x86)\Cobian Backup 11\cbInterface.exe [ 4568 ]  (Luis Cobian, CobianSoft)
C:\Windows\SysWOW64\vmnat.exe [ 2400 ]  (VMware, Inc.)
C:\Windows\system32\svchost.exe [ 3580 ]  (Microsoft Corporation)
C:\Users\Stephen\AppData\Roaming\Spotify\Data\SpotifyHelper.exe [ 6332 ]  ()
C:\Windows\system32\nvvsvc.exe [ 1556 ]  (NVIDIA Corporation)
C:\Windows\system32\lsm.exe [ 816 ]  (Microsoft Corporation)
C:\Windows\system32\Dwm.exe [ 2804 ]  (Microsoft Corporation)
C:\Windows\system32\SearchIndexer.exe [ 3652 ]  (Microsoft Corporation)
C:\Windows\System32\svchost.exe [ 812 ]  (Microsoft Corporation)
C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE15\CSISYN~1.EXE [ 5736 ]  (Microsoft Corporation)
C:\Program Files (x86)\Aurora\plugin-container.exe [ 1204 ]  (Mozilla Corporation)
C:\Windows\system32\lsass.exe [ 808 ]  (Microsoft Corporation)
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE [ 1392 ]  (Logitech, Inc.)
C:\Windows\system32\winlogon.exe [ 996 ]  (Microsoft Corporation)
C:\Users\Stephen\AppData\Roaming\Spotify\spotify.exe [ 2768 ]  (Spotify Ltd)
C:\Windows\system32\svchost.exe [ 2176 ]  (Microsoft Corporation)
C:\Windows\system32\smss.exe [ 400 ]  (Microsoft Corporation)


=== Services ===

SRV - [ AdobeFlashPlayerUpdateSvc | Adobe Flash Player Update Service | Stopped] - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe - [13/11/2012 06:51:26 PM | 257416 | (Adobe Systems Incorporated)]
SRV - [ AERTFilters | Andrea RT Filters Service | Running] - C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe - [28/01/2012 02:34:59 PM | 98208 | (Andrea Electronics Corporation)]
SRV - [ AMPPALR3 | Intel® Centrino® Wireless Bluetooth® + High Speed Service | Stopped] - C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe - [01/03/2012 10:35:24 AM | 659976 | (Intel Corporation)]
SRV - [ Apple Mobile Device | Apple Mobile Device | Running] - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe - [21/12/2012 04:27:46 PM | 57008 | (Apple Inc.)]
SRV - [ Bluetooth Device Monitor | Bluetooth Device Monitor | Stopped] - C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe - [24/01/2011 09:33:30 PM | 901184 | (Intel Corporation)]
SRV - [ Bluetooth Media Service | Bluetooth Media Service | Stopped] - C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe - [24/01/2011 09:34:04 PM | 1298496 | (Intel Corporation)]
SRV - [ Bluetooth OBEX Service | Bluetooth OBEX Service | Stopped] - C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe - [24/01/2011 09:34:06 PM | 991296 | (Intel Corporation)]
SRV - [ Bonjour Service | Bonjour Service | Running] - C:\Program Files\Bonjour\mDNSResponder.exe - [31/08/2011 12:05:32 AM | 462184 | (Apple Inc.)]
SRV - [ BTHSSecurityMgr | Intel(R) Centrino(R) Wireless Bluetooth(R) + High Speed Security Service | Stopped] - C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe - [08/03/2012 11:19:40 AM | 135952 | (Intel(R) Corporation)]
SRV - [ cbVSCService11 | Cobian Backup 11 Volume Shadow Copy Requester | Running] - C:\Program Files (x86)\Cobian Backup 11\cbVSCService11.exe - [20/09/2013 05:54:40 PM | 67584 | (CobianSoft, Luis Cobian)]
SRV - [ CLKMSVC10_9EC60124 | CyberLink Product - 2012/01/28 07:38:48 | Stopped] - c:\Program Files (x86)\CyberLink\PowerDVD9\NavFilter\kmsvc.exe - [11/08/2011 07:04:58 PM | 248304 | (CyberLink)]
SRV - [ CobianBackup11 | Cobian Backup 11 Gravity | Running] - C:\Program Files (x86)\Cobian Backup 11\cbService.exe - [20/09/2013 05:54:39 PM | 1131008 | (Luis Cobian, CobianSoft)]
SRV - [ ehRecvr | Windows Media Center Receiver Service | Stopped] - C:\Windows\ehome\ehRecvr.exe - [21/11/2010 03:24:42 AM | 696832 | (Microsoft Corporation)]
SRV - [ ehSched | Windows Media Center Scheduler Service | Stopped] - C:\Windows\ehome\ehsched.exe - [14/07/2009 01:24:23 AM | 127488 | (Microsoft Corporation)]
SRV - [ ekrn | ESET Service | Running] - C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe - [08/07/2013 02:41:14 PM | 1338264 | (ESET)]
SRV - [ Everything | Everything | Running] - C:\Program Files\Everything\Everything.exe - [17/08/2013 05:38:01 PM | 1357824 | ]
SRV - [ EvtEng | Intel(R) PROSet/Wireless Event Log | Stopped] - C:\Program Files\Intel\WiFi\bin\EvtEng.exe - [17/04/2012 07:20:36 PM | 626960 | (Intel(R) Corporation)]
SRV - [ FLEXnet Licensing Service | FLEXnet Licensing Service | Stopped] - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe - [01/08/2013 07:50:54 PM | 1044816 | (Flexera Software, Inc.)]
SRV - [ gupdate | Google Update Service (gupdate) | Stopped] - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe - [02/03/2013 08:30:58 PM | 116648 | (Google Inc.)]
SRV - [ gupdatem | Google Update Service (gupdatem) | Stopped] - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe - [02/03/2013 08:30:58 PM | 116648 | (Google Inc.)]
SRV - [ hpqddsvc | HP CUE DeviceDiscovery Service | Running] - C:\Windows\system32\svchost.exe -k hpdevmgmt => File not found!
SRV - [ HPSLPSVC | HP Network Devices Support | Running] - C:\Windows\system32\svchost.exe -k HPService => File not found!
SRV - [ iPod Service | iPod Service | Stopped] - C:\Program Files\iPod\bin\iPodService.exe - [31/05/2013 11:56:06 AM | 641352 | (Apple Inc.)]
SRV - [ LBTServ | Logitech Bluetooth Service | Stopped] - C:\Program Files\Common Files\LogiShrd\Bluetooth\lbtserv.exe - [08/02/2013 06:30:42 PM | 359664 | (Logitech, Inc.)]
SRV - [ Microsoft SharePoint Workspace Audit Service | Microsoft SharePoint Workspace Audit Service | Stopped] - C:\Program Files\Microsoft Office\Office14\GROOVE.EXE - [08/03/2013 11:13:18 PM | 50921648 | (Microsoft Corporation)]
SRV - [ MozillaMaintenance | Mozilla Maintenance Service | Stopped] - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe - [28/04/2012 05:58:36 PM | 119408 | (Mozilla Foundation)]
SRV - [ MyWiFiDHCPDNS | Wireless PAN DHCP Server | Stopped] - C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe - [17/04/2012 07:20:42 PM | 273168 | ]
SRV - [ NVSvc | NVIDIA Display Driver Service | Running] - C:\Windows\system32\nvvsvc.exe - [22/04/2011 03:35:40 AM | 889664 | (NVIDIA Corporation)]
SRV - [ nvUpdatusService | NVIDIA Update Service Daemon | Stopped] - C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe - [03/03/2012 06:30:52 PM | 2348352 | (NVIDIA Corporation)]
SRV - [ ogmservice | Online Games Manager | Stopped] - C:\Program Files (x86)\Online Games Manager\ogmservice.exe - [08/08/2013 03:18:38 PM | 559552 | (RealNetworks, Inc.)]
SRV - [ ose64 | Office 64 Source Engine | Stopped] - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE - [01/10/2012 08:34:38 PM | 178824 | (Microsoft Corporation)]
SRV - [ osppsvc | Office Software Protection Platform | Stopped] - C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE - [01/10/2012 08:34:38 PM | 5132888 | (Microsoft Corporation)]
SRV - [ RapiMgr | Windows Mobile-based device connectivity | Stopped] - C:\Windows\system32\svchost.exe -k WindowsMobile => File not found!
SRV - [ ReflectService.exe | Macrium Reflect Image Mounting Service | Stopped] - C:\Program Files\Macrium\Reflect\ReflectService.exe - [31/01/2013 02:17:17 PM | 302200 | ]
SRV - [ RegSrvc | Intel(R) PROSet/Wireless Registry Service | Stopped] - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe - [17/04/2012 07:20:32 PM | 148752 | (Intel(R) Corporation)]
SRV - [ RichVideo | Cyberlink RichVideo Service(CRVS) | Stopped] - C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe - [18/02/2012 02:12:56 PM | 247152 | ]
SRV - [ sesvc | ShadowExplorer Service | Running] - C:\Program Files (x86)\ShadowExplorer\sesvc.exe - [25/10/2013 02:21:37 PM | 9216 | (www.shadowexplorer.com)]
SRV - [ SftService | SoftThinks Agent Service | Stopped] - C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE - [28/01/2012 01:30:28 PM | 1692480 | (SoftThinks SAS)]
SRV - [ SkypeUpdate | Skype Updater | Stopped] - C:\Program Files (x86)\Skype\Updater\Updater.exe - [05/09/2013 10:34:30 AM | 171680 | (Skype Technologies)]
SRV - [ Stereo Service | NVIDIA Stereoscopic 3D Driver Service | Running] - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe - [09/02/2012 08:05:32 PM | 382272 | (NVIDIA Corporation)]
SRV - [ SwitchBoard | SwitchBoard | Stopped] - C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe - [19/02/2010 01:37:14 PM | 517096 | (Adobe Systems Incorporated)]
SRV - [ TeamViewer8 | TeamViewer 8 | Running] - C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe - [22/12/2012 08:43:56 PM | 5087584 | (TeamViewer GmbH)]
SRV - [ TurboBoost | Intel(R) Turbo Boost Technology Monitor 2.0 | Stopped] - C:\Program Files\Intel\TurboBoost\TurboBoost.exe - [29/11/2010 09:00:56 PM | 149504 | (Intel(R) Corporation)]
SRV - [ UNS | Intel(R) Management and Security Application User Notification Service | Running] - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe - [28/01/2012 01:13:57 PM | 2656280 | (Intel Corporation)]
SRV - [ VMAuthdService | VMware Authorization Service | Running] - C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe - [27/08/2013 11:50:10 AM | 86096 | (VMware, Inc.)]
SRV - [ VMnetDHCP | VMware DHCP Service | Running] - C:\Windows\system32\vmnetdhcp.exe => File not found!
SRV - [ VMUSBArbService | VMware USB Arbitration Service | Running] - C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe - [26/08/2013 11:33:42 PM | 904248 | (VMware, Inc.)]
SRV - [ VMware NAT Service | VMware NAT Service | Running] - C:\Windows\system32\vmnat.exe => File not found!
SRV - [ WcesComm | Windows Mobile-2003-based device connectivity | Stopped] - C:\Windows\system32\svchost.exe -k WindowsMobile => File not found!
SRV - [ WinDefend | Windows Defender | Stopped] - C:\Windows\System32\svchost.exe -k secsvcs => File not found!
SRV - [ WMZuneComm | Zune Windows Mobile Connectivity Service | Stopped] - C:\Program Files\Zune\WMZuneComm.exe - [05/08/2011 12:53:12 PM | 306400 | (Microsoft Corporation)]
SRV - [ ZeroConfigService | Intel(R) PROSet/Wireless Zero Configuration Service | Stopped] - C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe - [17/04/2012 07:20:50 PM | 2671376 | (Intel® Corporation)]
SRV - [ ZuneNetworkSvc | Zune Network Sharing Service | Stopped] - C:\Program Files\Zune\ZuneNss.exe - [05/08/2011 12:53:06 PM | 8277728 | (Microsoft Corporation)]
SRV - [ ZuneWlanCfgSvc | Zune Wireless Configuration Service | Stopped] - C:\Program Files\Zune\ZuneWlanCfgSvc.exe - [05/08/2011 12:53:12 PM | 467680 | (Microsoft Corporation)]
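
Several `File not found!` entries in the log above are service command lines that still carry arguments (`svchost.exe -k ...`), and the thread notes that the tool runs as a 32-bit process. An added example, not MVS code, that strips the arguments from a service command line and checks `System32` paths through the `Sysnative` alias; the module and function names and the sample strings are assumptions.

```vb
Imports System
Imports System.IO

Module ServicePathExample

    Private Const NtPrefix As String = "\??\"
    Private Const SystemRootPrefix As String = "\SystemRoot\"

    ' In a 32-bit process on 64-bit Windows, System32 is redirected to SysWOW64.
    ' The Sysnative alias lets such a process reach the real 64-bit directory.
    Function ToNativeView(filePath As String) As String
        If Not Environment.Is64BitOperatingSystem OrElse Environment.Is64BitProcess Then Return filePath
        Dim winDir As String = Environment.GetFolderPath(Environment.SpecialFolder.Windows)
        Dim system32 As String = Path.Combine(winDir, "System32") & "\"
        If Not filePath.StartsWith(system32, StringComparison.OrdinalIgnoreCase) Then Return filePath
        Return Path.Combine(winDir, "Sysnative", filePath.Substring(system32.Length))
    End Function

    ' Returns the executable part of a service command line, without arguments.
    Function ExtractExecutable(commandLine As String) As String
        If String.IsNullOrWhiteSpace(commandLine) Then Return String.Empty
        Dim cmd As String = Environment.ExpandEnvironmentVariables(commandLine.Trim())

        ' Quoted form: "C:\Program Files\App\svc.exe" /arg
        If cmd.StartsWith("""", StringComparison.Ordinal) Then
            Dim closing As Integer = cmd.IndexOf(""""c, 1)
            Return If(closing > 1, cmd.Substring(1, closing - 1), cmd.Trim(""""c))
        End If

        ' Native prefixes that File.Exists does not understand.
        If cmd.StartsWith(NtPrefix, StringComparison.Ordinal) Then cmd = cmd.Substring(NtPrefix.Length)
        If cmd.StartsWith(SystemRootPrefix, StringComparison.OrdinalIgnoreCase) Then
            cmd = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.Windows),
                               cmd.Substring(SystemRootPrefix.Length))
        End If

        ' Unquoted form: try each space as the end of the path, shortest first,
        ' so "C:\Program Files (x86)\X\y.exe -k z" resolves to y.exe.
        Dim pos As Integer = cmd.IndexOf(" "c)
        While pos >= 0
            Dim candidate As String = cmd.Substring(0, pos)
            If File.Exists(ToNativeView(candidate)) Then Return candidate
            pos = cmd.IndexOf(" "c, pos + 1)
        End While
        Return cmd
    End Function

    Sub Main()
        ' Constructed samples; the first has the shape of the svchost entries in the log.
        Dim samples As String() = {
            "C:\Windows\system32\svchost.exe -k hpdevmgmt",
            """C:\Program Files\Zune\ZuneNss.exe"" /service",
            "\SystemRoot\System32\spoolsv.exe",
            "%SystemRoot%\system32\svchost.exe -k secsvcs"}
        For Each sample As String In samples
            Dim exe As String = ExtractExecutable(sample)
            Dim state As String = If(File.Exists(ToNativeView(exe)), "present", "File not found!")
            Console.WriteLine("{0} => {1} ({2})", sample, exe, state)
        Next
    End Sub
End Module
```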
 
