Guest Dave Onex
Posted September 13, 2008

Hi Folks;

I'm troubleshooting a problem with my laptop's hard drive not going to sleep after 5 minutes. To that end I broke out Process Monitor to take a look at what is accessing the hard drive.

What I'm finding is repeated attempts to CreateFile;

C:\Documents and Settings\All Users\Application Data\Microsoft\Provisioning\store.xml

that results in a NAME NOT FOUND error or NAME COLLISION. I actually created a store.xml file in that directory thinking that would make it go away - it hasn't.

Does anyone know why svchost.exe is continually trying to create a file called store.xml and how can I stop it?

Thanks!
Dave
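Added example, not part of the original thread: one way to quantify the pattern described in the post above is to save the Process Monitor capture as CSV and list every process/path pair that is touched more often than the 5-minute idle timeout. The column names are Process Monitor's default CSV export columns; the sample rows (PID 1084, the timestamps, the explorer.exe and registry rows) are constructed for illustration.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta

IDLE_TIMEOUT = timedelta(minutes=5)  # spin-down timeout mentioned in the post

STORE = r"C:\Documents and Settings\All Users\Application Data\Microsoft\Provisioning\store.xml"

# Constructed sample in the shape of a Process Monitor CSV export.
SAMPLE_CSV = rf'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:00.1000000 AM","svchost.exe","1084","CreateFile","{STORE}","NAME NOT FOUND",""
"10:00:05.0000000 AM","explorer.exe","1600","CreateFile","C:\WINDOWS\system32\shell32.dll","SUCCESS",""
"10:02:00.1000000 AM","svchost.exe","1084","CreateFile","{STORE}","NAME NOT FOUND",""
"10:03:00.0000000 AM","svchost.exe","1084","RegOpenKey","HKLM\SOFTWARE\Microsoft","SUCCESS",""
"10:04:00.1000000 AM","svchost.exe","1084","CreateFile","{STORE}","NAME COLLISION",""
"10:06:00.1000000 AM","svchost.exe","1084","CreateFile","{STORE}","NAME NOT FOUND",""
"10:08:00.1000000 AM","svchost.exe","1084","CreateFile","{STORE}","NAME NOT FOUND",""
"10:09:00.0000000 AM","explorer.exe","1600","CreateFile","C:\WINDOWS\system32\shell32.dll","SUCCESS",""
"10:10:00.1000000 AM","svchost.exe","1084","CreateFile","{STORE}","NAME NOT FOUND",""
'''


def parse_time(text):
    """Parse a 'Time of Day' value such as '10:00:00.1000000 AM'.

    The export carries seven fractional digits; datetime keeps six, so the
    fraction is truncated. Only the time of day is present, so the capture
    is assumed not to cross midnight.
    """
    clock, ampm = text.split()
    hms, _, frac = clock.partition(".")
    stamp = datetime.strptime(f"{hms} {ampm}", "%I:%M:%S %p")
    return stamp + timedelta(microseconds=int((frac + "000000")[:6]))


def find_idle_blockers(csv_text, idle_timeout=IDLE_TIMEOUT):
    """Return process/path pairs that are never left alone for a full timeout."""
    events = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = row["Path"]
        if path[1:3] != ":\\":  # keep drive-letter paths, skip registry rows
            continue
        key = (row["Process Name"], row["PID"], path)
        events[key].append((parse_time(row["Time of Day"]), row["Result"]))

    blockers = []
    for (process, pid, path), hits in events.items():
        hits.sort()
        times = [stamp for stamp, _ in hits]
        span = times[-1] - times[0]
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        # Judge a path only when the capture covers at least one full timeout,
        # and report it only if no quiet gap ever reached the timeout.
        if span < idle_timeout or max(gaps) >= idle_timeout:
            continue
        blockers.append({
            "process": process,
            "pid": pid,
            "path": path,
            "count": len(hits),
            "results": dict(Counter(result for _, result in hits)),
            "max_gap": max(gaps),
        })
    return sorted(blockers, key=lambda entry: -entry["count"])


if __name__ == "__main__":
    for entry in find_idle_blockers(SAMPLE_CSV):
        print(entry["process"], entry["pid"], entry["count"],
              entry["max_gap"], entry["results"], entry["path"])
```

The PID reported for svchost.exe can then be matched to the services hosted in that instance with `tasklist /svc`.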
Guest nass
Posted September 13, 2008

RE: svchost.exe & store.xml - Laptop Hard Drive

You can use Filemon to track down the cause of this. Note it can be a program that needs to access the internet to update or refresh its contacts, like Messenger or an AV.

FileMon for Windows v7.04
http://technet.microsoft.com/en-us/sysinternals/bb896642.aspx

Background about the Provisioning service:
Wireless Network Provisioning
http://msdn.microsoft.com/en-us/library/ms806463.aspx

You can stop this service from the services control panel and see if that will help to stop this activity.

HTH,
nass
---
http://www.nasstec.co.uk
Guest Dave Onex
Posted September 13, 2008

Re: svchost.exe & store.xml - Laptop Hard Drive

Hi Nass;

Thanks for the reply - after much searching I could find zero information on this issue although several have reported it.

I am using Process Monitor to see what's accessing the disk - that's how I found out about

C:\Documents and Settings\All Users\Application Data\Microsoft\Provisioning\store.xml

What I didn't know is what it was related to and thanks to your help I do :-)

I've checked the Network Provisioning Service in XP (Pro) and it was not running. I've since disabled it but I'm still seeing something (it?) trying to access/write to

C:\Documents and Settings\All Users\Application Data\Microsoft\Provisioning\store.xml

I'm sure we're on the right track and this is the only thing left that Process Monitor shows is accessing the disk so it's just a matter of shutting the darn thing down.

Any other ideas?

Thanks!
Dave
Guest PA Bear [MS MVP]
Posted September 14, 2008

Re: svchost.exe & store.xml - Laptop Hard Drive

Always state your full Windows version (e.g., WinXP SP3) when posting to this newsgroup, please.

What anti-virus application or security suite is installed? What anti-spyware applications (other than Defender)? What third-party firewall (if any)?
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.net/
Guest Dave Onex
Posted September 14, 2008

Re: svchost.exe & store.xml - Laptop Hard Drive

Hi Robear;

It's XP Pro SP#3 with all updates. There are no anti-virus applications installed.

I've been using Process Monitor to show each (and all) applications that are accessing the drive in real-time. The only thing left is the Wireless Network Provisioning service (that's been disabled) trying to access

C:\Documents and Settings\All Users\Application\Data\Microsoft\Provisioning\store.xml

As far as we can see it shouldn't be doing that given that the service is disabled. I've confirmed it in another fashion - by turning off the WiFi card it stops trying to write/create/access that file.

Thanks;
Dave
Guest nass
Posted September 14, 2008

Re: svchost.exe & store.xml - Laptop Hard Drive

Running without AV not a good idea or a Firewall!

Go through these Cleaning steps:

1... First, try to clean up your caches, Internet files and delete cookies by doing this:
Click Start >> Control Panel >> Double click Network and Internet Connections >> Double click Internet Options.
On the IE properties windows you will see these Tabs:
General | Security | Privacy | Content | Connections | Programs | Advanced
Under General Tab clear your History, Internet Files and Cookies.
Then click on Advanced tab and scroll down to under the Browsing Option:
[&] Browsing
[ ] Enable Third-Party browser extensions (Req Rest) uncheck this box.
Then click on Programs Tab and click Manage Add-Ons and Disable all non Verified Add-Ons (You should Re-enable them later one-by-one and see the culprit and update it or remove it).

How to manage Add-Ons:
http://support.microsoft.com/kb/883256

Scan for malware from here:
SuperAntispyware - Free
http://www.superantispyware.com/superantispywarefreevspro.html
http://www.malwarebytes.org/rr-update/rr-free-setup.exe
http://onecare.live.com/site/en-gb/default.htm?s_cid=sah
http://onecare.live.com/standard/en-gb/default.htm

Run a scan from here on-line:
http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

Download Avast Cleaner (offline scanner) from here:
http://www.avast.com/eng/avast-virus-cleaner.html

Comodo BOClean : Anti-Malware Version 4.27
http://www.comodo.com/boclean/boclean.html

Run disk cleanup and also this tool:
http://www.ccleaner.com/download/builds/downloading-slim

Download Hijackthis and send me the log.
(http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php)
Send me copy to my address is : to_you_ross(at remove this and replace with the obvious)yahoo.co.uk
( _ is underscore)

HTH
nass
--
http://www.nasstec.co.uk
Guest Dave Onex
Posted September 14, 2008

Re: svchost.exe & store.xml - Laptop Hard Drive

Hi guys;

I don't know how we got sidetracked into this whole spyware/firewall issue when the issue has been that the hard drive fails to power down due to writes to C:\Documents and Settings\All Users\Application\Data\Microsoft\Provisioning\store.xml by the wireless provisioning service.

=>That's the issue - not a malware infection. <=

If you must know the system runs behind ISA 2004 and the notebook does have its native firewall enabled as well. It's not infected - period.

We've been sidetracked by Pa Bear so let's come back to the original issue at hand:

Why is ProcMon reporting access to C:\Documents and Settings\All Users\Application\Data\Microsoft\Provisioning\store.xml by the wireless provisioning service when the service is disabled?

If you'll read my previous post this activity stops if I remove the wireless card. So, again,

Why is ProcMon reporting access to C:\Documents and Settings\All Users\Application\Data\Microsoft\Provisioning\store.xml by the wireless provisioning service when the service is disabled?

And more importantly, how can I stop this behavior?

Thanks;
Dave

BTW, I have a really great spyware/virus section (http://www.asksomeone.net/forums/index.php?showforum=20) here. There's a lot of great reference material there :-)
Guest PA Bear [MS MVP]
Posted September 14, 2008

Re: svchost.exe & store.xml - Laptop Hard Drive

Dave Onex wrote:
>>> I'm troubleshooting a problem with my laptop's hard drive not going to
>>> sleep after 5 minutes. To that end I broke out Process Monitor to take
>>> a look at what is accessing the hard drive.
>>>
>>> What I'm finding is repeated attempts to CreateFile;
>>>
>>> C:\Documents and Settings\All Users\Application Data\Microsoft\Provisioning\store.xml
>>>
>>> that results in a NAME NOT FOUND error or NAME COLLISION. I actually
>>> created a store.xml file in that directory thinking that would make it
>>> go away - it hasn't.
>>>
>>> Does anyone know why svchost.exe is continually trying to create a file
>>> called store.xml and how can I stop it?
>>
>> Always state your full Windows version (e.g., WinXP SP3) when posting to
>> this newsgroup, please.
>>
>> What anti-virus application or security suite is installed? What
>> anti-spyware applications (other than Defender)? What third-party
>> firewall (if any)?
>
> Hi Robear;
>
> It's XP Pro SP#3 with all updates. There are no anti-virus applications
> installed...
<snip>

That's enough. Time to wipe 'n reload: http://www.dslreports.com/faq/10063

Protect Your PC!
http://www.microsoft.com/athome/security/computer/default.mspx
--
~PA Bear
Guest The Real Truth MVP
Posted September 14, 2008

Re: svchost.exe & store.xml - Laptop Hard Drive

Viruses and Spyware can cause that, it is the way they work and considering you have none installed you are probably infected. How do you know you are not infected without protection software to tell you that you are?

--
Ignore any posts made by the Stalker Leythos, he's still in love with me. He started stalking me after I spurned his advances towards me. He said he would stop Stalking me If I stopped mentioning his name. As you can see that does not work. He is a sick obsessive STALKER.
Guest Dave Onex
Posted September 14, 2008

Re: svchost.exe & store.xml - Laptop Hard Drive

You've got to be kidding me - you're a Microsoft MVP? Your recommendation is a format? Do you even know what Process Monitor is or does?

I sure hope you don't 'help' too many others with advice like that. I've got a squeaky clean laptop with only one process that's writing to the drive and keeping it from entering sleep mode and your advice is to format it? I guess you don't understand the value in that.

It's unfortunate that you've hijacked a solution that was right on track with Nass and turned it (and Nass) in completely the wrong direction - and then recommend a format? I really wish you hadn't jumped into this thread at all.

Now that you have, please check out the BTW, at the bottom of this post - that's MY site and it will help you to actually help others remove infections - without formatting the hard drive.

Now, hopefully, you'll go away so that I can come back to the actual issue with nass...

If nass is still out there and has any valuable input (as he did at the start);

Hi guys;

I don't know how we got sidetracked into this whole spyware/firewall issue when the issue has been that the hard drive fails to power down due to writes to C:\Documents and Settings\All Users\Application\Data\Microsoft\Provisioning\store.xml by the wireless provisioning service.

=>That's the issue - not a malware infection. <=

If you must know the system runs behind ISA 2004 and the notebook does have its native firewall enabled as well. It's not infected - period.

We've been sidetracked by Pa Bear so let's come back to the original issue at hand:

Why is ProcMon reporting access to C:\Documents and Settings\All Users\Application\Data\Microsoft\Provisioning\store.xml by the wireless provisioning service when the service is disabled?

If you'll read my previous post this activity stops if I remove the wireless card. So, again,

Why is ProcMon reporting access to C:\Documents and Settings\All Users\Application\Data\Microsoft\Provisioning\store.xml by the wireless provisioning service when the service is disabled?

And more importantly, how can I stop this behavior?

Thanks;
Dave

BTW, I have a really great spyware/virus section (http://www.asksomeone.net/forums/index.php?showforum=20) here. There's a lot of great reference material there :-)
Guest PA Bear [MS MVP]
Posted September 14, 2008

Re: svchost.exe & store.xml - Laptop Hard Drive

Dave Onex wrote:
<snip>
>>> It's XP Pro SP#3 with all updates. There are no anti-virus applications
>>> installed...
>> <snip>
>>
>> That's enough. Time to wipe 'n reload:
>> http://www.dslreports.com/faq/10063
>>
>> Protect Your PC!
>> http://www.microsoft.com/athome/security/computer/default.mspx
>> --
>> ~PA Bear
>>
> You've got to be kidding me - you're a Microsoft MVP? Your recommendation
> is a format? Do you even know what Process Monitor is or does?...

Did you even bother to read http://www.dslreports.com/faq/10063?

I'm certainly familiar with Process Monitor and many other utilities that no one's yet mentioned in this thread.

If you've been running without a functional and fully-updated anti-virus application, God only knows how the machine may be compromised. You certainly cannot trust the security of this machine IMHO.

Doing a wipe & reload's gonna take you much less time than trying to detect the cause of this behavior and address it.

Feel free to ignore my posts.
Guest Dave Onex
Posted September 14, 2008

Re: svchost.exe & store.xml - Laptop Hard Drive

I can tell you right now what I'm going to find with a wipe and reload - the exact same thing. While each of these protected machines is backed up daily to tape library - I'm certainly not willing to take what will amount to a day long detour to come back to the exact same issue.

I realize that most users are unaware of what's going on with their computers and as indicated by the several thousand people that have had their malware removed on my own personal site (hint hint) - without a format.

We have several servers, none of which are protected by anti-virus/spyware and all have been running for +4 years that way. We have an enterprise firewall installed (ISA 2004) and the few users we have are all well versed in malware and well able to remove any infections that they might have - all on their own accord.

Security is not something I take lightly, our VPN is a L2TP VPN and we run our own Certificate server. We also run our own Windows Update Servers and I could go on in depth for many hours about our network design, the levels of security behind it, etc - but the fact of the matter is that I've now taken a several hour long detour into an irrelevant area when the very first reply to this thread was going directly to the heart of the problem...

If you want to gage my level of knowledge then spend a few hours on my site. The reason I came here is in the hopes to meet up with someone (like nass) who immediately pointed me in the right direction. I doubt I would ever have determined that the issue is related to the Wireless Network Provisioning service without his input.

Unfortunately, this thread got quickly hijacked into the wrong direction and the fact that I'm spending an inordinate amount of time explaining my network's security design is just further proof of that.

Please, I would ask that if anyone has more information that relates directly to the issue of my laptop's hard drive not going to sleep because of repeated access by the Wireless Network Provisioning service (that's been disabled) trying to access

C:\Documents and Settings\All Users\Application\Data\Microsoft\Provisioning\store.xml

I would greatly appreciate it.

Best & Thanks;
Dave
Guest nass
Posted September 14, 2008

Re: svchost.exe & store.xml - Laptop Hard Drive

"Dave Onex" wrote:
>
> "nass" <nass@discussions.microsoft.com> wrote in message
> news:240F9B64-82AF-404E-960F-539615715768@microsoft.com...
> >
> > "Dave Onex" wrote:
> >
> > >
> > > "PA Bear [MS MVP]" <PABearMVP@gmail.com> wrote in message
> > > news:O7ySBXgFJHA.3392@TK2MSFTNGP06.phx.gbl...
> > > > Always state your full Windows version (e.g., WinXP SP3) when posting to
> > > > this newsgroup, please.
> > > >
> > > > What anti-virus application or security suite is installed? What
> > > > anti-spyware applications (other than Defender)? What third-party firewall
> > > > (if any)?
> > > > --
> > > > ~Robear Dyer (PA Bear)
> > > > MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
> > > > AumHa VSOP & Admin http://aumha.net
> > > > DTS-L http://dts-l.net/
> > > >
> > > >
> > > > Dave Onex wrote:
> > > > > I'm troubleshooting a problem with my laptop's hard drive not going to
> > > > > sleep after 5 minutes. To that end I broke out Process Monitor to take a
> > > > > look at what is accessing the hard drive.
> > > > >
> > > > > What I'm finding is repeated attempts to CreateFile;
> > > > >
> > > > > C:\Documents and Settings\All Users\Application
> > > > > Data\Microsoft\Provisioning\store.xml
> > > > >
> > > > > that results in a NAME NOT FOUND error or NAME COLLISION. I actually
> > > > > created a store.xml file in that directory thinking that would make it go
> > > > > away - it hasn't.
> > > > >
> > > > > Does anyone know why svchost.exe is continually trying to create a file
> > > > > called store.xml and how can I stop it?
> > > >
> > >
> > > Hi Robear;
> > >
> > > It's XP Pro SP#3 with all updates. There are no anti-virus applications
> > > installed.
> > >
> > > I've been using Process Monitor to show each (and all) applications that are
> > > accessing the drive in real-time. The only thing left is the Wireless
> > > Network Provisioning service (that's been disabled) trying to access
> > > C:\Documents and Settings\All Users\Application\Data\Microsoft\Provisioning\store.xml
> > >
> > > As far as we can see it shouldn't be doing that given that the service is
> > > disabled. I've confirmed it in another fashion - by turning off the WiFi
> > > card it stops trying to write/create/access that file.
> > >
> > > Thanks;
> > > Dave
>
> Hi guys;
>
> I don't know how we got sidetracked into this whole spyware/firewall issue
> when the issue has been that the hard drive fails to power down due to
> writes to
> C:\Documents and Settings\All Users\Application\Data\Microsoft\Provisioning\store.xml
> by the wireless provisioning service.
>
> =>That's the issue - not a malware infection. <=
>
> If you must know the system runs behind ISA 2004 and the notebook does have
> its native firewall enabled as well. It's not infected - period.
> We've been sidetracked by Pa Bear so let's come back to the original issue
> at hand:
>
> Why is ProcMon reporting access to
> C:\Documents and Settings\All Users\Application\Data\Microsoft\Provisioning\store.xml
> by the wireless provisioning service when the service is disabled?
>
> If you'll read my previous post this activity stops if I remove the wireless
> card. So, again,
>
> Why is ProcMon reporting access to
> C:\Documents and Settings\All Users\Application\Data\Microsoft\Provisioning\store.xml
> by the wireless provisioning service when the service is disabled?
> And more importantly, how can I stop this behavior?
>
> Thanks;
> Dave
>
> BTW, I have a really great spyware/virus section
> (http://www.asksomeone.net/forums/index.php?showforum=20) here. There's a
> lot of great reference material there :-)

Do you know the ISA has the feature to connect to WPS and update the Xml file and also the DHCP?
The store.xml checks for a new domain or updates the data with the ISA and DHCP server; this is why you are getting the activities.

Also if you have the roaming profile on this machine enabled and the Bluetooth connection and previously connected to a hotspot wifi station?

Try to disable it in the registry in:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services =
And also in the policies:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Policy

Name the new value EnableWPSCompatibility and set the data value to 1 to enable it. You can disable it by setting the value to 0.

Rename the Store.xml to Store.xml .old and reboot your machine and see if the ProcMon will show activities for the WNP service.

Make sure you are logged in as admin to perform these steps and disable the service.
BTW, is the service still disabled in the Services control panel or enabled back again?

Let us know your wireless make/model and the laptop model and what wireless management utility you are using, is it the W Card or the Windows WZC, in your next post if the above didn't help.
Guest Leythos
Posted September 15, 2008

Re: svchost.exe & store.xml - Laptop Hard Drive

In article <Amezk.256$W06.65@flpi148.ffdc.sbc.com>, toidi@tpap.com says...
> Ignore any posts made by the Stalker Leythos, he's still in love with me.
> He started stalking me after I spurned his advances towards me.
> He said he would stop Stalking me If I stopped mentioning his name.
> As you can see that does not work. He is a sick obsessive STALKER.
>

Stalking, even in usenet is a crime, there are enough pages from your filthy site to prove you're stalking me in your posts, I have them documented and certified authentic - it's your call now Stalker.

--
Leythos - spam999free@rrohio.com (remove 999 to email me)
Public Service Warning: Learn about PCButts before you trust:
http://www.velocityreviews.com/forums/t513604-author-of-removeit.html
http://www.google.com/search?hl=en&q=pcbutts1+thief
Guest Dave Onex
Posted September 17, 2008

Re: svchost.exe & store.xml - Laptop Hard Drive

Edited in-line...

> Do you know the ISA has the feature to connect to WPS and update the
> Xml file and also the DHCP?
> The store.xml checks for a new domain or updates the data with the ISA and
> DHCP server; this is why you are getting the activities.

I think you might be confusing IAS (Internet Authentication Service) with ISA (Internet and Security Accelerator). I'm not using IAS or Radius for authentication.

> Also if you have the roaming profile on this machine enabled and the
> Bluetooth connection and previously connected to a hotspot wifi station?
> Try to disable it in the registry in:
> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services =
> And also in the policies:
> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Policy
>
> Name the new value EnableWPSCompatibility and set the data value to 1 to
> enable it. You can disable it by setting the value to 0.
> Rename the Store.xml to Store.xml .old and reboot your machine and see if
> the ProcMon will show activities for the WNP service.

This machine is using a local profile - I believe the other settings relate to IAS (which we're not using).

> Make sure you are logged in as admin to perform these steps and disable the
> service.
> BTW, is the service still disabled in the Services control panel or
> enabled back again?

Yes, even with the service disabled there is still activity to that file. Upon closer examination though I'm not seeing disk activity (the HDD light) when that file is accessed. After watching the laptop for some time it seems to be powering down the drive now :-)

I think it may be fixed and that the access to that file is not actually accessing the disk (even though Procmon shows that it is).

> Let us know your wireless make/model and the laptop model and what
> wireless management utility you are using, is it the W Card or the Windows
> WZC, in your next post if the above didn't help.
>

For future reference it's a Presario 900 with a LinkSys WPC54GX4 PCMCIA wifi card. Only the driver is loaded for the card (no other software) and I'm using WZC.

I think the issue might be fixed. Even though Procmon still shows regular access (about once each minute) to C:\Documents and Settings\All Users\Application Data\Microsoft\Provisioning\store.xml it might be accessing cached data as opposed to operating the drive.

Either way, the laptop is powering down the hard drive so I think we're all set :-)

Thanks very much for your help with this Nass!

Best;
Dave
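
The access pattern described in this thread (one svchost.exe instance touching store.xml about once a minute), measured from a Process Monitor CSV export. This is an added example, not code from any poster; the sample rows, the PIDs and the function names are constructed, and it assumes Process Monitor's default CSV columns with a 12-hour "Time of Day" value.

```python
import csv
import io
from collections import Counter, defaultdict
from statistics import median

# Constructed sample rows in Process Monitor's default CSV column layout.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:15:01.1000000 AM","svchost.exe","1044","CreateFile","C:\Documents and Settings\All Users\Application Data\Microsoft\Provisioning\store.xml","NAME NOT FOUND",""
"10:15:20.5000000 AM","explorer.exe","1620","QueryOpen","C:\WINDOWS\system32\shell32.dll","SUCCESS",""
"10:16:01.2000000 AM","svchost.exe","1044","CreateFile","C:\Documents and Settings\All Users\Application Data\Microsoft\Provisioning\store.xml","NAME NOT FOUND",""
"10:17:01.1000000 AM","svchost.exe","1044","CreateFile","C:\Documents and Settings\All Users\Application Data\Microsoft\Provisioning\store.xml","NAME COLLISION",""
'''


def parse_time(text):
    """Convert '10:15:01.1000000 AM' to seconds since midnight."""
    clock, ampm = text.split()
    hours, minutes, seconds = clock.split(":")
    hour = int(hours) % 12 + (12 if ampm.upper() == "PM" else 0)
    return hour * 3600 + int(minutes) * 60 + float(seconds)


def summarize_access(csv_text, path_suffix):
    """Per (process, PID): event count, result codes and median gap for one path."""
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Path"].lower().endswith(path_suffix.lower()):
            hits[(row["Process Name"], row["PID"])].append(row)
    report = {}
    for key, rows in hits.items():
        times = sorted(parse_time(r["Time of Day"]) for r in rows)
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        report[key] = {
            "events": len(rows),
            "results": dict(Counter(r["Result"] for r in rows)),
            "median_gap_s": round(median(gaps), 1) if gaps else None,
        }
    return report


if __name__ == "__main__":
    for (name, pid), info in summarize_access(SAMPLE_CSV, r"\Provisioning\store.xml").items():
        print(name, pid, info)
```

For a real export, read the file with encoding="utf-8-sig" so that a byte-order mark, if present, is dropped from the first column name. Because svchost.exe hosts several services, `tasklist /svc /fi "PID eq <pid>"` shows which services run inside the instance the report points at.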