buttoni

Multiple Instances of Explorer in Task Manager


Because of a recent crash, reformat and clean install of Windows XP, I, as the person that manages SW on this system, have been bouncing back and forth between user accounts, being sure all browser and other software is configured optimally for security. I log off each time I change accounts (don't use Windows Fast User Switching). Yesterday I happened to open Task Manager and saw 3-4 instances of explorer.exe! TM showed the various user account names in the center column. This has never happened before to my knowledge, as I used to have the free version of SAS and now have SAS Pro with the First Chance feature. So I then set about checking each user account's SAS GUI, turned off the "Scan at Shutdown" feature, and the multiple explorer.exe's in Task Manager problem hasn't recurred.

I don't know if this has been reported here before, but thought I'd better point it out in case this is an issue that requires further action on my part or your developer team. At least on my PC (specs in my signature), SAS Pro appears not to be cleanly making log-off transitions from user account to user account, with regard to Windows' handling of explorer.exe, if the Scan at Shutdown feature of First Chance is turned on when there are multiple WinXP user accounts.

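The symptom described in this post (one explorer.exe per user who has logged on and then off) is easy to confirm from a process listing rather than by eyeballing Task Manager. The following is an added example, not code from the thread or from the SUPERAntiSpyware project: it parses the CSV output of `tasklist /V /FO CSV` (the column names are those the tool prints; `tasklist` ships with XP Professional and later, not XP Home), groups explorer.exe by the "User Name" column, and reports the instances that belong to anyone other than the currently logged-on user, together with the memory they hold. The computer and user names in the sample are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of `tasklist /V /FO CSV` output (not captured from the
# machine in the thread); user names, PIDs and memory figures are made up.
SAMPLE_TASKLIST = r'''"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"System Idle Process","0","Console","0","28 K","Running","NT AUTHORITY\SYSTEM","0:10:22","N/A"
"csrss.exe","588","Console","0","3,812 K","Running","NT AUTHORITY\SYSTEM","0:00:03","N/A"
"explorer.exe","1100","Console","0","17,004 K","Running","HOME-PC\ButtonAdmin","0:00:12","N/A"
"explorer.exe","1640","Console","0","16,988 K","Running","HOME-PC\Peggy","0:00:05","N/A"
"SUPERAntiSpyware.exe","1820","Console","0","9,100 K","Running","HOME-PC\Peggy","0:00:01","N/A"
"explorer.exe","2012","Console","0","17,120 K","Running","HOME-PC\Guest2","0:00:02","N/A"
'''


def parse_tasklist_csv(text):
    """Return the CSV rows of a `tasklist /V /FO CSV` dump as dicts."""
    return list(csv.DictReader(io.StringIO(text.strip())))


def _kb(mem_usage):
    """Convert tasklist's '17,004 K' memory column to an integer number of KB."""
    return int(mem_usage.replace(",", "").split()[0])


def explorer_by_user(text):
    """Map each user name to the (pid, kb) of every explorer.exe it owns."""
    owners = defaultdict(list)
    for row in parse_tasklist_csv(text):
        if row["Image Name"].lower() == "explorer.exe":
            owners[row["User Name"]].append((int(row["PID"]), _kb(row["Mem Usage"])))
    return dict(owners)


def stale_explorers(text, active_user):
    """explorer.exe instances owned by anyone other than the logged-on user.

    With Fast User Switching off, every such instance belongs to a session
    that has already logged off and should no longer exist.
    """
    stale = []
    for user, procs in explorer_by_user(text).items():
        if user.lower() != active_user.lower():
            stale.extend((user, pid, kb) for pid, kb in procs)
    return sorted(stale)


def leaked_memory_kb(text, active_user):
    """Total working set held by the stale explorer.exe instances, in KB."""
    return sum(kb for _, _, kb in stale_explorers(text, active_user))


if __name__ == "__main__":
    # On a live machine replace SAMPLE_TASKLIST with the captured output of
    # `tasklist /V /FO CSV` and active_user with the current account.
    for user, pid, kb in stale_explorers(SAMPLE_TASKLIST, r"HOME-PC\Peggy"):
        print(f"stale explorer.exe pid={pid} user={user} mem={kb} KB")
    print("total leaked:", leaked_memory_kb(SAMPLE_TASKLIST, r"HOME-PC\Peggy"), "KB")
```

Two stale instances for two logged-off accounts is exactly the pattern the thread describes; a single extra instance under the active user would instead point at a second shell launched by hand, which this check does not flag.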

Just an additional thought (I think out loud a lot :) ). I wonder if multiple instances of explorer.exe is at the root of my "End Task" SAS issues at shutdown I (and others) occasionally experience with SAS? If SAS is hanging on to other users' explorer.exe's, perhaps that's why Windows shutdown is hanging SAS up. I'll have to give it a little time to see if my workaround (turning off First Chance, Scan at Shutdown) clears up that little problem for me as well.


Hmmmmmm. I have to take back what I said about unchecking "Scan at Shutdown" stopping the multiple instances of explorer.exe in Task Manager when I log in and out of my user accounts. It's doing it again. Only a restart clears out the extra explorer.exe processes in Task Manager if I have logged in and out of those accounts several times. What could be causing this? I've never had this problem before. The only real-time security on this WinXP Home PC is Avast Home Edition and Comodo CIS (without AV), and of course SAS Pro Realtime Protection is enabled. As I stated in my first post, this is a reformat/clean install of the OS just done on Feb 12th. Any thoughts re the multiple explorer.exe's?


I fear this is an infection of some sort, as the PC is definitely slowing down and some minor symptoms persist with my SBC/ATT DSL sign-in screen (no graphics displaying, but the SSL lock in the corner of the task bar). And they persist after two, yes two, total uninstalls/clean installs of FX 3.0.6. Have been running all my scans in Safe Mode: Avast, A-squared, MBAM, MS Removal Tool, even Blacklight Rootkit Eliminator. Also ran Trend Micro Housecall on-line scan. Nothing has been found on my PC by any of them.

Unhiding all folders, Search shows explorer.exe in c:\Windows, c:\Windows\Prefetch, and c:\Windows\SecurityPatchFiles\i386. Both Jotti and VirusTotal on-line scans "found nothing" when I uploaded all 3 to check.

I have posted my HJT log over at Help2Go forums for help and will post back the results of their efforts to help me eradicate anything my machine has "contracted". It's so short, I'll share it here if it will shed any further light on input to my thread.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:08:40 AM, on 2/23/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\COMODO\Firewall\cmdagent.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\COMODO\Firewall\cfp.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.sbc.yahoo.com/

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 4489749281

O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\PROGRAM FILES\A-SQUARED FREE\a2service.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe

--

End of file - 3167 bytes

I'm beginning to think my clean, brand spanking new install of Windows XP got infected before I could get my Windows patches all downloaded or my Comodo FW fully configured safely. I'm just totally stumped.


Hi Buttoni.

The log is clean.

I suggest you disable system restore, run a temp cleaner like CCleaner or ATF, then run the scans again.

If that fails to suffice, then a repair install, possibly followed by a clean install is in order.


Thanks for the reply, Seth. Well, after much investigating and tinkering, I found that the reason NoScript was freezing users out of allowing scripts for desired sites was not malware. I had ticked one setting in NoScript incorrectly for all 3 users. It's on the NoScript Options, Advanced, HTTPS, Behavior tab. I had "Forbid active web content unless it comes from a secure HTTPS connection" set to ALWAYS. Switching it back to never and just entering the desired websites in the box just below fixed that problem right up.

As to the ATT login.yahoo.com screen being all text and none of the usual graphics (but showing the SSL lock below and functioning correctly in all other ways), I think I found the answer to that one, too. My connection to ATT Yahoo DSL always feeds through Akamai.net, one of the servers ATT uses. Today, FX popped up a screen saying akamai.net's certificate was invalid because the issuing certificate authority (Equifax Secure CA) was not trusted. And it doesn't give me the opportunity to "make an exception" and permit that one site only, like it sometimes does. First I invoked the login text-only screen and right clicked it and looked at the certificate itself via View Page Info, View Certificate, Details. It says it's by Equifax and issued to Yahoo.com alright. Then I went to FX Tools, Options, Advanced, Encryption tab, View Certificates, and it would appear Equifax Secure CA truly is not on the FX list of certificate authorities? Anybody know how I can pursue this? Since my login screen USED to have graphics on it before the clean install of WinXP and clean install of FX, I'm thinking maybe there's just some setting or certificate update I need to do?

As to the multiple explorer.exe's in Task Manager discussed in my original post, it only happens if multiple user accounts have been accessed in one power-on session. They all reflect one copy per user, per the number of times I have opened those up. If I never open any other accounts than the one at boot up, explorer.exe only appears once in Task Manager under the name of the one user that is logged on. To address this, I went to my admin account, Control Panel, User Accounts and clicked "Change how users log on/off". I checked "Clear all programs when users log off" and rebooted. But the problem persists exactly as just described. FYI, I have the Fast User Switching service turned off at all times. I don't want programs left open when switching accounts. This one is a real mystery and I'm going to bounce this question over to the Windows helpers on Windows user groups and see if they can explain it. I have been unable to find many KB articles on the topic.

Today I realized my 512MB machine is still trying to use the WinXP default pagefile of Initial=768, Max size=1536. Major instability issues. Apparently since the reformat/clean install of the OS I had forgotten to go in and clear the pagefile and set a new pagefile to 2560 Initial and Max! I think I was maxing out my pagefile and causing instability (though I never got an error window to that effect). Resetting it has my PC running much faster now and no more weird behavior, actually.

So my conclusion is I don't think I have malware, as all the many scans kept telling me. I just need to get the certificate thing sorted out over on Firefox forums and talk to the MVPs on Windows newsgroups for some advice on the explorer.exe's not closing at logoff. It always has in the past. I just can't figure that one out. Not having any unusual behaviors, instability or wacky stuff anymore. Plan on upgrading my memory to 4 GB in a week or so, too.

So for now, I think my issues are resolved. Comodo, Avast and SAS load up under the User rather than Local/Network Service, and the Event log is showing some Event ID 1517's and Event ID 1524's indicating it is "unable to unload classes reg files and individual user registries because still in use by some app or service; will unload when no longer in use". I think that is at the root of my multiple explorer.exe issues and plan to ask on Windows User Groups forums for advice on that issue.

Thanks for being there for us. I'll be back and post details if I learn anything constructive from the Windows people.

__________________

Peggy in Texas

Dell Dimension 4700 Intel P4; 512MB RAM;

Windows XP SP3 ; Firefox 3.0.6; IE6 only if absolutely needed; ATT DSL 2Wire 1800 router; Yahoo Web Mail; IE-Spyad; MVPS Hosts File; Comodo FW 3.0; Avast!Home; SuperAntispyware Pro; a-Squared & MBAM on demand.


No problems since my last post, other than I'm still getting the multiple explorer.exe's in Task Manager under whichever users have been logged on (and then off) in one power-up session. My Event Viewer still shows a lot of these errors in the Event log:

Event ID 1524: "Windows cannot unload your classes registry file. It is still in use by another application or service. The file will be unloaded when it is no longer in use."

Event ID 1517: "Windows saved user Computer Name\User Name registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use. This is often caused by services running as a user account. Try reconfiguring the services to run in either Local Service or Network Service."

The only programs on this PC that run under the user name are SUPERAntiSpyware.exe, ashDisp.exe (Avast) and cfp.exe (Comodo Firewall). I'm beginning to think these multiple instances of explorer.exe (killing my 512MB RAM at 17,000K apiece!) really are related to these event errors and that it has ALWAYS been going on and I just never noticed it before.

So my question is, is there some way to make SAS Pro install against Local Service or Network Service at boot up?


I just downloaded UPHClean tonight, to see if that would solve my problem. It installed OK and it has indeed stopped the 1517 and 1524 errors in Event Viewer. Now I'm just getting the 1401 informational entry that indicates UPHClean is doing its job of trying to allow Windows to close down a user's profile cleanly at logoff. Here's what that entry looks like, which indicates explorer.exe is involved in some way.

Event Type: Information

Event Source: UPHClean

Event Category: None

Event ID: 1401

Date: 3/3/2009

Time: 6:45:11 PM

User: HOME-23AB30824B\ButtonAdmin

Computer: HOME-23AB30824B

Description:

The following handles in user profile hive HOME-23AB30824B\ButtonAdmin (S-1-5-21-1085031214-1757981266-839522115-1005) have been remapped because they were preventing the profile from unloading successfully:

explorer.exe (1100)

HKCU (0x44)

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings (0x54)

HKCU\Software\Classes (0x9c)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer (0xa8)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer (0xbc)

HKCU\Software\Classes (0xcc)

HKCU\Software\Classes (0x140)

HKCU\Software\Classes (0x150)

HKCU\Software\Microsoft\Plus!\Themes\Apply (0x158)

HKCU\Control Panel\Appearance\New Schemes (0x160)

HKCU\Control Panel\Appearance\New Schemes\21 (0x164)

HKCU\Control Panel\Appearance\New Schemes\21 (0x168)

HKCU\Control Panel\Appearance\New Schemes\21\Sizes\0 (0x16c)

HKCU\Software\Classes (0x174)

HKCU\Software\Classes (0x180)

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap (0x1f0)

HKCU\Software\Classes (0x1f4)

HKCU\Software\Classes (0x208)

HKCU\Software\Classes (0x248)

HKCU\Software\Classes (0x254)

HKCU\Software\Classes (0x258)

HKCU\Software\Microsoft\Windows\Shell (0x26c)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts (0x270)

HKCU\Software\Microsoft\Windows\ShellNoRoam (0x274)

HKCU\Software\Classes (0x280)

HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache (0x284)

HKCU\Software\Classes (0x288)

HKCU\Software\Classes (0x298)

HKCU\Software\Classes (0x2d0)

HKCU\Software\Classes (0x2f0)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count (0x31c)

HKCU\Software\Classes (0x320)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count (0x324)

HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked (0x32c)

HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached (0x33c)

HKCU\Software\Classes (0x3b4)

HKCU\Software\Classes (0x3b8)

HKCU\Software\Classes (0x3cc)

HKCU\Software\Classes (0x3dc)

HKCU\Software\Classes (0x3e0)

HKCU\Software\Classes (0x3e4)

HKCU\Software\Classes (0x3f0)

HKCU\Software\Classes (0x3f4)

HKCU\Software\Classes (0x404)

HKCU\Software\Classes (0x408)

HKCU\Software\Classes (0x420)

HKCU\Software\Classes (0x424)

HKCU\Software\Classes (0x428)

HKCU\Software\Classes (0x444)

HKCU\Software\Classes (0x44c)

HKCU\Software\Classes (0x450)

HKCU\Software\Classes (0x46c)

HKCU\Software\Classes (0x48c)

HKCU\Software\Classes (0x4b8)

HKCU\Software\Classes (0x4c4)

HKCU\Software\Classes (0x4d4)

HKCU\Software\Classes (0x4d8)

HKCU\Software\Classes (0x4dc)

HKCU\Software\Classes (0x4e0)

HKCU\Software\Classes (0x4f8)

HKCU\Software\Classes (0x500)

HKCU\Software\Classes (0x508)

HKCU\Software\Classes (0x50c)

HKCU\Software\Classes (0x518)

HKCU\Software\Classes (0x538)

HKCU\Software\Classes (0x568)

HKCU\Software\Classes (0x580)

HKCU\Software\Classes (0x584)

HKCU\Software\Classes (0x598)

HKCU\Software\Classes (0x5b0)

HKCU\Software\Microsoft\Internet Explorer\Security\P3Global (0x5f0)

HKCU\Software\Classes (0x600)

HKCU\Software\Classes (0x610)

HKCU\Software\Classes (0x638)

HKCU\Software\Microsoft\Windows\Shell\Bags\1\Desktop (0x660)

HKCU\Software\Classes (0x6e8)

HKCU (0x6f4)

HKCU\Software\Classes (0x718)

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap (0x71c)

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap (0x728)

HKCU\Software\Classes (0x750)

HKCU\Software\Classes (0x760)

HKCU\Software\Classes (0x77c)

HKCU\Software\Microsoft\Internet Explorer\Security\P3Sites (0x780)

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap (0x78c)

HKCU\Software\Classes (0x790)

HKCU\Software\Classes (0x7c4)

HKCU\Software\Classes (0x7e0)

HKCU\Software\Classes (0x7e4)

HKCU\Software\Classes (0x7f4)

HKCU\Software\Classes (0x80c)

HKCU\Software\Classes (0x810)

HKCU\Software\Classes (0x820)

HKCU\Software\Classes (0x830)

HKCU\Software\Classes (0x840)

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Extensions (0x844)

HKCU\Software\Classes (0x84c)

HKCU\Software\Classes (0x89c)

HKCU\Software\Classes (0x8f4)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\c (0x92c)

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket (0x96c)

HKCU\Software\Classes (0x994)

HKCU\Software\Classes (0x9b0)

HKCU\Software\Classes (0x9bc)

HKCU\Software\Classes (0x9c8)

But sadly the multiple explorer.exe's persist if I log off one account and then onto another. Only a clean restart between users prevents the multiples of explorer.exe. So that's what I'm doing until I get this resolved. So I'm back to thinking it may be SAS, Avast or Comodo that's holding onto explorer.exe ???, since they are the only programs running in the background (besides UPHClean now) on this PC. I read in a KB article tonight there's a known "bug" in Java that can (by design, per Sun) hold onto a profile because of some hsperfdata_ file it creates/uses. But a search found no such file(s) on my system (even searching hidden files). So I doubt Java is the culprit in my case. Any further thoughts are welcomed, as I'm really stymied on this. :?:

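The UPHClean 1401 event above is long, but it is also the one piece of evidence in the thread that names the process keeping the profile hive open. The following added example (not code from the thread, from UPHClean or from the SUPERAntiSpyware project) parses the event description into the hive owner, its SID, and the handles held per process, then summarises which process holds how many handles and which keys dominate. It assumes the layout shown in the event: a header line naming the hive and SID, then each holding process as "name (pid)" followed by its "HKCU\... (0xNN)" handle lines; the sample below is constructed, with a made-up SID and a second, hypothetical process ("helper.exe") added to show that the parser handles more than one holder.

```python
import re
from collections import Counter

# Constructed sample of a UPHClean Event ID 1401 description. The SID and the
# second process (helper.exe) are made up; the layout follows the event shown
# in the thread (process line, then the registry handles that process held).
SAMPLE_1401 = r"""The following handles in user profile hive HOME-PC\ButtonAdmin (S-1-5-21-1111111111-2222222222-3333333333-1005) have been remapped because they were preventing the profile from unloading successfully:

explorer.exe (1100)

HKCU (0x44)

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings (0x54)

HKCU\Software\Classes (0x9c)

HKCU\Software\Classes (0xcc)

HKCU\Control Panel\Appearance\New Schemes\21\Sizes\0 (0x16c)

helper.exe (2044)

HKCU\Software\Classes (0x80)

HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache (0x84)
"""

# Header: "... user profile hive DOMAIN\User (S-1-5-...) have been remapped ..."
HEADER_RE = re.compile(r"user profile hive (\S+) \((S-1-[\d-]+)\)")
# Holding process: "explorer.exe (1100)"
PROCESS_RE = re.compile(r"^(.+?\.exe) \((\d+)\)$", re.IGNORECASE)
# Held handle: "HKCU\Software\Classes (0x9c)"; key names may contain spaces
HANDLE_RE = re.compile(r"^(HKCU.*?) \((0x[0-9a-fA-F]+)\)$")


def parse_uphclean_1401(text):
    """Parse a 1401 description into {hive_user, sid, holders: [...]}.

    Each holder is {"process", "pid", "handles": [(key_path, handle_value)]}.
    Handle lines that appear before any process line are ignored.
    """
    result = {"hive_user": None, "sid": None, "holders": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.search(line)
        if m:
            result["hive_user"], result["sid"] = m.group(1), m.group(2)
            continue
        m = PROCESS_RE.match(line)
        if m:
            current = {"process": m.group(1), "pid": int(m.group(2)), "handles": []}
            result["holders"].append(current)
            continue
        m = HANDLE_RE.match(line)
        if m and current is not None:
            current["handles"].append((m.group(1), int(m.group(2), 16)))
    return result


def handle_counts(parsed):
    """Number of remapped handles per holding process, keyed 'name (pid)'."""
    return {f"{h['process']} ({h['pid']})": len(h["handles"]) for h in parsed["holders"]}


def top_keys(parsed, n=5):
    """The n registry paths held most often across all holders."""
    keys = Counter(key for h in parsed["holders"] for key, _ in h["handles"])
    return keys.most_common(n)


if __name__ == "__main__":
    # Paste a real 1401 description in place of SAMPLE_1401 to triage it.
    parsed = parse_uphclean_1401(SAMPLE_1401)
    print(f"hive {parsed['hive_user']} ({parsed['sid']})")
    for proc, count in handle_counts(parsed).items():
        print(f"  {proc}: {count} handle(s)")
    for key, count in top_keys(parsed, 3):
        print(f"  {count:3d} x {key}")
```

The per-process count is the useful number: in the thread's own event every handle belongs to explorer.exe, which is consistent with the shell itself, rather than a background service, being what kept the hive mapped after logoff.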

Well, I decided to run a little experiment to see what it would reveal. I uninstalled SAS Pro in Safe Mode using your uninstall tool. Then I rebooted into normal mode and my Windows logon screen would let me log onto my admin account. But after logging off, I then attempted to log onto one of the LUAs and was unable to: the cursor would not flash in the password box to let me type it in and log onto a second account at all! Had to restart the PC. This time I initially logged onto one of the LUA accounts first and did so successfully. I then logged off the LUA and tried to log into the admin account. It let me, and then two copies of explorer.exe were sitting in Task Manager (1 for the LUA and 1 for the admin account). So I don't really understand what in the heck is going on.

I then reinstalled SAS Pro and could easily log on and off each account (without having to restart), but as before my little experiment, multiple copies of explorer.exe were in the Task Manager process list, one per user account I had logged in as. The oddest thing in all this is this is a CLEAN INSTALL of the operating system and a system file check using scannow shows no problems with the OS files. :?::?::?:


Well, the Windows Help & Support forum helpers haven't offered a single reply as yet. But all of a sudden this morning.......BINGO!!!! I found my problem. :idea: I took a look at my Comodo Defense+ (HIPS feature) events for a week or so and saw that Comodo was terminating csrss.exe at every single boot up. Why?

Don't know much about csrss.exe, but Wikipedia tells me it is what controls the user side of Windows Operating System, which certainly sounded like it might be related to my user profile (explorer.exe for a particular logged-on user) not closing down at log off. I learned it's a critical system file that should NEVER be terminated lest you want a BSOD!! Well, no BSOD's yet, thank God, but did have some anomalous system instability two weeks ago. But why was Comodo terminating a system file when all Windows files are considered sacrosanct by Comodo? :wink: Hmmmmmm.............So I started poking around at all my D+ rules in Comodo settings, particularly my explorer.exe application rule. VOILA! There was my answer!!

Apparently, as a security measure on my part, I had set up my explorer.exe D+ rule to protect the file from "Process Termination" (just by malware, or so I thought). But in doing that, I was also not letting WinXP's csrss.exe properly close down explorer.exe at logoff either! :shock: The minute I undid that aspect of the rule, Comodo stopped terminating csrss.exe at bootup/logoff. That has stopped the multiple copies of explorer.exe I've been experiencing at logoff lately!!! YIPPEEE!!!!! I figured it out all by myself! :) The 1517 & 1524 events in Windows Event Viewer have also stopped.

Hope posting back my findings may help someone else.
