Re: Odd Behavior on Bootup
- From: "Wesley Vogel" <123WVogel955@xxxxxxxxxxx>
- Date: Fri, 19 Jan 2007 19:31:16 -0700
Beats the heck out of me, Steve.
net1.exe, C:\WINDOWS\$NtServicePackUninstall$, 113 KB
Probably added by SP2.
NET1.EXE-029B9DB4.pf , C:\WINDOWS\Prefetch, 16 KB
Means that NET1.EXE has run at least once on your machine. This is called a
prefetch file and makes NET1.EXE load faster.
net1.exe, C:\WINDOWS\system32, 122 KB
Normal
net1.exe, C:\WINDOWS\ServicePackFiles\i386, 122 KB
Added by SP1 or SP2 and used in lieu of dllcache for Windows File
Protection.
net1.exe, C:\WINDOWS\system32\dllcache, 122 KB
Normal. Used for Windows File Protection.
wmiprvse.exe, C:\WINDOWS\$NtServicePackUninstall$, 199 KB
Probably added by SP2.
WMIPRVSE.EXE-029B9DB4.pf , C:\WINDOWS\Prefetch, 45 KB
Means that WMIPRVSE.EXE has run at least once on your machine. This is
called a prefetch file and makes WMIPRVSE.EXE load faster.
C:\WINDOWS\ServicePackFiles\i386, 213 KB
Added by SP1 or SP2 and used in lieu of dllcache for Windows File
Protection.
C:\WINDOWS\system32\dllcache, 213 KB
Normal. Used for Windows File Protection.
C:\WINDOWS\system32\wbem, 213 KB
Normal.
The ServicePackFiles folder only exists if you have upgraded to XP SP1 or XP
SP2 and they were not included in the original install and the SP1 or SP2
upgrade was done by downloading it from Microsoft. If the Service Pack is
installed by means of a CD-ROM or a distribution share, the ServicePackFiles
folder is not created. Same for slipstreaming a Service Pack.
%windir%\ServicePackFiles\i386 is used instead of %windir%\system32\dllcache
for Windows File Protection.
%windir%\ServicePackFiles\i386 contains the most recently updated service
pack files.
%windir%\ServicePackFiles\i386 folder exists if the following conditions are
true:
* You installed Windows XP SP2 from a Windows XP SP2 CD that included SP2 as
part of the base installation.
* You downloaded and installed Windows XP SP2 from the Microsoft Web site.
* Windows XP SP2 was included with the computer.
from...
http://support.microsoft.com/kb/916261
$NtServicePackUninstall$
Windows XP is really Windows NT 5.1, hence the NT part.
Service Pack
Definition: A service pack is a tested, cumulative set of all hotfixes,
security updates, critical updates, and updates. Service packs may also
contain additional fixes for problems that are found internally since the
release of the product and a limited number of customer-requested design
changes or features.
$NtServicePackUninstall$ folders are created for uninstalling Windows
Service Packs.
SP1 or SP2 are Service Pack 1 and Service Pack 2.
--
Hope this helps. Let us know.
Wes
MS-MVP Windows Shell/User
In news:86AE400A-8F71-4169-8BEA-F5A4619DCAF9@xxxxxxxxxxxxx,
Steve R <SteveR@xxxxxxxxxxxxxxxxxxxxxxxxx> hunted and pecked:
Wes,
http://www.bleepingcomputer.com/startups/regsvr32.exe_ctasio.dll-4482.html
These are the locations of the net1.exe and wmiprvse.exe files.
Steve
"Wesley Vogel" wrote:
Hi Steve,
I see that it shows net1.exe starting at boot. Not good.
net1.exe should only exist in these folders...
C:\WINDOWS\system32
C:\WINDOWS\system32\dllcache
and/or
C:\WINDOWS\ServicePackFiles\i386
Wmiprvse.exe should only exist in these folders...
C:\WINDOWS\system32\wbem
C:\WINDOWS\system32\dllcache
and/or
C:\WINDOWS\ServicePackFiles\i386
Do a Search on your machine for net1.exe and Wmiprvse.exe....
To search for hidden or system files in Windows XP:
1. Click Start, click Search, click All files and folders and then click
More advanced options.
2. Click to select the Search system folders and Search hidden files and
folders check boxes.
Post back with where you see net1.exe and Wmiprvse.exe located on your
machine. You can right click the found items, click Properties,
highlight the path from the General tab listed on Location, right click
that, select Copy and paste the path into a message.
services.exe & svchost.exe
At startup, Svchost.exe checks the services portion of the registry to
construct a list of services that it needs to load. The Services Control
Manager (services.exe) is responsible for starting, stopping and
interacting with system services.
mdnsresponder.exe is a process associated with "Bonjour for Windows"
software. It is used by iTunes for music sharing. This is a non-essential
process. Disabling or enabling it is down to user preference.
imapi.exe is the IMAPI CD-Burning COM Service, needed when you want to
burn CDs with XP's CD burner. Not needed if you have a 3rd party CD
burner program like Nero, etc.
Wmiprvse.exe
Windows Management Instrumentation (WMI).
see this...
http://www.neuber.com/taskmanager/process/wmiprvse.exe.html
"javaw.exe" belongs to Java from Sun Microsystems, Inc.
Can also be added by a worm...
Name Java Virtual Machine
Command javaw.exe
Status X
Description Added by a variant of the WIN32.RBOT WORM!
http://www.castlecops.com/s10964-javaw_exe.html
--
Hope this helps. Let us know.
Wes
MS-MVP Windows Shell/User
In news:26BBAF82-9759-485F-AC7B-63BDACB486F3@xxxxxxxxxxxxx,
Steve R <SteveR@xxxxxxxxxxxxxxxxxxxxxxxxx> hunted and pecked:
Hi, Wes,
I got rid of most of the items you suggested and, according to BootLog
XP, the system load time dropped from 208 seconds to 187 seconds. The
initial long-lasting net.exe command prompt as well as the second
short-term net.exe command prompt and the ipconfig.exe command prompt
remain.
I don't know if it helps, but BootLog XP shows the following selected
long boot times:
services.exe, 95 sec.
Two instances of svchost.exe at 97 and 115 seconds.
vsmon.exe, 140 sec.
explorer.exe, 147 sec.
mDNSResponder.exe, 92 sec.
imapi.exe, 106 sec.
net1.exe, 89 sec.
wmiprvse.exe, 96 sec.
javaw.exe, 35 sec.
The others are of much shorter duration.
Steve
"Wesley Vogel" wrote:
Man, Steve, you have some crap loading! I did not find anything
obvious that would start net.exe and ipconfig.exe. But I made
comments anyway. ;-)
AsioReg regsvr32.exe /s ctasio.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ctasio.dll is a module belonging to ASIO (Audio Stream In/Out) drivers
for the SoundBlaster Audigy audio hardware.
regsvr32.exe /s ctasio.dll looks suspicious as hell, but...
See this.
http://www.microsoft.com/downloads/details.aspx?familyid=3D0BA152-5D92-4772-A2FD-5AB35C750685&displaylang=en
Normally the Regsvr32 tool (Regsvr32.exe) is used to register and
unregister object linking and embedding (OLE) controls such as
dynamic-link library (DLL) or ActiveX Controls (OCX) files that are
self-registerable. That is .dll, .ocx and .cpl files. The
regsvr32.exe /s switch is for: Silent; display no message boxes.
CTDVDDet c:\program files\creative\sbaudigy2\dvdaudio\ctdvddet.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Creative Soundblaster crap, see...
http://www.bleepingcomputer.com/startups/CTDVDDet.exe-1119.html
CTHelper cthelper.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Creative Soundblaster crap, see...
http://www.bleepingcomputer.com/startups/CTHELPER.EXE-6637.html
CTSysVol c:\program files\creative\sbaudigy2\surround
mixer\ctsysvol.exe HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Creative Volume Manager Creative Soundblaster crap, see...
http://www.castlecops.com/s804-CTsysVol.html
EPSON Stylus CX6400
c:\windows\system32\spool\drivers\w32x86\3\e_s4i2l1.exe /p19 "epson
stylus cx6400" /o6 "usb001" /m "stylus cx6400"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
e_s4i2l1.exe is a process which belongs to the EPSON Status Monitor 3
which is installed alongside your EPSON printer and offers additional
diagnostic and maintenance functions. This program is a non-essential
process
EPSON Stylus CX7700
Series c:\windows\system32\spool\drivers\w32x86\3\e_fatiafl.exe /p26
"epson stylus cx7700 series" /m "stylus cx7700" /ef
HKU\S-1-5-21-606747145-515967899-839522115-1004\SOFTWARE\
Microsoft\Windows\CurrentVersion\Run
More crap from EPSON.
EPSON Stylus CX7700
Series c:\windows\system32\spool\drivers\w32x86\3\e_fatiafl.exe /p26
"epson stylus cx7700 series" /o6 "usb003" /m "stylus cx7700"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
More crap from EPSON.
FreeRAM XP "c:\program files\yourware solutions\freeram xp pro\freeram
xp pro.exe" -win
HKU\S-1-5-21-606747145-515967899-839522115-1004\SOFTWARE\
Microsoft\Windows\CurrentVersion\Run
UNINSTALL this POS, you do not need it! XP handles RAM on its own!
Google Desktop Search "c:\program files\google\google desktop
search\googledesktop.exe" /startup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Crap from Google, see...
http://www.bleepingcomputer.com/startups/GoogleDesktop.exe-1864.html
Ink Monitor c:\program files\epson\ink monitor\inkmonitor.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
More crap from EPSON, see...
http://www.bleepingcomputer.com/startups/InkMonitor.exe-2202.html
IntelliPoint "c:\program files\microsoft intellipoint\ipoint.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Crap from Microsoft.
ipoint.exe is a process installed alongside a Microsoft IntelliMouse
and provides additional configuration options for these devices.
LifeSaverXP Backup c:\progra~1\lifesa~1\lifesa~1.exe /b /d30
All Users Common Startup =
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
lifesa~1.exe looks suspicious to me, a Google search turns up nothing.
If you downloaded and installed LifeSaverXP Backup on purpose it may be
all right, otherwise I would uninstall it.
If c:\progra~1\lifesa~1\lifesa~1.exe is really...
C:\Program Files\LifeSaverXP\LifeSaverXP.exe
it may be all right.
It sure looks suspicious to me.
NvCplDaemon rundll32.exe c:\windows\system32\nvcpl.dll,nvstartup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
I would delete this Run reference. In fact, I have on my machine.
NvCpl.dll = NVIDIA Display Properties Extension
NvMediaCenter rundll32.exe
c:\windows\system32\nvmctray.dll,nvtaskbarinit
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
I would delete this Run reference. In fact, I have on my machine.
NvMediaCenter
[[RunDLL32.exe NvMCTray.dll, NvTaskbarInit System Tray icon used to
manage settings for nVidia based graphics cards. May be required for
some 3D applications to recognize your card correctly - such as the
game "Everquest". Otherwise, settings can be changed manually via
Display Properties]]
Rainlendar2 c:\program files\rainlendar2\rainlendar2.exe
HKU\S-1-5-21-606747145-515967899-839522115-1004\
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
rainlendar2.exe MAY have something to do with a Desktop Calendar.
http://www.rainlendar.net/cms/index.php
SBDrvDet c:\program files\creative\sb drive det\sbdrvdet.exe /r
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Crap from Creative SoundBlaster.
sbdrvdet.exe is a process associated with the Creative SoundBlaster
Drivers. This process should not be removed to ensure that your sound
card drivers are working.
Also see...
http://www.bleepingcomputer.com/startups/sbdrvdet.exe-10070.html
Skype "c:\program files\skype\phone\skype.exe" /nosplash
/minimized STEVEN\Steve
HKU\S-1-5-21-606747145-515967899-839522115-1004\SOFTWARE\
Microsoft\Windows\CurrentVersion\Run
skype.exe is a process belonging to the Skype Internet Telephony
suite, which is used for computer-to-telephone based communications
SkypeMate skypemate.lnk STEVEN\Steve Startup
STEVEN\Steve Startup =
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
SkypeMate is the software driver that allows USB phones manufactured by
Yealink to work with Skype. It must be installed on your computer for
your phone's keypad, display, and other features to function with
Skype.
Zone Labs Client "c:\program files\zone labs\zonealarm\zlclient.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
This is the ZoneAlarm firewall.
avast! c:\progra~1\alwils~1\avast4\ashdisp.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ashdisp.exe is a process belonging to Avast Internet security suite.
This utility forms an important part of your computer's protection
against Internet-bound viruses and worms
ctfmon.exe c:\windows\system32\ctfmon.exe STEVEN\Steve
HKU\S-1-5-21-606747145-515967899-839522115-1004\SOFTWARE
\Microsoft\Windows\CurrentVersion\Run
See...
Can I Remove the Ctfmon.exe File?
here...
Frequently asked questions about Ctfmon.exe
http://support.microsoft.com/kb/282599
itype "c:\program files\microsoft intellitype pro\itype.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
itype.exe is a process belonging to Microsoft Intellitype Pro keyboard
software. Disabling or enabling it is down to user preference.
Related to Microsoft_IntelliType_Pro MS Keyboard Software.
HKU\S-1-5-21-606747145-515967899-839522115-1004\SOFTWARE\Microsoft\Windows\C
nwiz nwiz.exe /install
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
I would delete this Run reference. In fact, I have on my machine.
nwiz.exe = NVIDIA nView Wizard
[[Application enables user to having 32 virtual desktops, get a desktop
larger than the viewable area of the monitor, being able to divide the
display across more than one monitor, managing applications and many
more functionality.]]
--
Hope this helps. Let us know.
Wes
MS-MVP Windows Shell/User
In news:D3A2AE35-9DC3-4F36-8B46-1D24836A2822@xxxxxxxxxxxxx,
Steve R <SteveR@xxxxxxxxxxxxxxxxxxxxxxxxx> hunted and pecked:
Thanks, Wes,
We have two desktops and a laptop linked to the Internet through a
Linksys WRT54G wireless router but not networked with each other.
Net.exe and ipconfig.exe do not appear in System Info-Startup
Programs, the
text of which follows.
AsioReg regsvr32.exe /s ctasio.dll All
Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
CTDVDDet c:\program files\creative\sbaudigy2\dvdaudio\ctdvddet.exe All
Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
CTHelper cthelper.exe All
Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
CTSysVol c:\program files\creative\sbaudigy2\surround
mixer\ctsysvol.exe All
Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
EPSON Stylus CX6400
c:\windows\system32\spool\drivers\w32x86\3\e_s4i2l1.exe /p19 "epson
stylus cx6400" /o6 "usb001" /m "stylus cx6400" All
Users HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
EPSON Stylus CX7700
Series c:\windows\system32\spool\drivers\w32x86\3\e_fatiafl.exe /p26
"epson
stylus cx7700 series" /m "stylus cx7700" /ef
"hkcu" STEVEN\Steve
urrentVersion\Run
.
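The location check discussed in this thread, as an added example that is not part of the original posts: it sorts file-search hits for net1.exe and wmiprvse.exe into the folders the thread calls normal, the service pack uninstall backup, prefetch traces, and anything else. The function names, the `C:\WINDOWS` default and the sample hits (including the one out-of-place copy) are constructed for illustration.

```python
import ntpath

# Folders (relative to %windir%) the thread lists as the only normal homes.
EXPECTED = {
    "net1.exe": ["system32", r"system32\dllcache", r"ServicePackFiles\i386"],
    "wmiprvse.exe": [r"system32\wbem", r"system32\dllcache", r"ServicePackFiles\i386"],
}
UNINSTALL_DIR = "$NtServicePackUninstall$"  # service pack uninstall backup
PREFETCH_DIR = "Prefetch"                   # NAME.EXE-HASH.pf traces

def _norm(path):
    # Windows paths are case-insensitive; also collapse redundant separators.
    return ntpath.normcase(ntpath.normpath(path))

def classify(name, folder, windir=r"C:\WINDOWS"):
    """Return 'expected', 'sp-uninstall-backup', 'prefetch',
    'unexpected' or 'not-tracked' for one search hit."""
    name_l = name.strip().lower()
    folder_n = _norm(folder)
    if name_l.endswith(".pf"):
        exe = name_l.rsplit("-", 1)[0]      # "net1.exe-029b9db4.pf" -> "net1.exe"
        if exe not in EXPECTED:
            return "not-tracked"
        in_prefetch = folder_n == _norm(ntpath.join(windir, PREFETCH_DIR))
        return "prefetch" if in_prefetch else "unexpected"
    if name_l not in EXPECTED:
        return "not-tracked"
    if folder_n in {_norm(ntpath.join(windir, d)) for d in EXPECTED[name_l]}:
        return "expected"
    if folder_n == _norm(ntpath.join(windir, UNINSTALL_DIR)):
        return "sp-uninstall-backup"
    return "unexpected"

def needs_review(hits, windir=r"C:\WINDOWS"):
    """Hits that sit outside every location the thread accounts for."""
    return [(n, f) for n, f in hits if classify(n, f, windir) == "unexpected"]

# Constructed sample: locations reported in the thread plus one made-up
# out-of-place copy (wmiprvse.exe directly in system32 instead of wbem).
SAMPLE_HITS = [
    ("net1.exe", r"C:\WINDOWS\$NtServicePackUninstall$"),
    ("NET1.EXE-029B9DB4.pf", r"C:\WINDOWS\Prefetch"),
    ("net1.exe", r"C:\WINDOWS\system32"),
    ("net1.exe", r"C:\WINDOWS\ServicePackFiles\i386"),
    ("Wmiprvse.exe", r"c:\windows\SYSTEM32\WBEM"),
    ("wmiprvse.exe", r"C:\WINDOWS\system32"),
]

if __name__ == "__main__":
    for name, folder in SAMPLE_HITS:
        print(f"{classify(name, folder):20} {folder}\\{name}")
```

A name match alone says nothing about the file's contents, so a hit in an expected folder still has to be checked against a known-good copy.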