Solved: How can I tell O.S. that Shutdown.exe is NOT malware ??
ALAN_BR (original post):
The System Event log shows that it does not know why it was closed, and does not seem to distinguish between a malware attack and the legitimate CMD.EXE command.
Salmon Trout:
I think you may need to use the /e and /d switches with shutdown.exe. Type Shutdown /? at the prompt, or read more info here: http://www.myitforum.com/articles/5/view.asp?id=8842

Code:
    C:\>shutdown /?
    Usage: shutdown [/i | /l | /s | /r | /g | /a | /p | /h | /e] [/f]
        [/m \\computer][/t xxx][/d [p|u:]xx:yy [/c "comment"]]

        No args    Display help. This is the same as typing /?.
        /?         Display help. This is the same as not typing any options.
        /i         Display the graphical user interface (GUI).
                   This must be the first option.
        /l         Log off. This cannot be used with /m or /d options.
        /s         Shutdown the computer.
        /r         Shutdown and restart the computer.
        /g         Shutdown and restart the computer. After the system is
                   rebooted, restart any registered applications.
        /a         Abort a system shutdown.
                   This can only be used during the time-out period.
        /p         Turn off the local computer with no time-out or warning.
                   Can be used with /d and /f options.
        /h         Hibernate the local computer.
                   Can be used with the /f option.
        /e         Document the reason for an unexpected shutdown of a computer.
        /m \\computer Specify the target computer.
        /t xxx     Set the time-out period before shutdown to xxx seconds.
                   The valid range is 0-315360000 (10 years), with a default of 30.
                   If the timeout period is greater than 0, the /f parameter is
                   implied.
        /c "comment" Comment on the reason for the restart or shutdown.
                   Maximum of 512 characters allowed.
        /f         Force running applications to close without forewarning users.
                   The /f parameter is implied when a value greater than 0 is
                   specified for the /t parameter.
        /d [p|u:]xx:yy  Provide the reason for the restart or shutdown.
                   p indicates that the restart or shutdown is planned.
                   u indicates that the reason is user defined.
                   If neither p nor u is specified the restart or shutdown is
                   unplanned.
                   xx is the major reason number (positive integer less than 256).
                   yy is the minor reason number (positive integer less than 65536).

    Reasons on this computer:
    (E = Expected U = Unexpected P = planned, C = customer defined)
    Type    Major   Minor   Title

     U      0       0       Other (Unplanned)
     E      0       0       Other (Unplanned)
    E P     0       0       Other (Planned)
     U      0       5       Other Failure: System Unresponsive
     E      1       1       Hardware: Maintenance (Unplanned)
    E P     1       1       Hardware: Maintenance (Planned)
     E      1       2       Hardware: Installation (Unplanned)
    E P     1       2       Hardware: Installation (Planned)
     E      2       2       Operating System: Recovery (Planned)
    E P     2       2       Operating System: Recovery (Planned)
      P     2       3       Operating System: Upgrade (Planned)
     E      2       4       Operating System: Reconfiguration (Unplanned)
    E P     2       4       Operating System: Reconfiguration (Planned)
      P     2       16      Operating System: Service pack (Planned)
            2       17      Operating System: Hot fix (Unplanned)
      P     2       17      Operating System: Hot fix (Planned)
            2       18      Operating System: Security fix (Unplanned)
      P     2       18      Operating System: Security fix (Planned)
     E      4       1       Application: Maintenance (Unplanned)
    E P     4       1       Application: Maintenance (Planned)
    E P     4       2       Application: Installation (Planned)
     E      4       5       Application: Unresponsive
     E      4       6       Application: Unstable
     U      5       15      System Failure: Stop error
     U      5       19      Security issue
     E      5       19      Security issue
    E P     5       19      Security issue
     E      5       20      Loss of network connectivity (Unplanned)
     U      6       11      Power Failure: Cord Unplugged
     U      6       12      Power Failure: Environment
      P     7       0       LEGACY API shutdown

ALAN_BR (October 07, 2010, 03:21:34 AM):
Quote from: BC_Programmer on October 06, 2010, 03:22:33 PM
> where is the OS saying it's malware?
The OS is NOT saying it's malware. The OS just cannot tell the difference between shutdown and malware. The OS is ignorant and reports "No title for this reason could be found". I Google searched the pair of phrases "The process winlogon.exe has initiated the restart of " "the following reason: No title for this reason could be found" and THAT is where I found the answer that an unexpected shutdown could be due to malware. Another result gave a forum that had no answer other than to use the GUI to select a shutdown.
I know it is not malware because the shutdown was at a time and place of my choosing, but next week I will have forgotten what I was doing this week. I can understand the OS wanting to be given a "title for this reason", but do not understand why its own Shutdown.exe is not providing the title. When I see the OS not understanding what its own executables have done I wonder if I need a different control argument, and wonder how much longer it can stagger along before it gives nothing but BSODs ! !

Patio: I use Comodo Internet Security for Firewall + A.V. + behavior blocking. I have no malware problem, just an OS that is less than perfect.

Salmon: Before I started this I ran shutdown /? and its summary was
    Usage: shutdown [-i | -l | -s | -r | -a] [-f] [-m \\computername] [-t xx] [-c "comment"] [-d up:xx:yy]
and the -d option was WRONGLY listed as
Code:
    -d [u][p]:xx:yy    The reason code for the shutdown
It was WRONG, and so also was the summary example "-d up:xx:yy"; they suggest the 'u' and 'p' may coexist. I found that shutdown merely presented HELP with my choice of "-d up:34:5678". Your help screen with "/d [p|u:]xx:yy" clearly denotes that a choice should be made between p and u. I have no option "-e" listed. I am using XP Home + SP3; I guess you have more options and better documentation with XP Pro. Thank you very much for the link. That seems to perfectly fit my need. I fully expect that after experimenting with that information (and lots of reboots where I failed to get it right) I will be able to return and MARK this as solved.
Regards and thanks
Alan

BC_Programmer (October 07, 2010, 04:58:50 AM):
Quote from: ALAN_BR on October 07, 2010, 03:21:34 AM
> The OS is NOT saying it's malware.
Your title suggests something different.
Quote:
> The OS just cannot tell the difference between shutdown and malware.
And why should it? What the *censored* do you expect?
Some magical fairy-land where every backwater utility that does something like this will be automatically recognized as being run by the user and the daisies and the frogs all sing and play in the fields? First off, almost all malware will give a stupid reason code and comment, like saying it's a planned shutdown and that they are "restarting for an update", and that's forgetting of course that only "joke" type malware would ever really restart the machine anyway.
Quote:
> The OS is ignorant and reports
There was no comment left, so that's what it reports. What are you expecting here, exactly?
Quote:
> I Google searched the pair of phrases
So? I fail to see the relevance. Any number of events could be construed in the wrong way with Google. If I was to go by that then all my disks failed years ago, since they almost all inevitably contain messages to the effect of "The driver detected a controller error on \Device\Harddisk#\DR#" at seemingly random intervals. I'd also have no choice but to reinstall Visual Studio because if I was to believe Event Viewer it neither installed properly nor is ever able to start (but it starts fine).
Quote:
> another result gave a forum that had no answer other than to use the GUI to select a shutdown.
So? Google for something vague or common and you will get a wide range of results. I'm sure a lot of malware-oriented topics use the word "the" too, but that doesn't mean that you have to label every single instance of "the" in your sentences as not being malware related. It's called context.
Quote:
> I know it is not malware because the shutdown was at a time and place of my choosing,
Good.
Quote:
> but next week I will have forgotten what I was doing this week.
Right... so, you make a habit of looking through eventviewer in your spare time or something? That's not very productive.
Quote:
> I can understand the OS wanting to be given a "title for this reason",
Because you didn't tell it to.
Quote:
> When I see the OS not understanding what its own executables have done I wonder if I need a different control argument, and wonder how much longer it can stagger along before it gives nothing but BSODs ! !
The REASON that "the OS is not able to understand what its executables are doing" is because that would entail that there is a "hook" between the executables and the OS that is wholly undocumented! And if it's documented, then any program, malware or otherwise, could come in and make changes and tell the OS "It's OK, the user told me to do this" or something equally nonsensical. And then one can assume that AV and malware vendors will also look at this "sanctioned by the OS" flag and ignore them, meaning that any form of malware can simply perform all its tasks under the guise of being sanctioned by the OS by using the documented interface between its "executables" and the Operating System. And I'm sure you know why they can't use an undocumented interface. God forbid shutdown.exe be able to use undocumented APIs! How will the competition, which is... the market of shutdown utilities, I guess - cope with such a thing? They'll complain, and then MS will be forced to add an interface anyway and now the malware can pretend to be OS sanctioned. Even if they were somehow able to smuggle in such an undocumented interface, it won't take long for malware writers to stumble upon a way to deal with it that works; generally by disassembling programs like shutdown and seeing what various libraries they are calling and with what arguments, at which point they will find the "undocumented function" that would probably be named something like "InformOSofOSExecutableAction()" or something stupid like that. And then their malware programs can claim to be part of the OS and we are back where we started, which is clearly why this is not being done.
Quote:
> I have no malware problem, just an OS that is less than perfect.
Of course it isn't "perfect" - that's like saying "the perfect car". It's open to such a wide and equally vague range of interpretations. Is Visual Studio a "perfect" programming environment? Of course not, but personally I think it's better than most of the competing products. Some people think Borland/CodeGear's IDE is better, some prefer Eclipse (which I use for Java myself, but not for any other language it supports) and still others even program using basic text editing and command line tools. Is Windows a "Perfect OS"? Of course not. There is no such thing as a perfect OS, or a perfect software application, for that matter, because such perfection would entail use by Perfect users, like those able to effortlessly use vim.
Quote:
> Salmon Before I started this I ran shutdown /? and its summary was
They can co-exist. http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/shutdown.mspx?mfr=true
Quote:
> To shut down in 60 seconds, force running applications to close, restart the computer after shutdown, indicate a user code, indicate that the shutdown is planned, log major reason code 125, and log minor reason code 1, type:
I'm not sure, but I think the reason codes correspond to those listed here: http://msdn.microsoft.com/en-us/library/aa376885%28VS.85%29.aspx
Either way, you should probably be using the -c switch (for a comment). This will at least be displayed in eventviewer, I believe.
Quote:
> I found that shutdown merely presented HELP with my choice of "-d up:34:5678"
The "reason codes" are codes, not just random numbers you plug in. Of course, it would be nice to have them documented; but we have yet to invent a method of time travel so that we can go back and fix shutdown's help implementation. Still... putting a seemingly random number as a parameter that is listed as "code" is pretty silly. "Code" implies a meaning, and it's usually better to know what meaning you are after and then put in the corresponding code for that meaning than fiddle-faddle about with codes until you get something that makes sense.

ALAN_BR (October 07, 2010, 09:03:19 AM):
Quote from: BC_Programmer on October 07, 2010, 04:58:50 AM
> Your title suggests something different.
NO - I accept that is a plausible interpretation of the brief title, but it is neither stated nor implied in my post.
To restate my problem: the System Event Log shows that the system closed down without knowing why, because a Title mechanism has failed. If a reporting mechanism has failed I want it fixed, because when something bad is about to happen it will fail to warn me. When I start my car I am reassured that all is well if the battery/oil/brake level etc. warning lights come on for a few seconds and then extinguish. If any warning signal fails I might hope to drive to a local garage and they will simply replace a light bulb, but I would not ignore the problem till the next 20,000 mile service ! !
Quote:
> There was no comment left, so that's what it reports. What are you expecting here, exactly?
NO, I did not complain about absence of COMMENT. I was complaining about failure to have a TITLE.
    SHUTDOWN -s -t 10 -c "CClean + Shutdown" -d u:34:5678
Quote:
> If I was to go by that then all my disks failed years ago, since they almost all inevitably contain messages to the effect of "The driver detected a controller error on \Device\Harddisk#\DR#" at seemingly random intervals.
Would you blindly ignore such messages if they were NOT random but rock steady consistent? Because I take notice of warnings, no matter how rare or random, I actually recognize incipient fatal catastrophes and am able to avert disaster. E.g. I have seen failure to flush data to disk and FTDISK errors and worse in the event log, and now I avoid the situations that cause loss of data and disk corruption. In my case the problem was that once Acronis has mounted a disc image for the purpose of exploring its contents, it is not possible to dismount that image without such errors, but I can leave it mounted and the system manages an orderly shutdown which dismounts without any consequent errors.
Quote:
> So? Google for something vague or common and you will get a wide range of results. I'm sure a lot of malware-oriented topics use the word "the" too, but that doesn't mean that you have to label every single instance of "the" in your sentences as not being malware related.
Where is this coming from?
    25,430,000,000 results searching for a vague or common "the"
    21,600,000 results searching WITHOUT quotes for "the following reason: No title for this reason could be found"
    13,700 results searching WITH quotes for "the following reason: No title for this reason could be found"
    8,230 results searching for the above preceded by "The process winlogon.exe has initiated the restart of "
If you think my search was vague, please tell me how I could be more precise and still get more than zero results. I have just tried
    The process winlogon.exe has initiated the restart of ACER-311VPBCEH0 for the following reason: No title for this reason could be found.
Guess what, Google has a single result this afternoon - Google has already found my cry for help and is quoting this post. NB "How can I tell O.S. that Shutdown.exe is NOT malware ?" comes across as a very snappy title to my post !!
Quote:
> Because you didn't tell it to.
THE WHOLE PURPOSE OF THIS POST IS BECAUSE I DID NOT KNOW HOW TO TELL IT TO !
Quote:
> any program, malware or otherwise, could come in and make changes and tell the OS "It's OK, the user told me to do this"
Plausible but debatable. I have used third party defraggers and partition managers and Acronis image restorers, and all of them leave the restrictions of running under Windows by rebooting into boot mode operation, and I have never NOTICED any complaint that a Shutdown was performed without a Title. If third party software can do it I guess malware can also do it.
Quote:
> They can co-exist.
I agree that the document indicates the same as I have already seen with SHUTDOWN /?, BUT the documentation does not align with reality. Salmon has already shown, in his very helpful post, that the correct usage is
    /d [p|u:]xx:yy  Provide the reason for the restart or shutdown.
and I understand that the vertical bar denotes ALTERNATIVES and does not indicate a logical OR operation.
Quote:
> Either way, you should probably be using the -c switch (for a comment). This will at least be displayed in eventviewer, I believe.
You should have looked at the end of my first post; you would have seen that I used
    SHUTDOWN -s -t 10 -c "CClean + Shutdown" -d u:34:5678
and the System Event log actually displayed
    Minor Reason: 0x162e
    Shutdown Type: shutdown
    Comment: CClean + Shutdown
But it still complained that it had not been given a Title.
Alan

Salmon Trout (October 07, 2010, 11:00:01 AM):
Quote from: BC_Programmer on October 07, 2010, 04:58:50 AM
That was Alan, not me, that you quoted there.

BC_Programmer:
Quote from: ALAN_BR on October 07, 2010, 09:03:19 AM
> NO - I accept that is a plausible interpretation of the brief title, but it is neither stated nor implied in my post.
Your post uses the word malware in both the title and the original post. This problem has nothing to do with malware. Anyway, I did a little looking to see which syntax (allowing both u and p or not) was right, but it's not hard to realize that having both wouldn't make any sense. The u stands for user code; the p stands for planned. Omitting both indicates an unplanned shutdown. You can use both U and P in XP, but I believe it uses the last one and ignores any before it. For both, you give the major and minor codes; depending on the combination of the unplanned/planned/usercode and the major/minor reason codes, it should be giving you a different title. If you use u, I don't think you will ever get a visible title (since it is by definition a user defined code and there is no defined resource string for it).
Quote:
> To restate my problem:
There is no "title mechanism" - or, to be more precise, there isn't one given via the shutdown supplied with XP (at least, not a "set your own text string" type). The reason for this is that the "title" is actually represented by the reason code and the usercode/planned/unplanned status. It then reads a string resource that describes that combination. I imagine when it says there is no title found then there was no corresponding resource for the combination (which again, would be expected with a user-defined code). To test, I ran this command in my XP VM:
Code:
    shutdown -s -f -d p:4:1 -c "I AM A COMMENT"
And, the result? Here it is: TADA! Basically, I chose a combination of major/minor/planned/unplanned from the handy chart ST linked (the reason codes, as noted by the linked page, are available via MSDN but you would then have to peruse the header files... or, you could strip the ending zeros off of the Major codes found there: 0x00040000 turns into simply 4. Of course everything above 10 has to be converted from hex. No need for that with the chart though, of course).
Quote:
> When I start my car I am reassured that all is well if the battery/oil/brake level etc. warning lights come on for a few seconds and then extinguish.
Not really relevant... we are talking about a shutdown that you (or a script) initiated with the shutdown command. The title might not be particularly helpful but it hardly entails a "warning"; it just means that the major/minor + unplanned/planned/user reason code combo you gave doesn't correspond to a system string resource.
Quote:
> NO, I did not complain about absence of COMMENT. I was complaining about failure to have a TITLE.
Apologies for that.
Quote:
> SHUTDOWN -s -t 10 -c "CClean + Shutdown" -d u:34:5678
34 is not a valid major reason code. 5678 is not a valid minor reason code. You stated u, for usercode. No usercode will ever correspond to a title stringID, if I understand correctly.
Quote:
> Would you blindly ignore such messages if they were NOT random but rock steady consistent?
Yes. Unless I was of course having real, observable issues. In fact, it's usually me noticing real observable issues that sends me to eventvwr to try to find out the problem. Perusing eventviewer as a "preventative measure" is more a waste of time (IMO) than anything; there are far too many red herrings that could make you suspicious that you are infected, or that you have a hardware issue. My video card/driver also crashes whenever I play a DVD or video for an extended period, so I simply don't play videos. I'm sure I could look at the many events for the video card (display driver has stopped responding etc.) but none of them will help me diagnose the problem, because it's already pretty obvious - I tried different drivers and that didn't help (and a fresh OS install as well) so it's probably a hardware issue. (Oddly, YouTube and most online videos work; it's just playing stuff off-line from MP4s and AVIs and so forth that causes it.) But enough about that!
Quote:
> Because I take notice of warnings, no matter how rare or random, I actually recognize incipient fatal catastrophes and am able to avert disaster.
True, but those events aren't logged silently; they almost always produce a popup (or at the least, a balloon) that informs you of this. I suppose it could be helpful if it occurs away from the PC, but you aren't going to be psychically dismounting drives from afar. Also, I've had similar issues (actually, the system refused to allow me to remove some flash drive). It's usually just a matter of closing all open explorer windows that accessed it, then it lets me. This might be the case for Acronis image browsing (I know it's the story for WinImage disk mounting as well, and things are complicated even more by write-caching).
Quote:
> Quote:
> > So? Google for something vague or common and you will get a wide range of results. I'm sure a lot of malware-oriented topics use the word "the" too, but that doesn't mean that you have to label every single instance of "the" in your sentences as not being malware related.
> Where is this coming from?
Because you are searching for "No title for this reason could be found", and the various other phrases in the event; that's a terribly broad search. Of course it's going to find hits related to malware, as with any number of similar searches (you could search for, say, "winword has stopped responding" and some of those hits are sure to be malware related). However, finding Google results that refer to malware with a query like that is not any sort of conclusion that what you have is related to malware. You know that you initiated the shutdown, and that it most certainly is not "malware", and you just needed to find out why there wasn't a title given (which is, of course, why you posted here). Truly, though, it was not the O.S. saying that it was malware; it was your Google searches on what the OS said (different).
Quote:
> If you think my search was vague, please tell me how I could be more precise and still get more than zero results.
You aren't really searching "properly" (if there is such a thing). Basically, you are searching for the effect (no title in the event), and not the cause (using shutdown isn't giving it a title). You are looking for why your own initiated shutdown didn't have a title, so a more accurate search would have been something like
    shutdown + "No title for this reason could be found"
The fourth hit is the link Salmon Trout gave; the first hit is the MSDN link to reason codes.
Quote:
> The process winlogon.exe has initiated the restart of ACER-311VPBCEH0 for the following reason: No title for this reason could be found.
Of course you'd get a hit to this thread with that query. I doubt anybody else has a machine named ACER-311VPBCEH0.
Quote:
> THE WHOLE PURPOSE OF THIS POST IS BECAUSE I DID NOT KNOW HOW TO TELL IT TO !
INDEED. AS I NOTED BEFORE THAT WAS MY MISTAKE. I DO APOLOGIZE FOR MY CONFUSION. THX.
Quote:
> Plausible but debatable.
The third party defraggers, partition managers, and image restorers all give valid, planned reason codes that correspond to appropriate string resources that can be displayed by event viewer. However, I was more addressing the broad assertion that there should be some tighter coupling between the utilities (in this case, shutdown) and the results they create (shutting down the system, adding events to the event log). Your original post made it seem like you thought the OS was implicitly saying "OMG the computer shut down cuz of malware"; your statement:
Quote:
> When I see the OS not understanding what its own executables have done I wonder if I need a different control argument, and wonder how much longer it can stagger along before it gives nothing but BSODs ! !
seems to say that you think there is (or should be) a tighter coupling between components of Windows and the OS itself; this would, as I noted, mean that the components would need to access undocumented APIs to essentially tell the OS what they've done. shutdown is really just a program. It doesn't use any special code. (And I won't get into any sort of "OMG MS uses a lot of undocumented functions in like Word and IE" argument at CH, I get into it quite enough elsewhere, heh.)
Quote:
> I agree that the document indicates the same as I have already seen with SHUTDOWN /?
It does; to a point. You just can't use U and P at the same time, although the documentation appears to say otherwise.
Quote:
> Salmon has already shown, in his very helpful post, that the correct usage is
I think you can use both p and u at the same time. It worked for me, but I think it might have simply ignored the P (it comes up with the "no title for this event" etc. title). I'm not sure if it is actually taking both into consideration; I think it ignores the P when you specify U.
Quote:
> You should have looked at the end of my first post; you would have seen that I used
I meant it more along the lines of: if you use a user code that doesn't correspond to a title string, such as major code 34 and minor code 5678, then you should use the comment to indicate the nature of the shutdown. Or, you could fix the major/minor codes and set it as a planned shutdown. Basically what I meant was that not having a title isn't that bad. You can always indicate things with the comment, which truly is the only way to add user-defined info to the event item, anyway.
BC_Programmer:
Quote from: Salmon Trout on October 07, 2010, 11:00:01 AM
> That was Alan, not me, that you quoted there.
Sorry, misquoted him there.

ALAN_BR (October 07, 2010, 12:33:28 PM):
I was doing the best I could with limited and inaccurate information in response to SHUTDOWN /?. The help screen told me I could supply code xx less than 256 and yy less than 65536. It said absolutely nothing about needing particular specific codes to result in a title. It never even hinted that a Title might appear as a result of a special code. I Googled to find out how to tell XP the information it needed to know to do its job properly, and finding nothing via that route I came here for some friendly advice ! ! ! !
I am happy to say that due to Salmon's post and his link I was able to achieve perfect results with
    SHUTDOWN -s -t 10 -c "CClean + Shutdown" -d p:2:4
The result is
Quote:
> Event Type: Information
Alan

Quote from: ALAN_BR on October 07, 2010, 12:33:28 PM
> I Googled to find out how to tell XP the information it needed to know to do its job properly,
I cannot resist remarking that no computer system, whether running Windows XP or any other computer software, has the ability to "know" anything, or to do "its job" in any other way than the way that it is instructed to do. I agree with Professor Searle that computer systems cannot have mental contents. http://en.wikipedia.org/wiki/John_Searle
"The question of whether Machines Can Think... is about as relevant as the question of whether Submarines Can Swim." - Edsger Wybe Dijkstra
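As an added example for this thread (not code from the thread, from Windows, or from any poster), here is a small Python model of what the discussion works out: the `/d [p|u:]xx:yy` argument becomes one 32-bit reason code, and the "title" Event Viewer prints is a lookup keyed on that code. The flag bit values are the documented winnt.h constants SHTDN_REASON_FLAG_PLANNED and SHTDN_REASON_FLAG_USER_DEFINED; the title table is transcribed from the "Reasons on this computer" listing in Salmon Trout's post and is, by assumption, the model's only title source (a real machine reads string resources, and the set differs between XP and later versions). Treating every `u:` code as untitled follows BC_Programmer's reading of the thread, not a documented rule.

```python
"""Model of the shutdown.exe /d reason code and its Event Viewer "title".

Added example for this thread; not code from the thread or from Windows.
The (planned|user, major, minor) triple is packed into one 32-bit value:
flag bits 31 and 30, major in bits 16-23, minor in bits 0-15.  The flag
constants are the documented winnt.h values.  Assumption: the TITLES table
below, transcribed from the thread's "Reasons on this computer" listing,
is the only source of titles.
"""
import re

SHTDN_REASON_FLAG_USER_DEFINED = 0x40000000
SHTDN_REASON_FLAG_PLANNED = 0x80000000
NO_TITLE = "No title for this reason could be found"

# (planned, major, minor) -> title, exactly as printed in the thread's table.
TITLES = {
    (False, 0, 0): "Other (Unplanned)",
    (True, 0, 0): "Other (Planned)",
    (False, 0, 5): "Other Failure: System Unresponsive",
    (False, 1, 1): "Hardware: Maintenance (Unplanned)",
    (True, 1, 1): "Hardware: Maintenance (Planned)",
    (False, 1, 2): "Hardware: Installation (Unplanned)",
    (True, 1, 2): "Hardware: Installation (Planned)",
    (False, 2, 2): "Operating System: Recovery (Planned)",
    (True, 2, 2): "Operating System: Recovery (Planned)",
    (True, 2, 3): "Operating System: Upgrade (Planned)",
    (False, 2, 4): "Operating System: Reconfiguration (Unplanned)",
    (True, 2, 4): "Operating System: Reconfiguration (Planned)",
    (True, 2, 16): "Operating System: Service pack (Planned)",
    (False, 2, 17): "Operating System: Hot fix (Unplanned)",
    (True, 2, 17): "Operating System: Hot fix (Planned)",
    (False, 2, 18): "Operating System: Security fix (Unplanned)",
    (True, 2, 18): "Operating System: Security fix (Planned)",
    (False, 4, 1): "Application: Maintenance (Unplanned)",
    (True, 4, 1): "Application: Maintenance (Planned)",
    (True, 4, 2): "Application: Installation (Planned)",
    (False, 4, 5): "Application: Unresponsive",
    (False, 4, 6): "Application: Unstable",
    (False, 5, 15): "System Failure: Stop error",
    (False, 5, 19): "Security issue",
    (True, 5, 19): "Security issue",
    (False, 5, 20): "Loss of network connectivity (Unplanned)",
    (False, 6, 11): "Power Failure: Cord Unplugged",
    (False, 6, 12): "Power Failure: Environment",
    (True, 7, 0): "LEGACY API shutdown",
}

# The syntax shutdown /? documents: [p|u:]xx:yy.  "up:" is rejected here.
_D_ARG = re.compile(r"(?:([pu]):)?(\d+):(\d+)", re.IGNORECASE)


def parse_d_argument(arg):
    """Return (planned, user_defined, major, minor); enforces xx < 256, yy < 65536."""
    m = _D_ARG.fullmatch(arg.strip())
    if not m:
        raise ValueError(f"bad /d argument: {arg!r}")
    flag = (m.group(1) or "").lower()
    major, minor = int(m.group(2)), int(m.group(3))
    if major >= 256 or minor >= 65536:
        raise ValueError(f"reason numbers out of range: {major}:{minor}")
    return flag == "p", flag == "u", major, minor


def pack_reason(planned, user_defined, major, minor):
    """Combine the parts into the 32-bit SHTDN_REASON value."""
    code = (major << 16) | minor
    if planned:
        code |= SHTDN_REASON_FLAG_PLANNED
    if user_defined:
        code |= SHTDN_REASON_FLAG_USER_DEFINED
    return code


def unpack_reason(code):
    """Inverse of pack_reason: (planned, user_defined, major, minor)."""
    return (bool(code & SHTDN_REASON_FLAG_PLANNED),
            bool(code & SHTDN_REASON_FLAG_USER_DEFINED),
            (code >> 16) & 0xFF, code & 0xFFFF)


def title_for(arg):
    """Title Event Viewer would show for a /d argument, or NO_TITLE."""
    planned, user_defined, major, minor = parse_d_argument(arg)
    if user_defined:
        # Modelling assumption from the thread: user-defined codes have no
        # string resource, so they never produce a title.
        return NO_TITLE
    return TITLES.get((planned, major, minor), NO_TITLE)


def event_fields(arg, comment="", shutdown_type="shutdown"):
    """The fields in the form the System log entry in the thread shows them."""
    planned, user_defined, major, minor = parse_d_argument(arg)
    return {
        "Reason Code": f"{pack_reason(planned, user_defined, major, minor):#010x}",
        "Minor Reason": f"{minor:#x}",
        "Shutdown Type": shutdown_type,
        "Comment": comment,
        "Title": title_for(arg),
    }
```

`title_for("u:34:5678")` returns the no-title string and `title_for("p:2:4")` returns "Operating System: Reconfiguration (Planned)", which is the difference between Alan's two commands; the `Minor Reason: 0x162e` in his log is just 5678 in hex. The practitioner caveat the thread already makes in passing is worth keeping in mind when reading these events: the reason code and comment are supplied by whoever called shutdown (locally or via `/m \\computer`), so a tidy "planned" title is a label chosen by the caller, not evidence of who or what initiated the shutdown.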