
Can I ask where to locate these Windows "updates"?



22 hours ago, migs_k said:

I got notified of these updates just 2-3 days ago even though I already have those updates (the current version of my Windows is 20H2).

The one I'm especially suspicious of is the critical update, as I have had that since January.


Where can I locate these "updates"? I want to send them for inspection and get to see what's inside them.

 

Thanks.


Some of them might be located in the "View optional updates" section of the Windows Update settings panel.

In my case it shows Microsoft Silverlight ready to download, but it doesn't appear in Windows Update. Silverlight is obsolete and unnecessary now.

I suspect that ESET pulls info from the Microsoft Catalog website and displays it. If you click "Check for updates" in Windows Update and it shows your device is up to date, then don't worry.

 



I don't know, something definitely suspicious is going on.

I just discovered in my Documents two exported bookmark HTML files whose contents contain selectively private stuff, and I'm not just talking about porn (although it was included).

Also today, I found in my Recycle Bin files I deleted long ago; all of these files were deleted at the same time, 5:08, and their original location is Microsoft/Windows/Recent.


Scratch this.

Quote

Also today, I found in my Recycle Bin files I deleted long ago; all of these files were deleted at the same time, 5:08, and their original location is Microsoft/Windows/Recent.


Can anyone tell me what these are?


Quote

2018-08-12 16:46:34.411, Info      [Environment::Initialize] Start...
2018-08-12 16:46:34.411, Info      [Environment::Initialize] wstrStartDeployTime = 2018-08-12 16:46:34:408
2018-08-12 16:46:34.411, Info      [Environment::Initialize] wstrSystemDrive = C:
2018-08-12 16:46:34.411, Info      [Environment::Initialize] wstrTargetNewOSDrive = C:
2018-08-12 16:46:35.411, Info      [Environment::Initialize] wstrLogPath = C:\$GetCurrent\Logs
2018-08-12 16:46:35.411, Info      [Environment::Initialize] wstrLogFileFullPath = C:\$GetCurrent\Logs\downlevel_2018_08_12_16_46_34_410.log
2018-08-12 16:46:35.411, Info      [Environment::Initialize] wstrTempPath = \$GetCurrent
2018-08-12 16:46:35.411, Info      [Environment::Initialize] wstrTempFolder = C:\$GetCurrent
2018-08-12 16:46:35.411, Info      [Environment::Initialize] wstrTenSTempPath = 
2018-08-12 16:46:35.411, Info      [Environment::Initialize] wstrTenSTempFolder = 
2018-08-12 16:46:35.411, Info      [Environment::Initialize] wstrReportPath = C:\$GetCurrent\downlevel_2018_08_12_16_46_34_410.rpt
2018-08-12 16:46:35.411, Info      [Environment::Initialize] wstrExecutablePath = C:\Windows10Upgrade
2018-08-12 16:46:35.411, Info      [Environment::Initialize] Exe name = Windows10UpgraderApp.exe
2018-08-12 16:46:35.411, Info      [Environment::Initialize] wstrSystemTempFolder = C:\Users\Asus\AppData\Local\Temp
2018-08-12 16:46:35.411, Info      [Environment::Initialize] wstrTempMedia = C:\$GetCurrent\media
2018-08-12 16:46:35.411, Info      [Environment::Initialize] wstrSafeOSFolder = C:\$GetCurrent\SafeOS
2018-08-12 16:46:35.412, Info      [Environment::Initialize] wstrcV = lkmGbIx8e0Cr4ziT.999
2018-08-12 16:46:35.412, Warning   [WMIHelper::GetHardwareId]  CoInitializeSecurity failed, Error = 0x80010119
2018-08-12 16:46:35.536, Info      [WMIHelper::GetRegMachineId]  Open an existing reg key HKLM\SOFTWARE\Microsoft\SQMClient.
2018-08-12 16:46:35.536, Info      [Environment::Initialize]  Machine Id is: {2C9DC76A-19D2-4199-B941-9D98B96BE2E9}
2018-08-12 16:46:35.536, Info      [Environment::Initialize]  Device Id is: 0a62a4c6365927abfa389d453ce1147662fbb673
2018-08-12 16:46:35.536, Info      [OSVersion::Init]  >= 6.2, Use Rtl function to detect OS version ...
2018-08-12 16:46:35.537, Info      [Environment::Initialize] Windows Version: 10.0 (16299),,producttype=1
2018-08-12 16:46:35.537, Info      [Environment::Initialize] wstrPostOobeScriptFilename = C:\$GetCurrent\SafeOS\SetupComplete.cmd
2018-08-12 16:46:35.537, Info      [Environment::Initialize] wstrRollbackScriptFilename = C:\$GetCurrent\SafeOS\Rollback.cmd
2018-08-12 16:46:35.537, Info      [Environment::Initialize] wstrRollbackInformationFilename = C:\$GetCurrent\SafeOS\GetCurrentRollback.ini
2018-08-12 16:46:35.537, Info      [Environment::Initialize] wstrWINRESetupPhaseFilename = C:\$GetCurrent\SafeOS\GetCurrentWinRESetup.ini
2018-08-12 16:46:35.537, Info      [Environment::Initialize] bLADTest = 0
2018-08-12 16:46:35.537, Info      [Environment::Initialize] bIsSetupConfigIniFilePresent = 0
2018-08-12 16:46:35.537, Info      [Environment::Initialize] wstrSetupConfigIniFilePath = C:\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini
2018-08-12 16:46:35.537, Info      [Environment::Initialize]  Init Telemetry system based on WER APIs
2018-08-12 16:46:35.538, Info      [Environment::Initialize] Finished
2018-08-12 16:46:35.538, Warning   [GetCurrent_Initialize] This version doesn't verify signature information
2018-08-12 16:46:35.538, Info      [MinimalRequirementCheck] hr = 0x0, ResultBits = 0x0
2018-08-12 16:46:35.538, Info      [GetCurrent_Initialize]  MinimalRequirement Check succeeded! hr = 0x0 
2018-08-12 16:46:35.538, Info      [GetCurrent_Initialize] Load appraiserxp.dll
2018-08-12 16:46:35.539, Info      [GetCurrent_Initialize]  Load appraiserxp.dll succeeded! hr = 0x0 
2018-08-12 16:46:35.539, Info      [GetCurrent_Initialize] Get IsReady function
2018-08-12 16:46:35.539, Info      [GetCurrent_Initialize]  Get IsReady function succeeded! hr = 0x0 
2018-08-12 16:46:35.539, Info      [GetCurrent_Initialize] pfnIsReady: 0x53c53960
2018-08-12 16:46:35.539, Info      [GetCurrent_Initialize] isPushing: 1
2018-08-12 16:46:35.539, Info      [GetCurrent_Initialize]  Call Compact check IsReady succeeded! hr = 0x0 
2018-08-12 16:46:35.540, Info      [GetCurrent_Initialize]  Compact Check succeeded! isReady = 1 
2018-08-12 16:46:35.548, Info      [GetCurrent_SetPartnerPostOOBEScript]  Create GetCurrent SafeOS Folder succeeded! hr = 0x0 
2018-08-12 16:46:35.551, Info      [GetCurrent_SetPartnerPostOOBEScript]  Copy partner post oobe script succeeded! dwReturn = 0x1 GetLastError = 0x0 
2018-08-12 16:46:35.551, Info      [GetCurrent_SetPartnerID] Partner ID is {E52ABFC2-76BB-4908-883F-CA581FDD83F9}
2018-08-12 16:46:35.551, Info      [GetCurrent_SetPartnerID] Partner Name is VNL
2018-08-12 16:46:35.552, Info      [OSVersion::Init]  >= 6.2, Use Rtl function to detect OS version ...
2018-08-12 16:46:35.552, Warning   [SystemRequirementCheck::IsUpgradeOptionSupported] Upgrade option type (0x600) is not allowed. But we'll continue. We'll fix this late.
2018-08-12 16:46:35.552, Info      [GetCurrent_SetUpgradeOptionType] Upgrade option: 0x600
2018-08-12 16:46:35.552, Info      [GetCurrent_SyncDataEx] Start sync with external...
2018-08-12 16:46:35.552, Info      [GetCurrent_SyncDataEx] Get wstrExternalId = {} from external.
2018-08-12 16:46:35.552, Info      [GetCurrent_SyncDataEx] Get wstrExternalIdDescription = NHV19:<1.4.9200.22532>:<3> from external.
2018-08-12 16:46:35.552, Info      [GetCurrent_SyncDataEx] Set Assistant Show Up time = 2018-08-12 16:32:00:991.
2018-08-12 16:46:35.552, Info      [GetCurrent_SyncDataEx] Set Download Image Duration = 804 seconds.
2018-08-12 16:46:35.553, Info      [GetCurrent_SyncDataEx] Set Restart times during download = 0.
2018-08-12 16:46:35.553, Info      [GetCurrent_SyncDataEx] Set wstrDeviceId = 0a62a4c6365927abfa389d453ce1147662fbb673 to external.
2018-08-12 16:46:35.553, Info      [GetCurrent_SyncDataEx] Set wstrcV = lkmGbIx8e0Cr4ziT.999 to external.
2018-08-12 16:46:35.553, Info      [GetCurrent_SyncDataEx] End sync with external...
2018-08-12 16:46:35.553, Info      [GetCurrent_StartDeploy] Check GetCurrent mutex: dwError = 0x529e766f 
2018-08-12 16:46:35.553, Info      [GetCurrent_StartDeploy] Check Setup360 mutex: dwError = 0x529e766f 
2018-08-12 16:46:35.553, Info      [GetCurrent_StartDeploy] No other GetCurrentDeploy instance, start deploy ... 
2018-08-12 16:46:35.553, Info      [DoXPDeployment]  wstrSetupSourceFolderOrFile = C:\Windows10Upgrade\17134.112.180619-1212.rs4_release_svc_refresh_CLIENTCONSUMER_RET_x64FRE_en-us.esd
2018-08-12 16:46:35.553, Info      [DoXPDeployment]  Create action chain ...
2018-08-12 16:46:35.553, Info      [DoXPDeployment] Windows Version: 10.0 (16299),,1, 768
2018-08-12 16:46:35.553, Info      [DoXPDeployment] Win 7 and plus, use win 10 setup directly
2018-08-12 16:46:35.553, Info      [DoXPDeployment]  Execute action chain
2018-08-12 16:46:35.553, Info      [XPSetupActionQueue::Execute]  Execute action chains of class XPSAQ<class EntryQueueDelegatorForWin7Later> ...
2018-08-12 16:46:35.553, Info      [XPSetupAction::Execute]  Execute action of class XPSA<class EnableWUNoAutoRebootDelegator> ...
2018-08-12 16:46:35.553, Info      [EnableWUNoAutoRebootDelegator::ExecuteAction]  Can't read WU Auto Reboot Policy, error = 0x2
2018-08-12 16:46:35.558, Info      [EnableWUNoAutoRebootDelegator::ExecuteAction]  Disable WU Auto Reboot in policies succeeded! hr = 0x0 
2018-08-12 16:46:35.558, Info      [WinUtil::RunCommand]  Command Line: gpupdate /force
2018-08-12 16:46:35.666, Info      [WinUtil::RunCommand]  Waiting for process 0xbd8
2018-08-12 16:46:58.895, Info      [WinUtil::RunCommand]  process exited as expected.
2018-08-12 16:46:58.895, Info      [WinUtil::RunCommand]  Process returned: 0x0
2018-08-12 16:46:58.895, Info      [EnableWUNoAutoRebootDelegator::ExecuteAction]  Update the Goup Policy forcely succeeded! hr = 0x0 
2018-08-12 16:46:58.906, Info      [XPSetupAction::Execute]  The action is marked to ingore execution error. hr = 0x0
2018-08-12 16:46:58.906, Info      [XPSetupActionQueue::Execute]  Execute action chains of class XPSAQ<class StartWUDelegator> ...
2018-08-12 16:46:58.906, Info      [XPSetupAction::Execute]  Execute action of class XPSA<class StartWUServiceDelegator> ...
2018-08-12 16:46:58.907, Info      [StartWUServiceDelegator::TryStartService]  Open SC Manager succeeded! m_hSCManager = 0x6878300 GetLastError = 0x0 
2018-08-12 16:46:58.908, Info      [StartWUServiceDelegator::TryStartService]  SC Manager Handle: 0x6878300
2018-08-12 16:46:58.908, Info      [StartWUServiceDelegator::TryStartService]  Open Service succeeded! m_hWUService = 0x6878030 GetLastError = 0x0 
2018-08-12 16:46:58.908, Info      [StartWUServiceDelegator::TryStartService]  Service Handle: 0x6878030
2018-08-12 16:46:58.908, Info      [StartWUServiceDelegator::TryStartService]  QUERY_SERVICE_CONFIG size: 256
2018-08-12 16:46:58.908, Info      [StartWUServiceDelegator::TryStartService]  Query service config succeeded! fSuccess = 0x1 GetLastError = 0x0 
2018-08-12 16:46:58.908, Info      [StartWUServiceDelegator::TryStartService]  Start type: 0x3
2018-08-12 16:46:58.908, Info      [StartWUServiceDelegator::TryStartService]  Query service status succeeded! fSuccess = 0x1 GetLastError = 0x0 
2018-08-12 16:46:58.908, Info      [StartWUServiceDelegator::TryStartService]  Current status: 0x1
2018-08-12 16:46:58.910, Info      [StartWUServiceDelegator::TryStartService]  Start service succeeded! fSuccess = 0x1 GetLastError = 0x0 
2018-08-12 16:46:58.910, Info      [XPSetupAction::Execute]  The action is marked to ingore execution error. hr = 0x0
2018-08-12 16:46:58.910, Info      [XPSetupAction::Execute]  Execute action of class XPSA<class ConfigWUPolicyDelegator> ...
2018-08-12 16:46:58.922, Info      [XPSetupAction::Execute]  The action is marked to ingore execution error. hr = 0x0
2018-08-12 16:46:58.923, Info      [XPSetupAction::Execute]  Execute action of class XPSA<class DecryptEsdFileDelegator> ...
2018-08-12 16:46:59.244, Info      [DecryptEsdFileDelegator::ExecuteAction]  Create temporary folder: C:\$GetCurrent\media
2018-08-12 16:46:59.245, Info      [DecryptEsdFileDelegator::ExecuteAction]  Create temporary folder succeeded! hr = 0x0 
2018-08-12 16:46:59.245, Info      [DecryptEsdFileDelegator::ExecuteAction]  Invoke function : RestoreESDLayout()...
2018-08-12 16:47:00.318, Warning   [EsdDecryptCallbackFunc]  Progress Flag File is not set, set is as default [progress.ini]
2018-08-12 17:12:59.710, Info      [XPSetupAction::Execute]  Execute action of class XPSA<class DeleteSourceSetupDelegator> ...
2018-08-12 17:13:04.726, Info      [DeleteSourceSetupDelegator::ExecuteAction]  Target architecture : amd64
2018-08-12 17:13:04.726, Info      [DeleteSourceSetupDelegator::ExecuteAction] bIsDataOnlyMigration : 0 bTargetArchIsAmd64 : 1 bCurrentArchIsAmd64 : 1
2018-08-12 17:13:04.726, Info      [DeleteSourceSetupDelegator::ExecuteAction]  Delete legacy setup binary to force setup360 run : C:\$GetCurrent\media\sources\setup.exe
2018-08-12 17:13:04.727, Info      [DeleteSourceSetupDelegator::ExecuteAction]  Delete legacy setup binary succeeded! hr = 0x0 
2018-08-12 17:13:04.727, Info      [XPSetupActionQueue::Execute]  Execute action chains of class XPSAQ<class RollbackPrepDelegator> ...
2018-08-12 17:13:04.727, Info      [XPSetupAction::Execute]  Execute action of class XPSA<class SaveRollbackInformationDelegator> ...
2018-08-12 17:13:04.727, Info      [SaveRollbackInformationDelegator::ExecuteAction]  Ensure SafeOS folder: C:\$GetCurrent\SafeOS
2018-08-12 17:13:04.727, Info      [SaveRollbackInformationDelegator::ExecuteAction]  Create SafeOS folder succeeded! hr = 0x0 
2018-08-12 17:13:07.807, Info      [XPSetupAction::Execute]  Execute action of class XPSA<class DeployGetCurrentOOBEDelegator> ...
2018-08-12 17:13:10.595, Info      [CopyFileDelegator::ExecuteAction]  Copy file: C:\Windows10Upgrade\GetCurrentOOBE.dll -> C:\$GetCurrent\SafeOS\GetCurrentOOBE.dll 
2018-08-12 17:13:24.998, Info      [CopyFileDelegator::ExecuteAction]  CopyFileDelegator::ExecuteAction succeeded! fSuccess = 0x1 GetLastError = 0x0 
2018-08-12 17:13:24.998, Info      [XPSetupAction::Execute]  Execute action of class XPSA<class CreatePreOobeScriptDelegator> ...
2018-08-12 17:13:24.998, Info      [CreatePreOobeScriptDelegator::ExecuteAction]  Output filename: C:\$GetCurrent\SafeOS\preoobe.cmd
2018-08-12 17:13:31.054, Info      [CreatePreOobeScriptDelegator::ExecuteAction]  Open preoobe.cmd succeeded! fout = 0x1 
2018-08-12 17:13:33.556, Info      [XPSetupAction::Execute]  Execute action of class XPSA<class CreatePostOobeScriptDelegator> ...
2018-08-12 17:13:33.556, Info      [CreatePostOobeScriptDelegator::ExecuteAction]  Output filename: C:\$GetCurrent\SafeOS\SetupComplete.cmd
2018-08-12 17:13:33.557, Info      [CreatePostOobeScriptDelegator::ExecuteAction]  Open SetupComplete.cmd succeeded! fout = 0x1 
2018-08-12 17:13:33.562, Info      [XPSetupAction::Execute]  Execute action of class XPSA<class ConfigRollbackRunDelegator> ...
2018-08-12 17:13:37.028, Info      [ConfigRollbackRunDelegator::ExecuteAction]  Open an existing reg key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce.
2018-08-12 17:13:37.028, Info      [ConfigRollbackRunDelegator::ExecuteAction]  Update Registry Value, Path=SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, !GetCurrentRollback="C:\Windows10Upgrade\GetCurrentRollback.exe" "progress.ini" "C:" "NHV19:<1.4.9200.22532>:<3>"
2018-08-12 17:13:37.028, Info      [ConfigRollbackRunDelegator::ExecuteAction]  Update Registry Value succeeded! hr = 0x0 
2018-08-12 17:13:37.028, Info      [XPSetupAction::Execute]  The action is marked to ingore execution error. hr = 0x0
2018-08-12 17:13:37.028, Info      [XPSetupAction::Execute]  Execute action of class XPSA<class RunSetupForWin7LaterDelegator> ...
2018-08-12 17:13:37.028, Info      [GenerateClientId]  >= 6.2, Use Rtl function to detect OS version ...
2018-08-12 17:13:37.028, Warning   [WinUtil::IsPrivacySettingsComplete] WUA: Failed to check if Privacy Settings complete. Assuming incomplete. Error: [0x80070002]
2018-08-12 17:13:37.029, Info      [WinUtil::IsPrivacySettingsComplete] WUA: IsPrivacySettingsComplete: [FALSE]
2018-08-12 17:13:37.029, Info      [WinUtil::IsDeviceManaged] WUA: EditionID Value [CoreSingleLanguage]
2018-08-12 17:13:37.029, Info      [WinUtil::IsDeviceManaged] WUA bIsDeviceManaged from EditionId: [FALSE]
2018-08-12 17:13:37.029, Info      [WinUtil::IsDeviceManaged] WUA: Could not get NV Domain. [0x80070002]
2018-08-12 17:13:37.029, Info      [WinUtil::IsDeviceManaged] WUA: bIsDeviceManaged from NV Domain: [FALSE]
2018-08-12 17:13:37.029, Info      [WinUtil::IsDeviceManaged] WUA: Could not get ProductCode. [0x80070002]
2018-08-12 17:13:37.029, Info      [WinUtil::IsDeviceManaged] WUA: bIsDeviceManaged from ProductCode: [FALSE]
2018-08-12 17:13:37.029, Info      [WinUtil::IsDeviceManaged] WUA: Could not get UseWUServer value. [0x80070002]
2018-08-12 17:13:37.029, Info      [WinUtil::IsDeviceManaged] WUA: bIsDeviceManaged from UseWUServer: [FALSE]
2018-08-12 17:13:37.029, Info      [WinUtil::IsDeviceManaged] WUA: Could not get ShowPrivacySettingsUI value. [0x80070002]
2018-08-12 17:13:37.029, Info      [WinUtil::IsDeviceManaged] WUA: bIsDeviceManaged from ShowPrivacySettingsUI: [FALSE]
2018-08-12 17:13:37.029, Info      [RunSetupForWin7LaterDelegator::ExecuteAction]  Command Line: C:\$GetCurrent\media\setup.exe /migchoice upgrade /showoobe none /quiet /Compat IgnoreWarning /eula accept /noreboot /postoobe C:\$GetCurrent\SafeOS\SetupComplete.cmd /CorrelationVector lkmGbIx8e0Cr4ziT.999 /ClientId Win10UA:VNL:NHV19:<1.4.9200.22532>:<3>:{}:[10.0.16299]:[2] /DynamicUpdate Enable /telemetry enable /UpdateMedia Decline /SkipSummary
2018-08-12 17:13:37.029, Info      [WinUtil::RunCommand]  Command Line: C:\$GetCurrent\media\setup.exe /migchoice upgrade /showoobe none /quiet /Compat IgnoreWarning /eula accept /noreboot /postoobe C:\$GetCurrent\SafeOS\SetupComplete.cmd /CorrelationVector lkmGbIx8e0Cr4ziT.999 /ClientId Win10UA:VNL:NHV19:<1.4.9200.22532>:<3>:{}:[10.0.16299]:[2] /DynamicUpdate Enable /telemetry enable /UpdateMedia Decline /SkipSummary
2018-08-12 17:14:12.877, Info      [WinUtil::RunCommand]  Waiting for process 0x1794
2018-08-12 23:46:16.129, Info      [WinUtil::RunCommand]  process exited as expected.
2018-08-12 23:46:16.228, Info      [WinUtil::RunCommand]  Process returned: 0x0
2018-08-12 23:46:16.229, Info      [RunSetupForWin7LaterDelegator::ExecuteAction]  Run Setup.exe succeeded! hr = 0x0 
2018-08-12 23:46:16.240, Info      [RunSetupForWin7LaterDelegator::ExecuteAction]  Setup execution result succeeded! (HRESULT)dwExitCode = 0x0 
2018-08-12 23:46:16.478, Info      [XPSetupActionQueue::Execute]  Execute action chains of class XPSAQ<class EnvScanDelegator> ...
2018-08-12 23:46:16.493, Info      [XPSetupAction::Execute]  Execute action of class XPSA<class RunOnceCheckDelegator> ...
2018-08-12 23:46:16.722, Info      [RunOnceCheckDelegator::ExecuteAction] The Rollback Runonce is already set properly
2018-08-12 23:46:16.722, Info      [XPSetupAction::Execute]  The action is marked to ingore execution error. hr = 0x0
2018-08-12 23:46:16.722, Info      [XPSetupAction::Execute]  Execute action of class XPSA<class UpdateEnvScanTelemetryDelegator> ...
2018-08-12 23:46:16.953, Info      [XPSetupAction::Execute]  The action is marked to ingore execution error. hr = 0x0
2018-08-12 23:46:16.953, Info      [DoXPDeployment]  Destroy action chain
2018-08-12 23:46:16.953, Info      [XPSetupActionQueue::DisassemblyChildActions]  Disassembly child actions of class XPSAQ<class EntryQueueDelegatorForWin7Later> ...
2018-08-12 23:46:16.953, Info      [XPSetupActionQueue::DisassemblyChildActions]  Destroy action of class XPSAQ<class EnvScanDelegator> ...
2018-08-12 23:46:16.953, Info      [XPSetupActionQueue::DisassemblyChildActions]  Disassembly child actions of class XPSAQ<class EnvScanDelegator> ...
2018-08-12 23:46:16.953, Info      [XPSetupActionQueue::DisassemblyChildActions]  Destroy action of class XPSA<class UpdateEnvScanTelemetryDelegator> ...
2018-08-12 23:46:16.998, Info      [XPSetupActionQueue::DisassemblyChildActions]  Destroy action of class XPSA<class RunOnceCheckDelegator> ...
2018-08-12 23:46:16.998, Info      [XPSetupActionQueue::DisassemblyChildActions]  Destroy action of class XPSA<class RunSetupForWin7LaterDelegator> ...
2018-08-12 23:46:16.998, Info      [XPSetupActionQueue::DisassemblyChildActions]  Destroy action of class XPSAQ<class RollbackPrepDelegator> ...
2018-08-12 23:46:16.998, Info      [XPSetupActionQueue::DisassemblyChildActions]  Disassembly child actions of class XPSAQ<class RollbackPrepDelegator> ...
2018-08-12 23:46:17.034, Info      [XPSetupActionQueue::DisassemblyChildActions]  Destroy action of class XPSA<class ConfigRollbackRunDelegator> ...
2018-08-12 23:46:17.034, Info      [XPSetupActionQueue::DisassemblyChildActions]  Destroy action of class XPSA<class CreatePostOobeScriptDelegator> ...
2018-08-12 23:46:17.034, Info      [XPSetupActionQueue::DisassemblyChildActions]  Destroy action of class XPSA<class CreatePreOobeScriptDelegator> ...
2018-08-12 23:46:17.034, Info      [XPSetupActionQueue::DisassemblyChildActions]  Destroy action of class XPSA<class DeployGetCurrentOOBEDelegator> ...
2018-08-12 23:46:17.034, Info      [XPSetupActionQueue::DisassemblyChildActions]  Destroy action of class XPSA<class SaveRollbackInformationDelegator> ...
2018-08-12 23:46:17.034, Info      [XPSetupActionQueue::DisassemblyChildActions]  Destroy action of class XPSA<class DeleteSourceSetupDelegator> ...
2018-08-12 23:46:17.034, Info      [XPSetupActionQueue::DisassemblyChildActions]  Destroy action of class XPSA<class DecryptEsdFileDelegator> ...
2018-08-12 23:46:17.034, Info      [XPSetupActionQueue::DisassemblyChildActions]  Destroy action of class XPSAQ<class StartWUDelegator> ...
2018-08-12 23:46:17.034, Info      [XPSetupActionQueue::DisassemblyChildActions]  Disassembly child actions of class XPSAQ<class StartWUDelegator> ...
2018-08-12 23:46:17.034, Info      [XPSetupActionQueue::DisassemblyChildActions]  Destroy action of class XPSA<class ConfigWUPolicyDelegator> ...
2018-08-12 23:46:17.034, Info      [XPSetupActionQueue::DisassemblyChildActions]  Destroy action of class XPSA<class StartWUServiceDelegator> ...
2018-08-12 23:46:17.551, Info      [XPSetupActionQueue::DisassemblyChildActions]  Destroy action of class XPSA<class EnableWUNoAutoRebootDelegator> ...
2018-08-12 23:46:17.552, Info      [EnableWUNoAutoRebootDelegator::~EnableWUNoAutoRebootDelegator] Restore WU No Auto Reboot setting HRESULT = 0x0
2018-08-12 23:46:17.552, Info      [DoXPDeployment]  Finished hr = 0x0
2018-08-12 23:46:17.553, Info      [TelemetryUpgrade::CanSendTelemetry]  Telemetry allowed on Win10 and above.
 

 


There's also an unknown user S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681

in HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WdNisDrv

and HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc

I'm the only user on this device.

WdNisDrv also stops running from time to time.

4 hours ago, migs_k said:

Can anyone tell me what these are?

Win 10 version upgrade logs.

3 hours ago, migs_k said:

There's also an unknown user S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681

in HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WdNisDrv

and HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc

I'm the only user on this device.

Every Win 10 installation has the same unknown user.

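An added example (not code from this thread or from ESET) that decodes the SID quoted above into its structural parts. It shows why the registry permissions dialog lists it as an unknown account: identifier authority 15 with first sub-authority 3 is an app capability SID, which names a capability rather than a user or group, so there is no account name to resolve. The well-known RID table is a small hand-picked subset, and the AppContainer and account SIDs used for contrast are constructed.

```python
"""Classify a Windows SID string by its identifier authority and sub-authorities.

Added example.  The string form S-<revision>-<authority>-<sub-authorities> is the
standard Windows layout; S-1-15-3-1024 followed by eight 32-bit words is the form
used for capabilities identified by a hash of their name rather than a fixed RID.
"""
from typing import List, Tuple

# SID quoted in the post above (the WdNisDrv / WdNisSvc service keys).
UNKNOWN_SID = ("S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-"
               "432734479-3232135806-4053264122-3456934681")

WELL_KNOWN = {            # a few fixed NT-authority RIDs, for contrast only
    (5, (18,)): "LocalSystem",
    (5, (19,)): "LocalService",
    (5, (20,)): "NetworkService",
}


def parse_sid(sid: str) -> Tuple[int, int, List[int]]:
    """Return (revision, identifier authority, sub-authorities); raise on garbage."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"not a SID string: {sid!r}")
    revision, authority, *subs = (int(p) for p in parts[1:])
    # Revision is always 1; at most 15 sub-authorities, each a 32-bit value.
    if revision != 1 or len(subs) > 15 or any(s > 0xFFFFFFFF for s in subs):
        raise ValueError(f"malformed SID: {sid!r}")
    return revision, authority, subs


def classify_sid(sid: str) -> str:
    """Human-readable class of the SID; the ones that matter here are authority 15."""
    _, authority, subs = parse_sid(sid)
    if authority == 1 and subs == [0]:
        return "well-known: Everyone"
    if authority == 5:                               # NT authority
        if subs[:1] == [21]:
            return "user or group account (domain or local machine SID)"
        return "well-known: " + WELL_KNOWN.get((5, tuple(subs)), "other NT authority SID")
    if authority == 15:                              # app package authority
        if subs[:1] == [2]:
            return "app package (AppContainer) SID"
        if subs[:1] == [3]:
            if subs[1:2] == [1024] and len(subs) == 10:
                return "app capability SID (hashed capability name, no account to resolve)"
            return "app capability SID (no account to resolve)"
    return "other"


if __name__ == "__main__":
    rev, auth, subs = parse_sid(UNKNOWN_SID)
    print(f"revision={rev} authority={auth} sub-authorities={subs}")
    print(classify_sid(UNKNOWN_SID))
```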

Open an admin level command prompt window and enter:

netstat -anob

This will give you a better idea of what your current network connection status is.

I have no clue why the above ESET network connections are showing what they are. It is normal to see two network connections for a process on the same port when both IPv4 and IPv6 are enabled. However, the IP addresses in the listening state should be 0.0.0.0 and ::. Also suspect is that all ports are shown except for the svchost.exe port 135 entry.

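An added example (not code from this thread or from ESET) that triages a saved `netstat -anob` listing the way the reply above suggests: it groups each socket with its owning process, flags LISTENING sockets bound to a specific interface address instead of 0.0.0.0 / ::, and lists the remote peers each process talks to. SAMPLE is a constructed excerpt in the same layout as the output posted in this thread.

```python
"""Parse and triage ``netstat -anob`` output (Windows).  Added example.

netstat -anob prints one socket line, then one or two indented lines naming the
hosted service and/or the executable, or a notice when it cannot attribute the
socket (typical for PID 4 / System when not run elevated).
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample in the same layout as the listing posted in the thread.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1204
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
 Can not obtain ownership information
  TCP    10.102.37.150:139      0.0.0.0:0              LISTENING       4
 Can not obtain ownership information
  TCP    10.102.37.150:2147     82.202.185.211:443     ESTABLISHED     5236
 [ksde.exe]
  TCP    127.0.0.1:6463         0.0.0.0:0              LISTENING       9576
 [Discord.exe]
  TCP    [::]:135               [::]:0                 LISTENING       1204
  RpcSs
 [svchost.exe]
  UDP    0.0.0.0:5353           *:*                                    8304
 [brave.exe]
"""

WILDCARDS = {"0.0.0.0", "::", "*"}
LOOPBACKS = {"127.0.0.1", "::1"}


@dataclass
class Socket:
    proto: str
    local_host: str
    local_port: Optional[int]
    foreign_host: str
    foreign_port: Optional[int]
    state: str                     # empty for UDP, which has no state column
    pid: int
    exe: Optional[str] = None      # from the "[name.exe]" line
    service: Optional[str] = None  # bare service name printed for svchost hosts
    owner_known: bool = True       # False when netstat prints the ownership notice


def _split_addr(addr: str) -> Tuple[str, Optional[int]]:
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)   # "[::]:135"


def parse_netstat(text: str) -> List[Socket]:
    sockets: List[Socket] = []
    for raw in text.splitlines():
        line = raw.strip()
        tokens = line.split()
        if len(tokens) >= 4 and tokens[0] in ("TCP", "UDP") and tokens[-1].isdigit():
            lh, lp = _split_addr(tokens[1])
            fh, fp = _split_addr(tokens[2])
            state = tokens[3] if len(tokens) == 5 else ""
            sockets.append(Socket(tokens[0], lh, lp, fh, fp, state, int(tokens[-1])))
        elif sockets and line:                 # continuation line for the last socket
            cur = sockets[-1]
            if line.startswith("[") and line.endswith("]"):
                cur.exe = line[1:-1]
            elif line.startswith("Can not obtain ownership"):
                cur.owner_known = False
            else:
                cur.service = line
    return sockets


def owner_label(s: Socket) -> str:
    if s.exe:
        return f"{s.exe} ({s.service})" if s.service else s.exe
    return f"PID {s.pid} (owner unknown)"


def interface_bound_listeners(sockets: List[Socket]) -> List[Socket]:
    """LISTENING sockets bound to one specific, non-loopback address; the reply
    above expects listeners on the wildcard addresses 0.0.0.0 and :: instead."""
    return [s for s in sockets
            if s.state == "LISTENING" and s.local_host not in WILDCARDS | LOOPBACKS]


def remote_endpoints_by_process(sockets: List[Socket]) -> Dict[str, Set[Tuple[str, int]]]:
    """Remote, non-loopback peers per process: the view to compare against what
    each program should legitimately be talking to."""
    peers: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)
    for s in sockets:
        if s.foreign_host not in WILDCARDS | LOOPBACKS and s.foreign_port:
            peers[owner_label(s)].add((s.foreign_host, s.foreign_port))
    return dict(peers)


def unattributed_pids(sockets: List[Socket]) -> List[int]:
    """PIDs netstat could not attribute; re-run from an elevated prompt, then
    resolve what remains with ``tasklist /svc``."""
    return sorted({s.pid for s in sockets if not s.owner_known})


if __name__ == "__main__":
    socks = parse_netstat(SAMPLE)
    for s in interface_bound_listeners(socks):
        print(f"review: {s.proto} {s.local_host}:{s.local_port} listening, {owner_label(s)}")
    for owner, peers in sorted(remote_endpoints_by_process(socks).items()):
        print(f"{owner}: " + ", ".join(f"{h}:{p}" for h, p in sorted(peers)))
    print("unattributed PIDs:", unattributed_pids(socks))
```

Save the real listing to a file (`netstat -anob > netstat.txt` from an elevated prompt) and pass its contents to `parse_netstat` in place of SAMPLE.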
Quote

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1204
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
 Can not obtain ownership information
  TCP    0.0.0.0:1536           0.0.0.0:0              LISTENING       704
 [System]
  TCP    0.0.0.0:1537           0.0.0.0:0              LISTENING       900
 Can not obtain ownership information
  TCP    0.0.0.0:1538           0.0.0.0:0              LISTENING       1756
  EventLog
 [svchost.exe]
  TCP    0.0.0.0:1539           0.0.0.0:0              LISTENING       1608
  Schedule
 [svchost.exe]
  TCP    0.0.0.0:1540           0.0.0.0:0              LISTENING       300
 Can not obtain ownership information
  TCP    0.0.0.0:5040           0.0.0.0:0              LISTENING       2288
  CDPSvc
 [svchost.exe]
  TCP    10.102.37.150:139      0.0.0.0:0              LISTENING       4
 Can not obtain ownership information
  TCP    10.102.37.150:2142     82.202.185.211:443     ESTABLISHED     7960
 Can not obtain ownership information
  TCP    10.102.37.150:2147     82.202.185.211:443     ESTABLISHED     5236
 [ksde.exe]
  TCP    10.102.37.150:2982     162.159.130.234:443    ESTABLISHED     8792
 [Discord.exe]
  TCP    10.102.37.150:3144     172.217.194.18:443     ESTABLISHED     8304
 [brave.exe]
  TCP    10.102.37.150:3203     180.87.4.152:443       CLOSE_WAIT      7960
 Can not obtain ownership information
  TCP    10.102.37.150:3207     104.18.27.211:443      ESTABLISHED     8304
 [brave.exe]
  TCP    10.102.37.150:3211     172.67.69.162:443      ESTABLISHED     8304
 [brave.exe]
  TCP    127.0.0.1:1044         127.0.0.1:1045         ESTABLISHED     5236
 [ksde.exe]
  TCP    127.0.0.1:1045         127.0.0.1:1044         ESTABLISHED     5236
 [ksde.exe]
  TCP    127.0.0.1:1063         127.0.0.1:1064         ESTABLISHED     5236
 [ksde.exe]
  TCP    127.0.0.1:1064         127.0.0.1:1063         ESTABLISHED     5236
 [ksde.exe]
  TCP    127.0.0.1:1065         127.0.0.1:1066         ESTABLISHED     5236
 [ksde.exe]
  TCP    127.0.0.1:1066         127.0.0.1:1065         ESTABLISHED     5236
 [ksde.exe]
  TCP    127.0.0.1:1067         127.0.0.1:1068         ESTABLISHED     5236
 [ksde.exe]
  TCP    127.0.0.1:1068         127.0.0.1:1067         ESTABLISHED     5236
 [ksde.exe]
  TCP    127.0.0.1:1069         127.0.0.1:1070         ESTABLISHED     5236
 [ksde.exe]
  TCP    127.0.0.1:1070         127.0.0.1:1069         ESTABLISHED     5236
 [ksde.exe]
  TCP    127.0.0.1:1071         127.0.0.1:1072         ESTABLISHED     5236
 [ksde.exe]
  TCP    127.0.0.1:1072         127.0.0.1:1071         ESTABLISHED     5236
 [ksde.exe]
  TCP    127.0.0.1:1146         0.0.0.0:0              LISTENING       12056
 [NVIDIA Web Helper.exe]
  TCP    127.0.0.1:2140         127.0.0.1:2141         ESTABLISHED     7960
 Can not obtain ownership information
  TCP    127.0.0.1:2141         127.0.0.1:2140         ESTABLISHED     7960
 Can not obtain ownership information
  TCP    127.0.0.1:2145         127.0.0.1:2146         ESTABLISHED     5236
 [ksde.exe]
  TCP    127.0.0.1:2146         127.0.0.1:2145         ESTABLISHED     5236
 [ksde.exe]
  TCP    127.0.0.1:3128         0.0.0.0:0              LISTENING       11104
 [System]
  TCP    127.0.0.1:3128         127.0.0.1:3129         ESTABLISHED     11104
 [System]
  TCP    127.0.0.1:3129         127.0.0.1:3128         ESTABLISHED     11104
 [System]
  TCP    127.0.0.1:3839         127.0.0.1:3840         ESTABLISHED     7960
 Can not obtain ownership information
  TCP    127.0.0.1:3840         127.0.0.1:3839         ESTABLISHED     7960
 Can not obtain ownership information
  TCP    127.0.0.1:3843         0.0.0.0:0              LISTENING       7960
 Can not obtain ownership information
  TCP    127.0.0.1:3847         127.0.0.1:3848         ESTABLISHED     7960
 Can not obtain ownership information
  TCP    127.0.0.1:3848         127.0.0.1:3847         ESTABLISHED     7960
 Can not obtain ownership information
  TCP    127.0.0.1:3849         127.0.0.1:3850         ESTABLISHED     7960
 Can not obtain ownership information
  TCP    127.0.0.1:3850         127.0.0.1:3849         ESTABLISHED     7960
 Can not obtain ownership information
  TCP    127.0.0.1:6463         0.0.0.0:0              LISTENING       9576
 [Discord.exe]
  TCP    127.0.0.1:43227        0.0.0.0:0              LISTENING       2028
 Can not obtain ownership information
  TCP    192.168.176.123:1073   193.56.255.62:443      ESTABLISHED     5236
 [ksde.exe]
  TCP    192.168.176.123:1074   193.56.255.62:443      ESTABLISHED     5236
 [ksde.exe]
  TCP    192.168.176.123:1075   193.56.255.62:443      ESTABLISHED     5236
 [ksde.exe]
  TCP    192.168.176.123:1076   193.56.255.62:443      ESTABLISHED     5236
 [ksde.exe]
  TCP    192.168.176.123:1077   193.56.255.62:443      ESTABLISHED     5236
 [ksde.exe]
  TCP    192.168.176.123:1078   193.56.255.62:443      ESTABLISHED     5236
 [ksde.exe]
  TCP    192.168.176.123:1079   193.56.255.62:443      ESTABLISHED     5236
 [ksde.exe]
  TCP    192.168.176.123:1080   193.56.255.62:443      ESTABLISHED     5236
 [ksde.exe]
  TCP    192.168.176.123:1081   193.56.255.62:443      ESTABLISHED     5236
 [ksde.exe]
  TCP    192.168.176.123:1082   193.56.255.62:443      ESTABLISHED     5236
 [ksde.exe]
  TCP    [::]:135               [::]:0                 LISTENING       1204
  RpcSs
 [svchost.exe]
  TCP    [::]:445               [::]:0                 LISTENING       4
 Can not obtain ownership information
  TCP    [::]:1536              [::]:0                 LISTENING       704
 [System]
  TCP    [::]:1537              [::]:0                 LISTENING       900
 Can not obtain ownership information
  TCP    [::]:1538              [::]:0                 LISTENING       1756
  EventLog
 [svchost.exe]
  TCP    [::]:1539              [::]:0                 LISTENING       1608
  Schedule
 [svchost.exe]
  TCP    [::]:1540              [::]:0                 LISTENING       300
 Can not obtain ownership information
  UDP    0.0.0.0:67             *:*                                    7960
 Can not obtain ownership information
  UDP    0.0.0.0:500            *:*                                    3572
  IKEEXT
 [svchost.exe]
  UDP    0.0.0.0:1900           *:*                                    7960
 Can not obtain ownership information
  UDP    0.0.0.0:4500           *:*                                    3572
  IKEEXT
 [svchost.exe]
  UDP    0.0.0.0:5050           *:*                                    2288
  CDPSvc
 [svchost.exe]
  UDP    0.0.0.0:5353           *:*                                    6740
 [brave.exe]
  UDP    0.0.0.0:5353           *:*                                    8304
 [brave.exe]
  UDP    0.0.0.0:5353           *:*                                    8304
 [brave.exe]
  UDP    0.0.0.0:5353           *:*                                    8304
 [brave.exe]
  UDP    0.0.0.0:5353           *:*                                    6740
 [brave.exe]
  UDP    0.0.0.0:5353           *:*                                    8304
 [brave.exe]
  UDP    0.0.0.0:5353           *:*                                    2408
  Dnscache
 [svchost.exe]
  UDP    0.0.0.0:5353           *:*                                    8304
 [brave.exe]
  UDP    0.0.0.0:5353           *:*                                    8304
 [brave.exe]
  UDP    0.0.0.0:5353           *:*                                    6740
 [brave.exe]
  UDP    0.0.0.0:5353           *:*                                    6740
 [brave.exe]
  UDP    0.0.0.0:5353           *:*                                    7960
 Can not obtain ownership information
  UDP    0.0.0.0:5353           *:*                                    8304
 [brave.exe]
  UDP    0.0.0.0:5353           *:*                                    8304
 [brave.exe]
  UDP    0.0.0.0:5355           *:*                                    2408
  Dnscache
 [svchost.exe]
  UDP    0.0.0.0:53709          *:*                                    2060
 Can not obtain ownership information
  UDP    0.0.0.0:58096          *:*                                    2060
 Can not obtain ownership information
  UDP    0.0.0.0:58307          *:*                                    2060
 Can not obtain ownership information
  UDP    0.0.0.0:63933          *:*                                    7960
 Can not obtain ownership information
  UDP    10.102.37.150:137      *:*                                    4
 Can not obtain ownership information
  UDP    10.102.37.150:138      *:*                                    4
 Can not obtain ownership information
  UDP    10.102.37.150:2177     *:*                                    7236
  QWAVE
 [svchost.exe]
  UDP    127.0.0.1:10010        *:*                                    12056
 [NVIDIA Web Helper.exe]
  UDP    127.0.0.1:50747        *:*                                    7960
 Can not obtain ownership information
  UDP    127.0.0.1:51235        *:*                                    7148
 [nvcontainer.exe]
  UDP    127.0.0.1:52983        *:*                                    2060
 Can not obtain ownership information
  UDP    127.0.0.1:61333        *:*                                    4212
  iphlpsvc
 [svchost.exe]
  UDP    127.0.0.1:63923        *:*                                    7960
 Can not obtain ownership information
  UDP    127.0.0.1:63924        *:*                                    7960
 Can not obtain ownership information
  UDP    192.168.176.123:1900   *:*                                    7960
 Can not obtain ownership information
  UDP    192.168.176.123:2177   *:*                                    7236
  QWAVE
 [svchost.exe]
  UDP    192.168.176.123:5353   *:*                                    7960
 Can not obtain ownership information
  UDP    192.168.176.123:51495  *:*                                    7960
 Can not obtain ownership information
  UDP    192.168.176.123:51496  *:*                                    7960
 Can not obtain ownership information
  UDP    [::]:500               *:*                                    3572
  IKEEXT
 [svchost.exe]
  UDP    [::]:4500              *:*                                    3572
  IKEEXT
 [svchost.exe]
  UDP    [::]:5353              *:*                                    8304
 [brave.exe]
  UDP    [::]:5353              *:*                                    2408
  Dnscache
 [svchost.exe]
  UDP    [::]:5353              *:*                                    6740
 [brave.exe]
  UDP    [::]:5353              *:*                                    8304
 [brave.exe]
  UDP    [::]:5353              *:*                                    8304
 [brave.exe]
  UDP    [::]:5353              *:*                                    6740
 [brave.exe]
  UDP    [::]:5353              *:*                                    8304
 [brave.exe]
  UDP    [::]:5355              *:*                                    2408
  Dnscache
 [svchost.exe]
  UDP    [fe80::2016:5d80:4c51:aa93%6]:2177  *:*                                    7236
  QWAVE
 [svchost.exe]
  UDP    [fe80::6993:e4bb:5af1:f881%12]:2177  *:*                                    7236
  QWAVE
 [svchost.exe]

 

 

I've added 127.0.0.1 0x1f4b0.com to hosts and it returned back to 0.0.0.0, but this still shows in Eset:


What are supposed to be the default connections/ports of these things?

Should I block ports 15xx?

 

Are my system services hijacked?


Refer to the netstat output you posted.

Note all the ksde.exe references, especially in regard to the IPv4 localhost connection. Ksde.exe is either Kaspersky Anti-virus: https://www.file.net/process/ksde.exe.html , or Kaspersky VPN Secure Connection software. For the present, I assume it is the latter.

I assume all the weird Eset network connection display of IPv4 addresses is due to the use of Kaspersky VPN Secure Connection operation. Note that this VPN feature is usually implemented as part of a Kaspersky security software installation. The Kaspersky web site however notes it can be installed stand-alone. You will have to research if a stand-alone installation of it is compatible with Eset Internet Security. Since you're not complaining about Internet connectivity issues, it appears there are none; at least from an operational aspect.

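The netstat output pasted above is the `netstat -abno` layout: a socket line, then an owner block that is either an image name in brackets, a hosted service name followed by `[svchost.exe]`, or "Can not obtain ownership information". The following is an added example, not code from this thread or from Eset or Kaspersky: a small parser for that layout, run on a constructed sample in the same shape, that groups sockets by owning process and separates loopback-bound sockets (reachable only by processes on the same machine) from sockets bound to every interface. Process names and PIDs in the sample are made up for illustration.

```python
"""Parse the Windows `netstat -abno` layout into per-process summaries.

Added example, not code from the thread. The sample below is constructed in
the layout netstat prints (names and PIDs are illustrative, not real data).
"""
import re
from collections import defaultdict
from dataclasses import dataclass

SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  RpcSs
 [svchost.exe]
  TCP    127.0.0.1:1537         127.0.0.1:49712        ESTABLISHED     3048
 [ksde.exe]
  TCP    [::]:1538              [::]:0                 LISTENING       1756
  EventLog
 [svchost.exe]
  UDP    0.0.0.0:5353           *:*                                    6740
 [brave.exe]
  UDP    0.0.0.0:67             *:*                                    7960
 Can not obtain ownership information
"""

# proto, local endpoint, foreign endpoint, optional state (TCP only), pid
SOCKET_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


@dataclass
class Socket:
    proto: str
    local_ip: str
    local_port: int
    state: str
    pid: int
    image: str = "?"      # owning executable, if netstat could determine it
    service: str = ""     # hosted service name (svchost.exe hosts several)


def split_endpoint(endpoint):
    """'[::]:1538' -> ('::', 1538); '*:*' -> ('*', 0)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port) if port.isdigit() else 0


def parse_netstat(text):
    sockets = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SOCKET_RE.match(raw)
        if m:
            proto, local, _foreign, state, pid = m.groups()
            ip, port = split_endpoint(local)
            sockets.append(Socket(proto, ip, port, state or "", int(pid)))
            continue
        # Anything else belongs to the owner block of the previous socket line.
        if not sockets or not line or line.startswith("Proto"):
            continue
        current = sockets[-1]
        if line.startswith("Can not obtain"):
            current.image = "<no ownership info>"
        elif line.startswith("[") and line.endswith("]"):
            current.image = line[1:-1]
        else:
            current.service = line
    return sockets


def summarize(sockets):
    """Map (pid, image, service) -> sorted list of 'PROTO/port' strings."""
    by_process = defaultdict(set)
    for s in sockets:
        by_process[(s.pid, s.image, s.service)].add(f"{s.proto}/{s.local_port}")
    return {key: sorted(ports) for key, ports in by_process.items()}


def loopback_only(sockets):
    """Sockets bound to a loopback address: only local processes can reach them."""
    return [s for s in sockets if s.local_ip in ("127.0.0.1", "::1")]


if __name__ == "__main__":
    parsed = parse_netstat(SAMPLE)
    for (pid, image, service), ports in sorted(summarize(parsed).items()):
        label = f"{image} ({service})" if service else image
        print(f"PID {pid:>5}  {label:<28} {', '.join(ports)}")
    print("loopback-only:", [(s.image, s.local_port) for s in loopback_only(parsed)])
```

Run it against a saved `netstat -abno > netstat.txt` by replacing `SAMPLE` with the file contents; the per-process grouping makes it easy to see which ports belong to one svchost-hosted service and which are bound only to 127.0.0.1.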
12 hours ago, migs_k said:

Not sure about that; after blocking 0x1f4b0.com and restarting, it's now replaced by 0123movies.com.

Uninstall Kaspersky VPN and see if this resolves all these network issues you are concerned about.


I did a bit of research on this issue.

It appears anything to do with this domain, 0x1f4b0.com, is probably malicious. Here's an anyrun.com sandbox analysis for hxxps://005.0x1f4b0.com: https://any.run/report/c9270df0bb81eefa3f3f18c3627123bd0c325861b7ff652d58826a61bc9c853b/f4895086-cbc0-4be8-8d3b-c8b14daf0d45 . Verdict: malicious.

Also, any attempt to access 0x1f4b0.com in Firefox is blocked by the uBlock Origin EasyPrivacy filter.

The fact that this domain was appended to your Eset Network Connections tool display indicates to me that your VPN connection is hacked. Again, uninstall Kaspersky VPN software and clean out any remnants of it on your device.


Also notable is that Kaspersky VPN does not host DNS servers in the Philippines, or Indonesia for that matter:

Quote

The countries covered by the Kaspersky VPN are:

  • Canada
  • Czech Republic
  • Denmark
  • France
  • Germany
  • Hong Kong
  • Japan
  • Mexico
  • the Netherlands
  • The Republic of Ireland
  • Russia
  • Singapore
  • Spain
  • Sweden
  • Turkey
  • the United States of America
  • Ukraine and the United Kingdom.

https://anonymster.com/reviews/kaspersky-vpn-review/

Edited by itman

I've also sent some sort of .exe's to Eset.

They are CR_xxxxx/setup.exe; the x's are random numbers/chars.

 

These things keep popping up from HIPS from time to time, targeting my browsers.

 

I couldn't obtain all of them; as soon as it gets reported by Eset's HIPS I try to go to the location of that .exe and it's not there.

Anyway, do you know how to disable safe boot without logging into Windows and without a Windows 10 physical disc?


Also, to me this is an unresolved issue:
 

Quote

Can I ask what these are? They automatically ran without me knowing.

Time;Application;Operation;Target;Action;Rule;Additional information
2/19/2021 5:05:06 PM;C:\Windows\System32\LogonUI.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{D6886603-9D2F-4EB2-B667-1971041FA96B}\S-1-5-21-2775152818-1588230348-2558996214-1001\DestructiveResetInProgress;allowed;Automatic mode;
2/19/2021 5:05:07 PM;C:\Windows\System32\LogonUI.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{D6886603-9D2F-4EB2-B667-1971041FA96B}\S-1-5-21-2775152818-1588230348-2558996214-1001\TpmClearRecoveryInProgress;allowed;Automatic mode;
2/19/2021 5:05:09 PM;C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{87BDED91-3F10-4383-B8C1-26886F49F141}\LocalServer32;allowed;Automatic mode;
2/19/2021 5:05:38 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AarSvc_1f8ead56\Start;allowed;Automatic mode;
2/19/2021 5:05:38 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AarSvc_1f8ead56\ImagePath;allowed;Automatic mode;
2/19/2021 5:05:38 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BcastDVRUserService_1f8ead56\Start;allowed;Automatic mode;
2/19/2021 5:05:38 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BcastDVRUserService_1f8ead56\ImagePath;allowed;Automatic mode;
2/19/2021 5:05:38 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BluetoothUserService_1f8ead56\Start;allowed;Automatic mode;
2/19/2021 5:05:38 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BluetoothUserService_1f8ead56\ImagePath;allowed;Automatic mode;
2/19/2021 5:05:39 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CaptureService_1f8ead56\Start;allowed;Automatic mode;
2/19/2021 5:05:39 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CaptureService_1f8ead56\ImagePath;allowed;Automatic mode;
2/19/2021 5:05:39 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cbdhsvc_1f8ead56\Start;allowed;Automatic mode;
2/19/2021 5:05:39 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cbdhsvc_1f8ead56\ImagePath;allowed;Automatic mode;
2/19/2021 5:05:39 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CDPUserSvc_1f8ead56\Start;allowed;Automatic mode;
2/19/2021 5:05:39 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CDPUserSvc_1f8ead56\ImagePath;allowed;Automatic mode;
2/19/2021 5:05:39 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ConsentUxUserSvc_1f8ead56\Start;allowed;Automatic mode;
2/19/2021 5:05:39 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ConsentUxUserSvc_1f8ead56\ImagePath;allowed;Automatic mode;
2/19/2021 5:05:39 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CredentialEnrollmentManagerUserSvc_1f8ead56\Start;allowed;Automatic mode;
2/19/2021 5:05:39 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CredentialEnrollmentManagerUserSvc_1f8ead56\ImagePath;allowed;Automatic mode;
2/19/2021 5:05:39 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DeviceAssociationBrokerSvc_1f8ead56\Start;allowed;Automatic mode;
2/19/2021 5:05:39 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DeviceAssociationBrokerSvc_1f8ead56\ImagePath;allowed;Automatic mode;
2/19/2021 5:05:39 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DevicePickerUserSvc_1f8ead56\Start;allowed;Automatic mode;
2/19/2021 5:05:40 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DevicePickerUserSvc_1f8ead56\ImagePath;allowed;Automatic mode;
2/19/2021 5:05:40 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DevicesFlowUserSvc_1f8ead56\Start;allowed;Automatic mode;
2/19/2021 5:05:40 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DevicesFlowUserSvc_1f8ead56\ImagePath;allowed;Automatic mode;
2/19/2021 5:05:40 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MessagingService_1f8ead56\Start;allowed;Automatic mode;
2/19/2021 5:05:40 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MessagingService_1f8ead56\ImagePath;allowed;Automatic mode;
2/19/2021 5:05:40 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\OneSyncSvc_1f8ead56\Start;allowed;Automatic mode;
2/19/2021 5:05:40 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\OneSyncSvc_1f8ead56\ImagePath;allowed;Automatic mode;
2/19/2021 5:05:40 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PimIndexMaintenanceSvc_1f8ead56\Start;allowed;Automatic mode;
2/19/2021 5:05:40 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PimIndexMaintenanceSvc_1f8ead56\ImagePath;allowed;Automatic mode;
2/19/2021 5:05:40 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PrintWorkflowUserSvc_1f8ead56\Start;allowed;Automatic mode;
2/19/2021 5:05:40 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PrintWorkflowUserSvc_1f8ead56\ImagePath;allowed;Automatic mode;
2/19/2021 5:05:40 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UdkUserSvc_1f8ead56\Start;allowed;Automatic mode;
2/19/2021 5:05:40 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UdkUserSvc_1f8ead56\ImagePath;allowed;Automatic mode;
2/19/2021 5:05:40 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UnistoreSvc_1f8ead56\Start;allowed;Automatic mode;
2/19/2021 5:05:41 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UnistoreSvc_1f8ead56\ImagePath;allowed;Automatic mode;
2/19/2021 5:05:41 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UserDataSvc_1f8ead56\Start;allowed;Automatic mode;
2/19/2021 5:05:41 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UserDataSvc_1f8ead56\ImagePath;allowed;Automatic mode;
2/19/2021 5:05:41 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WpnUserService_1f8ead56\Start;allowed;Automatic mode;
2/19/2021 5:05:41 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WpnUserService_1f8ead56\ImagePath;allowed;Automatic mode;
2/19/2021 5:05:41 PM;C:\Windows\System32\svchost.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{D6886603-9D2F-4EB2-B667-1971041FA96B}\S-1-5-21-2775152818-1588230348-2558996214-1001\NgcFirst\ConsecutiveSwitchCount;allowed;Automatic mode;
2/19/2021 5:05:53 PM;C:\Windows\System32\ctfmon.exe;Modify startup settings;HKEY_USERS\S-1-5-21-2775152818-1588230348-2558996214-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\internat.exe;allowed;Automatic mode;

 

2/19/2021 5:05:06 PM;C:\Windows\System32\LogonUI.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{D6886603-9D2F-4EB2-B667-1971041FA96B}\S-1-5-21-2775152818-1588230348-2558996214-1001\DestructiveResetInProgress;allowed;Automatic mode;

 

After doing a Google search:
D6886603-9D2F-4EB2-B667-1971041FA96B = PIN

So I'm going to assume someone logged in via my PC's PIN

and did a "DestructiveResetInProgress" and "TpmClearRecoveryInProgress", whatever this means.

 

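The entries quoted in the post above are an Eset HIPS log export: a header line, then semicolon-separated rows of time, application, operation, registry target, action and rule. The following is an added example, not code from this thread or from Eset: a parser for that layout, run on constructed sample rows in the same shape (the SID and GUID in the sample are placeholders, not values from any real machine), that groups entries by the process that made the change and by the kind of registry key touched, so dozens of near-identical rows collapse into a short overview. Service keys of the form `<Name>_<hex>` are the naming pattern Windows uses for per-user service instances (one copy per logged-on user session), which the classifier recognises as a family rather than treating each key as a separate unknown.

```python
"""Group Eset HIPS log rows by process and by the kind of registry key touched.

Added example, not code from the thread or from Eset. SAMPLE_LOG is constructed
in the export layout; the SID and GUID below are placeholders.
"""
import csv
import re
from collections import Counter
from io import StringIO

SAMPLE_LOG = r"""Time;Application;Operation;Target;Action;Rule;Additional information
2/19/2021 5:05:38 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CDPUserSvc_1f8ead56\Start;allowed;Automatic mode;
2/19/2021 5:05:38 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CDPUserSvc_1f8ead56\ImagePath;allowed;Automatic mode;
2/19/2021 5:05:41 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WpnUserService_1f8ead56\Start;allowed;Automatic mode;
2/19/2021 5:05:06 PM;C:\Windows\System32\LogonUI.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{00000000-0000-0000-0000-000000000000}\S-1-5-21-1111111111-2222222222-3333333333-1001\DestructiveResetInProgress;allowed;Automatic mode;
2/19/2021 5:05:53 PM;C:\Windows\System32\ctfmon.exe;Modify startup settings;HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\internat.exe;allowed;Automatic mode;
2/19/2021 5:05:09 PM;C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\LocalServer32;allowed;Automatic mode;
"""

# Per-user services are registered as <ServiceName>_<hex LUID suffix>.
PER_USER_SVC = re.compile(r"\\Services\\([A-Za-z0-9]+)_([0-9a-f]{4,8})\\", re.I)
CRED_PROVIDER = re.compile(r"\\Credential Providers\\\{[0-9A-F-]{36}\}\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)
CLSID_KEY = re.compile(r"\\Classes\\CLSID\\\{[0-9A-F-]{36}\}\\", re.I)


def classify(target):
    """Label a registry target by the key family it belongs to."""
    if PER_USER_SVC.search(target):
        return "per-user service instance"
    if CRED_PROVIDER.search(target):
        return "credential provider setting"
    if RUN_KEY.search(target):
        return "Run key autostart"
    if CLSID_KEY.search(target):
        return "COM class registration"
    return "other"


def parse_hips_log(text):
    """Read the semicolon-separated export and attach a Category to each row."""
    rows = list(csv.DictReader(StringIO(text), delimiter=";"))
    for row in rows:
        row["Category"] = classify(row["Target"])
    return rows


def summarize(rows):
    """Count (application basename, category) pairs for a quick overview."""
    counts = Counter()
    for row in rows:
        app = row["Application"].rsplit("\\", 1)[-1]
        counts[(app, row["Category"])] += 1
    return counts


def per_user_service_names(rows):
    """Distinct per-user service base names seen in the log, without the suffix."""
    names = {m.group(1) for row in rows if (m := PER_USER_SVC.search(row["Target"]))}
    return sorted(names)


if __name__ == "__main__":
    parsed = parse_hips_log(SAMPLE_LOG)
    for (app, category), n in sorted(summarize(parsed).items()):
        print(f"{n:>3}  {app:<28} {category}")
    print("per-user services:", per_user_service_names(parsed))
```

To use it on a real export, paste the HIPS log text (header line included) in place of `SAMPLE_LOG`; rows whose target matches none of the key families come out as "other", which is the short list worth reading line by line.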
