migs_k (posted February 21, 2021):
Quoting migs_k (22 hours earlier): "I got notified of these updates just 2-3 days ago even though I already have those updates (the current version of my Windows is 20H2), especially the one I'm suspicious of, the critical update, as I have had that since January."
Where can I locate these "updates"? I want to send them for inspection and see what's inside. Thanks.
Nightowl (posted February 21, 2021):
You can search Google for KBXXXXXX and then see the changes that are made in the specific update: https://support.microsoft.com/en-us/topic/kb4023057-update-for-windows-10-update-service-components-fccad0ca-dc10-2e46-9ed1-7e392450fb3a
shocked (posted February 21, 2021):
Some of them might be located in the "View optional updates" section of the Windows Update settings panel. In my case it shows Microsoft Silverlight ready to download, but it doesn't appear in Windows Update. Silverlight is obsolete and unnecessary now. I suspect that ESET pulls info from the Microsoft Catalog website and displays it. If you click "Check for updates" in Windows Update and it shows your device is up to date, then don't worry.
itman (posted February 22, 2021):
As far as KB4023057 goes, I also received it again on 2/19. It appears this is an update to Windows Update itself and Microsoft is just using the prior KB number.
migs_k (posted February 22, 2021):
What about these services? No results on Googling. I can't disable them; all it says is "parameter incorrect".
stackz (posted February 22, 2021, edited the same day):
All those services are fine; they are just Windows 10 per-user services: Per-user services in Windows 10 and Windows Server - Windows Application Management | Microsoft Docs
migs_k (posted February 22, 2021):
Even though it has 5335 attached to it?
stackz (posted February 22, 2021):
Quoting migs_k (12 minutes earlier): "Even though it has 5335 attached to it?"
Yes, in every user session the services will be created with a different hex number suffix.
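The point stackz makes can be checked rather than taken on trust. A per-user service instance is named after a template service plus the logon session ID (LUID) of the session it was created for, in hex; the template lives under HKLM\SYSTEM\CurrentControlSet\Services with the user-service bit (0x40) set in its Type value. The PowerShell below is an added example, not code from the thread or from Microsoft: it lists every service whose name ends in an underscore and a hex suffix, confirms a per-user template backs it, and prints the current session's logon ID in hex (the last field of the logon SID that whoami /logonid returns is the same LUID in decimal) so you can match it against the suffix. The names of the functions and the report columns are the example's own.

```powershell
# Added example: sanity-check per-user service instances (TemplateName_<hex>).
# Run in an elevated PowerShell. Not part of the original thread.

$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$SERVICE_USER_SERVICE = 0x40   # Type flag that marks a per-user service template
$instancePattern = '^(?<template>.+)_(?<suffix>[0-9A-Fa-f]{3,})$'

function Get-PerUserServiceReport {
    Get-Service |
        Where-Object { $_.Name -match $instancePattern } |
        ForEach-Object {
            # Re-run the match so $Matches belongs to the current object.
            $null     = $_.Name -match $instancePattern
            $template = $Matches.template
            $suffix   = $Matches.suffix
            $key      = Join-Path $svcRoot $template
            $type     = (Get-ItemProperty -Path $key -Name Type -ErrorAction SilentlyContinue).Type
            [pscustomobject]@{
                Instance              = $_.Name
                Template              = $template
                SuffixHex             = $suffix
                SuffixDecimal         = [Convert]::ToInt64($suffix, 16)
                TemplateExists        = (Test-Path $key)
                TemplateIsUserService = ($null -ne $type) -and (($type -band $SERVICE_USER_SERVICE) -ne 0)
                Status                = $_.Status
            }
        }
}

# The logon SID has the form S-1-5-5-<high>-<low>; <low> is the session LUID in
# decimal. Per-user instances for this session carry that number as a hex suffix.
function Get-CurrentLogonIdHex {
    $logonSid = (& whoami /logonid | Select-Object -Last 1).Trim()
    $low = [int64](($logonSid -split '-')[-1])
    '{0:x}' -f $low
}

Write-Host ("Current logon session LUID (hex): " + (Get-CurrentLogonIdHex))

Get-PerUserServiceReport |
    Sort-Object TemplateIsUserService, Template |
    Format-Table Instance, Template, SuffixHex, TemplateExists, TemplateIsUserService, Status -AutoSize

# Anything listed here looks per-user by name but has no per-user template
# behind it; that is the case worth investigating.
Get-PerUserServiceReport | Where-Object { -not $_.TemplateIsUserService }
```

Instances whose suffix does not match your own logon ID are expected whenever other sessions exist on the box (another signed-in user, or the sessions the font driver host and desktop window manager accounts run in), so the suffix alone is not a signal; a missing template or a template without the 0x40 bit is.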
shocked (posted February 22, 2021):
Here's an example of one of those services on my PC.
migs_k (posted February 22, 2021):
Dunno, something definitely suspicious is going on. I just discovered in my Documents two exported bookmark HTMLs whose contents contain selectively private stuff, and I'm not just talking about porn (although it was included). Also today, I found in my Recycle Bin files I deleted long ago; all of them were deleted at the same time, 5:08, and their original location was Microsoft/Windows/Recent.
migs_k (posted February 22, 2021):
Scratch this:
Quote: "Also today, I found in my Recycle Bin files I deleted long ago; all of them were deleted at the same time, 5:08, and their original location was Microsoft/Windows/Recent."
migs_k (posted February 23, 2021):
Can anyone tell me what these are??
Quote:
2018-08-12 16:46:34.411, Info [Environment::Initialize] Start...
2018-08-12 16:46:34.411, Info [Environment::Initialize] wstrStartDeployTime = 2018-08-12 16:46:34:408
2018-08-12 16:46:34.411, Info [Environment::Initialize] wstrSystemDrive = C:
2018-08-12 16:46:34.411, Info [Environment::Initialize] wstrTargetNewOSDrive = C:
2018-08-12 16:46:35.411, Info [Environment::Initialize] wstrLogPath = C:\$GetCurrent\Logs
2018-08-12 16:46:35.411, Info [Environment::Initialize] wstrLogFileFullPath = C:\$GetCurrent\Logs\downlevel_2018_08_12_16_46_34_410.log
2018-08-12 16:46:35.411, Info [Environment::Initialize] wstrTempPath = \$GetCurrent
2018-08-12 16:46:35.411, Info [Environment::Initialize] wstrTempFolder = C:\$GetCurrent
2018-08-12 16:46:35.411, Info [Environment::Initialize] wstrTenSTempPath =
2018-08-12 16:46:35.411, Info [Environment::Initialize] wstrTenSTempFolder =
2018-08-12 16:46:35.411, Info [Environment::Initialize] wstrReportPath = C:\$GetCurrent\downlevel_2018_08_12_16_46_34_410.rpt
2018-08-12 16:46:35.411, Info [Environment::Initialize] wstrExecutablePath = C:\Windows10Upgrade
2018-08-12 16:46:35.411, Info [Environment::Initialize] Exe name = Windows10UpgraderApp.exe
2018-08-12 16:46:35.411, Info [Environment::Initialize] wstrSystemTempFolder = C:\Users\Asus\AppData\Local\Temp
2018-08-12 16:46:35.411, Info [Environment::Initialize] wstrTempMedia = C:\$GetCurrent\media
2018-08-12 16:46:35.411, Info [Environment::Initialize] wstrSafeOSFolder = C:\$GetCurrent\SafeOS
2018-08-12 16:46:35.412, Info [Environment::Initialize] wstrcV = lkmGbIx8e0Cr4ziT.999
2018-08-12 16:46:35.412, Warning [WMIHelper::GetHardwareId] CoInitializeSecurity failed, Error = 0x80010119
2018-08-12 16:46:35.536, Info [WMIHelper::GetRegMachineId] Open an existing reg key HKLM\SOFTWARE\Microsoft\SQMClient.
2018-08-12 16:46:35.536, Info [Environment::Initialize] Machine Id is: {2C9DC76A-19D2-4199-B941-9D98B96BE2E9}
2018-08-12 16:46:35.536, Info [Environment::Initialize] Device Id is: 0a62a4c6365927abfa389d453ce1147662fbb673
2018-08-12 16:46:35.536, Info [OSVersion::Init] >= 6.2, Use Rtl function to detect OS version ...
2018-08-12 16:46:35.537, Info [Environment::Initialize] Windows Version: 10.0 (16299),,producttype=1
2018-08-12 16:46:35.537, Info [Environment::Initialize] wstrPostOobeScriptFilename = C:\$GetCurrent\SafeOS\SetupComplete.cmd
2018-08-12 16:46:35.537, Info [Environment::Initialize] wstrRollbackScriptFilename = C:\$GetCurrent\SafeOS\Rollback.cmd
2018-08-12 16:46:35.537, Info [Environment::Initialize] wstrRollbackInformationFilename = C:\$GetCurrent\SafeOS\GetCurrentRollback.ini
2018-08-12 16:46:35.537, Info [Environment::Initialize] wstrWINRESetupPhaseFilename = C:\$GetCurrent\SafeOS\GetCurrentWinRESetup.ini
2018-08-12 16:46:35.537, Info [Environment::Initialize] bLADTest = 0
2018-08-12 16:46:35.537, Info [Environment::Initialize] bIsSetupConfigIniFilePresent = 0
2018-08-12 16:46:35.537, Info [Environment::Initialize] wstrSetupConfigIniFilePath = C:\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini
2018-08-12 16:46:35.537, Info [Environment::Initialize] Init Telemetry system based on WER APIs
2018-08-12 16:46:35.538, Info [Environment::Initialize] Finished
2018-08-12 16:46:35.538, Warning [GetCurrent_Initialize] This version doesn't verify signature information
2018-08-12 16:46:35.538, Info [MinimalRequirementCheck] hr = 0x0, ResultBits = 0x0
2018-08-12 16:46:35.538, Info [GetCurrent_Initialize] MinimalRequirement Check succeeded! hr = 0x0
2018-08-12 16:46:35.538, Info [GetCurrent_Initialize] Load appraiserxp.dll
2018-08-12 16:46:35.539, Info [GetCurrent_Initialize] Load appraiserxp.dll succeeded! hr = 0x0
2018-08-12 16:46:35.539, Info [GetCurrent_Initialize] Get IsReady function
2018-08-12 16:46:35.539, Info [GetCurrent_Initialize] Get IsReady function succeeded! hr = 0x0
2018-08-12 16:46:35.539, Info [GetCurrent_Initialize] pfnIsReady: 0x53c53960
2018-08-12 16:46:35.539, Info [GetCurrent_Initialize] isPushing: 1
2018-08-12 16:46:35.539, Info [GetCurrent_Initialize] Call Compact check IsReady succeeded! hr = 0x0
2018-08-12 16:46:35.540, Info [GetCurrent_Initialize] Compact Check succeeded! isReady = 1
2018-08-12 16:46:35.548, Info [GetCurrent_SetPartnerPostOOBEScript] Create GetCurrent SafeOS Folder succeeded! hr = 0x0
2018-08-12 16:46:35.551, Info [GetCurrent_SetPartnerPostOOBEScript] Copy partner post oobe script succeeded! dwReturn = 0x1 GetLastError = 0x0
2018-08-12 16:46:35.551, Info [GetCurrent_SetPartnerID] Partner ID is {E52ABFC2-76BB-4908-883F-CA581FDD83F9}
2018-08-12 16:46:35.551, Info [GetCurrent_SetPartnerID] Partner Name is VNL
2018-08-12 16:46:35.552, Info [OSVersion::Init] >= 6.2, Use Rtl function to detect OS version ...
2018-08-12 16:46:35.552, Warning [SystemRequirementCheck::IsUpgradeOptionSupported] Upgrade option type (0x600) is not allowed. But we'll continue. We'll fix this late.
2018-08-12 16:46:35.552, Info [GetCurrent_SetUpgradeOptionType] Upgrade option: 0x600
2018-08-12 16:46:35.552, Info [GetCurrent_SyncDataEx] Start sync with external...
2018-08-12 16:46:35.552, Info [GetCurrent_SyncDataEx] Get wstrExternalId = {} from external.
2018-08-12 16:46:35.552, Info [GetCurrent_SyncDataEx] Get wstrExternalIdDescription = NHV19:<1.4.9200.22532>:<3> from external.
2018-08-12 16:46:35.552, Info [GetCurrent_SyncDataEx] Set Assistant Show Up time = 2018-08-12 16:32:00:991.
2018-08-12 16:46:35.552, Info [GetCurrent_SyncDataEx] Set Download Image Duration = 804 seconds.
2018-08-12 16:46:35.553, Info [GetCurrent_SyncDataEx] Set Restart times during download = 0.
2018-08-12 16:46:35.553, Info [GetCurrent_SyncDataEx] Set wstrDeviceId = 0a62a4c6365927abfa389d453ce1147662fbb673 to external.
2018-08-12 16:46:35.553, Info [GetCurrent_SyncDataEx] Set wstrcV = lkmGbIx8e0Cr4ziT.999 to external.
2018-08-12 16:46:35.553, Info [GetCurrent_SyncDataEx] End sync with external...
2018-08-12 16:46:35.553, Info [GetCurrent_StartDeploy] Check GetCurrent mutex: dwError = 0x529e766f
2018-08-12 16:46:35.553, Info [GetCurrent_StartDeploy] Check Setup360 mutex: dwError = 0x529e766f
2018-08-12 16:46:35.553, Info [GetCurrent_StartDeploy] No other GetCurrentDeploy instance, start deploy ...
2018-08-12 16:46:35.553, Info [DoXPDeployment] wstrSetupSourceFolderOrFile = C:\Windows10Upgrade\17134.112.180619-1212.rs4_release_svc_refresh_CLIENTCONSUMER_RET_x64FRE_en-us.esd
2018-08-12 16:46:35.553, Info [DoXPDeployment] Create action chain ...
2018-08-12 16:46:35.553, Info [DoXPDeployment] Windows Version: 10.0 (16299),,1, 768
2018-08-12 16:46:35.553, Info [DoXPDeployment] Win 7 and plus, use win 10 setup directly
2018-08-12 16:46:35.553, Info [DoXPDeployment] Execute action chain
2018-08-12 16:46:35.553, Info [XPSetupActionQueue::Execute] Execute action chains of class XPSAQ<class EntryQueueDelegatorForWin7Later> ...
2018-08-12 16:46:35.553, Info [XPSetupAction::Execute] Execute action of class XPSA<class EnableWUNoAutoRebootDelegator> ...
2018-08-12 16:46:35.553, Info [EnableWUNoAutoRebootDelegator::ExecuteAction] Can't read WU Auto Reboot Policy, error = 0x2
2018-08-12 16:46:35.558, Info [EnableWUNoAutoRebootDelegator::ExecuteAction] Disable WU Auto Reboot in policies succeeded! hr = 0x0
2018-08-12 16:46:35.558, Info [WinUtil::RunCommand] Command Line: gpupdate /force
2018-08-12 16:46:35.666, Info [WinUtil::RunCommand] Waiting for process 0xbd8
2018-08-12 16:46:58.895, Info [WinUtil::RunCommand] process exited as expected.
2018-08-12 16:46:58.895, Info [WinUtil::RunCommand] Process returned: 0x0
2018-08-12 16:46:58.895, Info [EnableWUNoAutoRebootDelegator::ExecuteAction] Update the Goup Policy forcely succeeded! hr = 0x0
2018-08-12 16:46:58.906, Info [XPSetupAction::Execute] The action is marked to ingore execution error. hr = 0x0
2018-08-12 16:46:58.906, Info [XPSetupActionQueue::Execute] Execute action chains of class XPSAQ<class StartWUDelegator> ...
2018-08-12 16:46:58.906, Info [XPSetupAction::Execute] Execute action of class XPSA<class StartWUServiceDelegator> ...
2018-08-12 16:46:58.907, Info [StartWUServiceDelegator::TryStartService] Open SC Manager succeeded! m_hSCManager = 0x6878300 GetLastError = 0x0
2018-08-12 16:46:58.908, Info [StartWUServiceDelegator::TryStartService] SC Manager Handle: 0x6878300
2018-08-12 16:46:58.908, Info [StartWUServiceDelegator::TryStartService] Open Service succeeded! m_hWUService = 0x6878030 GetLastError = 0x0
2018-08-12 16:46:58.908, Info [StartWUServiceDelegator::TryStartService] Service Handle: 0x6878030
2018-08-12 16:46:58.908, Info [StartWUServiceDelegator::TryStartService] QUERY_SERVICE_CONFIG size: 256
2018-08-12 16:46:58.908, Info [StartWUServiceDelegator::TryStartService] Query service config succeeded! fSuccess = 0x1 GetLastError = 0x0
2018-08-12 16:46:58.908, Info [StartWUServiceDelegator::TryStartService] Start type: 0x3
2018-08-12 16:46:58.908, Info [StartWUServiceDelegator::TryStartService] Query service status succeeded! fSuccess = 0x1 GetLastError = 0x0
2018-08-12 16:46:58.908, Info [StartWUServiceDelegator::TryStartService] Current status: 0x1
2018-08-12 16:46:58.910, Info [StartWUServiceDelegator::TryStartService] Start service succeeded! fSuccess = 0x1 GetLastError = 0x0
2018-08-12 16:46:58.910, Info [XPSetupAction::Execute] The action is marked to ingore execution error. hr = 0x0
2018-08-12 16:46:58.910, Info [XPSetupAction::Execute] Execute action of class XPSA<class ConfigWUPolicyDelegator> ...
2018-08-12 16:46:58.922, Info [XPSetupAction::Execute] The action is marked to ingore execution error. hr = 0x0
2018-08-12 16:46:58.923, Info [XPSetupAction::Execute] Execute action of class XPSA<class DecryptEsdFileDelegator> ...
2018-08-12 16:46:59.244, Info [DecryptEsdFileDelegator::ExecuteAction] Create temporary folder: C:\$GetCurrent\media
2018-08-12 16:46:59.245, Info [DecryptEsdFileDelegator::ExecuteAction] Create temporary folder succeeded! hr = 0x0
2018-08-12 16:46:59.245, Info [DecryptEsdFileDelegator::ExecuteAction] Invoke function : RestoreESDLayout()...
2018-08-12 16:47:00.318, Warning [EsdDecryptCallbackFunc] Progress Flag File is not set, set is as default [progress.ini]
2018-08-12 17:12:59.710, Info [XPSetupAction::Execute] Execute action of class XPSA<class DeleteSourceSetupDelegator> ...
2018-08-12 17:13:04.726, Info [DeleteSourceSetupDelegator::ExecuteAction] Target architecture : amd64
2018-08-12 17:13:04.726, Info [DeleteSourceSetupDelegator::ExecuteAction] bIsDataOnlyMigration : 0 bTargetArchIsAmd64 : 1 bCurrentArchIsAmd64 : 1
2018-08-12 17:13:04.726, Info [DeleteSourceSetupDelegator::ExecuteAction] Delete legacy setup binary to force setup360 run : C:\$GetCurrent\media\sources\setup.exe
2018-08-12 17:13:04.727, Info [DeleteSourceSetupDelegator::ExecuteAction] Delete legacy setup binary succeeded! hr = 0x0
2018-08-12 17:13:04.727, Info [XPSetupActionQueue::Execute] Execute action chains of class XPSAQ<class RollbackPrepDelegator> ...
2018-08-12 17:13:04.727, Info [XPSetupAction::Execute] Execute action of class XPSA<class SaveRollbackInformationDelegator> ...
2018-08-12 17:13:04.727, Info [SaveRollbackInformationDelegator::ExecuteAction] Ensure SafeOS folder: C:\$GetCurrent\SafeOS
2018-08-12 17:13:04.727, Info [SaveRollbackInformationDelegator::ExecuteAction] Create SafeOS folder succeeded! hr = 0x0
2018-08-12 17:13:07.807, Info [XPSetupAction::Execute] Execute action of class XPSA<class DeployGetCurrentOOBEDelegator> ...
2018-08-12 17:13:10.595, Info [CopyFileDelegator::ExecuteAction] Copy file: C:\Windows10Upgrade\GetCurrentOOBE.dll -> C:\$GetCurrent\SafeOS\GetCurrentOOBE.dll
2018-08-12 17:13:24.998, Info [CopyFileDelegator::ExecuteAction] CopyFileDelegator::ExecuteAction succeeded! fSuccess = 0x1 GetLastError = 0x0
2018-08-12 17:13:24.998, Info [XPSetupAction::Execute] Execute action of class XPSA<class CreatePreOobeScriptDelegator> ...
2018-08-12 17:13:24.998, Info [CreatePreOobeScriptDelegator::ExecuteAction] Output filename: C:\$GetCurrent\SafeOS\preoobe.cmd
2018-08-12 17:13:31.054, Info [CreatePreOobeScriptDelegator::ExecuteAction] Open preoobe.cmd succeeded! fout = 0x1
2018-08-12 17:13:33.556, Info [XPSetupAction::Execute] Execute action of class XPSA<class CreatePostOobeScriptDelegator> ...
2018-08-12 17:13:33.556, Info [CreatePostOobeScriptDelegator::ExecuteAction] Output filename: C:\$GetCurrent\SafeOS\SetupComplete.cmd
2018-08-12 17:13:33.557, Info [CreatePostOobeScriptDelegator::ExecuteAction] Open SetupComplete.cmd succeeded! fout = 0x1
2018-08-12 17:13:33.562, Info [XPSetupAction::Execute] Execute action of class XPSA<class ConfigRollbackRunDelegator> ...
2018-08-12 17:13:37.028, Info [ConfigRollbackRunDelegator::ExecuteAction] Open an existing reg key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce.
2018-08-12 17:13:37.028, Info [ConfigRollbackRunDelegator::ExecuteAction] Update Registry Value, Path=SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, !GetCurrentRollback="C:\Windows10Upgrade\GetCurrentRollback.exe" "progress.ini" "C:" "NHV19:<1.4.9200.22532>:<3>"
2018-08-12 17:13:37.028, Info [ConfigRollbackRunDelegator::ExecuteAction] Update Registry Value succeeded! hr = 0x0
2018-08-12 17:13:37.028, Info [XPSetupAction::Execute] The action is marked to ingore execution error. hr = 0x0
2018-08-12 17:13:37.028, Info [XPSetupAction::Execute] Execute action of class XPSA<class RunSetupForWin7LaterDelegator> ...
2018-08-12 17:13:37.028, Info [GenerateClientId] >= 6.2, Use Rtl function to detect OS version ...
2018-08-12 17:13:37.028, Warning [WinUtil::IsPrivacySettingsComplete] WUA: Failed to check if Privacy Settings complete. Assuming incomplete. Error: [0x80070002]
2018-08-12 17:13:37.029, Info [WinUtil::IsPrivacySettingsComplete] WUA: IsPrivacySettingsComplete: [FALSE]
2018-08-12 17:13:37.029, Info [WinUtil::IsDeviceManaged] WUA: EditionID Value [CoreSingleLanguage]
2018-08-12 17:13:37.029, Info [WinUtil::IsDeviceManaged] WUA bIsDeviceManaged from EditionId: [FALSE]
2018-08-12 17:13:37.029, Info [WinUtil::IsDeviceManaged] WUA: Could not get NV Domain. [0x80070002]
2018-08-12 17:13:37.029, Info [WinUtil::IsDeviceManaged] WUA: bIsDeviceManaged from NV Domain: [FALSE]
2018-08-12 17:13:37.029, Info [WinUtil::IsDeviceManaged] WUA: Could not get ProductCode. [0x80070002]
2018-08-12 17:13:37.029, Info [WinUtil::IsDeviceManaged] WUA: bIsDeviceManaged from ProductCode: [FALSE]
2018-08-12 17:13:37.029, Info [WinUtil::IsDeviceManaged] WUA: Could not get UseWUServer value. [0x80070002]
2018-08-12 17:13:37.029, Info [WinUtil::IsDeviceManaged] WUA: bIsDeviceManaged from UseWUServer: [FALSE]
2018-08-12 17:13:37.029, Info [WinUtil::IsDeviceManaged] WUA: Could not get ShowPrivacySettingsUI value. [0x80070002]
2018-08-12 17:13:37.029, Info [WinUtil::IsDeviceManaged] WUA: bIsDeviceManaged from ShowPrivacySettingsUI: [FALSE]
2018-08-12 17:13:37.029, Info [RunSetupForWin7LaterDelegator::ExecuteAction] Command Line: C:\$GetCurrent\media\setup.exe /migchoice upgrade /showoobe none /quiet /Compat IgnoreWarning /eula accept /noreboot /postoobe C:\$GetCurrent\SafeOS\SetupComplete.cmd /CorrelationVector lkmGbIx8e0Cr4ziT.999 /ClientId Win10UA:VNL:NHV19:<1.4.9200.22532>:<3>:{}:[10.0.16299]:[2] /DynamicUpdate Enable /telemetry enable /UpdateMedia Decline /SkipSummary
2018-08-12 17:13:37.029, Info [WinUtil::RunCommand] Command Line: C:\$GetCurrent\media\setup.exe /migchoice upgrade /showoobe none /quiet /Compat IgnoreWarning /eula accept /noreboot /postoobe C:\$GetCurrent\SafeOS\SetupComplete.cmd /CorrelationVector lkmGbIx8e0Cr4ziT.999 /ClientId Win10UA:VNL:NHV19:<1.4.9200.22532>:<3>:{}:[10.0.16299]:[2] /DynamicUpdate Enable /telemetry enable /UpdateMedia Decline /SkipSummary
2018-08-12 17:14:12.877, Info [WinUtil::RunCommand] Waiting for process 0x1794
2018-08-12 23:46:16.129, Info [WinUtil::RunCommand] process exited as expected.
2018-08-12 23:46:16.228, Info [WinUtil::RunCommand] Process returned: 0x0
2018-08-12 23:46:16.229, Info [RunSetupForWin7LaterDelegator::ExecuteAction] Run Setup.exe succeeded! hr = 0x0
2018-08-12 23:46:16.240, Info [RunSetupForWin7LaterDelegator::ExecuteAction] Setup execution result succeeded! (HRESULT)dwExitCode = 0x0
2018-08-12 23:46:16.478, Info [XPSetupActionQueue::Execute] Execute action chains of class XPSAQ<class EnvScanDelegator> ...
2018-08-12 23:46:16.493, Info [XPSetupAction::Execute] Execute action of class XPSA<class RunOnceCheckDelegator> ...
2018-08-12 23:46:16.722, Info [RunOnceCheckDelegator::ExecuteAction] The Rollback Runonce is already set properly
2018-08-12 23:46:16.722, Info [XPSetupAction::Execute] The action is marked to ingore execution error. hr = 0x0
2018-08-12 23:46:16.722, Info [XPSetupAction::Execute] Execute action of class XPSA<class UpdateEnvScanTelemetryDelegator> ...
2018-08-12 23:46:16.953, Info [XPSetupAction::Execute] The action is marked to ingore execution error. hr = 0x0
2018-08-12 23:46:16.953, Info [DoXPDeployment] Destroy action chain
2018-08-12 23:46:16.953, Info [XPSetupActionQueue::DisassemblyChildActions] Disassembly child actions of class XPSAQ<class EntryQueueDelegatorForWin7Later> ...
2018-08-12 23:46:16.953, Info [XPSetupActionQueue::DisassemblyChildActions] Destroy action of class XPSAQ<class EnvScanDelegator> ...
2018-08-12 23:46:16.953, Info [XPSetupActionQueue::DisassemblyChildActions] Disassembly child actions of class XPSAQ<class EnvScanDelegator> ...
2018-08-12 23:46:16.953, Info [XPSetupActionQueue::DisassemblyChildActions] Destroy action of class XPSA<class UpdateEnvScanTelemetryDelegator> ...
2018-08-12 23:46:16.998, Info [XPSetupActionQueue::DisassemblyChildActions] Destroy action of class XPSA<class RunOnceCheckDelegator> ...
2018-08-12 23:46:16.998, Info [XPSetupActionQueue::DisassemblyChildActions] Destroy action of class XPSA<class RunSetupForWin7LaterDelegator> ...
2018-08-12 23:46:16.998, Info [XPSetupActionQueue::DisassemblyChildActions] Destroy action of class XPSAQ<class RollbackPrepDelegator> ...
2018-08-12 23:46:16.998, Info [XPSetupActionQueue::DisassemblyChildActions] Disassembly child actions of class XPSAQ<class RollbackPrepDelegator> ...
2018-08-12 23:46:17.034, Info [XPSetupActionQueue::DisassemblyChildActions] Destroy action of class XPSA<class ConfigRollbackRunDelegator> ...
2018-08-12 23:46:17.034, Info [XPSetupActionQueue::DisassemblyChildActions] Destroy action of class XPSA<class CreatePostOobeScriptDelegator> ...
2018-08-12 23:46:17.034, Info [XPSetupActionQueue::DisassemblyChildActions] Destroy action of class XPSA<class CreatePreOobeScriptDelegator> ...
2018-08-12 23:46:17.034, Info [XPSetupActionQueue::DisassemblyChildActions] Destroy action of class XPSA<class DeployGetCurrentOOBEDelegator> ...
2018-08-12 23:46:17.034, Info [XPSetupActionQueue::DisassemblyChildActions] Destroy action of class XPSA<class SaveRollbackInformationDelegator> ...
2018-08-12 23:46:17.034, Info [XPSetupActionQueue::DisassemblyChildActions] Destroy action of class XPSA<class DeleteSourceSetupDelegator> ...
2018-08-12 23:46:17.034, Info [XPSetupActionQueue::DisassemblyChildActions] Destroy action of class XPSA<class DecryptEsdFileDelegator> ...
2018-08-12 23:46:17.034, Info [XPSetupActionQueue::DisassemblyChildActions] Destroy action of class XPSAQ<class StartWUDelegator> ...
2018-08-12 23:46:17.034, Info [XPSetupActionQueue::DisassemblyChildActions] Disassembly child actions of class XPSAQ<class StartWUDelegator> ...
2018-08-12 23:46:17.034, Info [XPSetupActionQueue::DisassemblyChildActions] Destroy action of class XPSA<class ConfigWUPolicyDelegator> ...
2018-08-12 23:46:17.034, Info [XPSetupActionQueue::DisassemblyChildActions] Destroy action of class XPSA<class StartWUServiceDelegator> ...
2018-08-12 23:46:17.551, Info [XPSetupActionQueue::DisassemblyChildActions] Destroy action of class XPSA<class EnableWUNoAutoRebootDelegator> ...
2018-08-12 23:46:17.552, Info [EnableWUNoAutoRebootDelegator::~EnableWUNoAutoRebootDelegator] Restore WU No Auto Reboot setting HRESULT = 0x0
2018-08-12 23:46:17.552, Info [DoXPDeployment] Finished hr = 0x0
2018-08-12 23:46:17.553, Info [TelemetryUpgrade::CanSendTelemetry] Telemetry allowed on Win10 and above.
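The log above is the "downlevel" log the Windows 10 Upgrade Assistant (Windows10UpgraderApp.exe, the GetCurrent code path) writes under C:\$GetCurrent\Logs while it stages a feature upgrade. What a reviewer wants out of such a log is short: which executables it launched, what it wrote into auto-start locations (here a RunOnce value pointing at GetCurrentRollback.exe), and which warnings it emitted (including "This version doesn't verify signature information"). The PowerShell below is an added example, not part of the thread, that pulls exactly those entries out. It runs over a handful of lines copied from the post and embedded as sample data; set $LogPath to the real log files to analyse them instead. The function names, the sample here-string and the follow-up checks are the example's own.

```powershell
# Added example: triage a Windows 10 Upgrade Assistant "downlevel" log.
# Extracts executed command lines, registry writes and non-Info entries.
# Not from the original thread.

# Sample data: lines copied from the log posted above (abridged, constructed as a test input).
$sampleLog = @'
2018-08-12 16:46:35.411, Info [Environment::Initialize] Exe name = Windows10UpgraderApp.exe
2018-08-12 16:46:35.538, Warning [GetCurrent_Initialize] This version doesn't verify signature information
2018-08-12 16:46:35.558, Info [WinUtil::RunCommand] Command Line: gpupdate /force
2018-08-12 17:13:37.028, Info [ConfigRollbackRunDelegator::ExecuteAction] Update Registry Value, Path=SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, !GetCurrentRollback="C:\Windows10Upgrade\GetCurrentRollback.exe" "progress.ini" "C:" "NHV19:<1.4.9200.22532>:<3>"
2018-08-12 17:13:37.029, Info [WinUtil::RunCommand] Command Line: C:\$GetCurrent\media\setup.exe /migchoice upgrade /showoobe none /quiet /Compat IgnoreWarning /eula accept /noreboot /postoobe C:\$GetCurrent\SafeOS\SetupComplete.cmd /telemetry enable
2018-08-12 23:46:16.228, Info [WinUtil::RunCommand] Process returned: 0x0
'@

$linePattern = '^(?<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}), (?<level>\w+)\s+\[(?<component>[^\]]+)\] (?<msg>.*)$'

function ConvertFrom-UpgradeLog {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match $linePattern) {
            [pscustomobject]@{
                Timestamp = [datetime]::ParseExact($Matches.ts, 'yyyy-MM-dd HH:mm:ss.fff', $null)
                Level     = $Matches.level
                Component = $Matches.component
                Message   = $Matches.msg
            }
        }
    }
}

function Get-UpgradeLogFindings {
    param([object[]]$Entries)
    foreach ($e in $Entries) {
        $kind = $null; $detail = $null
        switch -Regex ($e.Message) {
            '^Command Line: (.+)$'          { $kind = 'Executed'; $detail = $Matches[1]; break }
            '^Update Registry Value, (.+)$' { $kind = 'RegWrite'; $detail = $Matches[1]; break }
            '^Exe name = (.+)$'             { $kind = 'Binary';   $detail = $Matches[1]; break }
        }
        if ($kind) {
            [pscustomobject]@{ Time = $e.Timestamp; Kind = $kind; Detail = $detail }
        } elseif ($e.Level -ne 'Info') {
            # Warnings and errors are rare in these logs and worth reading in full.
            [pscustomobject]@{ Time = $e.Timestamp; Kind = $e.Level; Detail = "$($e.Component): $($e.Message)" }
        }
    }
}

$LogPath = $null   # e.g. 'C:\$GetCurrent\Logs\*.log' to analyse the real files
$lines   = if ($LogPath) { Get-Content -Path $LogPath } else { $sampleLog -split "`r?`n" }
$entries = ConvertFrom-UpgradeLog -Lines $lines
Get-UpgradeLogFindings -Entries $entries | Format-Table -AutoSize -Wrap

# Follow-up on what the log says ran: are the binaries still present and
# Microsoft-signed, and is the RunOnce entry gone now that the upgrade finished?
foreach ($exe in 'C:\Windows10Upgrade\Windows10UpgraderApp.exe', 'C:\Windows10Upgrade\GetCurrentRollback.exe') {
    if (Test-Path $exe) {
        Get-AuthenticodeSignature -FilePath $exe |
            Select-Object Path, Status, @{ Name = 'Signer'; Expression = { $_.SignerCertificate.Subject } }
    }
}
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce' -ErrorAction SilentlyContinue
```

The RunOnce value is the one persistence point this log records; it is consumed on the next boot, so a RunOnce entry that is still present long after the upgrade, or an executable under C:\Windows10Upgrade that is not Microsoft-signed, is the thing to chase rather than the log lines themselves.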
migs_k (posted February 23, 2021):
There's also an unknown user S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681 in HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WdNisDrv and HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc. I'm the only user on this device. WdNisDrv also stops running from time to time.
stackz (posted February 23, 2021):
Quoting migs_k (4 hours earlier): "Can anyone tell me what these are??"
Win 10 version upgrade logs.
Quoting migs_k (3 hours earlier): "There's also an unknown user S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681 in HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WdNisDrv and HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc. I'm the only user on this device."
Every Win 10 installation has the same unknown user.
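The reason the same "unknown user" appears on every installation is in the SID itself: S-1-15-2-* is an AppContainer package SID and S-1-15-3-* is a capability SID, neither of which is an account; named capability SIDs (S-1-15-3-1024-...) are derived by hashing a capability name (SHA-256 of the upper-cased UTF-16LE name, split into eight little-endian DWORDs), so nothing machine-specific goes into them and they resolve to no account name. The PowerShell below is an added example, not from the thread: it lists the identities on the WdNisSvc and WdNisDrv service keys with a classification per SID, and shows the derivation for a hypothetical capability name. The function names and the sample name 'exampleCapability' are the example's own; which capability the thread's SID corresponds to is not something this page establishes.

```powershell
# Added example: classify the identities in a service key's ACL and show why a
# S-1-15-3-1024-... SID is the same on every Windows 10 machine. Not from the thread.

function Get-SidKind {
    param([string]$Sid)
    switch -Regex ($Sid) {
        '^S-1-15-2-'      { return 'AppContainer package SID (not an account)' }
        '^S-1-15-3-1024-' { return 'Named capability SID (hash of a capability name)' }
        '^S-1-15-3-'      { return 'Well-known capability SID' }
        '^S-1-5-21-'      { return 'Local or domain account/group' }
        '^S-1-5-80-'      { return 'Service SID (NT SERVICE\...)' }
        '^S-1-5-32-'      { return 'Built-in group' }
        default           { return 'Other well-known SID' }
    }
}

function Get-ServiceKeyIdentities {
    param([string]$ServiceName)
    $acl = Get-Acl -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    foreach ($ace in $acl.Access) {
        # Translate names back to SIDs; an unresolvable identity is already a SID string.
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { $sid = $ace.IdentityReference.Value }
        [pscustomobject]@{
            Service  = $ServiceName
            Identity = $ace.IdentityReference.Value
            Sid      = $sid
            Kind     = Get-SidKind $sid
            Rights   = $ace.RegistryRights
            Type     = $ace.AccessControlType
        }
    }
}

# Named capability SID derivation: S-1-15-3-1024 followed by the SHA-256 of the
# upper-cased UTF-16LE capability name as eight little-endian DWORDs.
function Get-CapabilitySid {
    param([string]$CapabilityName)
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($CapabilityName.ToUpperInvariant())
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    try { $hash = $sha.ComputeHash($bytes) } finally { $sha.Dispose() }
    $rids  = for ($i = 0; $i -lt 32; $i += 4) { [BitConverter]::ToUInt32($hash, $i) }
    'S-1-15-3-1024-' + ($rids -join '-')
}

'WdNisSvc', 'WdNisDrv' | ForEach-Object { Get-ServiceKeyIdentities -ServiceName $_ } | Format-Table -AutoSize

# The SID from the thread, classified:
Get-SidKind 'S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681'

# Same input, same SID, on any machine (hypothetical capability name):
Get-CapabilitySid 'exampleCapability'
Get-CapabilitySid 'EXAMPLECAPABILITY'
```

The useful comparison is against a second, known-clean Windows 10 machine of the same build: the ACEs on WdNisSvc and WdNisDrv (the Windows Defender network inspection service and its driver) should match entry for entry, and a capability SID in that list is a grant to a sandboxed package, not a sign of an extra user.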
migs_k (posted February 24, 2021):
What about this?
itman (posted February 24, 2021):
Open an admin-level command prompt window and enter: netstat -anob
This will give you a better idea of what your current network connection status is. I have no clue why the above ESET network connections are showing what they are. It is normal to see two network connections for a process on the same port when both IPv4 and IPv6 are enabled. However, the IP addresses in the listening state should be 0.0.0.0 and ::. Also suspect is all ports being shown except for the svchost.exe port 135 entry.
migs_k (posted February 24, 2021):
Quote:
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 1204 RpcSs [svchost.exe]
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4 Can not obtain ownership information
TCP 0.0.0.0:1536 0.0.0.0:0 LISTENING 704 [System]
TCP 0.0.0.0:1537 0.0.0.0:0 LISTENING 900 Can not obtain ownership information
TCP 0.0.0.0:1538 0.0.0.0:0 LISTENING 1756 EventLog [svchost.exe]
TCP 0.0.0.0:1539 0.0.0.0:0 LISTENING 1608 Schedule [svchost.exe]
TCP 0.0.0.0:1540 0.0.0.0:0 LISTENING 300 Can not obtain ownership information
TCP 0.0.0.0:5040 0.0.0.0:0 LISTENING 2288 CDPSvc [svchost.exe]
TCP 10.102.37.150:139 0.0.0.0:0 LISTENING 4 Can not obtain ownership information
TCP 10.102.37.150:2142 82.202.185.211:443 ESTABLISHED 7960 Can not obtain ownership information
TCP 10.102.37.150:2147 82.202.185.211:443 ESTABLISHED 5236 [ksde.exe]
TCP 10.102.37.150:2982 162.159.130.234:443 ESTABLISHED 8792 [Discord.exe]
TCP 10.102.37.150:3144 172.217.194.18:443 ESTABLISHED 8304 [brave.exe]
TCP 10.102.37.150:3203 180.87.4.152:443 CLOSE_WAIT 7960 Can not obtain ownership information
TCP 10.102.37.150:3207 104.18.27.211:443 ESTABLISHED 8304 [brave.exe]
TCP 10.102.37.150:3211 172.67.69.162:443 ESTABLISHED 8304 [brave.exe]
TCP 127.0.0.1:1044 127.0.0.1:1045 ESTABLISHED 5236 [ksde.exe]
TCP 127.0.0.1:1045 127.0.0.1:1044 ESTABLISHED 5236 [ksde.exe]
TCP 127.0.0.1:1063 127.0.0.1:1064 ESTABLISHED 5236 [ksde.exe]
TCP 127.0.0.1:1064 127.0.0.1:1063 ESTABLISHED 5236 [ksde.exe]
TCP 127.0.0.1:1065 127.0.0.1:1066 ESTABLISHED 5236 [ksde.exe]
TCP 127.0.0.1:1066 127.0.0.1:1065 ESTABLISHED 5236 [ksde.exe]
TCP 127.0.0.1:1067 127.0.0.1:1068 ESTABLISHED 5236 [ksde.exe]
TCP 127.0.0.1:1068 127.0.0.1:1067 ESTABLISHED 5236 [ksde.exe]
TCP 127.0.0.1:1069 127.0.0.1:1070 ESTABLISHED 5236 [ksde.exe]
TCP 127.0.0.1:1070 127.0.0.1:1069 ESTABLISHED 5236 [ksde.exe]
TCP 127.0.0.1:1071 127.0.0.1:1072 ESTABLISHED 5236 [ksde.exe]
TCP 127.0.0.1:1072 127.0.0.1:1071 ESTABLISHED 5236 [ksde.exe]
TCP 127.0.0.1:1146 0.0.0.0:0 LISTENING 12056 [NVIDIA Web Helper.exe]
TCP 127.0.0.1:2140 127.0.0.1:2141 ESTABLISHED 7960 Can not obtain ownership information
TCP 127.0.0.1:2141 127.0.0.1:2140 ESTABLISHED 7960 Can not obtain ownership information
TCP 127.0.0.1:2145 127.0.0.1:2146 ESTABLISHED 5236 [ksde.exe]
TCP 127.0.0.1:2146 127.0.0.1:2145 ESTABLISHED 5236 [ksde.exe]
TCP 127.0.0.1:3128 0.0.0.0:0 LISTENING 11104 [System]
TCP 127.0.0.1:3128 127.0.0.1:3129 ESTABLISHED 11104 [System]
TCP 127.0.0.1:3129 127.0.0.1:3128 ESTABLISHED 11104 [System]
TCP 127.0.0.1:3839 127.0.0.1:3840 ESTABLISHED 7960 Can not obtain ownership information
TCP 127.0.0.1:3840 127.0.0.1:3839 ESTABLISHED 7960 Can not obtain ownership information
TCP 127.0.0.1:3843 0.0.0.0:0 LISTENING 7960 Can not obtain ownership information
TCP 127.0.0.1:3847 127.0.0.1:3848 ESTABLISHED 7960 Can not obtain ownership information
TCP 127.0.0.1:3848 127.0.0.1:3847 ESTABLISHED 7960 Can not obtain ownership information
TCP 127.0.0.1:3849 127.0.0.1:3850 ESTABLISHED 7960 Can not obtain ownership information
TCP 127.0.0.1:3850 127.0.0.1:3849 ESTABLISHED 7960 Can not obtain ownership information
TCP 127.0.0.1:6463 0.0.0.0:0 LISTENING 9576 [Discord.exe]
TCP 127.0.0.1:43227 0.0.0.0:0 LISTENING 2028 Can not obtain ownership information
TCP 192.168.176.123:1073 193.56.255.62:443 ESTABLISHED 5236 [ksde.exe]
TCP 192.168.176.123:1074 193.56.255.62:443 ESTABLISHED 5236 [ksde.exe]
TCP 192.168.176.123:1075 193.56.255.62:443 ESTABLISHED 5236 [ksde.exe]
TCP 192.168.176.123:1076 193.56.255.62:443 ESTABLISHED 5236 [ksde.exe]
TCP 192.168.176.123:1077 193.56.255.62:443 ESTABLISHED 5236 [ksde.exe]
TCP 192.168.176.123:1078 193.56.255.62:443 ESTABLISHED 5236 [ksde.exe]
TCP 192.168.176.123:1079 193.56.255.62:443 ESTABLISHED 5236 [ksde.exe]
TCP 192.168.176.123:1080 193.56.255.62:443 ESTABLISHED 5236 [ksde.exe]
TCP 192.168.176.123:1081 193.56.255.62:443 ESTABLISHED 5236 [ksde.exe]
TCP 192.168.176.123:1082 193.56.255.62:443 ESTABLISHED 5236 [ksde.exe]
TCP [::]:135 [::]:0 LISTENING 1204 RpcSs [svchost.exe]
TCP [::]:445 [::]:0 LISTENING 4 Can not obtain ownership information
TCP [::]:1536 [::]:0 LISTENING 704 [System]
TCP [::]:1537 [::]:0 LISTENING 900 Can not obtain ownership information
TCP [::]:1538 [::]:0 LISTENING 1756 EventLog [svchost.exe]
TCP [::]:1539 [::]:0 LISTENING 1608 Schedule [svchost.exe]
TCP [::]:1540 [::]:0 LISTENING 300 Can not obtain ownership information
UDP 0.0.0.0:67 *:* 7960 Can not obtain ownership information
UDP 0.0.0.0:500 *:* 3572 IKEEXT [svchost.exe]
UDP 0.0.0.0:1900 *:* 7960 Can not obtain ownership information
UDP 0.0.0.0:4500 *:* 3572 IKEEXT [svchost.exe]
UDP 0.0.0.0:5050 *:* 2288 CDPSvc [svchost.exe]
UDP 0.0.0.0:5353 *:* 6740 [brave.exe]
UDP 0.0.0.0:5353 *:* 8304 [brave.exe]
UDP 0.0.0.0:5353 *:* 8304 [brave.exe]
UDP 0.0.0.0:5353 *:* 8304 [brave.exe]
UDP 0.0.0.0:5353 *:* 6740 [brave.exe]
UDP 0.0.0.0:5353 *:* 8304 [brave.exe]
UDP 0.0.0.0:5353 *:* 2408 Dnscache [svchost.exe]
UDP 0.0.0.0:5353 *:* 8304 [brave.exe]
UDP 0.0.0.0:5353 *:* 8304 [brave.exe]
UDP 0.0.0.0:5353 *:* 6740 [brave.exe]
UDP 0.0.0.0:5353 *:* 6740 [brave.exe]
UDP 0.0.0.0:5353 *:* 7960 Can not obtain ownership information
UDP 0.0.0.0:5353 *:* 8304 [brave.exe]
UDP 0.0.0.0:5353 *:* 8304 [brave.exe]
UDP 0.0.0.0:5355 *:* 2408 Dnscache [svchost.exe]
UDP 0.0.0.0:53709 *:* 2060 Can not obtain ownership information
UDP 0.0.0.0:58096 *:* 2060 Can not obtain ownership information
UDP 0.0.0.0:58307 *:* 2060 Can not obtain ownership information
UDP 0.0.0.0:63933 *:* 7960 Can not obtain ownership information
UDP 10.102.37.150:137 *:* 4 Can not obtain ownership information
UDP 10.102.37.150:138 *:* 4 Can not obtain ownership information
UDP 10.102.37.150:2177 *:* 7236 QWAVE [svchost.exe]
UDP 127.0.0.1:10010 *:* 12056 [NVIDIA Web Helper.exe]
UDP 127.0.0.1:50747 *:* 7960 Can not obtain ownership information
UDP 127.0.0.1:51235 *:* 7148 [nvcontainer.exe]
UDP 127.0.0.1:52983 *:* 2060 Can not obtain ownership information
UDP 127.0.0.1:61333 *:* 4212 iphlpsvc [svchost.exe]
UDP 127.0.0.1:63923 *:* 7960 Can not obtain ownership information
UDP 127.0.0.1:63924 *:* 7960 Can not obtain ownership information
UDP 192.168.176.123:1900 *:* 7960 Can not obtain ownership information
UDP 192.168.176.123:2177 *:* 7236 QWAVE [svchost.exe]
UDP 192.168.176.123:5353 *:* 7960 Can not obtain ownership information
UDP 192.168.176.123:51495 *:* 7960 Can not obtain ownership information
UDP 192.168.176.123:51496 *:* 7960 Can not obtain ownership information
UDP [::]:500 *:* 3572 IKEEXT [svchost.exe]
UDP [::]:4500 *:* 3572 IKEEXT [svchost.exe]
UDP [::]:5353 *:* 8304 [brave.exe]
UDP [::]:5353 *:* 2408 Dnscache [svchost.exe]
UDP [::]:5353 *:* 6740 [brave.exe]
UDP [::]:5353 *:* 8304 [brave.exe]
UDP [::]:5353 *:* 8304 [brave.exe]
UDP [::]:5353 *:* 6740 [brave.exe]
UDP [::]:5353 *:* 8304 [brave.exe]
UDP [::]:5355 *:* 2408 Dnscache [svchost.exe]
UDP [fe80::2016:5d80:4c51:aa93%6]:2177 *:* 7236 QWAVE [svchost.exe]
UDP [fe80::6993:e4bb:5af1:f881%12]:2177 *:* 7236 QWAVE [svchost.exe]
I've added "127.0.0.1 0x1f4b0.com" to hosts and it returned back to 0.0.0.0, but this still shows in ESET. What are supposed to be the default connections/ports of these things? Should I block ports 15xx? Are my system services hijacked?
migs_k 0 Posted February 24, 2021 Author
These are some of those "Can not obtain ownership information" entries.
itman 1,538 Posted February 24, 2021
Refer to the netstat output you posted. Note all the ksde.exe references, especially in regards to the IPv4 localhost connection. Ksde.exe is either Kaspersky Anti-Virus: https://www.file.net/process/ksde.exe.html , or Kaspersky VPN Secure Connection software. For the present, I assume it is the latter. I assume all the weird Eset network connection display of IPv4 addresses is due to the use of Kaspersky VPN Secure Connection operation. Note that this VPN feature is usually implemented as part of a Kaspersky security software installation. The Kaspersky web site however notes it can be installed stand-alone. You will have to research if a stand-alone installation of it is compatible with Eset Internet Security. Since you're not complaining about Internet connectivity issues, it appears there are none; at least from an operational aspect.
migs_k 0 Posted February 25, 2021 Author
Not sure about that; after blocking 0x1f4b0.com and restarting, it's now replaced by 0123movies.com.
itman 1,538 Posted February 25, 2021
12 hours ago, migs_k said: Not sure about that; after blocking 0x1f4b0.com and restarting, it's now replaced by 0123movies.com.
Uninstall Kaspersky VPN and see if this resolves all these network issues you are concerned about.
itman 1,538 Posted February 25, 2021
I did a bit of research on this issue. It appears anything to do with this domain, 0x1f4b0.com, is probably malicious. Here's an anyrun.com sandbox analysis for hxxps://005.0x1f4b0.com: https://any.run/report/c9270df0bb81eefa3f3f18c3627123bd0c325861b7ff652d58826a61bc9c853b/f4895086-cbc0-4be8-8d3b-c8b14daf0d45 . Verdict: malicious. Also, any attempt to access 0x1f4b0.com in Firefox is blocked by the uBlock Origin EasyPrivacy filter. The fact that this domain was appended to your Eset Network Connections tool display indicates to me that your VPN connection is hacked. Again, uninstall the Kaspersky VPN software and clean out any remnants of it on your device.
itman 1,538 Posted February 25, 2021 (edited)
Also notable is that Kaspersky VPN does not host DNS servers in the Philippines; or Indonesia, for that matter:
Quote
The countries covered by the Kaspersky VPN are: Canada, Czech Republic, Denmark, France, Germany, Hong Kong, Japan, Mexico, the Netherlands, the Republic of Ireland, Russia, Singapore, Spain, Sweden, Turkey, the United States of America, Ukraine and the United Kingdom.
https://anonymster.com/reviews/kaspersky-vpn-review/
Edited February 25, 2021 by itman
migs_k 0 Posted February 26, 2021 Author
I've also sent some sort of .exe files to Eset; they are CR_xxxxx/setup.exe, where the x are random numbers / chars. These things keep popping up from HIPS from time to time, targeting my browsers. I couldn't obtain all of them; as soon as it gets reported by Eset's HIPS I try to go to the location of that .exe and it's not there. Anyway, do you know how to disable safe boot without logging into Windows and without a Windows 10 physical disc?
migs_k 0 Posted February 26, 2021 Author
Also, to me this is an unresolved issue:
Quote
Can I ask what these are? They automatically ran without me knowing.
Time;Application;Operation;Target;Action;Rule;Additional information
2/19/2021 5:05:06 PM;C:\Windows\System32\LogonUI.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{D6886603-9D2F-4EB2-B667-1971041FA96B}\S-1-5-21-2775152818-1588230348-2558996214-1001\DestructiveResetInProgress;allowed;Automatic mode;
2/19/2021 5:05:07 PM;C:\Windows\System32\LogonUI.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{D6886603-9D2F-4EB2-B667-1971041FA96B}\S-1-5-21-2775152818-1588230348-2558996214-1001\TpmClearRecoveryInProgress;allowed;Automatic mode;
2/19/2021 5:05:09 PM;C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{87BDED91-3F10-4383-B8C1-26886F49F141}\LocalServer32;allowed;Automatic mode;
2/19/2021 5:05:38 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AarSvc_1f8ead56\Start;allowed;Automatic mode;
2/19/2021 5:05:38 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AarSvc_1f8ead56\ImagePath;allowed;Automatic mode;
2/19/2021 5:05:38 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BcastDVRUserService_1f8ead56\Start;allowed;Automatic mode;
2/19/2021 5:05:38 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BcastDVRUserService_1f8ead56\ImagePath;allowed;Automatic mode;
2/19/2021 5:05:38 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BluetoothUserService_1f8ead56\Start;allowed;Automatic mode;
2/19/2021 5:05:38 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BluetoothUserService_1f8ead56\ImagePath;allowed;Automatic mode;
2/19/2021 5:05:39 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CaptureService_1f8ead56\Start;allowed;Automatic mode;
2/19/2021 5:05:39 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CaptureService_1f8ead56\ImagePath;allowed;Automatic mode;
2/19/2021 5:05:39 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cbdhsvc_1f8ead56\Start;allowed;Automatic mode;
2/19/2021 5:05:39 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cbdhsvc_1f8ead56\ImagePath;allowed;Automatic mode;
2/19/2021 5:05:39 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CDPUserSvc_1f8ead56\Start;allowed;Automatic mode;
2/19/2021 5:05:39 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CDPUserSvc_1f8ead56\ImagePath;allowed;Automatic mode;
2/19/2021 5:05:39 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ConsentUxUserSvc_1f8ead56\Start;allowed;Automatic mode;
2/19/2021 5:05:39 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ConsentUxUserSvc_1f8ead56\ImagePath;allowed;Automatic mode;
2/19/2021 5:05:39 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CredentialEnrollmentManagerUserSvc_1f8ead56\Start;allowed;Automatic mode;
2/19/2021 5:05:39 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CredentialEnrollmentManagerUserSvc_1f8ead56\ImagePath;allowed;Automatic mode;
2/19/2021 5:05:39 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DeviceAssociationBrokerSvc_1f8ead56\Start;allowed;Automatic mode;
2/19/2021 5:05:39 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DeviceAssociationBrokerSvc_1f8ead56\ImagePath;allowed;Automatic mode;
2/19/2021 5:05:39 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DevicePickerUserSvc_1f8ead56\Start;allowed;Automatic mode;
2/19/2021 5:05:40 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DevicePickerUserSvc_1f8ead56\ImagePath;allowed;Automatic mode;
2/19/2021 5:05:40 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DevicesFlowUserSvc_1f8ead56\Start;allowed;Automatic mode;
2/19/2021 5:05:40 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DevicesFlowUserSvc_1f8ead56\ImagePath;allowed;Automatic mode;
2/19/2021 5:05:40 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MessagingService_1f8ead56\Start;allowed;Automatic mode;
2/19/2021 5:05:40 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MessagingService_1f8ead56\ImagePath;allowed;Automatic mode;
2/19/2021 5:05:40 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\OneSyncSvc_1f8ead56\Start;allowed;Automatic mode;
2/19/2021 5:05:40 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\OneSyncSvc_1f8ead56\ImagePath;allowed;Automatic mode;
2/19/2021 5:05:40 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PimIndexMaintenanceSvc_1f8ead56\Start;allowed;Automatic mode;
2/19/2021 5:05:40 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PimIndexMaintenanceSvc_1f8ead56\ImagePath;allowed;Automatic mode;
2/19/2021 5:05:40 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PrintWorkflowUserSvc_1f8ead56\Start;allowed;Automatic mode;
2/19/2021 5:05:40 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PrintWorkflowUserSvc_1f8ead56\ImagePath;allowed;Automatic mode;
2/19/2021 5:05:40 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UdkUserSvc_1f8ead56\Start;allowed;Automatic mode;
2/19/2021 5:05:40 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UdkUserSvc_1f8ead56\ImagePath;allowed;Automatic mode;
2/19/2021 5:05:40 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UnistoreSvc_1f8ead56\Start;allowed;Automatic mode;
2/19/2021 5:05:41 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UnistoreSvc_1f8ead56\ImagePath;allowed;Automatic mode;
2/19/2021 5:05:41 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UserDataSvc_1f8ead56\Start;allowed;Automatic mode;
2/19/2021 5:05:41 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UserDataSvc_1f8ead56\ImagePath;allowed;Automatic mode;
2/19/2021 5:05:41 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WpnUserService_1f8ead56\Start;allowed;Automatic mode;
2/19/2021 5:05:41 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WpnUserService_1f8ead56\ImagePath;allowed;Automatic mode;
2/19/2021 5:05:41 PM;C:\Windows\System32\svchost.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{D6886603-9D2F-4EB2-B667-1971041FA96B}\S-1-5-21-2775152818-1588230348-2558996214-1001\NgcFirst\ConsecutiveSwitchCount;allowed;Automatic mode;
2/19/2021 5:05:53 PM;C:\Windows\System32\ctfmon.exe;Modify startup settings;HKEY_USERS\S-1-5-21-2775152818-1588230348-2558996214-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\internat.exe;allowed;Automatic mode;

2/19/2021 5:05:06 PM;C:\Windows\System32\LogonUI.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{D6886603-9D2F-4EB2-B667-1971041FA96B}\S-1-5-21-2775152818-1588230348-2558996214-1001\DestructiveResetInProgress;allowed;Automatic mode;
After doing a Google search, D6886603-9D2F-4EB2-B667-1971041FA96B = PIN, so I'm going to assume someone logged in via my PC's PIN and did a "DestructiveResetInProgress" and "TpmClearRecoveryInProgress", whatever this means.
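A small triage script for an export like the one quoted above, added here as an example (it is not ESET's code and was not posted in the thread): it parses the semicolon-separated HIPS records and sorts them into buckets, so the bulk of per-user service entries separates from the credential-provider writes and the Run-key autostart. The bucket rules, and the sample subset taken from the records above, are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample: a subset of the records quoted in the thread, in the
# same layout as the ESET HIPS export (semicolon-separated, trailing ';').
HIPS_SAMPLE = r"""Time;Application;Operation;Target;Action;Rule;Additional information
2/19/2021 5:05:06 PM;C:\Windows\System32\LogonUI.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{D6886603-9D2F-4EB2-B667-1971041FA96B}\S-1-5-21-2775152818-1588230348-2558996214-1001\DestructiveResetInProgress;allowed;Automatic mode;
2/19/2021 5:05:38 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AarSvc_1f8ead56\Start;allowed;Automatic mode;
2/19/2021 5:05:39 PM;C:\Windows\System32\services.exe;Modify startup settings;HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CDPUserSvc_1f8ead56\ImagePath;allowed;Automatic mode;
2/19/2021 5:05:53 PM;C:\Windows\System32\ctfmon.exe;Modify startup settings;HKEY_USERS\S-1-5-21-2775152818-1588230348-2558996214-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\internat.exe;allowed;Automatic mode;
"""

FIELDS = ["time", "application", "operation", "target", "action", "rule", "info"]
# Per-user service instances carry a "<Name>_<logon session id>" suffix.
PER_USER_SVC = re.compile(r"\\Services\\[A-Za-z0-9]+_([0-9a-f]{5,8})\\(Start|ImagePath)$")
CRED_PROVIDER = re.compile(r"\\Credential Providers\\\{[0-9A-F-]{36}\}\\")
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)

def parse_hips(text):
    """Turn the export into dicts keyed by FIELDS; the header line is skipped."""
    records = []
    for line in text.splitlines()[1:]:
        if line.strip():
            records.append(dict(zip(FIELDS, line.split(";"))))
    return records

def classify(rec):
    """Assumed triage buckets for 'Modify startup settings' (not an ESET feature)."""
    target = rec["target"]
    if PER_USER_SVC.search(target) and rec["application"].lower().endswith("\\services.exe"):
        return "per-user service instance (created by services.exe at sign-in)"
    if CRED_PROVIDER.search(target):
        return "credential provider state (PIN provider per the thread's lookup)"
    if RUN_KEY.search(target):
        return "Run-key autostart: review the value's command line"
    return "other: review manually"

def session_suffixes(records):
    """Distinct per-user service suffixes; one sign-in normally yields one."""
    found = (PER_USER_SVC.search(r["target"]) for r in records)
    return {m.group(1) for m in found if m}

def triage(text):
    """Count records per bucket so the unusual entries stand out from the bulk."""
    return Counter(classify(r) for r in parse_hips(text))

if __name__ == "__main__":
    for bucket, n in triage(HIPS_SAMPLE).most_common():
        print(f"{n:3d}  {bucket}")
    print("session suffixes:", session_suffixes(parse_hips(HIPS_SAMPLE)))
```

Run against the full export, the per-user bucket should hold every services.exe line with the same suffix, leaving only a handful of entries to look at by hand.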