Finding a Disappearing Application in Windows?
siuengr asks: "I have a computer that has a window that pops up every few minutes, but disappears before I can figure out what it is. I have run every virus program and spybot cleaner I have, but they do not find any problems. How can I figure what is causing this window to pop-up all the time, when it doesn't stick around long enough to see anything about it? Is there any software that tracks what applications have run over a period of time, even if they are not currently running?"
Open up the Task Manager and be patient. Watch the processes.
Same thing! Be interesting to see if anyone tracks this down. My solution was to buy a new computer (old one severely needed an upgrade anyway). I looked through my processes and didn't see anything. Tried windows live antivirus too. Happens every few minutes here. Try killing your processes or using msconfig to kill startup stuff. There's several sites that list known windows processes.
Nuking windows and/or wiping drives or partitions will of course work as well.
Use CamStudio (GPL), or some other desktop video recorder. Record your desktop until the event has occurred a few times, then advance to a frame in the video file that contains the dialogue box/application window. Leave the task manager (ctrl-alt-delete) running off to the side. Let the event occur once with the applications tab displayed and once with the processes tab. Make sure you can see the whole process list.
Check the event viewer (control panel->administration) for erratic messages. Try disabling processes one by one to see if one of them is the cause. What Anti-stuff are you running? Anti-stuff is only as good as the definition database. Furthermore, many malicious processes can hide their existence from the OS, and an application tracking software is almost certainly going to get this info from the OS. Make sure your video drivers are up-to-date. If you suspect that the app communicates over the network, install a software firewall and set it to anal mode.
Run a benchmarking utility or simultaneously run several resource hungry applications to slow the machine down, and maybe the window will hang around for a while.
If you can't catch it there, just format and reinstall Windows--the standard fix for anything Microsoft. Cue the mac/linux comments!
FairTax baby!
A friend of mine had issues with Kaspersky anti-virus doing this every few minutes. Do you have that installed?
You can mod your friends, you can mod your nose, but you can't mod your friend's nose.
Tiny Firewall provides a security module that requires the user authorize every unknown application be manually allowed to run.
While I have yet to see any unknown process start on my machine, none (not even ones started by trusted processes) are allowed to proceed without first being given the OK by me. I'd give it a shot and see if TF 2006 can catch it for you.
Process Explorer Options..Difference Highlight Duration
It might be a better solution
Google for it. It shows recently terminated processes in red (or whatever) for a few seconds after it's terminated (all configurable)
The revolution will not be televised... but it will have a page on Wikipedia
Assumptions:
1. For a dialog to be coming up it has to be initiated by a process.
2. Mystery process most likely isn't part of Windows
Action:
1. Disable all startup programs with msconfig
2. Reboot
3. If problem is gone re-enable startup processes one at a time.
If the problem is back/still there go to step 5
4. Goto step 2
5. Visit Slashdot. Scroll past this comment and proceed to next proposed solution, one which, hopefully, won't waste your time like this one just did.
Maybe the process continues to run, it's merely popping up some kind of window from time-to-time. I'd look through task manager for any processes that don't seem right. Google for the process names if you find anything suspicious.
:P
Or maybe it's just Messenger showing you when someone's logged on
...this is truly a crappy Ask Slashdot.
The submitter didn't provide ANY details about his environment other than "Windows" nor did he provide ANY description of what the "disappearing application" does.
The devil is in the details, and so is your answer. Provide more info or, as a man more eloquent than I once said, "BRACE YOSELF."
Slashdot? Oh, I just read it for the articles.
Switch to Linux!
OK, a touch more seriously, you've killed off everything non-essential to a working computer and had it still come up? If not, check that first!
'nuff said.
If nothing obvious is running as a process, this might be popping up from a scheduled task.
Occasionally we ran these at my old job and it would pop up a window in front of whatever you were doing, very briefly. The task was a batch file that kicked off something else.
Unitarian Church: Freethinkers Congregate!
If you have an HP printer/scanner it might be their updater program.
Look on sysinternals.com - the best bet would be Filemon - then you can track which files are being opened.
Download Process Explorer. It's like task manager on steroids. One of the things you can do is put "delays" on the list of running processes when the list changes, like with the addition/removal of a process/window.
Go to Options > Difference Highlight Duration, and set it like 15 seconds or whatever. New processes will show up in bright green for 15 secs, and killed processes will show up as red for 15 secs.
Yep, I have the problem too and have an HP deskjet (probably with the huge stinking driver instead of the cut-down one).
Your adblocker (or something like it) is probably closing a popup window as soon as it appears.
Your exact scenario happened to me a few weeks ago.
Do you use the TweakUI program that comes with Powertoys for Windows XP? If so, do you have X-Mouse turned on? Check Mouse -> X-Mouse and see if "Activation follows mouse (X-Mouse)" is turned on.
Some poorly written Windows apps will pop up dialogs that then disappear if they lose mouse focus. If you have X-Mouse turned on, they will pop up a dialog - and if your mouse is anywhere else on the screen, they'll think they've lost focus and close the dialog.
All I had to do was disable X-Mouse until the app popped the dialog again, then I could deal with it. Unfortunately I don't remember what the poorly written program happened to be...
The Online Slang Dictionary
We have an HP PSC 2355 printer and we installed the software that came with it. Anyhow, every half an hour or so, a program would randomly appear in the taskbar and disappear very quickly afterwards, usually minimising any full-screen applications. In the end, we had to disable it in msconfig. I honestly can't remember what the entry was in msconfig, but I could find it somewhere if it's actually the problem. Of course, it probably begins with "hp" anyway.
If we can hit that bull's-eye, the rest of the dominoes will fall like a house of cards... Checkmate.
Spy++ (comes with Visual Studio and probably other packages) should be able to list the window, even after it disappears and trace it to the owning process. Used it many times to find information about "rogue" dialogs.
StarTrek.org Free Webmail
Sounds exactly like one of the HP processes that used to run on my machine. I installed an HP printer program that I needed along with the drivers and then I noticed a taskbar process that would run about every 15 minutes or so. It really bugged me until I got rid of it.
Do you have an HP printer perhaps?
"A government is a body of people, usually notably ungoverned." - Shepard Book Quoting Malcolm Reynolds
Since when did Slashdot become Experts Exchange?
Try Process Lasso, it has a process log feature. Very handy.
http://www.bitsum.com/
--nomax
But...
Get "HijackThis" which will give you a list of all the stuff starting in a log file.
From there, you can start to figure out what each one is. It takes HOURS, but you'll know a lot when you are done.
Also, get "Tlist.exe" and "kill.exe" from the Windows SDK or PowerTools.
Then compose a batch file to use the command line switches in TList to fire periodically. Eventually the two apps will be running at the same time. (Pipe all the results to a text file you can look at.)
Or, call a pro who can dig it out by sitting down in front. Submitter doesn't have enough background to provide full detail probably shouldn't be dicking with his/her registry either.
You might be looking at it and not see it.
Went to a security demo and watched the security guys run a Metasploit process that actually injected the remote .dll into a currently running .dll on the target machine while showing process viewer.
So while sys_msg.exe or whatever minimal process changed in the process viewer slightly the name remained the same and there was no way to tell that the process was suddenly pwned from a remote host and was (presumably) doing horrible and unwanted things to your computer. All from a dropdown menu, point and click interface too.
I went back to my office and hugged my Mac, tell you what.
=tkk
Bill Gates - Creationist?!?
After doing that and then downloading Process explorer to make sure it isn't replaced is to look in your startup with either MSconfig or startup control panel.
http://www.sysinternals.com/Utilities/ProcessExplorer.html
http://www.mlin.net/StartupCPL.shtml
You know for just $50 an hour plus travel, I can take care of that issue for you.
--
So who is hotter? Ali or Ali's sister
You didn't mention whether the computer was on a network. I see CMD windows pop up for a second to run things once in awhile on work machines, so there could be any number of applications which aren't in the msconfig list being invoked upon you.
If you're not on a network, as some others said earlier have a look at msconfig... that'd spook me.
Laughter is the Spackle of the Soul.
I had this same problem; a no-name window would appear in my task bar every few minutes and then disappear immediately. I used a tool by Stardock called SecureProcess (a part of their ThinkDesk suite) to find out what it was. The tool can be used to stop processes from starting until you give them permission.
In my case, it turns out the mystery window was software that came with my HP printer. I might be wrong, but I think it was HPCMPMGR.EXE (this was several months ago, however, so my recollection might be off.)
Go to cnet.com and download bazooka -- it will tell you if you have any malware and how to remove it.
For any windows problem to which you do not know the answer immediately or through a quick google search.
Visit http://www.sysinternals.com/
Look through all the categories and short descriptions until you find a tool that could provide a diagnostic clue.
In your case Process Explorer will do the trick, just turn the highlight time up and you should see process creation (provided it is caused by a process).
If no new process is spawning, an existing one is launching the window, so compare the process listing against a similarly configured pc without the problem or a clean one and slowly remove processes until the one causing the problem is destroyed.
If all the processes listed are valid, then you may have a compromised exe or dll, so use the dependency walker to find all the files used, then use md5sum or similar to hash them and compare the hashes against a clean machine.
If you think the problem may be using a network connection you get additional options; you can use tcpview & process explorer to find the process in question and then kill it. You can also use wireshark (formerly ethereal) from http://www.wireshark.org/ either on the machine itself or another machine to monitor the network traffic.
If all these steps are ineffectual, you may have a rootkit, so run rootkit revealer also from sysinternals.
If you suspect a virus/spyware then it can be difficult to use the machine itself to diagnose; instead grab a copy of Barts PE with McAfee/Sophos & lavasoft adaware and the registry redirector to scan the local machine. This usually will allow you to get the machine to a state where other tools can be effective.
Check out the Windows Resource Kits from Microsoft; they have a wealth of tools that may not be immediately useful, but can prove invaluable.
On domain machines, the first step is always to check any logon scripts/group policy.
I've noticed that some web sites will pop-up a browser window and hide it. For what reason, I have no idea. Poor coding practice?
On the Mac side, you can make it appear by using Expose. It's just a tiny, blank browser window with no control bar or buttons or anything, shuffled conveniently off the screen. Until Expose makes it my bitch.
On the Windows side, I'm sure there's got to be ways of popping IE windows, and making them not appear in the task bar. I just haven't seen it on the Windows side, because I browse a much narrower range of sites on Windows.
These are my friends, See how they glisten. See this one shine, how he smiles in the light.
You fail to state what OS you are running.
;-)
If you are running Windows XP Professional (I think Windows 2000 Pro also has it), you can simply turn on process tracking in Group Policy. Every process that starts will now be logged in the security log. View it with the Event Viewer (Start.. Run.. type "eventvwr.msc")
Instructions for how to enable process tracking (for exactly the same problem!)
I don't think the same can be done for Windows XP Home... but I've been wrong before
I hold it, that a little rebellion, now and then, is a good thing. -- Thomas Jefferson
I am betting that you have an HP printer. I almost destroyed the printer itself when I found out what the window that was nagging me was. I stopped using their software. Google for it, I have since lost the link. I believe it may have been calling home to update its software and perhaps I had blocked its traffic and it just kept trying. It was very annoying because it would drop my full screen games to desktop. Whatever it was doing, I got it stopped for awhile thanks to google but when we updated the software it started doing it again. So we stopped using it altogether.
If it is a window - use APISpy to track windows API calls - look for a call to CreateWindow() and track where it is coming from.
I have mod points and I am not afraid to use them
I hate to just chime in with my own two cents and wild guess but I've had the same experience and tracked it down to iTunes opening a song from Shared Music. It's a small wide rectangular window saying "Opening URL..." or something. I have seen it up for longer when there are network problems. You can reproduce it by clicking on Next Song several times quickly just as quickly as it can load songs.
Press the "turbo" switch and run your PC at 8mhz instead of 12. The window will stay on screen longer, giving you enough time to see what it says.
Better get GMER http://www.gmer.net/
As several people have mentioned, some of the tools at sysinternals.com are perfect for this, and I highly recommend them.
Also, WinTasks (a task manager replacement) has a process logging feature. (www.liutilities.com)
what about figuring what's causing my laptop hard drive to go constantly? the memory settings look ok...
SO YOU'RE GOING TO DIE: The Comic for Dealing with Death
Write a script (VBS, Perl, whatever) to monitor your process list. Have it poll the process list every quarter of a second or something, and keep a running list of processes that are found. On the first iteration, write the list to one file. On succeeding iterations, compare the list of the i-th iteration to the list of known processes -- if a new process appears that wasn't in a previous iteration, spit it out to another file...
Is Capitalism Good for the Poor?
I vote that this should be the comment of the week.
Note to self: Stop putting jokes in my insightful comments so I can get something other than +1 Funny!
Available at robotgenius.net
Spyberus is free of charge. Check out the tutorial
There is probably a dll that is tied into explorer or something to repopulate when you clean.
Also, use Spybot Search and Destroy in safe mode with all of the updates, but use all of the immunize functions first. It can spot some zombie process that "look" normal, but which sure as heck aren't. and then kill them.
Do a maximum amount of cleaning in safe mode.
Check out Spywarewarrior.com for a comprehensive list of bogus cleaners that are really infectors. For an example, see this illustration.
I make a decent living doing nothing but cleaning things like this up. I can't give you a ten page How-to, but the links will put you on the right trail.
"It is a greater offense to steal men's labor, than their clothes"
I fixed this on my XP home sp2 machine by
deleting iexplorer.exe and quickly
creating a folder named iexplorer.exe
in its place so Ms can't replace it.
Worked for me, no more popups,
and if I want IE, I run it from the
backup file.
q a z
A binary search would be better. Split the search space (the set of startup programs) in half. Enable or disable one half. If the problem appears, adjust your search space to that half.
Start with zero, all of them turned off. If this does not work, and it won't, you better wipe and reload. Boot off a liveCD, backup data files and start the reinstall.
Windoze never gets better, so you are better off with an alternative that installs in 20 minutes, does everything you want and then keeps doing it. I once swore that I'd never suffer through a windoze install again, the reboots, the driver hunt, the software hunt, the endless screens of "I agree master" and now, I'm told, multiple reboots over "security updates". I've only had to break that vow once but never for my own computers.
Friends don't help friends install M$ junk.
Macs aren't safe from injecting code into an existing process. Trojans can do the exact same thing on Mac OS X as on Windows. See the vm_write() Mach API call.
Same applies to Linux's ptrace().
Melissa
"Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
Why hasn't anyone mentioned root-kits?
My gf's computer had a root-kit on it. I go to a tech school, and nearly everyone knowledgeable here (even IT guys) went over the damn thing to see what was wrong. It kept doing pop-ups, like it had some type of ad-ware, but it didn't appear to have anything abnormal running. It didn't matter if it was IE or firefox, the ad would pop up on pretty regular intervals. Every possible thing was checked, from using standard tools like spy-bot-s&d, any number of free and bought virus scanners... Some people (including me) even pored over the registry by hand to find out if anything was running. Absolutely nothing.
It turned out to be a ROOT-KIT (2 actually, they hid each other. One user-mode, and one kernel-mode). The rogue programs actually were able to make windows "not see" the file. On boot, windows would see it just enough to turn it on, but after it was running it prevented anything from actually finding it, injecting code between the hard-disk access and low-level windows stuff. Not windows-explorer, not regedit, not task-manager, not even 3rd party apps like win-task, or even defraggers.
http://www.sysinternals.com/Utilities/RootkitRevealer.html - RootkitRevealer 1.7 by Sysinternals showed a directory in "C:/windows", and one in "C:/program files", that if you went to look normally, didn't show up. I quickly booted up Knoppix and verified that there was some crap in there, but a search on the Internet showed nothing. Booted windows into safe mode, and since safemode doesn't run things other than windows crap, I was able to delete the two folders, and even a registry entry that showed up about it.
If you can't find anything, maybe it's because it won't let you find it!
"Infecting minds with my own memetic virus, one post at a time." Ultimape
There are some very effective free tools from Sysinternals.com:
1. Process Explorer - it shows not only the list of processes, but also their paths on the disk.
http://www.sysinternals.com/Utilities/ProcessExplorer.html
2. Autoruns: shows all processes and services launched automatically on start, and allows you to disable them. Very useful for temporarily disabling DRM crap like cdac11ba.exe, temporarily disabling google web accelerator on start etc.
http://www.sysinternals.com/Utilities/Autoruns.html
3. Rootkit Revealer - the name speaks for itself.
http://www.sysinternals.com/Utilities/RootkitRevealer.html
Other tools allow monitor access to files, to disk, TCP/IP traffic etc.
Would you be doing it on Windows?
Engineering is the art of compromise.
Is this supposed to be the new brand of "activism" coming out of the FSF? "Windoze never gets better"? Good lord, Slashdot never ceases to amaze me.
The question was "How can I figure what is causing this window to pop-up all the time?". The general question is "How can I fix my computer?"
Buying a computer is NOT a solution to this in any way.
Please learn more about your language before you try to engage it again.
http://silentrunners.org/
:-)
That, or a reformat and re-install, of course
I've never heard of an existing app that does this, but I have done it myself on a few occasions as a throwaway script. Just run a script every second (or faster), get the list of running processes ("tasklist" command), diff the output with the previous result and dump it to a log file with a time stamp. If you have the Win32-ported GNU tools you can do this with a batch file.
-Billco, Fnarg.com
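Added example, not part of any comment in this thread: the polling idea from the two comments above (keep a running list of known processes, diff each new `tasklist` snapshot against it, log changes with a timestamp), written in Python. The class and function names, the thresholds and the sample snapshots are made up for illustration; only `tasklist /FO CSV /NH` is the real command.

```python
import csv
import io
import subprocess
import time
from collections import Counter
from datetime import datetime

IGNORE = {"tasklist.exe"}  # the poller's own child appears with a new PID on every poll


def parse_tasklist_csv(text):
    """Parse `tasklist /FO CSV /NH` output into a set of (pid, image_name)."""
    procs = set()
    for row in csv.reader(io.StringIO(text, newline="")):
        # Columns: Image Name, PID, Session Name, Session#, Mem Usage
        if len(row) < 2 or not row[1].strip().isdigit():
            continue  # blank line or an "INFO: ..." message
        if row[0].lower() not in IGNORE:
            procs.add((int(row[1]), row[0]))
    return procs


class ProcessWatcher:
    """Diff successive snapshots and remember when each new process was first seen."""

    def __init__(self):
        self.first_seen = None  # {(pid, image): timestamp, None if already in baseline}
        self.events = []        # (timestamp, "START"|"EXIT", pid, image, lifetime)

    def update(self, snapshot, now):
        if self.first_seen is None:  # first iteration only records the baseline
            self.first_seen = dict.fromkeys(snapshot)
            return []
        new = []
        for key in sorted(snapshot - set(self.first_seen)):
            self.first_seen[key] = now
            new.append((now, "START", key[0], key[1], None))
        for key in sorted(set(self.first_seen) - snapshot):
            started = self.first_seen.pop(key)
            lifetime = None if started is None else now - started
            new.append((now, "EXIT", key[0], key[1], lifetime))
        self.events.extend(new)
        return new

    def suspects(self, max_lifetime=10.0, min_runs=2):
        """Images that started and exited within max_lifetime seconds, min_runs+ times."""
        runs = Counter(img.lower() for _, kind, _, img, life in self.events
                       if kind == "EXIT" and life is not None and life <= max_lifetime)
        return [(img, n) for img, n in runs.most_common() if n >= min_runs]


def poll(interval=0.25, logfile="proclog.txt"):
    """Run on the affected Windows machine; Ctrl+C stops it and returns the suspects."""
    watcher = ProcessWatcher()
    cmd = ["tasklist", "/FO", "CSV", "/NH"]
    with open(logfile, "a", encoding="utf-8") as log:
        try:
            while True:
                out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
                for ts, kind, pid, image, life in watcher.update(parse_tasklist_csv(out), time.time()):
                    stamp = datetime.fromtimestamp(ts).isoformat(timespec="milliseconds")
                    log.write(f"{stamp} {kind} pid={pid} image={image} lifetime={life}\n")
                    log.flush()
                time.sleep(interval)
        except KeyboardInterrupt:
            return watcher.suspects()


# Constructed sample snapshots (not from a real machine); popup_helper.exe is a made-up name.
BASE = ('"System Idle Process","0","Services","0","24 K"\r\n'
        '"explorer.exe","1480","Console","1","38,112 K"\r\n')
POPUP = '"popup_helper.exe","{}","Console","1","4,020 K"\r\n'
SAMPLE = [
    (0.0, BASE + '"tasklist.exe","3000","Console","1","5,100 K"\r\n'),
    (0.25, BASE + POPUP.format(2212)),
    (0.5, BASE),
    (300.0, BASE + POPUP.format(2290) + '"notepad.exe","2300","Console","1","3,000 K"\r\n'),
    (300.25, BASE + '"notepad.exe","2300","Console","1","3,000 K"\r\n'),
]


def replay(samples):
    """Feed (timestamp, tasklist_output) pairs through a watcher, as poll() would live."""
    watcher = ProcessWatcher()
    for now, text in samples:
        watcher.update(parse_tasklist_csv(text), now)
    return watcher


if __name__ == "__main__":
    print(replay(SAMPLE).suspects())  # on the affected machine, call poll() instead
```

Polling cannot see a process that starts and exits between two snapshots, and it says nothing when an already running process opens the window; the process-tracking audit policy mentioned elsewhere in the thread covers the first case.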
My XP box has such a window. One day it popped up when the machine was heavily loaded and stuck around long enough for me to identify it. It belongs to an app which displays the WiFi signal strength in the whatchamacallit that also contains the clock. The window seems to get popped up momentarily during some part of the WiFi protocol.
It's much less annoying now that I know it's not malware.
I had this problem for a while too. If the computer was sitting there, the box would never pop up, but randomly, while I was gaming, it would pop up and disappear immediately. The frequency of appearance went up over time, until it started to appear sometime while not gaming. By the point at which it was appearing several times a minute, I found that I could get it to not disappear if the mouse stopped moving at the exact time that it appeared.
It turned out to be a notice telling me to replace my wireless mouse batteries. Presumably a bug was causing it to disappear whenever more data was received from the mouse, so it never stayed on screen. (I was addicted to C&C Generals at the time, ICYW.)
I'll tell you precisely why -- the new slashdot code! It used to be that one would select the moderation out of a list, scroll down to the bottom of the screen and hit "moderate" which would apply the moderations.
NOW, the instant you select the moderation from a list, it is applied. If you click the down arrow to expand the list and attempt to use the scroll wheel to move through the list, Slashcode will "grab" whatever's highlighted in the list as your selection and apply it.
It's caused me to screw up moderating more than once recently. So to "undo" my moderations I have to post something in the thread. [b/c you can't post and moderate a discussion]
's/office/mom's basement/'
Friends don't help friends install M$ junk.
Not sure if you'll have enough time to do this or not...
1. Install the "Debugging Tools for Windows" (http://www.microsoft.com/whdc/devtools/debugging/installx86.mspx) and launch WinDbg.
2. Monitor the process in Task Manager.
3. As soon as the process appears in Task Manager, Alt+Tab to WinDbg and Attach to Process (F6), then click the Break button (Ctrl+Break).
This should halt the application and allow you to analyze (!analyze -v) it to see what it's doing. Or, at the very least, you could upload the output of the debug to some message board and see if anyone could tell you what's going on.
Of course, you could also just reformat. You need to do it anyway. Trust me. ;)
Ever try the Pause key, right next to Scroll Lock? Works for me, even on most modern OSes.
..."totaled" will be one of those repairs. Case in point, my 1980 pickup truck. When it came down to having to scrape off the transmission pan gasket (did you know they weren't designed to last 25 years?), it became "totaled". I for one did not want to spend 8 hours on my back underneath it flicking who-knows-what toxic things into my nostrils and pores, and my reliable shop gave me a bid of 4 hours (@US$40/hr)... Take into account that it has no heater (and I live in the Great White North), and the fusebox needed replacing... TOTALED! But I did get US$40 cash and "they" took it away :-) The same with computers. My old laptop needed a new battery, a new backlight, a memory replacement and upgrade... the purchase price of a *new* laptop was only a couple of hundred more. So I bought a new laptop. I'm *very* happy with my decision (got one of those widescreen "desktop replacements" - not really a laptop).
Anonymously doesn't mean anonymously. Slashdot knows who made what posts, or at the very least, who has contributed to a discussion. (I haven't studied slashcode, so I do not pretend to know precisely what is going on.) Try it sometime, post anon to a discussion when you have mod points, then come back and try to moderate in that discussion.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
This just started happening on my work laptop about a month ago. I got Sysinternals and Process Explorer, opened it up, and waited for the window to appear/disappear. It did not spawn a new process, as far as I could tell (there was no red 'recently deceased' line, etc). I am guessing at this point that it's being produced by an already running process, and so doesn't have to start up something new. No spyware/virus/rootkit checker reports anything at all.
I mean, geez, as long as you're going to post AC you might as well let go and tell us what you really think of 'im...
Anonymously doesn't mean anonymously. Slashdot knows who made what posts, or at the very least, who has contributed to a discussion. (I haven't studied slashcode, so I do not pretend to know precisely what is going on.) Try it sometime, post anon to a discussion when you have mod points, then come back and try to moderate in that discussion.
I've found that if I actually log out, it works fine. However, Firefox automatically fills in my login information on the reply form, so if I neglect to remove it, I get logged back in anyway. Oops....
-Mike
I'm sorry; I don't know what I was thinking!
I don't know how long it stays up, but if it's more than a half-second, you may want to just hit the print screen key as fast as you can. It will save a bitmap copy of the screen to the clipboard, which you can then analyze at your leisure.
Check out Chad's News
If the cost of repair is more than the value of the _repaired_ car--then by definition repairing it is stupid. Because you can just buy a similar used car and junk the one you have.
It's almost a guarantee that the process in question is in one way or another linked to or dependent on this thing lots of computers these days have, I believe it's called 'windoze' or something to that effect. My solution would be get rid of that thing first >.> Seriously though, most (not all, but most) windows I see pop up for a moment are batch files running one command or another, usually just spawning some random process the computer's administrator set up. Typically speaking, you'd expect if it were a virus that it would be a bit more subtle about its presence than opening a window. So my guess is that it's something that's supposed to be there, though I wouldn't bet on that if the stakes were high.
I had spyware that I had a hard time tracking down as well. I knew that it was running, but that I couldn't see it in the task manager. It would open up ads on occasion that looked like IE. I found the process name by opening up Windows Notepad, calling up the Save As... dialog and telling my computer to shut down. Of course, the computer can't shut down because of the dialog, so the spyware started to crash as well, throwing up error dialogs identifying the name of the process. I used process explorer (as already mentioned) and a network logger to find the directory containing the suspect exe, but using Windows Explorer, the directory didn't exist. Eventually I had to boot into safe mode to delete the directory. Inside, I found records of everything I had been doing on the compy for months: chat transcripts, files, you name it. Regardless, I was thrilled that I had nailed the thing! Can't hide from me forever, scallywag!
You can check out Hijack This. When downloaded and run, it will show every process running on your machine. You'll have to go in and figure out which is the one doing the weird stuff.
You could turn on process monitoring (google for Auditing Settings Process Accounting). This will record an event log entry every time a new process is spawned with some details that might be useful. However, if the popup is generated by a single process which pops up, then sleeps, it won't create an event log entry every time - as the process isn't being re-spawned.
If you are concerned that you have been rootkitted and that the event log can't be trusted, you may as well blow the whole thing away (or take your luck with rootkit removal - urgh).
trmatthe
Yeah right...
Could this be the one instance where IE would be appreciable?
Say it ain't so joe!
2^3 * 31 * 647