
Two instances of MSC in WinPatrol "Startup Programs"


32 replies to this topic

#1 Without_A_Monitor


Posted 21 February 2014 - 04:33 AM

I apologize if I did not make this thread in the appropriate section. I noticed in WinPatrol that there are two different MSC listings running in the startup program section. Both are msseces.exe entries. One MSC is located in HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run. The other MSC is located in HKLM\Software\Microsoft\Windows\CurrentVersion\Run. I don't think that I had noticed how MSC runs from two different locations at the startup until tonight. Is this okay and not a problem?




#2 quietman7


Posted 21 February 2014 - 07:09 AM

msseces.exe is a legitimate startup entry related to Microsoft Security Essentials.

msseces.exe is loaded in the all users (HKLM) registry as a startup file name 'MSC' which loads as "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey.

Run keys are startup registry keys that are used to launch an application automatically when Windows loads.

There are two entries in WinPatrol because the startup is registered in two separate locations of Windows Registry.

This is the usual location
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="\"c:\\program files\\Microsoft Security Client\\msseces.exe\" -hide -runkey"

This entry is for 64-bit Windows
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"MSC"="\"C:\\Program Files\\Microsoft Security Client\\msseces.exe\" -hide -runkey"

The Wow6432Node registry entry indicates a 64-bit Windows version. The operating system uses this key to display a separate view of HKEY_LOCAL_MACHINE\SOFTWARE for 32-bit applications that run on 64-bit Windows versions.

When a 32-bit application writes or reads a value under the HKEY_LOCAL_MACHINE\SOFTWARE\<company>\<product> subkey, the application reads from the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\<company>\<product> subkey.


On 64-bit Windows, portions of the registry entries are stored separately for 32-bit applications and 64-bit applications and mapped into separate logical registry views using the registry redirector and registry reflection, because the 64-bit version of an application may use different registry keys and values than the 32-bit version. There are also shared registry keys that are not redirected or reflected.

The parent of each 64-bit registry node is the Image-Specific Node or ISN. The registry redirector transparently directs an application's registry access to the appropriate ISN subnode. Redirection subnodes in the registry tree are created automatically by the WOW64 component using the name Wow6432Node.

32-bit and 64-bit Application Data in the Registry
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 Without_A_Monitor


Posted 21 February 2014 - 03:20 PM

Once again, many thanks for the insightful reply, quietman. I also am sorry to prompt you to post such basic and probably common knowledge of MSE. I thought that what you posted might be the case, but due to my lack of knowledge, I thought it would be best to post my question here. Thank you very much for the helpful and detailed response.



#4 quietman7


Posted 21 February 2014 - 03:24 PM

You're welcome.

No need to feel sorry about your question. My reply confirmed what you suspected and will help those less knowledgeable if they read this topic looking for an answer.

#5 StevenGerrard


Posted 27 February 2014 - 02:54 PM


Thanks for sharing; it is useful for us.



#6 quietman7


Posted 27 February 2014 - 03:18 PM

You're welcome.

#7 Didier Stevens


Posted 01 March 2014 - 06:24 AM


Could you tell us the exact value of both MSC entries?

 

Because on my W7 x64 machine, I have the 64-bit entry, not the 32-bit entry: "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey

 

I wonder if both values are the same or different on your machine.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#8 Without_A_Monitor


Posted 06 March 2014 - 10:07 PM

I'm sorry for the noobish question. Could you elaborate on what you mean by "exact value" for those two entries?

They both share the same file location as: C:\Program Files\Microsoft Security Client\MSSECES.EXE

As previously noted, the startup locations differ: HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run ...and.... HKLM\Software\Microsoft\Windows\CurrentVersion\Run

The former entry seemingly doesn't have a data value in the registry location provided.

The latter entry has the data value of... "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey


Edited by Without_A_Monitor, 06 March 2014 - 10:13 PM.


#9 Didier Stevens


Posted 07 March 2014 - 03:29 AM


Yes, that's what I wanted to know.

 

It surprises me that both point to the same file: why does a 32-bit registry run entry point to a 64-bit executable?

Maybe someone has an answer.

 

But don't worry, I'm not implying that this is something malicious.




#10 quietman7


Posted 07 March 2014 - 06:30 AM

I have sent the developer of WinPatrol (Bill Pytlovany/BillP Studios) an email with a link to this topic asking if he had any thoughts to add in regard to this.

#11 Without_A_Monitor


Posted 07 March 2014 - 02:51 PM

Much obliged for doing so, quietman.



#12 quietman7


Posted 07 March 2014 - 05:14 PM

Bill emailed back and advised he was having issues trying to login to Bleeping Computer. Until he gets that resolved and can get here, he said I explained things well but could pass along the following additional information.
 

As you know the Wow6432Node is used for compatibility with (x86) apps and when a 32 bit app calls the registry their read/write is redirected to this tree for many registry values. For safety, WinPatrol will display both the native registry and Wow6432Node Run entries. Both are usually identical so if you delete one in WinPatrol, they both will be removed.

There's nothing that guarantees a 64 bit app has to be saved in the native Run registry. A 32 bit app will be redirected in the Wow6432Node unless it sets a flag to write to the native registry. For instance, if the setup program is a 32 bit app, it may end up being redirected to Wow6432Node instead of the native location. I'm guessing at some time this was done. It may also be if this entry was disabled by WinPatrol or another program, when it was re-enabled it ended up in the redirected location. WinPatrol is still a 32 bit program but has the ability to access both locations.

I can't explain why one entry has the parameters and the other doesn't but like my example of disabling and re-enabling it someone could have dropped the parameter. I like to think it wasn't WinPatrol but it is something I will investigate. As noted, it's not a malicious issue but could have been just a bit of sloppy programming by me or someone else who added the run command back.

Thanks again,

Bill Pytlovany
BillP Studios


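Added example, not part of the original thread and not WinPatrol's code: one way to check the situation discussed above (the same Run entry appearing in both the native and the Wow6432Node view, possibly with different data) by parsing a regedit `.reg` export and comparing the two keys. The sample export and the `ExampleUpdater` entry are constructed, and the function names are assumptions made for this sketch.

```python
import re

# Constructed .reg export (not from a real machine). It mirrors the thread: the
# native Run key has the full MSC command, the Wow6432Node copy lost its arguments.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="\"C:\\Program Files\\Microsoft Security Client\\msseces.exe\" -hide -runkey"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"MSC"="\"C:\\Program Files\\Microsoft Security Client\\msseces.exe\""
"ExampleUpdater"="C:\\Example\\updater.exe /background"
'''

NATIVE = r'HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN'
WOW64 = NATIVE.replace('SOFTWARE', r'SOFTWARE\WOW6432NODE')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    return re.sub(r'\\(.)', r'\1', s)  # .reg strings escape only backslash and quote

def parse_reg(text):
    """Return {KEY_PATH_UPPER: {name: data}}; REG_SZ only, hex(...) values are skipped."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = keys.setdefault(line[1:-1].upper(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            current[unescape(m.group(1))] = unescape(m.group(2))
    return keys

def image_path(command):
    # Quoted path, or the first token if unquoted (ambiguous when the path has spaces)
    command = command.strip()
    sep = '"' if command.startswith('"') else ' '
    return command.lstrip('"').partition(sep)[0].lower()

def verdict(a, b):
    if a is None or b is None:
        return 'native view only' if b is None else 'Wow6432Node view only'
    if a == b:
        return 'identical'
    same = image_path(a) == image_path(b)
    return 'same image, different arguments' if same else 'different image'

def compare_views(keys):
    native, wow = keys.get(NATIVE, {}), keys.get(WOW64, {})
    return {n: verdict(native.get(n), wow.get(n)) for n in sorted(set(native) | set(wow))}
```

Calling `compare_views(parse_reg(SAMPLE_REG))` reports one verdict per entry name. A real regedit export in "Version 5.00" format is UTF-16 encoded, so decode it accordingly before passing the text to `parse_reg`.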

#13 Without_A_Monitor


Posted 07 March 2014 - 05:28 PM

I sincerely appreciate your help and informative post(ing), quietman. Additionally, many thanks to Bill Pytlovany for his insight and contribution as well. You guys are great.

 

So, is there anything that I need/should do, or negative?


Edited by Without_A_Monitor, 07 March 2014 - 05:30 PM.


#14 quietman7


Posted 07 March 2014 - 05:31 PM

You're welcome on behalf of Bill. Hopefully, he will get the login issue resolved.

#15 Didier Stevens


Posted 07 March 2014 - 06:14 PM

Without_A_Monitor, are you familiar with regedit? If so, could you export both keys as a .txt file?

When you export as a text file, the last write time is also exported, like this:

 

Last Write Time:   19/11/2013 - 23:25
 

This could give you an idea when these keys were last changed.

 

If you are not familiar with regedit, we'll just leave it here.

