
event viewer question; evidence of force quit rather than error?


2 replies to this topic

#1 thequietman

thequietman

  • Members
  • 2 posts

Posted 19 September 2017 - 10:06 PM

Greetings Everyone!

 

I've been trying to determine, via the Event Viewer in Windows 10, if a program was intentionally force quit through the Task Manager rather than a software error.

When I replicate the sequence, I'm unable to directly see an instance of Task Manager.

However, when repeating the sequence I do see, under security, events that appear right before the force quit that very closely match events right before the original incident - so there are strong similarities both under the app log and the security log. Would anyone be able to read these with me and tell me if the data indicate a force quit rather than a program error?

Here is a link for a side by side comparing the app closing in two parts on the original day then the replication, as well as suspicious security events before each; I highlighted the fields that show differences.  Are these differences relevant?

 

https://www.NoFile.io/f/aQVKysSTFyQ

 

My only caveat is that the app, FG64.exe, was since upgraded after the incident, so had to be uninstalled then reinstalled as the older version.  I'm not sure if that would change any designations here.

 

Thank you for any help and insight!


Edited by thequietman, 20 September 2017 - 02:05 AM.




#2 jenae

jenae

  • Members
  • 846 posts

Posted 20 September 2017 - 12:37 AM

Hi, maybe if you give us more info regarding what you see as the problem, details about the process and why you believe it is being shut down? BTW, you reference two PIDs; these have different numbers. Process IDs (PIDs) are dynamic; they change between boots.



#3 thequietman

thequietman
  • Topic Starter

  • Members
  • 2 posts

Posted 20 September 2017 - 01:28 AM

Thank you for the info re PIDs - I didn't know that. 

 

Some background: FG64 is a password-protected security program for protecting files. Under Task Manager, two arms of the software appear individually. During the original incident, both arms of the software were terminated. Without the password this would only be possible by either a force quit from the Task Manager or a very unlikely app crash.

 

I'm trying to determine, by looking at the app and security logs in the event log, if a force quit was performed on that day via Task Manager. On the left-hand column of the PDF, you'll see the app events from that original incident, and two security events that occurred directly before the incident.

 

Those same security events appeared when I did a force quit in a replicated session; those events are on the right-hand column of the PDF. I'm not able to see the use of Task Manager via the event logs, but I'm wondering if those security events indicate Task Manager was in fact accessed.

 

When we look at the information side by side - the original event, the replicated event - a great deal appears similar.  Part of my question comes down to the highlighted differences: are they all, such as the PIDs, dynamic and changing between boots?
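The question the thread is circling (did the process crash, or did someone hit "End task" in Task Manager?) can be answered from three event sources rather than by eyeballing a PDF. The PowerShell below is an added example, not code from the thread or from the FG64 vendor. It assumes the process of interest is FG64.exe and that "Audit Process Creation" (Security event 4688) and "Audit Process Termination" (Security event 4689) are enabled; both are off by default on Windows 10, which is the most likely reason no Taskmgr.exe entry shows up in the original incident's Security log. A crash, by contrast, normally leaves an Application log event 1000 from the "Application Error" source regardless of audit policy. The 30-second and 10-minute correlation windows, and the note that an End-task exit status is typically 0x1 while a crash carries an NTSTATUS exception code such as 0xC0000005, are working heuristics, not documented guarantees.

```powershell
# Added example, not from the thread. Tells "End task" apart from a crash for a
# given process by correlating Security 4688/4689 with Application 1000 events.
# Assumptions: process name FG64.exe (hypothetical target), process creation and
# termination auditing enabled (off by default on Windows 10). Run elevated.
param(
    [string]$Process = 'FG64.exe',
    [datetime]$Start = (Get-Date).AddHours(-2),
    [datetime]$End   = (Get-Date)
)

# Read one named <Data> field from the event XML. Safer than Properties[n]
# indexes, which differ between Windows builds.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-EventsInWindow {
    param([hashtable]$Filter)
    $Filter = $Filter + @{ StartTime = $Start; EndTime = $End }
    Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue
}

# 1. Security 4688: did Taskmgr.exe start in the window? (Needs audit policy.)
$taskmgrStarts = Get-EventsInWindow @{ LogName = 'Security'; Id = 4688 } |
    Where-Object { (Get-EventField $_ 'NewProcessName') -like '*\Taskmgr.exe' } |
    Select-Object TimeCreated, @{ n = 'PidHex'; e = { Get-EventField $_ 'NewProcessId' } }

# 2. Security 4689: how did the target exit? 'Status' is the process exit code.
#    Heuristic: 0x1 is what Task Manager's End task typically yields;
#    an unhandled exception yields an NTSTATUS like 0xc0000005.
$exits = Get-EventsInWindow @{ LogName = 'Security'; Id = 4689 } |
    Where-Object { (Get-EventField $_ 'ProcessName') -like "*\$Process" } |
    Select-Object TimeCreated,
        @{ n = 'PidHex';     e = { Get-EventField $_ 'ProcessId' } },
        @{ n = 'ExitStatus'; e = { Get-EventField $_ 'Status' } }

# 3. Application 1000 (Application Error): the record a real crash leaves behind.
$crashes = Get-EventsInWindow @{ LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000 } |
    Where-Object { $_.Message -match [regex]::Escape($Process) } |
    Select-Object TimeCreated,
        @{ n = 'ExceptionCode'; e = {
            if ($_.Message -match 'Exception code:\s*(0x[0-9a-fA-F]+)') { $Matches[1] } else { 'n/a' } } }

# Correlate by time, never by PID: PIDs are reused, even within one boot.
function Get-TerminationVerdict {
    param($Exits, $Crashes, $TaskmgrStarts)
    foreach ($e in $Exits) {
        $crash = $Crashes | Where-Object {
            [math]::Abs(($_.TimeCreated - $e.TimeCreated).TotalSeconds) -le 30 }
        $tm = $TaskmgrStarts | Where-Object {
            $_.TimeCreated -le $e.TimeCreated -and
            ($e.TimeCreated - $_.TimeCreated).TotalMinutes -le 10 }
        $verdict =
            if ($crash) { "crash (Application Error 1000, exception $($crash[0].ExceptionCode))" }
            elseif ($tm) { 'likely End task: no crash record, Taskmgr.exe started shortly before' }
            else { 'no crash record, no Taskmgr.exe start logged (audit policy may be off)' }
        [pscustomobject]@{
            Time       = $e.TimeCreated
            PidHex     = $e.PidHex
            ExitStatus = $e.ExitStatus
            Verdict    = $verdict
        }
    }
}

Get-TerminationVerdict -Exits $exits -Crashes $crashes -TaskmgrStarts $taskmgrStarts |
    Format-Table -AutoSize
```

Two practical notes. First, the "highlighted differences" in a side-by-side of Security events are almost always the volatile fields (PIDs, which the Security log shows in hex, logon IDs, timestamps), so matching PIDs across two sessions proves nothing; the stable signal is the presence or absence of an Application Error 1000 record and the exit status in 4689. Second, if the incident predates enabling process auditing, the Security log cannot show Taskmgr.exe at all, and the Application log is the only evidence left: an unhandled crash normally writes event 1000 (and often a Windows Error Reporting 1001), whereas an End task from Task Manager writes nothing there.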





