
Process Exploring Getting Replaced



#1 sasschary


Posted 27 November 2017 - 05:22 PM

Hi y'all,

 

So, I've been using Sysinternals Process Explorer as a Task Manager replacement. I have it set to always replace Task Manager in the options menu. It always used to work, but recently, it has started reverting to Windows 10's task manager every couple weeks or so. I'll try to open my task manager and it will open the default one and will continue to do so until I find and open Process Explorer and enable task manager replacement again. Does anyone have any ideas on why that might happen and how to fix it?

 

Thanks,

sasschary


Member of the Bleeping Computer A.I.I. early response team!


#2 bwv848


Posted 27 November 2017 - 07:06 PM

Never heard of this before. I doubt it's a bug in Process Explorer, otherwise Mark would have fixed it already.

When you replace Task Manager with Process Explorer, it adds a registry value under:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe

called Debugger with value data "%USERPROFILE%\DESKTOP\PROCEXP64.EXE"

My guess is that some third-party program is deleting this value. Perhaps it would help if you were to monitor the key? (A better, long-term alternative to ProcMon.) See here for instructions...

https://blogs.msdn.microsoft.com/cobold/2011/11/29/monitoring-when-registry-keys-are-modified/

A record of what program edited the key would then be present in the Event Log, under Windows Logs\Security.


If I do not reply in three days, please message me.
 
BC BSOD Posting Instructions | Carrona BSOD Index | Driver Reference Table (DRT)
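An added example (not code from the thread, from Sysinternals or from the linked article) of the check and the monitoring step described above: it reports the current taskmgr.exe IFEO Debugger value and puts a SACL on the key so that deleting the key or changing its values lands in the Security log. It assumes an elevated PowerShell session on an English-locale Windows (the auditpol subcategory name is localized).

```powershell
# Added example (not from the thread): report the taskmgr.exe IFEO Debugger
# value and audit deletion of the key / changes to its values.
# Assumes an elevated PowerShell session.
$ifeoKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe'

# 1. Is the Task Manager replacement still in place?
$debugger = (Get-ItemProperty -Path $ifeoKey -Name Debugger -ErrorAction SilentlyContinue).Debugger
if ($debugger) {
    "Task Manager is redirected to: $debugger"
} else {
    "No Debugger value under $ifeoKey (Task Manager is the Windows default)"
}

# 2. Enable the Registry audit subcategory; without it a SACL produces no events.
auditpol /set /subcategory:"Registry" /success:enable /failure:enable | Out-Null

# 3. Audit deletion of the key itself (Delete) and deleting/rewriting its
#    values (SetValue, which RegDeleteValue also needs), for every account.
if (Test-Path $ifeoKey) {
    $acl  = Get-Acl -Path $ifeoKey -Audit
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule(
        'Everyone',
        [System.Security.AccessControl.RegistryRights]'Delete, SetValue',
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $ifeoKey -AclObject $acl
    "Auditing enabled: watch the Security log for Event ID 4657 (value changed/deleted) and 4660 (key deleted)."
}
```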


#3 sasschary


Posted 27 November 2017 - 08:37 PM

Hi bwv,

 

Thanks for that! I set up auditing, so now I guess I just wait until it reverts back... With that in place I think I should be able to figure out the problem, but if not I will post back here again.

 

Thanks again,

Sasschary



#4 bwv848


Posted 27 November 2017 - 08:39 PM

You're welcome! Never tried it before myself, so I'm not sure whether it'll work.

 

Anyway, let me know what happens — I'm curious!

 

regards,

bwv848




#5 sasschary


Posted 27 November 2017 - 08:57 PM

I manually changed the registry to see if it works, and it does indeed work. I will report back later when I find out what's resetting the value.



#6 sasschary


Posted 04 December 2017 - 09:10 PM

Okay... So, Task Manager reverted to the default one again. But it wasn't picked up by the registry audit, and I suspect that may be because the registry key you mentioned earlier is deleted, not edited. I will look and see if I can find anything to detect the key being deleted instead of modified.



#7 britechguy


Posted 05 December 2017 - 10:40 AM

I would be curious what you find, too.

 

For myself, I just create a desktop shortcut directly to Process Explorer, which gives me direct access when I want it while leaving Windows Task Manager easily accessible as well.


Brian AKA Bri the Tech Guy (my website address is in my profile) Windows 10 Home, 64-bit, Version 1709, Build 16299

    Here is a test to find out whether your mission in life is complete. If you’re alive, it isn’t.
        ~ Lauren Bacall


#8 sasschary


Posted 05 December 2017 - 11:42 AM

Okay, my audit is now set to log deletion of the key rather than modification. Now we wait...

    I just create a desktop shortcut directly to Process Explorer

This would work... However, I am one who dislikes having icons on my desktop, and so I always have desktop icons turned off.



#9 sasschary


Posted 05 December 2017 - 11:15 PM

And already we have an answer! The key was deleted by Avast!, so I guess now I get to find some way to make it not reset my task manager...



#10 bwv848


Posted 05 December 2017 - 11:35 PM

Glad you found the solution! Sorry for not replying earlier... was too busy today. I had meant to ask you to make sure you were setting up auditing to check for deleted keys AND modified keys, instead of modified keys as in the article, so that we would get Event ID 4660s. That was one thing I missed. :blush: Sorry about that!


Edited by bwv848, 05 December 2017 - 11:36 PM.

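An added example (not code from the thread) of reading the Event ID 4660s mentioned above to answer the thread's actual question, which process deleted the key: 4660 records the deleting process but only a HandleId, not the key name, so it is joined to the 4663 access event that carries the object name for the same handle. It assumes the Delete SACL on the taskmgr.exe IFEO key is already in place, the Registry audit subcategory is enabled, and PowerShell is running elevated.

```powershell
# Added example (not from the thread): find which process deleted the audited
# taskmgr.exe IFEO key by joining Event ID 4660 to 4663 in the Security log.
# Assumes a Delete SACL on the key, Registry auditing enabled, elevated session.
$keyPattern = '*Image File Execution Options\taskmgr.exe*'

# Flatten an event's <EventData> into a Name -> value hashtable.
function Get-EventData([System.Diagnostics.Eventing.Reader.EventRecord]$Event) {
    $data = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

# 4660 (object deleted) names the process but not the object; 4663 (object
# access) names the object and shares the same HandleId, so join on that.
# HandleIds are reused over time, so keep the time window tight.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4660, 4663; StartTime = (Get-Date).AddDays(-14)
} -ErrorAction SilentlyContinue

$handleToName = @{}
foreach ($e in ($events | Where-Object { $_.Id -eq 4663 })) {
    $d = Get-EventData $e
    if ($d.ObjectName -like $keyPattern) { $handleToName[$d.HandleId] = $d.ObjectName }
}

foreach ($e in ($events | Where-Object { $_.Id -eq 4660 })) {
    $d = Get-EventData $e
    if ($handleToName.ContainsKey($d.HandleId)) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Object  = $handleToName[$d.HandleId]
            Process = $d.ProcessName      # the program that removed the key
            User    = $d.SubjectUserName
        }
    }
}
```

If the value is removed rather than the whole key, look at Event ID 4657 instead, which names the key and value directly without the handle join.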




