Access History in hive?...

Getting a bunch of events showing up I want to be sure isn't a sign of a larger issue. 

This is what I'm seeing in Event Viewer

The access history in hive \??\C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\S-1-5-18-11122018180023188-ntuser.dat was cleared updating 0 keys and creating 0 modified pages.

The access history in hive \??\C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\S-1-5-21-1049282478-3007765991-1735224761-1001-11122018180023224-ntuser.dat was cleared updating 0 keys and creating 0 modified pages.


A service was installed in the system.

Service Name:  MBAMWebProtection
Service File Name:  \SystemRoot\system32\DRIVERS\mwac.sys
Service Type:  kernel mode driver
Service Start Type:  demand start
Service Account:  


  • Staff

***This is an automated reply***


Thanks for posting in the Malwarebytes 3 Help forum.


If you are having technical issues with our Windows product, please do the following: 


If you haven’t already done so, please run the Malwarebytes Support Tool and then attach the logs in your next reply:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  1. Download Malwarebytes Support Tool
  2. Once the file is downloaded, open your Downloads folder/location of the downloaded file
  3. Double-click mb-support-X.X.X.XXXX.exe to run the program
    • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
  4. Place a checkmark next to Accept License Agreement and click Next
  5. You will be presented with a page stating, "Get Started!"
  6. Click the Advanced tab
  7. Click the Gather Logs button
  8. A progress bar will appear and the program will proceed with getting logs from your computer
  9. Upon completion, a file named mbst-grab-results.zip will be saved to your Desktop. Click OK
  10. Please attach the file in your next reply. Before submitting your reply, be sure to enable "Notify me of replies" like so:

Click "Reveal Hidden Contents" below for details on how to attach a file:


To save attachments, please click the link as shown below. You can click and drag the files to this bar or you can click the choose files, then browse to where your files are located, select them and click the Open button.


One of our experts will be able to assist you shortly.


If you are having licensing issues, please do the following: 


For any of these issues:

  • Renewals
  • Refunds (including double billing)
  • Cancellations
  • Update Billing Info
  • Multiple Transactions
  • Consumer Purchases
  • Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/community/consumer/pages/contact-us to get help

If you need help looking up your license details, please head here: https://support.malwarebytes.com/docs/DOC-1264 


Thanks in advance for your patience.

-The Malwarebytes Forum Team


Greetings and welcome,

Unless I am mistaken, I believe those .DAT files being referred to are backup copies of your system's registry hives created by Malwarebytes during a scan of the system (something it does to allow it to scan all user accounts on the system and their associated registry hives to detect/remove malware regardless of which user account that malware may be installed under) which Malwarebytes then deletes once the scan completes if no threats are detected.  I believe it is a safety measure and also has something to do with how Malwarebytes handles deleting items detected under other/offline user accounts for scans so it shouldn't be anything to worry about.

With regards to mwac.sys, this is the Malwarebytes driver used for the Web Protection component so it is normal for it to show up and register/activate and load into memory whenever Malwarebytes loads its protection and I also believe that it reloads this driver whenever Malwarebytes is started and may also unload/reload the driver following any database updates to refresh the Web Protection database and clear the cache (to add the new blocked sites into memory and remove any from memory which may no longer be blocked following database updates).

I hope this helps explain things a bit, and if anyone from the Malwarebytes staff has any further insights and/or corrections, then I concede to their knowledge as my personal knowledge on the subject is somewhat limited, however I did work for Malwarebytes in the past so I am familiar with much of its technology, however things may have been changed since that time and there may be more that I am not aware of.

Please let us know if there is anything else we might answer for you or assist you with and if you have any further questions about these entries.
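
Added example, not part of the original posts and not Malwarebytes code: one way to check a "service was installed" entry like the mwac.sys one above is to pull those events from the System log and verify the signature on each driver file they name. It assumes an elevated PowerShell prompt and English event text; Event ID 7045 is the Service Control Manager ID for this message.

```powershell
# List recent kernel-driver installs (System log, Event ID 7045,
# "A service was installed in the system.") and check each driver's signature.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7045
} -MaxEvents 200 -ErrorAction SilentlyContinue

$report = foreach ($e in $events) {
    # Event data order: ServiceName, ImagePath, ServiceType, StartType, AccountName
    $name  = [string]$e.Properties[0].Value
    $image = [string]$e.Properties[1].Value
    $type  = [string]$e.Properties[2].Value
    if ($type -notlike '*kernel*') { continue }   # keep "kernel mode driver" only

    # Drivers are logged with NT-style paths (\SystemRoot\..., \??\C:\...);
    # convert them to an ordinary file path.
    $path = $image -replace '^\\SystemRoot\\', "$env:SystemRoot\" -replace '^\\\?\?\\', ''
    if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }

    $status = 'FileMissing'
    $signer = $null
    if (Test-Path -LiteralPath $path) {
        $sig    = Get-AuthenticodeSignature -LiteralPath $path
        $status = $sig.Status
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }

    [pscustomobject]@{
        Time    = $e.TimeCreated
        Service = $name
        Path    = $path
        Status  = $status
        Signer  = $signer
    }
}

$report | Sort-Object Time | Format-Table -AutoSize -Wrap
```

A row whose Status is not Valid, or whose Signer is not the vendor you expect for that product, is the one worth a closer look; repeated Valid rows for the same driver match the reload behaviour described in the reply above.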

