FOR PIETERC Permissions and Windows Defender

Solved by Maurice Naggar

p.s. This system has a few automatic tasks set for running CCleaner & its "cleaning" function.

I urge you to uninstall CCleaner. For at least 2 reasons. You do not need any chance of it doing any "cleaning" of the registry.

Beyond that, CCleaner was sold by Piriform to another entity.

The program CCleaner is no longer recommended by Experts. It's your choice but Windows 10 can already do the majority of maintenance on its own.


Your remark on CCleaner has prompted me to uninstall that program via Revo Uninstaller before I executed the safe mode merge of mpsdrv.reg. The merge reported success.

But: after restart in normal mode the firewall did not start, with the same error code 0x80070422.


Please do not use Revo Uninstaller for the remainder of this case.

I need a fresh report from FRST, which I had you rename to FRSTENGLISH & which I recall I had you move to a special folder.

Please also run a new fresh report with the FRSTENGLISH report tool.

Right-click on FRSTENGLISH and select Run as Administrator to start the tool, and reply YES to allow it to proceed and run.

Windows 10 users will be prompted about Windows SmartScreen protection - click More info on that screen and click the Run anyway button on the next screen.
Click YES when prompted by the Windows UAC prompt to allow it to run.
Note: If you are prompted by Windows SmartScreen, click More info & follow up & choose Run anyway.

Approve the Windows UAC prompt on Windows Vista and newer operating systems by clicking on Continue or Yes.

Click Yes when the disclaimer appears in FRST.
The tool may want to update itself - in that case you'll be prompted when the update is completed and ready to use.

Make sure that the Addition option is checked - listed under Optional scan on the FRST screen
and click the box "90 day files".
Press the Scan button and wait.

The tool will produce three logfiles on your desktop: FRST.txt, Addition.txt
Click the OK button when it shows up. Close the Notepad windows when they show on screen. The tool saves the files.

Please attach these 2 files to your next reply.


I got the FRST reports. Thanks. It will take additional time to go through all of it.

It looks to me that you used the Malwarebytes MBST tool to do some operation today, Sept 29.

Are you doing things on your own? Are you getting simultaneous help elsewhere?


I need to be sure that you do not make any more changes on your own.

That you ask me first if you feel the need to run any sort of tool or fix or anything of that nature.

I notice a few things here that cause me some concern:

I notice   CleanWipe_14.3.558.1000.zip

I notice Tweaking.com - Windows Repair Setup Log.txt

mbst-fix-results.txt

mbst-clean-results.txt

I notice those having been used on 29 Sept.


I do not recognise Cleanwipe, but you're right that I installed Tweaking.com in a more or less desperate attempt. I realised soon that this was a mistake and I have removed the program.

There is no second help going on. I used the Malwarebytes Removal tool thinking that this would eliminate a possible error cause.

If I have caused difficulties I apologise sincerely. You have been patient and courteous and persistent and I would like you to continue trying to solve this mystery.

From now on I will refrain from spontaneous actions on my own.


RIGHT-click the link with your mouse pointer and select Save as..., & guide the folder for saving to DESKTOP (do not double-click / do not 'run' the file / nor open it).

https://download.bleepingcomputer.com/win-services/win-10/SharedAccess.reg


Next
 
Look on the Desktop for the reg file  sharedaccess.reg
Double-click on sharedaccess.reg   and allow it to Merge   / monitor the process

IF that fails be sure to STOP   and let me know.

.

Now be sure that you do one Windows RESTART. We need that so there is a new session with hopefully Windows services in a better state. The sharedaccess service does have relevance to Windows firewall & firewall policy.

.

Next

1- Use the Windows Explorer to go to the  folder where you have FRSTENGLISH. C:\FRST-tool  

We are going to use the tool to do a command-window run to query about some Windows services.

Please double-click on FRSTENGLISH 

2- Press Ctrl+Y (Ctrl and Y keys at the same time) 

3- A fixlist.txt file opens up, copy and paste the following into it all 6 lines below  : 

 

Start:: 

cmd: sc queryex mpsdrv
cmd: sc queryex MpsSvc
cmd: sc queryex bfe
cmd: sc queryex sharedaccess 

End:: 

 

4. Press Ctrl+S to save. Close the fixlist.txt file. 
5. Click the Fix button on the FRSTENGLISH. 

 

PLEASE have  patience when this starts. You will see a green progress bar start. Lots of patience.  
 
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run. 

Please attach the Fixlog.txt in your reply. 


Could you kindly put Windows into Safe mode (just like last time) and then do the steps to merge Sharedaccess.

Provide the result message in your next reply, but after restarting again to normal mode & also then doing the steps for FRSTENGLISH.


This Windows 10 has Controlled folder access option turned on.   We have to have it set to OFF

turn off Gecontroleerde mappentoegang (Controlled folder access)

Can you do that and keep it OFF  for the entire duration of this case ?

I noticed a mention of Controlled folder access  being on in one of the reports.   Matter of fact it was on the 29th that the system log mentioned that the CFA option had prevented CHKDSK from running.

It more than likely has been the factor at play that had been preventing registry fixes.

So,  turn C F A  off   and then do the procedures I had mentioned  in my prior post   https://forums.malwarebytes.com/topic/264134-for-pieterc-permissions-and-windows-defender/?do=findComment&comment=1410913

 


I must observe that this case / situation has veered way far afield.   We are seemingly close to perhaps some dead end.

There is not an infection that I know of. It's mainly been some missing registry entries, a few Windows services missing, and now it seems like registry access permission issues. I may at some point need to call an end to this hunt & maybe provide some other advice.

It may well be that one or so of the auto-started applications on this PC  have a hand in this.  That is why I suggest to put this Windows into a "clean boot startup"  meaning to suppress all auto-start apps that are not Microsoft, not Windows, not Malwarebytes.

How to perform a clean boot in Windows
https://support.microsoft.com/en-us/help/929135/how-to-perform-a-clean-boot-in-windows

Study closely that article.  Keep a pen & paper handy & document the apps that you un-tick from auto-starting

Like I say, document your changes.   For your benefit / for later.

.

Then once the adjustments are made, do one Windows Restart.

Then do an inquiry using Windows PowerShell.

Start an elevated PowerShell command prompt window.
On the Windows taskbar, in the Search box, type in

powershell

Wait and look for the results list. Click on the line that shows PowerShell with "Run as Administrator".
Then you will see the PowerShell window.
Into that, we want to Copy & Paste this command line:

Get-Acl -Path HKLM:\System\CurrentControlSet\services | Format-List

Tap Enter

I would like to get an image copy (screen image capture) of the output on the screen.

You may close the Powershell window when complete.


Thank you.  The result shows that administrators have full access right  ( e.g. permission )    to that registry key.   And by doing a clean boot start, hopefully any interference has been prevented.

Now, you should be able to merge in the SharedAccess service key into the registry.

Look on the Desktop for the reg file  sharedaccess.reg
Double-click on sharedaccess.reg   and allow it to Merge   / monitor the process


I am very sorry too.  As I noted before,  I think we will have to call a halt to this quest soon.

I want to be very very certain that Controlled Folder Access in this Windows 10 is OFF   ( since if it were on, it may be over zealous about the registry )

  1. Go to the Windows taskbar  &  then to the Windows  Search box.
  2. Search for Windows Security and click the top result to open the app.
  3. Click on Virus & threat protection.
  4. Under the "Ransomware protection" section, click the Manage ransomware protection option.
  5. On the Controlled folder access toggle switch, make certain it is set to OFF (all the way to the Left).

Edited by Maurice Naggar

I tried to check the registry via regedit.

In [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess] all the items were exactly as the SharedAccess.reg would have made it.

However as soon as I tried to open "Defaults" or "Epoch" or "Epoch2" or "Security" sub-items  I got the error that access was denied.

But the sub-items "Firewall Policy" and "Triggerinfo" were accessible.

So the blockade is very specific.

I must admit that I did not check all FirewallRules but I got the clear impression that the registry in the SharedAccess key conformed to the SharedAccess.reg.

Everything else was.

Don't know if this helps. I'm stumped.


There is some sort of peculiar behavior here. But there is not a malware nor an infection.

As to the Windows 10 services, Maybe on some points, we did not know that the registry entry was already in place.

You started out the case with the indication that Malwarebytes for Windows reports no malware.

I have had you run a recent Windows Defender scan which reported no infection.

The MS Windows 10 Microsoft Defender is running, which was not so when the case started out.

It should be emphasized that we did make progress on this machine from the original opening.

We got Windows Update to work.   We got Windows Defender turned on.

.

The main charter of this sub-forum is about finding & removing malware.   There is none of that on this system.

It seems more and more likely I will be referring you elsewhere.

.

1- Use the Windows Explorer to go to the  folder where you have FRSTENGLISH. C:\FRST-tool  

We are going to use the tool to do a command-window run to query about some Windows services.

Please double-click on FRSTENGLISH 

2- Press Ctrl+Y (Ctrl and Y keys at the same time) 

3- A fixlist.txt file opens up, copy and paste the following into it all 7 lines below  : 

 

Start:: 

cmd: sc queryex mpsdrv
cmd: sc queryex MpsSvc
cmd: sc queryex bfe
cmd: sc queryex sharedaccess 

cmd: sc queryex windefend

End:: 

 

4. Press Ctrl+S to save. Close the fixlist.txt file. 
5. Click the Fix button on the FRSTENGLISH. 

 

PLEASE have  patience when this starts. You will see a green progress bar start. Lots of patience.  
 
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run. 

Please attach the Fixlog.txt in your reply. 


Thanks for the report. It appears to me that it is just 2 Windows services that we need to adjust & ensure are running (which are not now running).

We will ensure their startup type is set to automatic & that they are running.

MPSSVC is the (Windows 10) Windows Defender Firewall

MPSDRV is the Windows Defender Firewall Authorization Driver

Open an elevated command prompt window, i.e. run Command Prompt as an administrator.

To get the elevated command prompt, press Windows-key + X key and then select Command Prompt (Admin).


It is best to use the Windows Copy ( CTRL+ C )  and paste  ( CTRL+V )  for the whole line, as-is
On that command prompt,  Copy & Paste this command

WMIC SERVICE WHERE Name="mpssvc" CALL ChangeStartMode "automatic"

press Enter-key on keyboard   and watch & write down the result

 

Next    Copy   & Paste this command

WMIC SERVICE WHERE Name="mpssvc" CALL startservice

press Enter-key on keyboard   and watch & write down the result

NEXT

Copy & Paste this command

WMIC SERVICE WHERE Name="mpsdrv" CALL ChangeStartMode "automatic"

press Enter-key on keyboard   and watch & write down the result

 

Next    Copy   & Paste this command

WMIC SERVICE WHERE Name="mpsdrv" CALL startservice

press Enter-key on keyboard   and watch & write down the result

Edited by Maurice Naggar
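An added example, not from this thread or either participant, that collects the checks the helper asked for one at a time into a single elevated PowerShell pass: the five service queries from the fixlist, the Administrators entry on the Services key that the Get-Acl command inspected, a read test on the SharedAccess subkeys the user could not open in regedit, and the Controlled folder access state, with an optional -Repair switch that does what the two WMIC ChangeStartMode/startservice pairs do. It assumes Windows 10 with the Defender cmdlets (Get-MpPreference) present; the Parameters subkey is an assumption, the other subkey names come from the thread.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. One elevated pass over the checks the helper asked for
# piecemeal (sc queryex, Get-Acl, Controlled folder access). Assumes Windows 10 with the
# Defender cmdlets installed. -Repair mirrors the WMIC ChangeStartMode "automatic" + startservice pair.
param([switch]$Repair)

# 1. State and start mode of the services queried in the fixlist. Win32_BaseService covers both
#    Win32 services (MpsSvc, bfe, SharedAccess, WinDefend) and the kernel driver mpsdrv.
$names = 'mpsdrv', 'MpsSvc', 'bfe', 'SharedAccess', 'WinDefend'
$found = @{}
foreach ($n in $names) {
    $svc = Get-CimInstance -ClassName Win32_BaseService -Filter "Name='$n'"
    if (-not $svc) { '{0,-13} MISSING (no service entry in the registry)' -f $n; continue }
    $found[$n] = $svc
    '{0,-13} state={1,-8} startmode={2}' -f $n, $svc.State, $svc.StartMode
}

# 2. Does BUILTIN\Administrators hold an Allow FullControl entry on the Services key?
$full = [System.Security.AccessControl.RegistryRights]::FullControl
$acl  = Get-Acl -Path 'HKLM:\SYSTEM\CurrentControlSet\Services'
$adminFull = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq 'BUILTIN\Administrators' -and
    $_.AccessControlType -eq 'Allow' -and (($_.RegistryRights -band $full) -eq $full)
}
'Administrators FullControl on Services key: {0}' -f [bool]$adminFull

# 3. Read test on the SharedAccess subkeys; an Access Denied shows up here as a SecurityException.
#    Defaults/Epoch/Epoch2/Security/TriggerInfo are named in the thread; Parameters is assumed.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess'
foreach ($sub in 'Defaults', 'Epoch', 'Epoch2', 'Security', 'TriggerInfo', 'Parameters') {
    try   { $null = Get-Item -Path "$base\$sub" -ErrorAction Stop; "$sub : readable" }
    catch { "$sub : $($_.Exception.GetType().Name)" }
}

# 4. Controlled folder access: 0 = off, 1 = block, 2 = audit. The thread wants 0 for the case.
'Controlled folder access: {0}' -f (Get-MpPreference).EnableControlledFolderAccess

# 5. Optional repair of the two firewall services; ReturnValue 0 means success, as with WMIC.
if ($Repair) {
    foreach ($n in 'MpsSvc', 'mpsdrv') {
        if (-not $found[$n]) { "$n : cannot repair, service entry missing"; continue }
        $r1 = Invoke-CimMethod -InputObject $found[$n] -MethodName ChangeStartMode -Arguments @{ StartMode = 'Automatic' }
        $r2 = Invoke-CimMethod -InputObject $found[$n] -MethodName StartService
        '{0}: ChangeStartMode={1} StartService={2}' -f $n, $r1.ReturnValue, $r2.ReturnValue
    }
}
```

Run it once without -Repair to capture the same picture the Fixlog, Get-Acl screenshot and Windows Security page give separately; a non-zero ReturnValue or a SecurityException on a subkey points at the permission problem the thread describes rather than at malware.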