svchost.exe & store.xml - Laptop Hard Drive

  • Thread starter: Dave Onex

Dave Onex
Hi Folks;

I'm troubleshooting a problem with my laptop's hard drive not going to sleep
after 5 minutes. To that end I broke out Process Monitor to take a look at
what is accessing the hard drive.

What I'm finding is repeated attempts to CreateFile;

C:\Documents and Settings\All Users\Application
Data\Microsoft\Provisioning\store.xml

that results in a NAME NOT FOUND error or NAME COLLISION. I actually created
a store.xml file in that directory thinking that would make it go away - it
hasn't.

Does anyone know why svchost.exe is continually trying to create a file
called store.xml and how can I stop it?

Thanks!
Dave
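
A capture like the one described above can be triaged offline. The following is an added example, not part of the original thread: it groups failed CreateFile events from a Process Monitor CSV export by process, PID and path, and reports how often each path is retried. The column layout of the export and every row in the sample (times, PIDs, the extra processes) are constructed assumptions.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample rows in the assumed layout of a Process Monitor CSV export.
# PIDs, timestamps and the non-svchost rows are made up for illustration.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:15:02.0000000 AM","svchost.exe","1044","CreateFile","C:\Documents and Settings\All Users\Application Data\Microsoft\Provisioning\store.xml","NAME NOT FOUND",""
"10:15:30.0000000 AM","explorer.exe","1720","CreateFile","C:\WINDOWS\explorer.exe","SUCCESS",""
"10:16:02.0000000 AM","svchost.exe","1044","CreateFile","C:\Documents and Settings\All Users\Application Data\Microsoft\Provisioning\store.xml","NAME COLLISION",""
"10:16:10.0000000 AM","svchost.exe","880","CreateFile","C:\WINDOWS\system32\example.dat","NAME NOT FOUND",""
"10:17:02.0000000 AM","svchost.exe","1044","CreateFile","C:\Documents and Settings\All Users\Application Data\Microsoft\Provisioning\store.xml","NAME NOT FOUND",""
"10:18:02.0000000 AM","svchost.exe","1044","CreateFile","C:\Documents and Settings\All Users\Application Data\Microsoft\Provisioning\store.xml","NAME COLLISION",""
'''

# The two results reported in the post above.
FAILURES = {"NAME NOT FOUND", "NAME COLLISION"}


def seconds_since_midnight(time_of_day):
    """Convert '10:15:02.0000000 AM' (or a 24-hour clock value) to seconds."""
    clock, _, meridiem = time_of_day.strip().partition(" ")
    hours, minutes, seconds = clock.split(":")
    hour = int(hours)
    if meridiem:  # 12-hour clock: 12 AM is hour 0, 12 PM is hour 12
        hour = hour % 12 + (12 if meridiem.upper() == "PM" else 0)
    return hour * 3600 + int(minutes) * 60 + float(seconds)


def repeated_failures(csv_text, min_count=3):
    """Return failed CreateFile targets retried at least min_count times.

    Events are grouped by (process name, PID, lower-cased path). The PID is
    kept because svchost.exe hosts several services in separate instances.
    """
    groups = defaultdict(list)
    reader = csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff")))
    for row in reader:
        if row["Operation"] != "CreateFile" or row["Result"] not in FAILURES:
            continue
        key = (row["Process Name"], int(row["PID"]), row["Path"].lower())
        stamp = seconds_since_midnight(row["Time of Day"])
        groups[key].append((stamp, row["Result"]))

    findings = []
    for (process, pid, path), hits in groups.items():
        if len(hits) < min_count:
            continue
        times = sorted(stamp for stamp, _ in hits)
        span = times[-1] - times[0]
        mean_interval = round(span / (len(hits) - 1), 1) if len(hits) > 1 else None
        findings.append({
            "process": process,
            "pid": pid,
            "path": path,
            "count": len(hits),
            "results": dict(Counter(result for _, result in hits)),
            "mean_interval_s": mean_interval,
        })
    findings.sort(key=lambda item: item["count"], reverse=True)
    return findings


if __name__ == "__main__":
    for item in repeated_failures(SAMPLE_CSV):
        print("{process} (PID {pid}) retried {path} {count} times, "
              "about every {mean_interval_s} s: {results}".format(**item))
```

Because svchost.exe is a host process, the PID in the result is the useful part; `tasklist /svc` on the same machine lists which services run inside that PID.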
 
RE: svchost.exe & store.xml - Laptop Hard Drive



"Dave Onex" wrote:

> Hi Folks;
>
> I'm troubleshooting a problem with my laptop's hard drive not going to sleep
> after 5 minutes. To that end I broke out Process Monitor to take a look at
> what is accessing the hard drive.
>
> What I'm finding is repeated attempts to CreateFile;
>
> C:\Documents and Settings\All Users\Application
> Data\Microsoft\Provisioning\store.xml
>
> that results in a NAME NOT FOUND error or NAME COLLISION. I actually created
> a store.xml file in that directory thinking that would make it go away - it
> hasn't.
>
> Does anyone know why svchost.exe is continually trying to create a file
> called store.xml and how can I stop it?
>
> Thanks!
> Dave


You can use Filemon to track down the cause of this. Note it can be a
program that needs to access the internet to update or refresh its contacts, like
Messenger or an AV.
FileMon for Windows v7.04
http://technet.microsoft.com/en-us/sysinternals/bb896642.aspx

Background about the Provisioning service:
Wireless Network Provisioning
http://msdn.microsoft.com/en-us/library/ms806463.aspx

You can stop this service from the services control panel and see if that
will help to stop this activity.
HTH,
nass
---
http://www.nasstec.co.uk
 
Re: svchost.exe & store.xml - Laptop Hard Drive


"nass" <nass@discussions.microsoft.com> wrote in message
news:355D480F-215F-4456-8AF1-038E6F973650@microsoft.com...
>
>
> "Dave Onex" wrote:
>
> > Hi Folks;
> >
> > I'm troubleshooting a problem with my laptop's hard drive not going to sleep
> > after 5 minutes. To that end I broke out Process Monitor to take a look at
> > what is accessing the hard drive.
> >
> > What I'm finding is repeated attempts to CreateFile;
> >
> > C:\Documents and Settings\All Users\Application
> > Data\Microsoft\Provisioning\store.xml
> >
> > that results in a NAME NOT FOUND error or NAME COLLISION. I actually created
> > a store.xml file in that directory thinking that would make it go away - it
> > hasn't.
> >
> > Does anyone know why svchost.exe is continually trying to create a file
> > called store.xml and how can I stop it?
> >
> > Thanks!
> > Dave

>
> You can use Filemon to track down the cause of this. Note it can be a
> program that needs to access the internet to update or refresh its contacts, like
> Messenger or an AV.
> FileMon for Windows v7.04
> http://technet.microsoft.com/en-us/sysinternals/bb896642.aspx
>
> Background about the Provisioning service:
> Wireless Network Provisioning
> http://msdn.microsoft.com/en-us/library/ms806463.aspx
>
> You can stop this service from the services control panel and see if that
> will help to stop this activity.
> HTH,
> nass
> ---
> http://www.nasstec.co.uk
>


Hi Nass;

Thanks for the reply - after much searching I could find zero information on
this issue although several have reported it.
I am using Process Monitor to see what's accessing the disk - that's how I
found out about C:\Documents and Settings\All Users\Application
Data\Microsoft\Provisioning\store.xml

What I didn't know is what it was related to and thanks to your help I do
:-)

I've checked the Network Provisioning Service in XP (Pro) and it was not
running. I've since disabled it but I'm still seeing something (it?) trying
to access/write to C:\Documents and Settings\All Users\Application
Data\Microsoft\Provisioning\store.xml

I'm sure we're on the right track and this is the only thing left that
Process Monitor shows is accessing the disk so it's just a matter of
shutting the darn thing down.

Any other ideas?

Thanks!
Dave
 
Re: svchost.exe & store.xml - Laptop Hard Drive

Always state your full Windows version (e.g., WinXP SP3) when posting to
this newsgroup, please.

What anti-virus application or security suite is installed? What
anti-spyware applications (other than Defender)? What third-party firewall
(if any)?
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.net/


Dave Onex wrote:
> I'm troubleshooting a problem with my laptop's hard drive not going to
> sleep
> after 5 minutes. To that end I broke out Process Monitor to take a look at
> what is accessing the hard drive.
>
> What I'm finding is repeated attempts to CreateFile;
>
> C:\Documents and Settings\All Users\Application
> Data\Microsoft\Provisioning\store.xml
>
> that results in a NAME NOT FOUND error or NAME COLLISION. I actually
> created
> a store.xml file in that directory thinking that would make it go away -
> it
> hasn't.
>
> Does anyone know why svchost.exe is continually trying to create a file
> called store.xml and how can I stop it?
 
Re: svchost.exe & store.xml - Laptop Hard Drive


"PA Bear [MS MVP]" <PABearMVP@gmail.com> wrote in message
news:O7ySBXgFJHA.3392@TK2MSFTNGP06.phx.gbl...
> Always state your full Windows version (e.g., WinXP SP3) when posting to
> this newsgroup, please.
>
> What anti-virus application or security suite is installed? What
> anti-spyware applications (other than Defender)? What third-party firewall
> (if any)?
> --
> ~Robear Dyer (PA Bear)
> MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
> AumHa VSOP & Admin http://aumha.net
> DTS-L http://dts-l.net/
>
>
> Dave Onex wrote:
> > I'm troubleshooting a problem with my laptop's hard drive not going to
> > sleep
> > after 5 minutes. To that end I broke out Process Monitor to take a look at
> > what is accessing the hard drive.
> >
> > What I'm finding is repeated attempts to CreateFile;
> >
> > C:\Documents and Settings\All Users\Application
> > Data\Microsoft\Provisioning\store.xml
> >
> > that results in a NAME NOT FOUND error or NAME COLLISION. I actually
> > created
> > a store.xml file in that directory thinking that would make it go away -
> > it
> > hasn't.
> >
> > Does anyone know why svchost.exe is continually trying to create a file
> > called store.xml and how can I stop it?

>


Hi Robear;

It's XP Pro SP#3 with all updates. There are no anti-virus applications
installed.

I've been using Process Monitor to show each (and all) applications that are
accessing the drive in real-time. The only thing left is the Wireless
Network Provisioning service (that's been disabled) trying to access
C:\Documents and Settings\All
Users\Application\Data\Microsoft\Provisioning\store.xml

As far as we can see it shouldn't be doing that given that the service is
disabled. I've confirmed it in another fashion - by turning off the WiFi
card it stops trying to write/create/access that file.

Thanks;
Dave
 
Re: svchost.exe & store.xml - Laptop Hard Drive



"Dave Onex" wrote:

>
> "PA Bear [MS MVP]" <PABearMVP@gmail.com> wrote in message
> news:O7ySBXgFJHA.3392@TK2MSFTNGP06.phx.gbl...
> > Always state your full Windows version (e.g., WinXP SP3) when posting to
> > this newsgroup, please.
> >
> > What anti-virus application or security suite is installed? What
> > anti-spyware applications (other than Defender)? What third-party firewall
> > (if any)?
> > --
> > ~Robear Dyer (PA Bear)
> > MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
> > AumHa VSOP & Admin http://aumha.net
> > DTS-L http://dts-l.net/
> >
> >
> > Dave Onex wrote:
> > > I'm troubleshooting a problem with my laptop's hard drive not going to
> > > sleep
> > > after 5 minutes. To that end I broke out Process Monitor to take a look at
> > > what is accessing the hard drive.
> > >
> > > What I'm finding is repeated attempts to CreateFile;
> > >
> > > C:\Documents and Settings\All Users\Application
> > > Data\Microsoft\Provisioning\store.xml
> > >
> > > that results in a NAME NOT FOUND error or NAME COLLISION. I actually
> > > created
> > > a store.xml file in that directory thinking that would make it go away -
> > > it
> > > hasn't.
> > >
> > > Does anyone know why svchost.exe is continually trying to create a file
> > > called store.xml and how can I stop it?

> >

>
> Hi Robear;
>
> It's XP Pro SP#3 with all updates. There are no anti-virus applications
> installed.
>
> I've been using Process Monitor to show each (and all) applications that are
> accessing the drive in real-time. The only thing left is the Wireless
> Network Provisioning service (that's been disabled) trying to access
> C:\Documents and Settings\All
> Users\Application\Data\Microsoft\Provisioning\store.xml
>
> As far as we can see it shouldn't be doing that given that the service is
> disabled. I've confirmed it in another fashion - by turning off the WiFi
> card it stops trying to write/create/access that file.
>
> Thanks;
> Dave


Running without an AV or a firewall is not a good idea!
Go through these Cleaning steps:
1... First, try to clean up your caches, Internet files and delete cookies
by doing this:
Click Start >> Control Panel >> Double click Network and Internet
Connections >> Double click Internet Options.
On the IE properties windows you will see these Tabs:
General | Security | Privacy | Content | Connections | Programs |
Advanced
Under General Tab clear your History, Internet Files and Cookies.
Then click on Advanced tab and scroll down to under the Browsing Option:
[&] Browsing
[ ] Enable Third-Party browser extensions (Req Rest) uncheck this box.
Then click on Programs Tab and click Manage Add-Ons and Disable all non
Verified Add-Ons (you should re-enable them later one-by-one and see the
culprit and update it or remove it).
How to manage Add-Ons:
http://support.microsoft.com/kb/883256
Scan for malware from here:
SuperAntispyware - Free
http://www.superantispyware.com/superantispywarefreevspro.html
http://www.malwarebytes.org/rr-update/rr-free-setup.exe
http://onecare.live.com/site/en-gb/default.htm?s_cid=sah
http://onecare.live.com/standard/en-gb/default.htm

Run a scan from here on-line:
http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
Download Avast Cleaner (offline scanner) from here:
http://www.avast.com/eng/avast-virus-cleaner.html
Comodo BOClean : Anti-Malware Version 4.27
http://www.comodo.com/boclean/boclean.html
Run disk cleanup and also this tool:
http://www.ccleaner.com/download/builds/downloading-slim
Download HijackThis and send me the log.
(http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php)
Send me a copy; my address is: to_you_ross(at remove this and replace with
the obvious)yahoo.co.uk

( _ is underscore)
HTH
nass
--
http://www.nasstec.co.uk
 
Re: svchost.exe & store.xml - Laptop Hard Drive


"nass" <nass@discussions.microsoft.com> wrote in message
news:240F9B64-82AF-404E-960F-539615715768@microsoft.com...
>
>
> "Dave Onex" wrote:
>
> >
> > "PA Bear [MS MVP]" <PABearMVP@gmail.com> wrote in message
> > news:O7ySBXgFJHA.3392@TK2MSFTNGP06.phx.gbl...
> > > Always state your full Windows version (e.g., WinXP SP3) when posting to
> > > this newsgroup, please.
> > >
> > > What anti-virus application or security suite is installed? What
> > > anti-spyware applications (other than Defender)? What third-party firewall
> > > (if any)?
> > > --
> > > ~Robear Dyer (PA Bear)
> > > MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
> > > AumHa VSOP & Admin http://aumha.net
> > > DTS-L http://dts-l.net/
> > >
> > >
> > > Dave Onex wrote:
> > > > I'm troubleshooting a problem with my laptop's hard drive not going to
> > > > sleep
> > > > after 5 minutes. To that end I broke out Process Monitor to take a look at
> > > > what is accessing the hard drive.
> > > >
> > > > What I'm finding is repeated attempts to CreateFile;
> > > >
> > > > C:\Documents and Settings\All Users\Application
> > > > Data\Microsoft\Provisioning\store.xml
> > > >
> > > > that results in a NAME NOT FOUND error or NAME COLLISION. I actually
> > > > created
> > > > a store.xml file in that directory thinking that would make it go away -
> > > > it
> > > > hasn't.
> > > >
> > > > Does anyone know why svchost.exe is continually trying to create a file
> > > > called store.xml and how can I stop it?
> > >

> >
> > Hi Robear;
> >
> > It's XP Pro SP#3 with all updates. There are no anti-virus applications
> > installed.
> >
> > I've been using Process Monitor to show each (and all) applications that are
> > accessing the drive in real-time. The only thing left is the Wireless
> > Network Provisioning service (that's been disabled) trying to access
> > C:\Documents and Settings\All
> > Users\Application\Data\Microsoft\Provisioning\store.xml
> >
> > As far as we can see it shouldn't be doing that given that the service is
> > disabled. I've confirmed it in another fashion - by turning off the WiFi
> > card it stops trying to write/create/access that file.
> >
> > Thanks;
> > Dave

>
> Running without an AV or a firewall is not a good idea!
> Go through these Cleaning steps:
> 1... First, try to clean up your caches, Internet files and delete cookies
> by doing this:
> Click Start >> Control Panel >> Double click Network and Internet
> Connections >> Double click Internet Options.
> On the IE properties windows you will see these Tabs:
> General | Security | Privacy | Content | Connections | Programs |
> Advanced
> Under General Tab clear your History, Internet Files and Cookies.
> Then click on Advanced tab and scroll down to under the Browsing Option:
> [&] Browsing
> [ ] Enable Third-Party browser extensions (Req Rest) uncheck this box.
> Then click on Programs Tab and click Manage Add-Ons and Disable all non
> Verified Add-Ons (you should re-enable them later one-by-one and see the
> culprit and update it or remove it).
> How to manage Add-Ons:
> http://support.microsoft.com/kb/883256
> Scan for malware from here:
> SuperAntispyware - Free
> http://www.superantispyware.com/superantispywarefreevspro.html
> http://www.malwarebytes.org/rr-update/rr-free-setup.exe
> http://onecare.live.com/site/en-gb/default.htm?s_cid=sah
> http://onecare.live.com/standard/en-gb/default.htm
>
> Run a scan from here on-line:
> http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym
> http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
> Download Avast Cleaner (offline scanner) from here:
> http://www.avast.com/eng/avast-virus-cleaner.html
> Comodo BOClean : Anti-Malware Version 4.27
> http://www.comodo.com/boclean/boclean.html
> Run disk cleanup and also this tool:
> http://www.ccleaner.com/download/builds/downloading-slim
> Download HijackThis and send me the log.
> (http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php)
> Send me a copy; my address is: to_you_ross(at remove this and replace with
> the obvious)yahoo.co.uk
>
> ( _ is underscore)
> HTH
> nass
> --
> http://www.nasstec.co.uk


Hi guys;

I don't know how we got sidetracked into this whole spyware/firewall issue
when the issue has been that the hard drive fails to power down due to
writes to C:\Documents and Settings\All
Users\Application\Data\Microsoft\Provisioning\store.xml by the wireless
provisioning service.

=>That's the issue - not a malware infection. <=

If you must know the system runs behind ISA 2004 and the notebook does have
its native firewall enabled as well. It's not infected - period.
We've been sidetracked by Pa Bear so let's come back to the original issue
at hand:

Why is ProcMon reporting access to C:\Documents and Settings\All
Users\Application\Data\Microsoft\Provisioning\store.xml by the wireless
provisioning service when the service is disabled?

If you'll read my previous post this activity stops if I remove the wireless
card. So, again,

Why is ProcMon reporting access to C:\Documents and Settings\All
Users\Application\Data\Microsoft\Provisioning\store.xml by the wireless
provisioning service when the service is disabled?
And more importantly, how can I stop this behavior?

Thanks;
Dave

BTW, I have a really great spyware/virus section
(http://www.asksomeone.net/forums/index.php?showforum=20) here. There's a
lot of great reference material there :-)
 
Re: svchost.exe & store.xml - Laptop Hard Drive

Dave Onex wrote:
>>> I'm troubleshooting a problem with my laptop's hard drive not going to
>>> sleep
>>> after 5 minutes. To that end I broke out Process Monitor to take a look
>>> at
>>> what is accessing the hard drive.
>>>
>>> What I'm finding is repeated attempts to CreateFile;
>>>
>>> C:\Documents and Settings\All Users\Application
>>> Data\Microsoft\Provisioning\store.xml
>>>
>>> that results in a NAME NOT FOUND error or NAME COLLISION. I actually
>>> created
>>> a store.xml file in that directory thinking that would make it go away -
>>> it
>>> hasn't.
>>>
>>> Does anyone know why svchost.exe is continually trying to create a file
>>> called store.xml and how can I stop it?

>>
>> Always state your full Windows version (e.g., WinXP SP3) when posting to
>> this newsgroup, please.
>>
>> What anti-virus application or security suite is installed? What
>> anti-spyware applications (other than Defender)? What third-party
>> firewall
>> (if any)?

>
> Hi Robear;
>
> It's XP Pro SP#3 with all updates. There are no anti-virus applications
> installed...

<snip>

That's enough. Time to wipe 'n reload: http://www.dslreports.com/faq/10063

Protect Your PC!
http://www.microsoft.com/athome/security/computer/default.mspx
--
~PA Bear
 
Re: svchost.exe & store.xml - Laptop Hard Drive

Viruses and Spyware can cause that, it is the way they work and considering
you have none installed you are probably infected. How do you know you are
not infected without protection software to tell you that you are?

--
Ignore any posts made by the Stalker Leythos, he's still in love with me.
He started stalking me after I spurned his advances towards me.
He said he would stop Stalking me If I stopped mentioning his name.
As you can see that does not work. He is a sick obsessive STALKER.





"Dave Onex" <dave@onex.com> wrote in message
news:%236kpjEqFJHA.3392@TK2MSFTNGP06.phx.gbl...
>
> "nass" <nass@discussions.microsoft.com> wrote in message
> news:240F9B64-82AF-404E-960F-539615715768@microsoft.com...
>>
>>
>> "Dave Onex" wrote:
>>
>> >
>> > "PA Bear [MS MVP]" <PABearMVP@gmail.com> wrote in message
>> > news:O7ySBXgFJHA.3392@TK2MSFTNGP06.phx.gbl...
>> > > Always state your full Windows version (e.g., WinXP SP3) when posting to
>> > > this newsgroup, please.
>> > >
>> > > What anti-virus application or security suite is installed? What
>> > > anti-spyware applications (other than Defender)? What third-party
>> > firewall
>> > > (if any)?
>> > > --
>> > > ~Robear Dyer (PA Bear)
>> > > MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
>> > > AumHa VSOP & Admin http://aumha.net
>> > > DTS-L http://dts-l.net/
>> > >
>> > >
>> > > Dave Onex wrote:
>> > > > I'm troubleshooting a problem with my laptop's hard drive not going to
>> > > > sleep
>> > > > after 5 minutes. To that end I broke out Process Monitor to take a look at
>> > > > what is accessing the hard drive.
>> > > >
>> > > > What I'm finding is repeated attempts to CreateFile;
>> > > >
>> > > > C:\Documents and Settings\All Users\Application
>> > > > Data\Microsoft\Provisioning\store.xml
>> > > >
>> > > > that results in a NAME NOT FOUND error or NAME COLLISION. I
>> > > > actually
>> > > > created
>> > > > a store.xml file in that directory thinking that would make it go away -
>> > > > it
>> > > > hasn't.
>> > > >
>> > > > Does anyone know why svchost.exe is continually trying to create a file
>> > > > called store.xml and how can I stop it?
>> > >
>> >
>> > Hi Robear;
>> >
>> > It's XP Pro SP#3 with all updates. There are no anti-virus applications
>> > installed.
>> >
>> > I've been using Process Monitor to show each (and all) applications
>> > that are
>> > accessing the drive in real-time. The only thing left is the Wireless
>> > Network Provisioning service (that's been disabled) trying to access
>> > C:\Documents and Settings\All
>> > Users\Application\Data\Microsoft\Provisioning\store.xml
>> >
>> > As far as we can see it shouldn't be doing that given that the service is
>> > disabled. I've confirmed it in another fashion - by turning off the
>> > WiFi
>> > card it stops trying to write/create/access that file.
>> >
>> > Thanks;
>> > Dave

>>
>> Running without an AV or a firewall is not a good idea!
>> Go through these Cleaning steps:
>> 1... First, try to clean up your caches, Internet files and delete
>> cookies
>> by doing this:
>> Click Start >> Control Panel >> Double click Network and Internet
>> Connections >> Double click Internet Options.
>> On the IE properties windows you will see these Tabs:
>> General | Security | Privacy | Content | Connections | Programs |
>> Advanced
>> Under General Tab clear your History, Internet Files and Cookies.
>> Then click on Advanced tab and scroll down to under the Browsing Option:
>> [&] Browsing
>> [ ] Enable Third-Party browser extensions (Req Rest) uncheck this box.
>> Then click on Programs Tab and click Manage Add-Ons and Disable all non
>> Verified Add-Ons (you should re-enable them later one-by-one and see the
>> culprit and update it or remove it).
>> How to manage Add-Ons:
>> http://support.microsoft.com/kb/883256
>> Scan for malware from here:
>> SuperAntispyware - Free
>> http://www.superantispyware.com/superantispywarefreevspro.html
>> http://www.malwarebytes.org/rr-update/rr-free-setup.exe
>> http://onecare.live.com/site/en-gb/default.htm?s_cid=sah
>> http://onecare.live.com/standard/en-gb/default.htm
>>
>> Run a scan from here on-line:
>> http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym
>> http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
>> Download Avast Cleaner (offline scanner) from here:
>> http://www.avast.com/eng/avast-virus-cleaner.html
>> Comodo BOClean : Anti-Malware Version 4.27
>> http://www.comodo.com/boclean/boclean.html
>> Run disk cleanup and also this tool:
>> http://www.ccleaner.com/download/builds/downloading-slim
>> Download HijackThis and send me the log.
>> (http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php)
>> Send me a copy; my address is: to_you_ross(at remove this and replace with
>> the obvious)yahoo.co.uk
>>
>> ( _ is underscore)
>> HTH
>> nass
>> --
>> http://www.nasstec.co.uk

>
> Hi guys;
>
> I don't know how we got sidetracked into this whole spyware/firewall issue
> when the issue has been that the hard drive fails to power down due to
> writes to C:\Documents and Settings\All
> Users\Application\Data\Microsoft\Provisioning\store.xml by the wireless
> provisioning service.
>
> =>That's the issue - not a malware infection. <=
>
> If you must know the system runs behind ISA 2004 and the notebook does
> have
> its native firewall enabled as well. It's not infected - period.
> We've been sidetracked by Pa Bear so let's come back to the original issue
> at hand:
>
> Why is ProcMon reporting access to C:\Documents and Settings\All
> Users\Application\Data\Microsoft\Provisioning\store.xml by the wireless
> provisioning service when the service is disabled?
>
> If you'll read my previous post this activity stops if I remove the
> wireless
> card. So, again,
>
> Why is ProcMon reporting access to C:\Documents and Settings\All
> Users\Application\Data\Microsoft\Provisioning\store.xml by the wireless
> provisioning service when the service is disabled?
> And more importantly, how can I stop this behavior?
>
> Thanks;
> Dave
>
> BTW, I have a really great spyware/virus section
> (http://www.asksomeone.net/forums/index.php?showforum=20) here. There's a
> lot of great reference material there :-)
>
>
>
 
Re: svchost.exe & store.xml - Laptop Hard Drive


"PA Bear [MS MVP]" <PABearMVP@gmail.com> wrote in message
news:eRCJ8aqFJHA.5572@TK2MSFTNGP03.phx.gbl...
> Dave Onex wrote:
> >>> I'm troubleshooting a problem with my laptop's hard drive not going to
> >>> sleep
> >>> after 5 minutes. To that end I broke out Process Monitor to take a look
> >>> at
> >>> what is accessing the hard drive.
> >>>
> >>> What I'm finding is repeated attempts to CreateFile;
> >>>
> >>> C:\Documents and Settings\All Users\Application
> >>> Data\Microsoft\Provisioning\store.xml
> >>>
> >>> that results in a NAME NOT FOUND error or NAME COLLISION. I actually
> >>> created
> >>> a store.xml file in that directory thinking that would make it go away -
> >>> it
> >>> hasn't.
> >>>
> >>> Does anyone know why svchost.exe is continually trying to create a file
> >>> called store.xml and how can I stop it?
> >>
> >> Always state your full Windows version (e.g., WinXP SP3) when posting to
> >> this newsgroup, please.
> >>
> >> What anti-virus application or security suite is installed? What
> >> anti-spyware applications (other than Defender)? What third-party
> >> firewall
> >> (if any)?

> >
> > Hi Robear;
> >
> > It's XP Pro SP#3 with all updates. There are no anti-virus applications
> > installed...

> <snip>
>
> That's enough. Time to wipe 'n reload: http://www.dslreports.com/faq/10063
>
> Protect Your PC!
> http://www.microsoft.com/athome/security/computer/default.mspx
> --
> ~PA Bear
>

You've got to be kidding me - you're a Microsoft MVP? Your recommendation is
a format? Do you even know what Process Monitor is or does?

I sure hope you don't 'help' too many others with advice like that.

I've got a squeaky clean laptop with only one process that's writing to the
drive and keeping it from entering sleep mode and your advice is to format
it? I guess you don't understand the value in that.

It's unfortunate that you've hijacked a solution that was right on track
with Nass and turned it (and Nass) in completely the wrong direction - and
then recommend a format?

I really wish you hadn't jumped into this thread at all. Now that you have,
please check out the BTW, at the bottom of this post - that's MY site and it
will help you to actually help others remove infections - without formatting
the hard drive. Now, hopefully, you'll go away so that I can come back to
the actual issue with nass...

If nass is still out there and has any valuable input (as he did at the
start);

Hi guys;

I don't know how we got sidetracked into this whole spyware/firewall issue
when the issue has been that the hard drive fails to power down due to
writes to C:\Documents and Settings\All
Users\Application\Data\Microsoft\Provisioning\store.xml by the wireless
provisioning service.

=>That's the issue - not a malware infection. <=

If you must know the system runs behind ISA 2004 and the notebook does have
its native firewall enabled as well. It's not infected - period.
We've been sidetracked by Pa Bear so let's come back to the original issue
at hand:

Why is ProcMon reporting access to C:\Documents and Settings\All
Users\Application\Data\Microsoft\Provisioning\store.xml by the wireless
provisioning service when the service is disabled?

If you'll read my previous post this activity stops if I remove the wireless
card. So, again,

Why is ProcMon reporting access to C:\Documents and Settings\All
Users\Application\Data\Microsoft\Provisioning\store.xml by the wireless
provisioning service when the service is disabled?
And more importantly, how can I stop this behavior?

Thanks;
Dave

BTW, I have a really great spyware/virus section
(http://www.asksomeone.net/forums/index.php?showforum=20) here. There's a
lot of great reference material there :-)
 
Re: svchost.exe & store.xml - Laptop Hard Drive

Dave Onex wrote:
<snip>
>>> It's XP Pro SP#3 with all updates. There are no anti-virus applications
>>> installed...

>> <snip>
>>
>> That's enough. Time to wipe 'n reload: http://www.dslreports.com/faq/10063
>>
>> Protect Your PC!
>> http://www.microsoft.com/athome/security/computer/default.mspx
>> --
>> ~PA Bear
>>

> You've got to be kidding me - you're a Microsoft MVP? Your recommendation
> is
> a format? Do you even know what Process Monitor is or does?...


Did you even bother to read http://www.dslreports.com/faq/10063?

I'm certainly familiar with Process Monitor and many other utilities that no
one's yet mentioned in this thread.

If you've been running without a functional and fully-updated anti-virus
application, God only knows how the machine may be compromised. You
certainly cannot trust the security of this machine IMHO.

Doing a wipe & reload's gonna take you much less time than trying to detect
the cause of this behavior and address it.

Feel free to ignore my posts.
 
Re: svchost.exe & store.xml - Laptop Hard Drive


"PA Bear [MS MVP]" <PABearMVP@gmail.com> wrote in message
news:u9zhn5qFJHA.1272@TK2MSFTNGP05.phx.gbl...
> Dave Onex wrote:
> <snip>
> >>> It's XP Pro SP#3 with all updates. There are no anti-virus applications
> >>> installed...
> >> <snip>
> >>
> >> That's enough. Time to wipe 'n reload: http://www.dslreports.com/faq/10063
> >>
> >> Protect Your PC!
> >> http://www.microsoft.com/athome/security/computer/default.mspx
> >> --
> >> ~PA Bear
> >>

> > You've got to be kidding me - you're a Microsoft MVP? Your recommendation
> > is
> > a format? Do you even know what Process Monitor is or does?...

>
> Did you even bother to read http://www.dslreports.com/faq/10063?
>
> I'm certainly familiar with Process Monitor and many other utilities that no
> one's yet mentioned in this thread.
>
> If you've been running without a functional and fully-updated anti-virus
> application, God only knows how the machine may be compromised. You
> certainly cannot trust the security of this machine IMHO.
>
> Doing a wipe & reload's gonna take you much less time than trying to detect
> the cause of this behavior and address it.
>
> Feel free to ignore my posts.
>


I can tell you right now what I'm going to find with a wipe and reload - the
exact same thing. While each of these protected machines is backed up daily
to tape library - I'm certainly not willing to take what will amount to a
day long detour to come back to the exact same issue.

I realize that most users are unaware of what's going on with their
computers and as indicated by the several thousand people that have had
their malware removed on my own personal site (hint hint) - without a
format. We have several servers, none of which are protected by
anti-virus/spyware and all have been running for +4 years that way. We have
an enterprise firewall installed (ISA 2004) and the few users we have are
all well versed in malware and well able to remove any infections that they
might have - all on their own accord.

Security is not something I take lightly, our VPN is a L2TP VPN and we run
our own Certificate server. We also run our own Windows Update Servers and I
could go on in depth for many hours about our network design, the levels of
security behind it, etc - but the fact of the matter is that I've now taken
a several hour long detour into an irrelevant area when the very first reply
to this thread was going directly to the heart of the problem...

If you want to gauge my level of knowledge then spend a few hours on my site.
The reason I came here is in the hopes to meet up with someone (like nass)
who immediately pointed me in the right direction. I doubt I would ever have
determined that the issue is related to the Wireless Network Provisioning
service without his input. Unfortunately, this thread got quickly hijacked
into the wrong direction and the fact that I'm spending an inordinate amount
of time explaining my network's security design is just further proof of
that.

Please, I would ask that if anyone has more information that relates
directly to the issue of my laptop's hard drive not going to sleep because
of repeated access by the Wireless Network Provisioning service (that's been
disabled) trying to access C:\Documents and Settings\All
Users\Application\Data\Microsoft\Provisioning\store.xml I would greatly
appreciate it.

Best & Thanks;
Dave
 
Re: svchost.exe & store.xml - Laptop Hard Drive



"Dave Onex" wrote:

>
> "nass" <nass@discussions.microsoft.com> wrote in message
> news:240F9B64-82AF-404E-960F-539615715768@microsoft.com...
> >
> >
> > "Dave Onex" wrote:
> >
> > >
> > > "PA Bear [MS MVP]" <PABearMVP@gmail.com> wrote in message
> > > news:O7ySBXgFJHA.3392@TK2MSFTNGP06.phx.gbl...
> > > > Always state your full Windows version (e.g., WinXP SP3) when posting to
> > > > this newsgroup, please.
> > > >
> > > > What anti-virus application or security suite is installed? What
> > > > anti-spyware applications (other than Defender)? What third-party
> > > > firewall (if any)?
> > > > --
> > > > ~Robear Dyer (PA Bear)
> > > > MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
> > > > AumHa VSOP & Admin http://aumha.net
> > > > DTS-L http://dts-l.net/
> > > >
> > > >
> > > > Dave Onex wrote:
> > > > > I'm troubleshooting a problem with my laptop's hard drive not going to
> > > > > sleep after 5 minutes. To that end I broke out Process Monitor to take a
> > > > > look at what is accessing the hard drive.
> > > > >
> > > > > What I'm finding is repeated attempts to CreateFile;
> > > > >
> > > > > C:\Documents and Settings\All Users\Application
> > > > > Data\Microsoft\Provisioning\store.xml
> > > > >
> > > > > that results in a NAME NOT FOUND error or NAME COLLISION. I actually
> > > > > created a store.xml file in that directory thinking that would make it go
> > > > > away - it hasn't.
> > > > >
> > > > > Does anyone know why svchost.exe is continually trying to create a file
> > > > > called store.xml and how can I stop it?
> > > >
> > >
> > > Hi Robear;
> > >
> > > It's XP Pro SP#3 with all updates. There are no anti-virus applications
> > > installed.
> > >
> > > I've been using Process Monitor to show each (and all) applications that are
> > > accessing the drive in real-time. The only thing left is the Wireless
> > > Network Provisioning service (that's been disabled) trying to access
> > > C:\Documents and Settings\All
> > > Users\Application\Data\Microsoft\Provisioning\store.xml
> > >
> > > As far as we can see it shouldn't be doing that given that the service is
> > > disabled. I've confirmed it in another fashion - by turning off the WiFi
> > > card it stops trying to write/create/access that file.
> > >
> > > Thanks;
> > > Dave

> Hi guys;
>
> I don't know how we got sidetracked into this whole spyware/firewall issue
> when the issue has been that the hard drive fails to power down due to
> writes to C:\Documents and Settings\All
> Users\Application\Data\Microsoft\Provisioning\store.xml by the wireless
> provisioning service.
>
> =>That's the issue - not a malware infection. <=
>
> If you must know the system runs behind ISA 2004 and the notebook does have
> its native firewall enabled as well. It's not infected - period.
> We've been sidetracked by Pa Bear so let's come back to the original issue
> at hand:
>
> Why is ProcMon reporting access to C:\Documents and Settings\All
> Users\Application\Data\Microsoft\Provisioning\store.xml by the wireless
> provisioning service when the service is disabled?
>
> If you'll read my previous post this activity stops if I remove the wireless
> card. So, again,
>
> Why is ProcMon reporting access to C:\Documents and Settings\All
> Users\Application\Data\Microsoft\Provisioning\store.xml by the wireless
> provisioning service when the service is disabled?
> And more importantly, how can I stop this behavior?
>
> Thanks;
> Dave
>
> BTW, I have a really great spyware/virus section
> (http://www.asksomeone.net/forums/index.php?showforum=20) here. There's a
> lot of great reference material there :-)


Do you know the ISA has the feature to connect to WPS and update the
Xml file and also the DHCP?
The store.xml checks for a new domain or updates the data with the ISA and DHCP
server; this is why you are getting the activity.
Also if you have the roaming profile on this machine enabled and the
Bluetooth connection and previously connected to a hotspot wifi station?
Try to disable it in the registry in:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services =
And also in the policies:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Policy

Name the new value EnableWPSCompatibility and set the data value to 1 to
enable it. You can disable it by setting the value to 0.
Rename the Store.xml to Store.xml.old and reboot your machine and see if
the ProcMon will show activities for the WNP service.
Make sure you are logged in as admin to perform these steps and disable the service.
BTW, is the service still disabled in the Services control panel or enabled
back again?
Let us know your wireless make/model and the laptop model and what wireless
management utility you are using, is it the W Card or the Windows WZC, in your
next post if the above didn't help.
 
Re: svchost.exe & store.xml - Laptop Hard Drive

In article <Amezk.256$W06.65@flpi148.ffdc.sbc.com>, toidi@tpap.com
says...
> Ignore any posts made by the Stalker Leythos, he's still in love with me.
> He started stalking me after I spurned his advances towards me.
> He said he would stop Stalking me If I stopped mentioning his name.
> As you can see that does not work. He is a sick obsessive STALKER.
>


Stalking, even in usenet is a crime, there are enough pages from your
filthy site to prove you're stalking me in your posts, I have them
documented and certified authentic - it's your call now Stalker.

--
Leythos - spam999free@rrohio.com (remove 999 to email me)
Public Service Warning: Learn about PCButts before you trust:
http://www.velocityreviews.com/forums/t513604-author-of-removeit.html
http://www.google.com/search?hl=en&q=pcbutts1+thief
 
Re: svchost.exe & store.xml - Laptop Hard Drive

Edited in-line...

> Do you know the ISA has the feature to connect to WPS and update the
> Xml file and also the DHCP?
> The store.xml checks for a new domain or updates the data with the ISA and
> DHCP server; this is why you are getting the activity.


I think you might be confusing IAS (Internet Authentication Service) with
ISA (Internet and Security Accelerator)
I'm not using IAS or Radius for authentication.


> Also if you have the roaming profile on this machine enabled and the
> Bluetooth connection and previously connected to a hotspot wifi station?
> Try to disable it in the registry in:
> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services =
> And also in the policies:
> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Policy
>
> Name the new value EnableWPSCompatibility and set the data value to 1 to
> enable it. You can disable it by setting the value to 0.
> Rename the Store.xml to Store.xml.old and reboot your machine and see if
> the ProcMon will show activities for the WNP service.


This machine is using a local profile - I believe the other settings relate
to IAS (which we're not using)

> Make sure you are logged in as admin to perform these steps and disable the
> service.
> BTW, is the service still disabled in the Services control panel or
> enabled back again?


Yes, even with the service disabled there is still activity to that file.
Upon closer examination though I'm not seeing disk activity (the HDD light)
when that file is accessed.
After watching the laptop for some time it seems to be powering down the
drive now :-)
I think it may be fixed and that the access to that file is not actually
accessing the disk (even though Procmon shows that it is).

> Let us know your wireless make/model and the laptop model and what
> wireless management utility you are using, is it the W Card or the Windows
> WZC, in your next post if the above didn't help.
>


For future reference it's a Presario 900 with a LinkSys WPC54GX4 PCMCIA wifi
card.
Only the driver is loaded for the card (no other software) and I'm using
WZC.

I think the issue might be fixed. Even though Procmon still shows regular
access (about once each minute) to C:\Documents and Settings\All
Users\Application Data\Microsoft\Provisioning\store.xml it might be
accessing cached data as opposed to operating the drive.

Either way, the laptop is powering down the hard drive so I think we're all
set :-) Thanks very much for your help with this Nass!

Best;
Dave
 