Hello all,

I've seen this mysterious service get sent the start control, and I'm
having a very hard time tracking down what this is. I've seen a
couple other people post questions on places like experts exchange and
the like, but no one seems to be able to shed any light on it. So, I
took a stab at it, and I didn't get a definitive answer, but I did get
some clues.

First, the symptoms. This service only seems to get started when I'm
playing my favorite game, Battlefield 2142. It caught my attention
because I kept on getting disconnected from online play, and after
looking through the system logs, I found the 3F8AB4CH service being
sent the start control, and it coincided with the disconnects:

Event Type: Information
Event Source: Service Control Manager
Event Category: None
Event ID: 7035
Date: 12/30/2006
Time: 2:16:28 AM
User: KATSUMOTO\Dom
Computer: KATSUMOTO
Description:
The 3f8ab4ch service was successfully sent a start control.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


The service was not listed in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services. So, I started
filemon and regmon, filtered for 3F8AB4CH, and started the game back
up. When I exited, I found that the service is dynamically created,
and deleted, while in the game. Regmon logged a lot, but here's a
couple highlights:

1 169.53678894 services.exe:420 CreateKey
HKLM\System\CurrentControlSet\Services\3f8ab4ch SUCCESS Access:
0x2001F

5 169.54185486 services.exe:420 SetValue
HKLM\System\CurrentControlSet\Services\3f8ab4ch\ImagePath SUCCESS
"\??\C:\DOCUME~1\Dom\LOCALS~1\Temp\8YB83B"

30 169.55377197 services.exe:420 SetValue
HKLM\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_3F8AB4CH\0000\ClassGUID
SUCCESS "{8ECC055D-047F-11D1-A537-0000F8753ED1}"

136 169.67526245 services.exe:420 SetValue
HKLM\System\CurrentControlSet\Services\3f8ab4ch\DeleteFlag SUCCESS
0x1

481 1629.92932129 services.exe:420 DeleteKey
HKLM\System\CurrentControlSet\Services\3f8ab4ch SUCCESS Key:
0xE1905388

So this thing is obviously supposed to be hidden. Next, since the
image (executable) was being launched (and deleted) from my temp
directory, I removed the delete permission on it. I went into the
game, played for a while, and when I came out, the file referenced in
the regmon log was still there. I opened it up with a hex editor, but
it offered no clues to its origins.

I suspect this may be part of punk buster, but I'm not sure. That GUID
it referenced points to AFD, which is a valid Microsoft service, AFD
Networking Support Environment.

If someone has any more info on this, please post! Thanks!

Anyway, if anyone wants to look at the image file:
http://rapidshare.com/files/9495800/8Yb83B.zip.html

Cheers-

Dom

Just a follow up, I'm pretty sure this is punk buster. I submitted an
online ticket to see if they will verify, and I'll follow up if I get a
response.


Dom



On Sat, 30 Dec 2006 03:41:36 -0500, dom wrote:

> Hello all,
>
> I've seen this mysterious service get sent the start control, and I'm
> having a very hard time tracking down what this is. I've seen a
> couple other people post questions on places like experts exchange and
> the like, but no one seems to be able to shed any light on it. So, I
> took a stab at it, and I didn't get a definitive answer, but I did get
> some clues.
>
> First, the symptoms. This service only seems to get started when I'm
> playing my favorite game, Battlefield 2142. It caught my attention
> because I kept on getting disconnected from online play, and after
> looking through the system logs, I found the 3F8AB4CH service being
> sent the start control, and it coincided with the disconnects:
>
> Event Type: Information
> Event Source: Service Control Manager
> Event Category: None
> Event ID: 7035
> Date: 12/30/2006
> Time: 2:16:28 AM
> User: KATSUMOTO\Dom
> Computer: KATSUMOTO
> Description:
> The 3f8ab4ch service was successfully sent a start control.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
>
> The service was not listed in
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services. So, I started
> filemon and regmon, filtered for 3F8AB4CH, and started the game back
> up. When I exited, I found that the service is dynamically created,
> and deleted, while in the game. Regmon logged a lot, but here's a
> couple highlights:
>
> 1 169.53678894 services.exe:420 CreateKey
> HKLM\System\CurrentControlSet\Services\3f8ab4ch SUCCESS Access:
> 0x2001F
>
> 5 169.54185486 services.exe:420 SetValue
> HKLM\System\CurrentControlSet\Services\3f8ab4ch\ImagePath SUCCESS
> "\??\C:\DOCUME~1\Dom\LOCALS~1\Temp\8YB83B"
>
> 30 169.55377197 services.exe:420 SetValue
> HKLM\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_3F8AB4CH\0000\ClassGUID
> SUCCESS "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
>
> 136 169.67526245 services.exe:420 SetValue
> HKLM\System\CurrentControlSet\Services\3f8ab4ch\DeleteFlag SUCCESS
> 0x1
>
> 481 1629.92932129 services.exe:420 DeleteKey
> HKLM\System\CurrentControlSet\Services\3f8ab4ch SUCCESS Key:
> 0xE1905388
>
> So this thing is obviously supposed to be hidden. Next, since the
> image (executable) was being launched (and deleted) from my temp
> directory, I removed the delete permission on it. I went into the
> game, played for a while, and when I came out, the file referenced in
> the regmon log was still there. I opened it up with a hex editor, but
> it offered no clues to its origins.
>
> I suspect this may be part of punk buster, but I'm not sure. That GUID
> it referenced points to AFD, which is a valid Microsoft service, AFD
> Networking Support Environment.
>
> If someone has any more info on this, please post! Thanks!
>
> Anyway, if anyone wants to look at the image file:
> http://rapidshare.com/files/9495800/8Yb83B.zip.html
>
> Cheers-
>
> Dom