odd entries in userenv.log

J

John Smith

Hi all,

Running XP SP2 and have some odd entries in
C:\WINDOWS\Debug\UserMode\userenv.log file.

The log is full of THOUSANDS of entries following this pattern:

USERENV(354.424) 12:01:26:046 ProcessAutoexec: Cannot process autoexec.bat.
USERENV(354.424) 12:01:29:046 ProcessAutoexec: Cannot process autoexec.bat.
USERENV(354.424) 12:01:32:062 ProcessAutoexec: Cannot process autoexec.bat.
USERENV(354.424) 12:01:35:062 ProcessAutoexec: Cannot process autoexec.bat.
USERENV(354.424) 12:01:38:062 ProcessAutoexec: Cannot process autoexec.bat.

The are several every minute. The only thing that changes is the timestamp.

Running XP I don't have an autoexec.bat file and I can't imagine what would
be needing to access it --particularly every few seconds.

Anyone out there have an explanation for this?

Thanks.
 
M

Mark L. Ferguson

I would guess some virus or spyware was trying to write itself to that file.
 
J

John Smith

I thought that too at first, but the machine is about as clean as one can
get. Full scan of Norton antivirus (latest definitions) in safe mode turned
up clean... spybot, adaware and MS anti-spyware beta all turn up clean. No
weird BHO's or other crud. I run firefox and am a fairly advanced computer
user so I don't think it's that. Plus, if it was a virus, I can't imagine
that it would be logged by userenv as a system process.

If I create an empty autoexec.bat file in the root folder of the C:\ drive
the error goes away. Nothing ever modifies the file, though. Remove the
file and the error returns.
 
D

David Candy

You answered your own question. You hid autoexec.bat from windows. Dos and Win16 programs may expect it. It's processed after all other environmental commands at logon not boot.
 
J

John Smith

Yes, I understand that. My question is WHAT is using it. I don't run any
DOS or Win16 programs -- and they wouldn't be aware of userenv to log to it
anyway. My point is that XP does no create nor need an autoexec.bat file on
a clean install, so what could possible be polling for it every few seconds?


"David Candy" <.> wrote in message
You answered your own question. You hid autoexec.bat from windows. Dos and
Win16 programs may expect it. It's processed after all other environmental
commands at logon not boot.
 
D

David Candy

XP is. UserEnv.dll. You expect this if you hide the autoexec from it. That's why it's in the userenv log because userenv looks for it at every logon for every user. Entries in it replace all other ways of specifing variables.
 
J

John Smith

I actually went over to the GRC newsgroups and someone figured it out. The
354 marker in the original log entries is a hex value for process the ID
that made the entry. On my machine that PID is for Sygate Personall
Firewall Pro. So it was NOT native XP components looking for the file. Now
I am curious why the hell my firewall would be polling for that file every
few seconds.

----

"David Candy" <.> wrote in message
XP is. UserEnv.dll. You expect this if you hide the autoexec from it. That's
why it's in the userenv log because userenv looks for it at every logon for
every user. Entries in it replace all other ways of specifing variables.
 
D

David Candy

Something you say is not true. What exactly I don't know. Post the surrounding lines. But I'm out for next 3 1/2 hours (watch the sun rise at the beach).
 
J

John Smith

OK. This is an example of on of the entries in userenv.log:

USERENV(354.424) 12:01:26:046 ProcessAutoexec: Cannot process
autoexec.bat.

All entries are exactly the same execpt the time stamp is different.
According to those in the know (supposedly), the "354" section of the entry
is a hex value for the PID that generated the error in the log. In my case
that PID comes back to smc.exe, which is Sygate Personall Firewall Pro.

As I posted previously, if I create an empty autoexec.bat file in the root
folder of my C:\ driver the error stops occurring. If I remove my empty
autoexec.bat file the error will again start logging in userenv.log every
few seconds. If I shut down the Sygate firewall the errors stop, even with
the autoexec.bat file still nonexistant.

I still have no idea why the firewall would be polling for the file.




"David Candy" <.> wrote in message
Something you say is not true. What exactly I don't know. Post the
surrounding lines. But I'm out for next 3 1/2 hours (watch the sun rise at
the beach).
 
D

David Candy

The thing is every computer has those entries if no autoexec. I monitered autoexec's file access while switching users. I show lsass (that's the security system) and msmsgs (that's MS Messenger) accessing the autoexec.

All this means is some program is being blamed for accessing autoexec when it isn't. Yours show sysgate, mine shows messenger. Yet I doubt either is. Yet both are being started at this time. I'll stick with original explanation. It's normal.

This does not surprise me. Windows has trouble monitoring itself for security reason, performance reasons, and for long lost historical reasons.
 
D

David Candy

Disable sysgate and see if it morphs to a different program.

--
----------------------------------------------------------
http://www.uscricket.com
"David Candy" <.> wrote in message The thing is every computer has those entries if no autoexec. I monitered autoexec's file access while switching users. I show lsass (that's the security system) and msmsgs (that's MS Messenger) accessing the autoexec.

All this means is some program is being blamed for accessing autoexec when it isn't. Yours show sysgate, mine shows messenger. Yet I doubt either is. Yet both are being started at this time. I'll stick with original explanation. It's normal.

This does not surprise me. Windows has trouble monitoring itself for security reason, performance reasons, and for long lost historical reasons.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top