Spurious RunOnce value insertion

Matti Lamprhey

[I'm running Win XP SP2, which I assume is within the ambit of this
group -- if not, please suggest where else I should try!]

Recently when starting up WinXP I've been getting an error message as
the desktop is displayed -- it seems to happen on about 25% of startups
but I haven't deduced the pattern yet. The message says that
Y:\Setup.exe is not found. The Y: drive is my primary optical drive.
By searching the Registry I've found that this is being triggered by a
value in HKEY_LOCAL_MACHINE\...\RunOnce named HP_AIO_SETUP_MUTEX and
with the command line Y:\Setup.exe. I delete the key each time this
happens, but the problem is that something is occasionally putting it
back in!

I've not been running any HP setup software during this period -- the
last time I did so was around 10 days before this problem first
occurred. I have recently installed Webroot's SpySweeper and Desktop
Firewall, and Norton AntiVirus 2006.

Does anyone have any ideas how I can track this down?

Matti
 
Dave Patrick

You might look through these.

http://www.google.com/search?q=HP_AIO_SETUP_MUTEX&hl=en&lr=lang_en&newwindow=1&filter=0

--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

 
Matti Lamprhey

Thanks -- I checked through those but couldn't find anything definitive
to take action on. I'll carry on investigating.

Matti
 
Mark V

Matti Lamprhey said:
> [I'm running Win XP SP2, which I assume is within the ambit of
> this group -- if not, please suggest where else I should try!]
>
> Recently when starting up WinXP I've been getting an error
> message as the desktop is displayed -- it seems to happen on
> about 25% of startups but I haven't deduced the pattern yet.
> The message says that Y:\Setup.exe is not found. The Y: drive
> is my primary optical drive. By searching the Registry I've
> found that this is being triggered by a value in
> HKEY_LOCAL_MACHINE\...\RunOnce named HP_AIO_SETUP_MUTEX and with
> the command line Y:\Setup.exe. I delete the key each time this
> happens, but the problem is that something is occasionally
> putting it back in!
>
> I've not been running any HP setup software during this period
> -- the last time I did so was around 10 days before this problem
> first occurred. I have recently installed Webroot's SpySweeper
> and Desktop Firewall, and Norton AntiVirus 2006.
>
> Does anyone have any ideas how I can track this down?

"Watch" that key using Sysinternals REGMON.EXE and you may find
_when_ it gets written and _what_ process wrote it. Possibly it is
written on a schedule and further that might be a Sched. Task.

Look for other components of HP software that execute every boot or
every logon. Possibly a shortcut in a Startup folder.
 
Matti Lamprhey

Mark V said:
> "Watch" that key using Sysinternals REGMON.EXE and you may find
> _when_ it gets written and _what_ process wrote it. Possibly it is
> written on a schedule and further that might be a Sched. Task.

Thanks! I've dl'd the latest version of Regmon (7.03) and (so far) it's
shown nothing odd happening to RunOnce while I'm logged in. I have
established that I can reproduce the problem by checking (with RegEdit)
that the Mutex value isn't there immediately prior to a reboot but gets
inserted during the reboot. I've tried Regmon's boot-time logging
option, but it isn't working for me. Checking with sysinternals' Forum,
it seems that there's a problem with this option with the current
version of Regmon - just my luck!

> Look for other components of HP software that execute every boot or
> every logon. Possibly a shortcut in a Startup folder.

I'll try this.

Matti
 
Mark V

Matti Lamprhey said:
> Thanks! I've dl'd the latest version of Regmon (7.03) and (so
> far) it's shown nothing odd happening to RunOnce while I'm
> logged in. I have established that I can reproduce the problem
> by checking (with RegEdit) that the Mutex value isn't there
> immediately prior to a reboot but gets inserted during the
> reboot. I've tried Regmon's boot-time logging option, but it
> isn't working for me. Checking with sysinternals' Forum, it
> seems that there's a problem with this option with the current
> version of Regmon - just my luck!

While I have not tested this in version 7.03 I think (the thread I
read) was user error. On Log Boot Regmon is still running after
login (Administrator auth. required of course). Either reboot
again or start Regmon and then close it. No promises. I will try
to test it later. W2K here.

> I'll try this.

Somewhat more common nowadays for software to put something in a
startup folder for one purpose (pre-load DLLs perhaps) and then do
"other stuff on the side" as well...

Also suggest various HP support groups/fora as this may be "well
known" and even fix-able.
 
Matti Lamprhey

Mark V said:
> While I have not tested this in version 7.03 I think (the thread I
> read) was user error. On Log Boot Regmon is still running after
> login (Administrator auth. required of course). Either reboot
> again or start Regmon and then close it. No promises. I will try
> to test it later. W2K here.

User error?? The way I read that thread, the problem has been confirmed
in the most recent versions of Regmon. I have Admin authority, and the
regmon.log file is not being created in my systemroot directory or
anywhere else for that matter.

Matti
 
Mark V

Matti Lamprhey said:
> User error?? The way I read that thread, the problem has been

I read the wrong thread... Sorry.
The thread in question all is pre current release...

> confirmed in the most recent versions of Regmon. I have Admin
> authority, and the regmon.log file is not being created in my
> systemroot directory or anywhere else for that matter.

Just to be sure, download fresh and regmon.exe should be

Regmon.exe 427584 2006-07-14 09:18:12
Regmon.exe is version 7.3.0.0 (7.300)
72194758c23d8970cc75f7d27cf8a402 *Regmon.exe

Check it by MD5 since a "7.03" was released at least twice.

FWIW it works here exactly as expected and yields a log of approx
30MB. W2K, SP4+ (I have no XP or W2K3 here) No A-V or other Real-
Time utils running at the time. And especially no process/reg/file
monitors blocking the changes.

Otherwise I do not know but you should post in their forum with
details and/or email Mark R. directly with same.

I'll walk through the registry changes it makes to work for a Boot-
time log if necessary.

General procedure: Close other running apps and any R-T monitor
utils. Run Regmon, check the "Log Boot" option, dismiss the
dialog, close it, restart system. After login (to stop the
logging), run Regmon and confirm or uncheck the option and close
Regmon.
 
Matti Lamprhey

Mark V said:
> [...]
> General procedure: Close other running apps and any R-T monitor
> utils. Run Regmon, check the "Log Boot" option, dismiss the
> dialog, close it, restart system. After login (to stop the
> logging), run Regmon and confirm or uncheck the option and close
> Regmon.

User error in my case, then! I didn't realize that last step was
necessary, and having taken it I now have a 92MB REGMON.LOG file to
examine.

Interesting -- I can see the rogue value being added to HKLM\...\RunOnce
and then having its presence verified. Considering that this behaviour
smells of spyware, the process which is exhibiting it is rather
surprising! I'll say no more until its authors have responded to my
e-mail about it ...

Thank you VERY MUCH for your patient assistance on this.

Matti
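
One way to triage a large boot-time Regmon log such as the REGMON.LOG described in the post above, as an added example that is not part of the original thread: it lists which process wrote or deleted a RunOnce value and with what data. The tab-separated column order and the request names (`SetValue`, `DeleteValueKey`) are assumptions about the log layout, and the sample lines, process names and PIDs are constructed placeholders.

```python
import re

# ASSUMED layout of a Regmon text log: tab-separated, in this column order.
COLUMNS = ("seq", "time", "process", "request", "path", "result", "other")
WRITE_OPS = {"SetValue", "DeleteValueKey"}  # assumed Regmon request names
# Matches a value directly under any key named RunOnce, whatever the prefix.
RUNONCE_VALUE = re.compile(r"\\RunOnce\\([^\\]+)$", re.IGNORECASE)

# Constructed sample lines; process names, PIDs and times are placeholders.
KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
VAL = KEY + r"\HP_AIO_SETUP_MUTEX"
SAMPLE_LOG = "\n".join("\t".join(f) for f in [
    ("101", "3.20", "winlogon.exe:540", "OpenKey", KEY, "SUCCESS", ""),
    ("102", "9.87", "placeholder_svc.exe:1180", "SetValue", VAL, "SUCCESS", r'"Y:\Setup.exe"'),
    ("103", "9.88", "placeholder_svc.exe:1180", "QueryValue", VAL, "SUCCESS", r'"Y:\Setup.exe"'),
    ("104", "41.05", "explorer.exe:1660", "DeleteValueKey", VAL, "SUCCESS", ""),
    ("105", "41.06", "explorer.exe:1660", "SetValue", VAL, "ACCESS DENIED", ""),
    ("106 truncated line",),
])

def parse(log_text):
    """Yield a dict per well-formed line; skip blank or truncated lines."""
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) < len(COLUMNS):
            continue
        row = dict(zip(COLUMNS, fields))
        image, sep, pid = row["process"].rpartition(":")
        row["image"], row["pid"] = (image, pid) if sep else (row["process"], "")
        yield row

def runonce_writes(log_text, value_name=None):
    """Successful writes or deletes of RunOnce values, in log order."""
    hits = []
    for row in parse(log_text):
        m = RUNONCE_VALUE.search(row["path"])
        if not m or row["request"] not in WRITE_OPS or row["result"] != "SUCCESS":
            continue
        if value_name and m.group(1).lower() != value_name.lower():
            continue
        hits.append({"time": row["time"], "image": row["image"], "pid": row["pid"],
                     "op": row["request"], "value": m.group(1), "data": row["other"].strip('"')})
    return hits

def writers(hits):
    """Group hits by process image so the responsible program stands out."""
    grouped = {}
    for h in hits:
        grouped.setdefault(h["image"], []).append((h["op"], h["value"], h["data"]))
    return grouped
```

On a real log, read the file as text and pass its contents to `runonce_writes`; reads such as `QueryValue` are filtered out, so only the processes that changed the value remain.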
 
Mark V

Matti Lamprhey said:
> Mark V said:
> [...]
>> General procedure: Close other running apps and any R-T
>> monitor utils. Run Regmon, check the "Log Boot" option,
>> dismiss the dialog, close it, restart system. After login (to
>> stop the logging), run Regmon and confirm or uncheck the option
>> and close Regmon.
>
> User error in my case, then! I didn't realize that last step
> was necessary, and having taken it I now have a 92MB REGMON.LOG
> file to examine.
>
> Interesting -- I can see the rogue value being added to
> HKLM\...\RunOnce and then having its presence verified.
> Considering that this behaviour smells of spyware, the process
> which is exhibiting it is rather surprising! I'll say no more
> until its authors have responded to my e-mail about it ...
>
> Thank you VERY MUCH for your patient assistance on this.

You are very welcome, hope it will be useful in the future and
"pass it on" at opportunity.
 
