dom
Hello all,
I've seen this mysterious service get sent the start control, and I'm
having a very hard time tracking down what this is. I've seen a
couple other people post questions on places like experts exchange and
the like, but no one seems to be able to shed any light on it. So, I
took a stab at it, and I didn't get a definitive answer, but I did get
some clues.
First, the symptoms. This service only seems to get started when I'm
playing my favorite game, Battlefield 2142. It caught my attention
because I kept on getting disconnected from online play, and after
looking through the system logs, I found the 3F8AB4CH service being
sent the start control, and it coincided with the disconnects:
Event Type: Information
Event Source: Service Control Manager
Event Category: None
Event ID: 7035
Date: 12/30/2006
Time: 2:16:28 AM
User: KATSUMOTO\Dom
Computer: KATSUMOTO
Description:
The 3f8ab4ch service was successfully sent a start control.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
The service was not listed in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services. So, I started
filemon and regmon, filtered for 3F8AB4CH, and started the game back
up. When I exited, I found that the service is dynamically created,
and deleted, while in the game. Regmon logged a lot, but here are a
couple of highlights:
1 169.53678894 services.exe:420 CreateKey
HKLM\System\CurrentControlSet\Services\3f8ab4ch SUCCESS Access:
0x2001F
5 169.54185486 services.exe:420 SetValue
HKLM\System\CurrentControlSet\Services\3f8ab4ch\ImagePath SUCCESS
"\??\C:\DOCUME~1\Dom\LOCALS~1\Temp\8YB83B"
30 169.55377197 services.exe:420 SetValue
HKLM\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_3F8AB4CH\0000\ClassGUID
SUCCESS "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
136 169.67526245 services.exe:420 SetValue
HKLM\System\CurrentControlSet\Services\3f8ab4ch\DeleteFlag SUCCESS
0x1
481 1629.92932129 services.exe:420 DeleteKey
HKLM\System\CurrentControlSet\Services\3f8ab4ch SUCCESS Key:
0xE1905388
So this thing is obviously supposed to be hidden. Next, since the
image (executable) was being launched (and deleted) from my temp
directory, I removed the delete permission on it. I went into the
game, played for a while, and when I came out, the file referenced in
the regmon log was still there. I opened it up with a hex editor, but
it offered no clues to its origins.
I suspect this may be part of PunkBuster, but I'm not sure. That GUID
it referenced points to AFD, which is a valid Microsoft service, AFD
Networking Support Environment.
If someone has any more info on this, please post! Thanks!
Anyway, if anyone wants to look at the image file:
http://rapidshare.com/files/9495800/8Yb83B.zip.html
Cheers-
Dom
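Added example (not code from the post): a small Python triage script that parses Regmon lines of the shape quoted above and flags a service that is created by services.exe, pointed at an image under a Temp directory, marked with DeleteFlag and deleted again within the same trace. It assumes each Regmon entry has been joined onto one line; the sample trace is constructed from the five highlights in the post.

```python
import re
from collections import defaultdict

# One Regmon entry per line: <seq> <seconds> <process>:<pid> <op> <path> <result> [extra]
REGMON_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<t>\d+\.\d+)\s+(?P<proc>\S+?):(?P<pid>\d+)\s+"
    r"(?P<op>\w+)\s+(?P<path>\S+)\s+(?P<result>\w+)(?:\s+(?P<extra>.*))?$"
)
# Key under the Services hive: service name, then an optional value/subkey name
SERVICE_RE = re.compile(
    r"^HKLM\\System\\CurrentControlSet\\Services\\([^\\]+)(?:\\(.+))?$", re.I)
TEMP_RE = re.compile(r"\\Temp\\", re.I)  # image launched out of a Temp directory

# Constructed sample trace: the five entries quoted in the post, one per line.
SAMPLE = r"""
1 169.53678894 services.exe:420 CreateKey HKLM\System\CurrentControlSet\Services\3f8ab4ch SUCCESS Access: 0x2001F
5 169.54185486 services.exe:420 SetValue HKLM\System\CurrentControlSet\Services\3f8ab4ch\ImagePath SUCCESS "\??\C:\DOCUME~1\Dom\LOCALS~1\Temp\8YB83B"
30 169.55377197 services.exe:420 SetValue HKLM\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_3F8AB4CH\0000\ClassGUID SUCCESS "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
136 169.67526245 services.exe:420 SetValue HKLM\System\CurrentControlSet\Services\3f8ab4ch\DeleteFlag SUCCESS 0x1
481 1629.92932129 services.exe:420 DeleteKey HKLM\System\CurrentControlSet\Services\3f8ab4ch SUCCESS Key: 0xE1905388
""".strip()


def analyze_regmon(text):
    """Correlate CreateKey / ImagePath / DeleteFlag / DeleteKey per service name."""
    svcs = defaultdict(dict)
    for line in text.splitlines():
        m = REGMON_RE.match(line)
        if not m or m["result"] != "SUCCESS":
            continue
        s = SERVICE_RE.match(m["path"])
        if not s:  # e.g. the ENUM\ROOT\LEGACY_* key is outside the Services hive
            continue
        name, value = s.group(1).lower(), (s.group(2) or "").lower()
        rec, t, op = svcs[name], float(m["t"]), m["op"]
        if op == "CreateKey" and not value:
            rec["created"] = t
        elif op == "SetValue" and value == "imagepath":
            rec["image_path"] = (m["extra"] or "").strip('"')
        elif op == "SetValue" and value == "deleteflag":
            rec["delete_flag"] = True
        elif op == "DeleteKey" and not value:
            rec["deleted"] = t
    findings = {}
    for name, rec in svcs.items():
        transient = "created" in rec and "deleted" in rec
        in_temp = bool(TEMP_RE.search(rec.get("image_path", "")))
        findings[name] = {
            "transient": transient,
            "lifetime_s": rec["deleted"] - rec["created"] if transient else None,
            "image_path": rec.get("image_path"),
            "image_in_temp": in_temp,
            "delete_flag": rec.get("delete_flag", False),
            "suspicious": transient and in_temp,  # short-lived service run from Temp
        }
    return findings
```

Feeding it a full Regmon export (after joining wrapped lines) lists every service that was registered and removed during the session, so the 3f8ab4ch pattern stands out without knowing the random name in advance.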