Jose,
I concur with your logic to test the file integrity of "rstrui.exe" by
copying and renaming.
However, it is not amongst the files covered by Windows File Protection and so would
not appear in the folder:
c:\windows\system32\dllcache
...But, could be copied (expanded) from the i386 folder on the XP installation CD-ROM
(no extra service packs installed):
expand x:\i386\rstrui.ex_ c:\windows\system32\restore\rstrui.exe
(where [x:] is replaced with your CD/DVD drive letter)
...or copied (directly) from the i386 folder within c:\windows\ServicePackFiles
folder (if a service pack has been installed after the original installation):
copy c:\windows\ServicePackFiles\i386\rstrui.exe c:\windows\system32\restore
...then rename it from there.
==
Cheers, Tim Meddick, Peckham, London.
On Aug 7, 2:55 pm,
If c:\windows\system32\restore\rstrui.exe will not run, COPY (not
rename) it to something else - chip09.exe or something like that and
then see if chip09.exe will launch when double clicked, at Start, Run,
or from a command window. This does not change the shortcut of
course.
If chip09.exe launches SR, you are still infected and rstrui.exe is
not being allowed to run.
If chip09.exe does not launch, the executable may be compromised so
search for another copy of rstrui.exe on your system and copy it into
c:\windows\system32\restore. Try again. Copy and try chip09.exe (it
must run in that folder).
c:\windows\servicepackfiles\i386
c:\windows\system32\dllcache
Acknowledged. Likely is the operative word!
It is here on my computer, but not on another - huh... It is for sure
in the servicepackfiles\i386 on all computers I checked.
Before embarking on more time consuming methods, you know my goal is
just to determine if the rstrui.exe is not allowed to run by name
alone or if the executable has been compromised. It must run from the
restore folder of course.
Troubleshooting time for this operation should be very quick and based
on the results, next steps taken.
If the OP has an XP CD, it can be expanded as you indicated. OPs
rarely seem to have this luxury, so I propose options that will not
require it. Expanding will result of course in rstrui.exe which still
may not run because of the name and then copying to a different name
will still need to be done.
Copying rstrui from another PC of the same type would achieve the same
results, but more efficient methods should be tried first.
Your:
copy c:\windows\ServicePackFiles\i386\rstrui.exe c:\windows\system32\restore
...then rename it from there.
is indeed an efficient method. Shades of regedit not launching
(nothing happens!) but a copy works just fine, easy to fix.
The OP has also not reported any results from running chip09.exe
either.
The association to Norton is a different issue altogether. In the
Norton scenario, SR at least launches, SR is executed but then says
restoration is incomplete... I have not read where Norton prevents SR
from launching or creating a new RP.
Here it sounds like SR doesn't even launch, so for the moment, I am
ruling out at least that particular Norton anomaly (which the OP also
says is not installed) - it is not the same symptom and it is not this
problem - provided the problem is being reported accurately...
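
Added example, not part of either post above: a batch file that byte-compares the live rstrui.exe against the two local folders named in the thread, to complement the copy-and-rename test. The script itself and its messages are constructed for illustration; it assumes a default XP layout under %SystemRoot% and uses only the built-in fc command.

```batch
@echo off
rem Added example: compare the live rstrui.exe with local reference copies.
setlocal
set "LIVE=%SystemRoot%\system32\restore\rstrui.exe"
set FOUND=0

if not exist "%LIVE%" (
    echo MISSING: %LIVE%
    goto :end
)

rem Folders mentioned in the thread; either may be absent on a given PC.
call :compare "%SystemRoot%\ServicePackFiles\i386\rstrui.exe"
call :compare "%SystemRoot%\system32\dllcache\rstrui.exe"

if %FOUND%==0 echo No local reference copy found; expand one from the XP CD instead.
goto :end

:compare
if not exist "%~1" (
    echo SKIP: %~1 not present
    goto :eof
)
set FOUND=1
rem fc /b does a binary compare: errorlevel 0 = identical, 1 = different, 2 = read error.
fc /b "%LIVE%" "%~1" >nul
if errorlevel 2 (
    echo ERROR: could not read %~1
) else if errorlevel 1 (
    echo DIFFERENT: live file does not match %~1
) else (
    echo MATCH: live file is identical to %~1
)
goto :eof

:end
endlocal
```

A DIFFERENT result is not proof of tampering on its own, since the reference copy may come from a different service pack level than the live file; a MATCH combined with a renamed copy that launches points to the name being blocked rather than the executable being altered.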