Perfmon

Guest

Is perfmon.exe a critical system file?
Or would the computer still be able to boot properly if the file has been
removed from the system (including the registry entries, all of them
regarding perfmon)?

Situation:
Windows Server 2003, had a virus attack; the junior administrator deleted the
virus "perfhmon.exe" from the system and all registry entries, but in doing
so also deleted the legitimate "perfmon.exe" and its registry entries.
I would like to know how I may be able to re-install the files and their
corresponding registry entries.

Any help would be greatly appreciated.
 
Machine should boot fine.

Windows File Protection should replace a perfmon.exe deleted from
%windir%\system32 with a copy from %windir%\system32\dllcache.

However if perfmon.exe is deleted from %windir%\system32\dllcache first,
that won't happen.

On XP Pro CD perfmon.exe is PERFMON.EX_ in the I386 folder.

I would assume that it is similar in 2003.

Expand PERFMON.EX_ from I386 folder to %windir%\system32

Expand PERFMON.EX_ from I386 folder to %windir%\system32\dllcache
or copy perfmon.exe from %windir%\system32 and paste in
%windir%\system32\dllcache

There is also a perfmon.msc, perfmon.ms_ on the CD. Same deal.

Expand PERFMON.EX_ from I386 folder to %windir%\system32

perfmon.exe should be in %windir%\system32 and %windir%\system32\dllcache


--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

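The restore procedure above, as an added PowerShell example (not code from the thread or from Microsoft): it checks whether perfmon.exe and perfmon.msc are present in both %windir%\system32 and the dllcache folder, expands any missing copy from the I386 folder of the installation media with the built-in expand.exe, and then compares the two copies so that a mismatched file in dllcache (which Windows File Protection would copy back over system32) is noticed. The I386 path is an assumed placeholder; the file-to-folder mapping is the one Wes describes.

```powershell
# Added example: verify and restore perfmon.exe / perfmon.msc from installation media.
# Assumptions: $I386 is the I386 folder of the install CD (placeholder drive letter),
# and the machine is Windows XP/2003, where %windir%\system32\dllcache is the WFP cache.
param(
    [string]$I386 = 'D:\I386'   # placeholder: adjust to the CD drive or a copied I386 folder
)

$system32 = Join-Path $env:windir 'system32'
$dllcache = Join-Path $system32 'dllcache'

# Compressed name on the CD -> expanded name under system32
$files = @{
    'PERFMON.EX_' = 'perfmon.exe'
    'PERFMON.MS_' = 'perfmon.msc'
}

function Get-Sha256Hex([string]$Path) {
    # Manual SHA-256 so the script also works on old PowerShell versions without Get-FileHash.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $stream.Close()
    }
}

foreach ($entry in $files.GetEnumerator()) {
    $source = Join-Path $I386 $entry.Key
    foreach ($dir in @($system32, $dllcache)) {
        $target = Join-Path $dir $entry.Value
        if (Test-Path $target) {
            Write-Host "present:  $target"
            continue
        }
        if (-not (Test-Path $source)) {
            Write-Warning "missing: $target, and no $source to restore it from"
            continue
        }
        # expand.exe is the built-in tool that decompresses *.EX_ / *.MS_ files from the CD.
        & expand.exe $source $target | Out-Null
        Write-Host "restored: $target from $source"
    }

    # Both copies should be byte-identical: WFP silently restores system32 from dllcache,
    # so a different (or tampered) file in dllcache would be propagated into system32.
    $a = Join-Path $system32 $entry.Value
    $b = Join-Path $dllcache $entry.Value
    if ((Test-Path $a) -and (Test-Path $b)) {
        if ((Get-Sha256Hex $a) -ne (Get-Sha256Hex $b)) {
            Write-Warning "$($entry.Value): system32 and dllcache copies differ; re-expand both from the CD"
        }
    }
}
```

Run it from an elevated prompt as `.\Restore-Perfmon.ps1 -I386 E:\I386` (script name and drive letter are placeholders). After a malware cleanup it is worth comparing the resulting hashes against the same files on a known-clean machine of the same service pack level, since the CD copy predates any later hotfix.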
 
Thanks Wesley.

That is a huge relief, but I still have a huge concern about the registry
entries that were removed (all "perfmon" entries were removed from the
registry). Is there any way to restore them from the Windows CD? (No backup
available.)
 
Beats me. Does the Event Viewer work? Does the Performance (perfmon.msc)
snap-in work?

{72967903-68EC-11D0-B729-00AA0062CBB7} = WBEM PerfMon Property Provider
{F00B4404-F8F1-11CE-A5B6-00AA00680C3F} = WBEM PerfMon Instance Provider
Search of my registry for perfmon.
HKEY_CLASSES_ROOT\Applications\perfmon.exe
HKEY_CLASSES_ROOT\CLSID\{72967903-68EC-11D0-B729-00AA0062CBB7}
HKEY_CLASSES_ROOT\CLSID\{F00B4404-F8F1-11CE-A5B6-00AA00680C3F}
HKEY_CLASSES_ROOT\PerfFile\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\perfmon.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72967903-68EC-11D0-B729-00AA0062CBB7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F00B4404-F8F1-11CE-A5B6-00AA00680C3F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PerfFile\shell\open\command
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application
Sources
REG_MULTI_SZ
WSH
WMIAdapter
WmdmPmSN
WinMgmt
Winlogon
Windows Product Activation
Windows 3.1 Migration
WebClient
VSS
VBRuntime
Userinit
Userenv
UploadM
UPHClean
Tlntsvr
SysmonLog
SpoolerCtrs
Software Installation
SclgNtfy
SceSrv
SceCli
safrslv
SAFrdms
PerfProc
PerfOS
PerfNet
Perfmon
Perflib
PerfDisk
Perfctrs
Offline Files
Oakley
Ntbackup.ini
ntbackup
NeroCheck
MsiInstaller
MSDTC Client
MSDTC
mnmsrvc
Microsoft Office 10
Microsoft H.323 Telephony Service Provider
LoadPerf
HelpSvc
Folder Redirection
File Deployment
EventSystem
ESENT
EAPOL
DrWatson
DiskQuota
DataDynamics ActiveBar 1.0
crypt32
COM+
Ci
Chkdsk
Avg7UpdSvc
Avg7Alrt
AVG7
AutoEnrollment
Autochk
Application Management
Application Hang
Application Error
Application
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\Perfmon
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\Application
same as ControlSet001\Services\Eventlog\Application
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\Application\Perfmon
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application
same as ControlSet001\Services\Eventlog\Application
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\Perfmon


--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

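A read-only check for the registry entries Wes lists, as an added PowerShell example (not from the thread): it tests each key, checks that "Perfmon" is still one of the strings in the Application event log's Sources REG_MULTI_SZ, and prints the InprocServer32 path of each of the two CLSIDs so that a key pointing somewhere unexpected stands out. It creates nothing. The InprocServer32 layout is standard COM registration, not something the thread states, and is noted as an assumption in the code.

```powershell
# Added example: report which perfmon-related registry entries are missing.
# Key paths are the ones listed in the thread; nothing is written to the registry.

$clsids = @(
    '{72967903-68EC-11D0-B729-00AA0062CBB7}',   # WBEM PerfMon Property Provider
    '{F00B4404-F8F1-11CE-A5B6-00AA00680C3F}'    # WBEM PerfMon Instance Provider
)

# HKCR is not a default PowerShell drive, so the Registry:: provider prefix is used for it.
$keys = @(
    'Registry::HKEY_CLASSES_ROOT\Applications\perfmon.exe',
    'Registry::HKEY_CLASSES_ROOT\PerfFile\shell\open\command',
    'HKLM:\SOFTWARE\Classes\Applications\perfmon.exe',
    'HKLM:\SOFTWARE\Classes\PerfFile\shell\open\command',
    'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Application\Perfmon'
)
foreach ($c in $clsids) {
    $keys += "Registry::HKEY_CLASSES_ROOT\CLSID\$c"
    $keys += "HKLM:\SOFTWARE\Classes\CLSID\$c"
}

$missing = @()
foreach ($k in $keys) {
    if (Test-Path -Path $k) {
        Write-Host "ok       $k"
    } else {
        Write-Host "MISSING  $k"
        $missing += $k
    }
}

# Sources is a REG_MULTI_SZ; PowerShell returns it as a string array.
$eventlog = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Application'
$sources = (Get-ItemProperty -Path $eventlog -Name Sources).Sources
if ($sources -contains 'Perfmon') {
    Write-Host "ok       'Perfmon' is listed in $eventlog\Sources"
} else {
    Write-Host "MISSING  'Perfmon' is not listed in $eventlog\Sources"
    $missing += "$eventlog\Sources (Perfmon)"
}

# Assumption: each CLSID follows the usual COM layout with an InprocServer32 subkey whose
# default value is the DLL path. Printing it lets an unexpected path be spotted by eye.
foreach ($c in $clsids) {
    $inproc = "HKLM:\SOFTWARE\Classes\CLSID\$c\InprocServer32"
    if (Test-Path -Path $inproc) {
        $dll = (Get-ItemProperty -Path $inproc).'(default)'
        Write-Host "CLSID $c -> $dll"
    }
}

Write-Host "$($missing.Count) item(s) missing"
```

The CurrentControlSet path is checked rather than ControlSet001/002 because it is the one the running system uses; the numbered sets are the boot configurations it was copied from. If the Sources check fails, that alone explains a "required entry in the registry is missing" error from a service that registers an event source named Perfmon.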
 
Thanks for your timely response. I will try adding those entries to my
registry and see if it works.

Are the IDs similar to this "72967903-68EC-11D0-B729-00AA0062CBB7" SIDs?
Or are they the same on every installation?

Event Viewer seems to be working fine, and everything else (including
perfmon.msc). The problem I am having is with the "Performance Logs and
Alerts" service. I get the following error when trying to run the service:
"Configuration Manager: A required entry in the registry is missing or an
attempt to write to the registry failed" and "The system cannot find the
file specified".

I ran a search on the system for "perf"; these are what I found.
perfc009.dat
perfci.h
perfci.ini
perfcounter.dll
perfctrs.dll
perfd009.dat
perfdisk.dll
perffilt.h
perffilt.ini
perfh009.dat
perfi009.dat
perfmon.exe
perfmon.msc
perfnet.dll
perfnw.dll
perfos.dll
perproc.dll
perfstingbackup.ini
perfts.dll
perfwci.ini

all located in the system32 folder.
 
They are CLSIDs and they need to be inside the accolades {inside here}.
Short for Class ID. CLSIDs can identify a lot of things, such as special
folders or processes.

{20D04FE0-3AEA-1069-A2D8-08002B30309D} is My Computer
{85BBD920-42A0-1069-A2E4-08002B30309D} is Briefcase

All kinds of things have a CLSID. They are a Globally Unique IDentifier.

For your Configuration Manager problem...

You need to have the Event ID & the Event Source.

To view Windows XP Events and Errors, type the Source (for example, Print)
and/or the Event code (for example, 20) into the ID field, then click the Go
button. Source and Event codes may be found in the Event Viewer logs.

Windows XP Home/Professional Events and Errors
http://www.microsoft.com/technet/su...ows Operating System&MajorMinor=5.1&LCID=1033


--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

 
Solved:
Well, luck had it that we had a power outage for a substantial time.
When the systems came back online the perfmon issues were resolved.
Note that prior to the power outage, the following CLSIDs were re-created
manually (from a separate Windows 2003 Server installation):

HKEY_CLASSES_ROOT\Applications\perfmon.exe
HKEY_CLASSES_ROOT\CLSID\{72967903-68EC-11D0-B729-00AA0062CBB7}
HKEY_CLASSES_ROOT\CLSID\{F00B4404-F8F1-11CE-A5B6-00AA00680C3F}
HKEY_CLASSES_ROOT\PerfFile\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\perfmon.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72967903-68EC-11D0-B729-00AA0062CBB7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F00B4404-F8F1-11CE-A5B6-00AA00680C3F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PerfFile\shell\open\command
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application

The following files were also re-created manually (also from a very old
backup, and again another Windows 2003 Server installation):

perfc009.dat
perfci.h
perfci.ini
perfcounter.dll
perfctrs.dll
perfd009.dat
perfdisk.dll
perffilt.h
perffilt.ini
perfh009.dat
perfi009.dat
perfmon.exe
perfmon.msc
perfnet.dll
perfnw.dll
perfos.dll
perproc.dll
perfstingbackup.ini
perfts.dll
perfwci.ini

The system obviously re-established the connection to the files, and
automatically re-created certain entries for the service.
Whether or not any of my "tampering" solved the problem is unclear; it could
be that Windows will re-create the missing entries as part of the Windows
protected files system (similar to what happens when the WMI entries are
removed).

Thanks Wesley Vogel for all your assistance!!
 
