svchost.exe & store.xml - Laptop Hard Drive


Dave Onex

Hi Folks;

I'm troubleshooting a problem with my laptop's hard drive not going to sleep
after 5 minutes. To that end I broke out Process Monitor to take a look at
what is accessing the hard drive.

What I'm finding is repeated attempts to CreateFile;

C:\Documents and Settings\All Users\Application
Data\Microsoft\Provisioning\store.xml

that results in a NAME NOT FOUND error or NAME COLLISION. I actually created
a store.xml file in that directory thinking that would make it go away - it
hasn't.

Does anyone know why svchost.exe is continually trying to create a file
called store.xml and how can I stop it?

Thanks!
Dave
 

nass

Dave Onex said:
Hi Folks;

I'm troubleshooting a problem with my laptop's hard drive not going to sleep
after 5 minutes. To that end I broke out Process Monitor to take a look at
what is accessing the hard drive.

What I'm finding is repeated attempts to CreateFile;

C:\Documents and Settings\All Users\Application
Data\Microsoft\Provisioning\store.xml

that results in a NAME NOT FOUND error or NAME COLLISION. I actually created
a store.xml file in that directory thinking that would make it go away - it
hasn't.

Does anyone know why svchost.exe is continually trying to create a file
called store.xml and how can I stop it?

Thanks!
Dave

You can use Filemon to track down the cause of this. Note it can be a
program that needs to access the internet to update or refresh its contacts, like
Messenger or an AV.
FileMon for Windows v7.04
http://technet.microsoft.com/en-us/sysinternals/bb896642.aspx

Background about the Provisioning service:
Wireless Network Provisioning
http://msdn.microsoft.com/en-us/library/ms806463.aspx

You can stop this service from the services control panel and see if that
will help to stop this activity.
HTH,
nass
 

Dave Onex

nass said:
You can use Filemon to track down the cause of this. Note it can be a
program that needs to access the internet to update or refresh its contacts, like
Messenger or an AV.
FileMon for Windows v7.04
http://technet.microsoft.com/en-us/sysinternals/bb896642.aspx

Background about the Provisioning service:
Wireless Network Provisioning
http://msdn.microsoft.com/en-us/library/ms806463.aspx

You can stop this service from the services control panel and see if that
will help to stop this activity.
HTH,
nass

Hi Nass;

Thanks for the reply - after much searching I could find zero information on
this issue although several have reported it.
I am using Process Monitor to see what's accessing the disk - that's how I
found out about C:\Documents and Settings\All Users\Application
Data\Microsoft\Provisioning\store.xml

What I didn't know is what it was related to and thanks to your help I do
:)

I've checked the Network Provisioning Service in XP (Pro) and it was not
running. I've since disabled it but I'm still seeing something (it?) trying
to access/write to C:\Documents and Settings\All Users\Application
Data\Microsoft\Provisioning\store.xml

I'm sure we're on the right track and this is the only thing left that
Process Monitor shows is accessing the disk so it's just a matter of
shutting the darn thing down.

Any other ideas?

Thanks!
Dave
 

PA Bear [MS MVP]

Always state your full Windows version (e.g., WinXP SP3) when posting to
this newsgroup, please.

What anti-virus application or security suite is installed? What
anti-spyware applications (other than Defender)? What third-party firewall
(if any)?
 

Dave Onex

PA Bear said:
Always state your full Windows version (e.g., WinXP SP3) when posting to
this newsgroup, please.

What anti-virus application or security suite is installed? What
anti-spyware applications (other than Defender)? What third-party firewall
(if any)?
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.net/

Hi Robear;

It's XP Pro SP#3 with all updates. There are no anti-virus applications
installed.

I've been using Process Monitor to show each (and all) applications that are
accessing the drive in real-time. The only thing left is the Wireless
Network Provisioning service (that's been disabled) trying to access
C:\Documents and Settings\All
Users\Application\Data\Microsoft\Provisioning\store.xml

As far as we can see it shouldn't be doing that given that the service is
disabled. I've confirmed it in another fashion - by turning off the WiFi
card it stops trying to write/create/access that file.

Thanks;
Dave
 

nass

Dave Onex said:
Hi Robear;

It's XP Pro SP#3 with all updates. There are no anti-virus applications
installed.

I've been using Process Monitor to show each (and all) applications that are
accessing the drive in real-time. The only thing left is the Wireless
Network Provisioning service (that's been disabled) trying to access
C:\Documents and Settings\All
Users\Application\Data\Microsoft\Provisioning\store.xml

As far as we can see it shouldn't be doing that given that the service is
disabled. I've confirmed it in another fashion - by turning off the WiFi
card it stops trying to write/create/access that file.

Thanks;
Dave

Running without AV or a Firewall is not a good idea!
Go through these Cleaning steps:
1... First, try to clean up your caches, Internet files and delete cookies
by doing this:
Click Start >> Control Panel >> Double click Network and Internet
Connections >> Double click Internet Options.
On the IE properties windows you will see these Tabs:
General | Security | Privacy | Content | Connections | Programs |
Advanced
Under General Tab clear your History, Internet Files and Cookies.
Then click on Advanced tab and scroll down to under the Browsing Option:
[&] Browsing
[ ] Enable Third-Party browser extensions (Req Rest) uncheck this box.
Then click on Programs Tab and click Manage Add-Ons and Disable all non
Verified Add-Ons (You should Re-enable them later one-by-one and see the
culprit and update it or remove it).
How to manage Add-Ons:
http://support.microsoft.com/kb/883256
Scan for malware from here:
SuperAntispyware - Free
http://www.superantispyware.com/superantispywarefreevspro.html
http://www.malwarebytes.org/rr-update/rr-free-setup.exe
http://onecare.live.com/site/en-gb/default.htm?s_cid=sah
http://onecare.live.com/standard/en-gb/default.htm

Run a scan from here on-line:
http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
Download Avast Cleaner (offline scanner) from here:
http://www.avast.com/eng/avast-virus-cleaner.html
Comodo BOClean : Anti-Malware Version 4.27
http://www.comodo.com/boclean/boclean.html
Run disk cleanup and also this tool:
http://www.ccleaner.com/download/builds/downloading-slim
download Hijackthis and send me the log.
(http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php)
Send me a copy; my address is: to_you_ross(at remove this and replace with
the obvious)yahoo.co.uk

( _ is underscore)
HTH
nass
 

Dave Onex

Hi guys;

I don't know how we got sidetracked into this whole spyware/firewall issue
when the issue has been that the hard drive fails to power down due to
writes to C:\Documents and Settings\All
Users\Application\Data\Microsoft\Provisioning\store.xml by the wireless
provisioning service.

=>That's the issue - not a malware infection. <=

If you must know the system runs behind ISA 2004 and the notebook does have
its native firewall enabled as well. It's not infected - period.
We've been sidetracked by Pa Bear so let's come back to the original issue
at hand:

Why is ProcMon reporting access to C:\Documents and Settings\All
Users\Application\Data\Microsoft\Provisioning\store.xml by the wireless
provisioning service when the service is disabled?

If you'll read my previous post this activity stops if I remove the wireless
card. So, again,

Why is ProcMon reporting access to C:\Documents and Settings\All
Users\Application\Data\Microsoft\Provisioning\store.xml by the wireless
provisioning service when the service is disabled?
And more importantly, how can I stop this behavior?

Thanks;
Dave

BTW, I have a really great spyware/virus section
(http://www.asksomeone.net/forums/index.php?showforum=20) here. There's a
lot of great reference material there :)
 

The Real Truth MVP

Viruses and Spyware can cause that, it is the way they work and considering
you have none installed you are probably infected. How do you know you are
not infected without protection software to tell you that you are?

--
Ignore any posts made by the Stalker Leythos, he's still in love with me.
He started stalking me after I spurned his advances towards me.
He said he would stop Stalking me If I stopped mentioning his name.
As you can see that does not work. He is a sick obsessive STALKER.





 

Dave Onex

PA Bear said:
You've got to be kidding me - you're a Microsoft MVP? Your recommendation is
a format? Do you even know what Process Monitor is or does?

I sure hope you don't 'help' too many others with advice like that.

I've got a squeaky clean laptop with only one process that's writing to the
drive and keeping it from entering sleep mode and your advice is to format
it? I guess you don't understand the value in that.

It's unfortunate that you've hijacked a solution that was right on track
with Nass and turned it (and Nass) in completely the wrong direction - and
then recommend a format?

I really wish you hadn't jumped into this thread at all. Now that you have,
please check out the BTW, at the bottom of this post - that's MY site and it
will help you to actually help others remove infections - without formatting
the hard drive. Now, hopefully, you'll go away so that I can come back to
the actual issue with nass...

If nass is still out there and has any valuable input (as he did at the
start);

Hi guys;

I don't know how we got sidetracked into this whole spyware/firewall issue
when the issue has been that the hard drive fails to power down due to
writes to C:\Documents and Settings\All
Users\Application\Data\Microsoft\Provisioning\store.xml by the wireless
provisioning service.

=>That's the issue - not a malware infection. <=

If you must know the system runs behind ISA 2004 and the notebook does have
its native firewall enabled as well. It's not infected - period.
We've been sidetracked by Pa Bear so let's come back to the original issue
at hand:

Why is ProcMon reporting access to C:\Documents and Settings\All
Users\Application\Data\Microsoft\Provisioning\store.xml by the wireless
provisioning service when the service is disabled?

If you'll read my previous post this activity stops if I remove the wireless
card. So, again,

Why is ProcMon reporting access to C:\Documents and Settings\All
Users\Application\Data\Microsoft\Provisioning\store.xml by the wireless
provisioning service when the service is disabled?
And more importantly, how can I stop this behavior?

Thanks;
Dave

BTW, I have a really great spyware/virus section
(http://www.asksomeone.net/forums/index.php?showforum=20) here. There's a
lot of great reference material there :)
 

PA Bear [MS MVP]

Dave Onex wrote:
You've got to be kidding me - you're a Microsoft MVP? Your recommendation is
a format? Do you even know what Process Monitor is or does?...

Did you even bother to read http://www.dslreports.com/faq/10063?

I'm certainly familiar with Process Monitor and many other utilities that no
one's yet mentioned in this thread.

If you've been running without a functional and fully-updated anti-virus
application, God only knows how the machine may be compromised. You
certainly cannot trust the security of this machine IMHO.

Doing a wipe & reload's gonna take you much less time than trying to detect
the cause of this behavior and address it.

Feel free to ignore my posts.
 

Dave Onex

PA Bear said:
Dave Onex wrote:


Did you even bother to read http://www.dslreports.com/faq/10063?

I'm certainly familiar with Process Monitor and many other utilities that no
one's yet mentioned in this thread.

If you've been running without a functional and fully-updated anti-virus
application, God only knows how the machine may be compromised. You
certainly cannot trust the security of this machine IMHO.

Doing a wipe & reload's gonna take you much less time than trying to detect
the cause of this behavior and address it.

Feel free to ignore my posts.

I can tell you right now what I'm going to find with a wipe and reload - the
exact same thing. While each of these protected machines is backed up daily
to tape library - I'm certainly not willing to take what will amount to a
day long detour to come back to the exact same issue.

I realize that most users are unaware of what's going on with their
computers and as indicated by the several thousand people that have had
their malware removed on my own personal site (hint hint) - without a
format. We have several servers, none of which are protected by
anti-virus/spyware and all have been running for +4 years that way. We have
an enterprise firewall installed (ISA 2004) and the few users we have are
all well versed in malware and well able to remove any infections that they
might have - all on their own accord.

Security is not something I take lightly, our VPN is a L2TP VPN and we run
our own Certificate server. We also run our own Windows Update Servers and I
could go on in depth for many hours about our network design, the levels of
security behind it, etc - but the fact of the matter is that I've now taken
a several hour long detour into an irrelevant area when the very first reply
to this thread was going directly to the heart of the problem...

If you want to gauge my level of knowledge then spend a few hours on my site.
The reason I came here is in the hopes to meet up with someone (like nass)
who immediately pointed me in the right direction. I doubt I would ever have
determined that the issue is related to the Wireless Network Provisioning
service without his input. Unfortunately, this thread got quickly hijacked
into the wrong direction and the fact that I'm spending an inordinate amount
of time explaining my network's security design is just further proof of
that.

Please, I would ask that if anyone has more information that relates
directly to the issue of my laptop's hard drive not going to sleep because
of repeated access by the Wireless Network Provisioning service (that's been
disabled) trying to access C:\Documents and Settings\All
Users\Application\Data\Microsoft\Provisioning\store.xml I would greatly
appreciate it.

Best & Thanks;
Dave
 

nass

Dave Onex said:
Hi guys;

I don't know how we got sidetracked into this whole spyware/firewall issue
when the issue has been that the hard drive fails to power down due to
writes to C:\Documents and Settings\All
Users\Application\Data\Microsoft\Provisioning\store.xml by the wireless
provisioning service.

=>That's the issue - not a malware infection. <=

If you must know the system runs behind ISA 2004 and the notebook does have
its native firewall enabled as well. It's not infected - period.
We've been sidetracked by Pa Bear so let's come back to the original issue
at hand:

Why is ProcMon reporting access to C:\Documents and Settings\All
Users\Application\Data\Microsoft\Provisioning\store.xml by the wireless
provisioning service when the service is disabled?

If you'll read my previous post this activity stops if I remove the wireless
card. So, again,

Why is ProcMon reporting access to C:\Documents and Settings\All
Users\Application\Data\Microsoft\Provisioning\store.xml by the wireless
provisioning service when the service is disabled?
And more importantly, how can I stop this behavior?

Thanks;
Dave

BTW, I have a really great spyware/virus section
(http://www.asksomeone.net/forums/index.php?showforum=20) here. There's a
lot of great reference material there :)

Do you know that the ISA has the feature to connect to WPS and update the
XML file and also the DHCP?
The store.xml checks for a new domain or updates the data with the ISA and DHCP
server; this is why you are getting the activities.
Also, do you have the roaming profile on this machine enabled and the
Bluetooth connection, and previously connected to a hotspot wifi station?
Try to disable it in the registry in:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services =
And also in the policies:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Policy

Name the new value EnableWPSCompatibility and set the data value to 1 to
enable it. You can disable it by setting the value to 0.
Rename the Store.xml to Store.xml .old and reboot your machine and see if
the ProcMon will show activities for the WNP service.
Make sure you are logged in as admin to perform these steps and disable the Service.
BTW, is the service still disabled in the Services control panel or enabled
back again?
Let us know your wireless make/model and the laptop model and what wireless
management utility you are using (is it the W Card or the Windows WZC) in your
next post if the above didn't help.
 

Dave Onex

Edited in-line...

Do you know that the ISA has the feature to connect to WPS and update the
XML file and also the DHCP?
The store.xml checks for a new domain or updates the data with the ISA and DHCP
server; this is why you are getting the activities.

I think you might be confusing IAS (Internet Authentication Service) with
ISA (Internet and Security Accelerator)
I'm not using IAS or Radius for authentication.

Also, do you have the roaming profile on this machine enabled and the
Bluetooth connection, and previously connected to a hotspot wifi station?
Try to disable it in the registry in:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services =
And also in the policies:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Policy

Name the new value EnableWPSCompatibility and set the data value to 1 to
enable it. You can disable it by setting the value to 0.
Rename the Store.xml to Store.xml .old and reboot your machine and see if
the ProcMon will show activities for the WNP service.

This machine is using a local profile - I believe the other settings relate
to IAS (which we're not using)

Make sure you are logged in as admin to perform these steps and disable the Service.
BTW, is the service still disabled in the Services control panel or enabled
back again?

Yes, even with the service disabled there is still activity to that file.
Upon closer examination though I'm not seeing disk activity (the HDD light)
when that file is accessed.
After watching the laptop for some time it seems to be powering down the
drive now :)
I think it may be fixed and that the access to that file is not actually
accessing the disk (even though Procmon shows that it is).

Let us know your wireless make/model and the laptop model and what wireless
management utility you are using (is it the W Card or the Windows WZC) in your
next post if the above didn't help.

For future reference it's a Presario 900 with a LinkSys WPC54GX4 PCMCIA wifi
card.
Only the driver is loaded for the card (no other software) and I'm using
WZC.

I think the issue might be fixed. Even though Procmon still shows regular
access (about once each minute) to C:\Documents and Settings\All
Users\Application Data\Microsoft\Provisioning\store.xml it might be
accessing cached data as opposed to operating the drive.

Either way, the laptop is powering down the hard drive so I think we're all
set :) Thanks very much for your help with this Nass!

Best;
Dave
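
Added example, not part of the thread: a Python triage of a Process Monitor CSV export that tallies events on store.xml per process and PID by operation and result, counts successful ReadFile/WriteFile events, and measures how often the accesses recur. The sample rows, the PID and the helper names are constructed for illustration, and the column layout and timestamp format are assumed to be Process Monitor's default export.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample rows in the assumed default column layout of a Process
# Monitor CSV export; the PID, timestamps and Detail text are made up.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.1000000 AM","svchost.exe","1052","CreateFile","C:\Documents and Settings\All Users\Application Data\Microsoft\Provisioning\store.xml","NAME NOT FOUND","Desired Access: Generic Read"
"10:00:30.5000000 AM","System","4","WriteFile","C:\WINDOWS\system32\config\software.LOG","SUCCESS","Offset: 0, Length: 4,096"
"10:01:01.1000000 AM","svchost.exe","1052","CreateFile","C:\Documents and Settings\All Users\Application Data\Microsoft\Provisioning\store.xml","NAME COLLISION","Desired Access: Generic Write"
"10:02:01.1000000 AM","svchost.exe","1052","CreateFile","C:\Documents and Settings\All Users\Application Data\Microsoft\Provisioning\store.xml","NAME NOT FOUND","Desired Access: Generic Read"
"10:03:01.1000000 AM","svchost.exe","1052","CreateFile","C:\Documents and Settings\All Users\Application Data\Microsoft\Provisioning\store.xml","NAME NOT FOUND","Desired Access: Generic Read"
'''

TARGET = r"\Provisioning\store.xml"   # path suffix of interest, from the thread
DATA_OPS = {"ReadFile", "WriteFile"}  # operations that move file data


def parse_time(text):
    """Parse a 'Time of Day' value such as '10:00:01.1000000 AM'."""
    clock, ampm = text.split(" ")
    head, frac = clock.split(".")
    # The export carries 7 fractional digits; strptime's %f accepts at most 6.
    return datetime.strptime(f"{head}.{frac[:6]} {ampm}", "%I:%M:%S.%f %p")


def summarize(csv_text, path_suffix):
    """Group events whose path ends in path_suffix by (process name, PID)."""
    summary = defaultdict(
        lambda: {"results": defaultdict(int), "data_ops": 0, "times": []}
    )
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not row["Path"].lower().endswith(path_suffix.lower()):
            continue
        entry = summary[(row["Process Name"], int(row["PID"]))]
        entry["results"][(row["Operation"], row["Result"])] += 1
        if row["Operation"] in DATA_OPS and row["Result"] == "SUCCESS":
            entry["data_ops"] += 1
        entry["times"].append(parse_time(row["Time of Day"]))
    return summary


def mean_interval_seconds(times):
    """Average gap between consecutive events, or None with fewer than two."""
    ordered = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    return sum(gaps) / len(gaps) if gaps else None


def report(csv_text, path_suffix):
    """Return human-readable lines describing who touches the file and how."""
    lines = []
    for (name, pid), entry in summarize(csv_text, path_suffix).items():
        lines.append(f"{name} (PID {pid})")
        for (operation, result), count in sorted(entry["results"].items()):
            lines.append(f"  {operation:<12} {result:<16} x{count}")
        lines.append(f"  successful data reads/writes: {entry['data_ops']}")
        interval = mean_interval_seconds(entry["times"])
        if interval is not None:
            lines.append(f"  mean interval: {interval:.1f} s")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CSV, TARGET)))
```

To see which services share the reported svchost.exe PID, `tasklist /svc /fi "imagename eq svchost.exe"` lists them on XP Pro.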
 
