understanding files

Terry
Hey all,

I have some questions about some exe, dll, and other
files. I'm hoping someone may help me understand the OS
better.

1. lsass.exe, csrss.exe
I know these files belong to Windows, but what do they
actually do? My research on lsass.exe suggests that some
services use this name. I disabled these services;
however, the file is still shown in the task manager.

2. oobebaln.exe
I found this file in the C:\Windows\system32\oobe directory.
What is it? When I tried deleting it, it strangely
reappears. I can't seem to get rid of it.

3. tcpsvcs.exe
I'm a bit concerned about this one. It listens on ports
7, 9, 13, 17, and 19. Research suggests that the Terminal
service uses this. However, it isn't installed by default
on XP Home. So why do I have tcpsvcs.exe running? I've
disabled it by renaming it to tcpsvc.old for now.

4. mshta.exe
What is this file and what does it do?
It's called upon from the registry key
HKLM\software\classes\htafile\shell\open\command

5. ntoskrnl.exe
Apparently this executable is a part of the boot process,
right? The task manager calls it "system" with process id
4.
What does this file actually do and why does it listen on
UDP and TCP 445?

6. mscdexnt.exe, redir.exe, dosx.exe

What do these executables do and are they necessary?
C:\windows\system32\autoexec.nt loads them.

7. himem.sys
What is this file and is it necessary?
C:\windows\system32\config.nt loads it.


8. ginstall.dll
I have no idea what this does.
It loads via C:\windows\wininit.ini.
What does it do?

9. timer.drv
I don't know what this one does either. C:\Windows\system.ini
loads it.

10. Wscript.exe

I know many script files use this executable, but what
does it actually do and is it necessary?

"vbsfile", "vbefile", "jsfile", "jsefile", "wshfile",
and "wsffile"
call wscript.exe in the registry key
HKCR\" "\shell\open\command


11. Shell32.dll, webcheck.dll, stobject.dll, upnpui.dll

What do these DLLs do and are they necessary? They are all
loaded by the registry key
HKLM\software\microsoft\windows\currentversion\shellserviceobjectdelayload

12. ntvdm.exe, krnl386
The key HKLM\system\currentcontrolset\wow\cmdline points
to ntvdm.exe
and the key HKLM\system\currentcontrolset\wow\wowcmdline
points to krnl386

What do both of these files do?

13. dcsws2.dll, mswsock.dll, rsvpsp.dll

The key HKLM\System\currentcontrolset\services\winsock2
\parameters\protocol_catalog9\catalog_entries\

uses these dll files. What are the files and what is the
key referring to?

14. javasup.vxd
I know this is an important file for java but what does it
actually do?

It can be found in the key
HKLM\system\currentcontrolset\services\vxd\javasup\

15. Explorer.exe
Can someone verify that explorer.exe is loaded from two
locations?

I have it loaded from C:\windows\system.ini [boot] shell
and from
HKLM\software\microsoft\windowsnt\currentversion\winlogon\shell

16. msconfig

Msconfig from run shows

system.ini loads

"; for 16-bit app support"
"[drivers]"
"[mci]"
"[drivers32]"
"[386enh]"

win.ini loads

"; for 16-bit app support"
"[fonts]"
"[extensions]"
"[mci extensions]"
"[files]"
"[mail]"
"[mci extensions.bak]"

Which box is safe to uncheck for general use?


I know there are a lot of questions here, so any help at
all would definitely be wonderful.


With appreciation,
Terry

Kelly

This is not a normal compilation of a newsgroup in 'general' question and
you shouldn't expect to receive a thorough reply. You seem to have
multi-segmented areas involved here and need to do research on them
respectively. Good luck!


Rob Schneider

If you search Google for these files names, you'll get information.
You'll also find via this approach the web sites that go to the effort
of providing information about these files. Your other resource is the
Microsoft Knowledgebase on their web site.

Hope this is useful to you. Let us know.

rms




Gerry Cornell

Terry

Instead of using Google you might try researching using this link:

http://vivisimo.com/

I got an excellent answer for "oobebaln.exe".

However, you might ask yourself whether you are approaching a perceived problem from the right direction? My Win XP system has around 1,200 exe files. It is not really practical to research that number of files over a short time span. In any event, how do you know that "oobebaln.exe" is really "oobebaln.exe" and not a wolf in sheep's clothing?

What is your underlying reason for the recently acquired thirst for acquisition of knowledge about specific exe files?

--

~~~~~~


Hope this helps.

Gerry
~~~~~~~~~~~~~~~~~~~~~~~~
FCA
(e-mail address removed)
Stourport, Worcs, England
Enquire, plan and execute.
~~~~~~~~~~~~~~~~~~~~~~~~
Please tell the newsgroup how any
suggested solution worked for you.

~~~~~~~~~~~~~~~~~~~~~~~~





cquirke (MVP Win9x)

Hi, one!

Dunno; pass

OOBE = Out Of Box Experience; basically, a "hello newbie" thing that
runs as soon as you turn on for the first time, AFAIK.

WinME and XP have a more aggressive SFP (System File Protection) that
will replace monitored system files on the fly when these are renamed
away or deleted. That's prolly what's happening here.

Dunno, sorry

It's the interpretation engine for .HTA (HyperText Application) files,
which can be and have been exploited by malware. In Win9x I rename
away the MSHTA.EXE engine from DOS mode to prevent the interpretation
of .HTA files, as neither I nor the system uses them. XP is more
likely to use them (some patching processes may rely on them) so I've
been more conservative and left it in place.

SFP will defend the file, and patches that upgrade it (or some system
upgrades such as IE 6 SP1) will add it back anyway. A better risk
management approach would be to either unlink .HTA from htafile, or change the
"open" action for htafile to something safer than MSHTA.EXE - all done
via RegEdit, and the usual caveats apply.

Yep. You do NOT want to pick a fight with this dude!

If your C:\BOOT.INI syntax gets whacked, you may get spurious reports
of failure with this file as the boot process fails.

Dunno. dunno and something to do with running DOS apps, AFAIK.

OK; then I'd guess generic CD-ROM support, LAN redirection support and
DOS executive, respectively. The .NT files are used to init the
emulated environment for DOS apps.

As above. Intel's x86 processors start up in real mode, and in the
DOS days, HiMem.sys was an optional XMS (eXtended Memory Services)
driver that switched the processor into a mode that could read RAM
beyond the 1M barrier. So it's part of the emulated DOS environment.

Me neither :-?

Wininit.ini is a one-shot settings file that is interpreted early in
the boot process; it's intended for use by software (un)installers
that need to make changes involving files that are normally in use.

The (un)installer typically does what it can, then sets up a
Wininit.ini (or registry RunOnce keys) to do the rest when Windows
restarts, then prompts you to restart Windows. Once it's been
interpreted, Wininit.ini is renamed Wininit.bak and will no longer
be active on subsequent boots.

Malware can use Wininit.ini as part of the startup axis, in order to
run itself as part of Windows. Suspect this, or a botched installer,
if the file keeps re-appearing instead of being renamed .bak when done

Dunno, but it may be an RTC (Real Time Clock) driver; the .DRV
extension refers to low-level Windows driver code, and that it loads
via System.ini suggests it's a throwback to old versions of Windows.

WScript.exe and CScript.exe are interpreter engines for WSH (Windows
Scripting Host), i.e. stand-alone script files that can have a wide
range of extensions, e.g. .wsh, .js, .vbs etc. These became famous
when LoveLetter used them as a malware attack file, and are the
easiest destructive malware to write.

Management of these is similar to MSHTA.EXE, except that in XP I use
an alternate approach to suppressing WSH that doesn't pick fights with
SFP or cause lapses when IE upgrades/updates re-assert the files...

Save As: WSHOff.reg
----------------------- ---- --- -- - - - -
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings]
"ActiveDebugging"="1"
"Enabled"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"
"EnableRemoteLaunch"="N"
"EnableRemoteConnect"="N"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings]
"ActiveDebugging"="1"
"UseWINSAFER"="1"
"Enabled"="0"
"IgnoreUserSettings"="0"
----------------------- ---- --- -- - - - -

The undo; Save As WSHOn.reg
----------------------- ---- --- -- - - - -
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings]
"ActiveDebugging"="1"
"Enabled"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"
"EnableRemoteLaunch"="Y"
"EnableRemoteConnect"="Y"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings]
"ActiveDebugging"="1"
"UseWINSAFER"="1"
"Enabled"="1"
"IgnoreUserSettings"="0"
----------------------- ---- --- -- - - - -

It's required if you want to run stand-alone script files, or use
software that needs these. Some locally-written software may rely on
them to do things, and in-house IT admin may do too, but I'd expect
any decent shrink-wrap software to do things "properly" :)

Yep; they are the standard stand-alone script file extensions. I
suspect WSH passes the script to the relevant script interpreter, as
the system is extensible; Visual Basic Script and JavaScript are
supported natively but other interpreters can support other script
languages such as Perl etc.

Shell32.dll is an internal part of Explorer / IE, and gets
re-versioned quite often by patches, etc.

WebCheck.dll ("Browser Web Check") is AFAIK used to look for channel
info, as part of IE4-era "push" technology. Prolly updates "web
folders" too. It's not stuff I use.

upnpui.dll sounds like part of Universal Plug aNd Play, which is
unrelated to the normal hardware Plug aNd Play. It's used to roam the
network for stuff the system can use, and I'd prefer to kill it off.
The first big safety scandal in WinME was exploitable holes in uPnP;
unless you rely on it as part of your broadband setup etc. I'd disable
the uPnP service (but leave the regular PnP alone!).

Well spotted, thanks!

Prolly support for legacy Windows versions. WOW = Windows On Windows,
which is basically shelling apps written for older Windows versions so
they think they are "at home".

Dunno; my guess is same as yours.

Define "locations". Two different directory paths? No; only the one
in the Windows base dir is "really" Explorer. Two different registry
references? Maybe, maybe not. Fake Explorer.exe of various kinds
(different dir paths, lookalike names such as Expiorer.exe with an
upper-case "i", etc.) are common malware tricks.
> I have it loaded from C:\windows\system.ini [boot] shell
Normal
> and from
> HKLM\software\microsoft\windowsnt\currentversion\winlogon\shell
Normal

> 16. msconfig
>
> Msconfig from run shows
>
> system.ini loads
>
> "; for 16-bit app support"
> "[drivers]"
> "[mci]"
> "[drivers32]"
> "[386enh]"
>
> win.ini loads
>
> "; for 16-bit app support"
> "[fonts]"
> "[extensions]"
> "[mci extensions]"
> "[files]"
> "[mail]"
> "[mci extensions.bak]"
>
> Which box is safe to uncheck for general use?

Those look OK. Check the detail within the [+]


-------------------- ----- ---- --- -- - - - -
Running Windows-based av to kill active malware is like striking
a match to see if what you are standing in is water or petrol.
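An added check for the fake-Explorer.exe tricks cquirke describes (example code, not cquirke's or the thread's own): it audits a constructed process snapshot for a known system binary running from the wrong directory, or under a lookalike name such as Expiorer.exe. The install paths in EXPECTED_PATHS and the snapshot itself are assumptions for a default C:\Windows install.

```python
"""Audit a process snapshot for impersonation of core Windows binaries.

Added example: flags (a) a genuine image name running from a directory other
than its expected one and (b) a lookalike name built from homoglyph swaps.
"""
from typing import List, Tuple

# Assumed default install paths (%WINDIR% = C:\Windows); adjust per machine.
EXPECTED_PATHS = {
    "explorer.exe": r"c:\windows\explorer.exe",
    "lsass.exe": r"c:\windows\system32\lsass.exe",
    "csrss.exe": r"c:\windows\system32\csrss.exe",
    "mshta.exe": r"c:\windows\system32\mshta.exe",
    "wscript.exe": r"c:\windows\system32\wscript.exe",
}

# Visually similar characters that get swapped into a file name.
_LOOKALIKES = str.maketrans({"i": "l", "1": "l", "|": "l", "0": "o", "5": "s"})


def canonical(name: str) -> str:
    """Collapse case and common homoglyphs so 'Expiorer.exe' compares equal to 'explorer.exe'."""
    return name.lower().replace("rn", "m").translate(_LOOKALIKES)


Finding = Tuple[int, str, str]  # (pid, image name, reason)


def audit(processes: List[Tuple[int, str, str]]) -> List[Finding]:
    """Return one finding per process whose name or path does not match a known system binary."""
    findings: List[Finding] = []
    for pid, name, path in processes:
        key = canonical(name)
        for real_name, real_path in EXPECTED_PATHS.items():
            if canonical(real_name) != key:
                continue  # not even a lookalike of this binary
            if name.lower() != real_name:
                findings.append((pid, name, f"lookalike of {real_name}"))
            elif path.lower() != real_path:
                findings.append((pid, name, f"{real_name} running from unexpected path {path}"))
    return findings


# Constructed snapshot (pid, image name, full path); not taken from a real machine.
SAMPLE_SNAPSHOT = [
    (4, "System", ""),
    (528, "csrss.exe", r"C:\Windows\System32\csrss.exe"),
    (600, "lsass.exe", r"C:\Windows\System32\lsass.exe"),
    (1292, "Explorer.EXE", r"C:\Windows\Explorer.EXE"),           # genuine shell
    (2204, "Expiorer.exe", r"C:\Windows\System32\Expiorer.exe"),  # upper-case "i" lookalike
    (2316, "explorer.exe", r"C:\Temp\explorer.exe"),              # right name, wrong directory
    (2400, "wscript.exe", r"C:\Windows\System32\wscript.exe"),
]

if __name__ == "__main__":
    for pid, name, reason in audit(SAMPLE_SNAPSHOT):
        print(f"PID {pid:>5} {name:<14} {reason}")
```

On a live box the snapshot would come from the process list with full image paths; the same two checks apply unchanged.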