XP-Pro SP2 cannot run command.com

Joe H

I have a customer who has xp-pro sp2 (32 bit) fully updated (same as my
main machine) and when she runs command.com she gets the message
"Windows cannot find command.com. Please bla..bla.bla" The same with
any other dos program. In the system32 folder, dir finds command.com
and config.nt but not autoexec.nt. I had her restore those three files
from a program that repairs the 16-bit sub-system error of a year or so
back. All it does is extract those three files from a self extracting
winzip file.

After restoring those files, the error is identical -- "windows cannot
find ...".

I've verified that no software restriction policies are set and had her
turn off her anti-spyware program and no change. She's using mcafee av
which I personally don't like but have never heard of it causing such a
restriction.

Any idea of what else to check would be greatly appreciated. I had
forgotten about the Malicious Program Removal tool until I noticed a
mention of it in this group. Should I have her run that?

--
 
Thee Chicago Wolf

Joe H said:
I have a customer who has xp-pro sp2 (32 bit) fully updated (same as my
main machine) and when she runs command.com she gets the message
"Windows cannot find command.com. Please bla..bla.bla" The same with
any other dos program. In the system32 folder, dir finds command.com
and config.nt but not autoexec.nt. I had her restore those three files
from a program that repairs the 16-bit sub-system error of a year or so
back. All it does is extract those three files from a self extracting
winzip file.

After restoring those files, the error is identical -- "windows cannot
find ...".

I've verified that no software restriction policies are set and had her
turn off her anti-spyware program and no change. She's using mcafee av
which I personally don't like but have never heard of it causing such a
restriction.

Any idea of what else to check would be greatly appreciated. I had
forgotten about the Malicious Program Removal tool until I noticed a
mention of it in this group. Should I have her run that?

Well, if those files exist in the proper folders and you can see them
there, something else must be amuck. What about setting up a patch
statement to them instead?

Start > Programs > Control Panel > System > Advanced tab > Environment
Variables button, under system variables, click the New button, for
"variable name" call it COMMAND, for "variable value" point it to
C:\Windows\System32, click OK, Click OK again, click ok once more to
close System Properties. Let me know if it worked.

- Thee Chicago Wolf
 
Thee Chicago Wolf

Joe H said:
I have a customer who has xp-pro sp2 (32 bit) fully updated (same as my
main machine) and when she runs command.com she gets the message
"Windows cannot find command.com. Please bla..bla.bla" The same with
any other dos program. In the system32 folder, dir finds command.com
and config.nt but not autoexec.nt. I had her restore those three files
from a program that repairs the 16-bit sub-system error of a year or so
back. All it does is extract those three files from a self extracting
winzip file.

After restoring those files, the error is identical -- "windows cannot
find ...".

I've verified that no software restriction policies are set and had her
turn off her anti-spyware program and no change. She's using mcafee av
which I personally don't like but have never heard of it causing such a
restriction.

Any idea of what else to check would be greatly appreciated. I had
forgotten about the Malicious Program Removal tool until I noticed a
mention of it in this group. Should I have her run that?

I meant a PATH statement not PATCH statement.

- Thee Chicago Wolf
 
Joe H

Thee said:
I meant a PATH statement not PATCH statement.

- Thee Chicago Wolf

I didn't mention that the command.com failed even when I was already in
a cmd.exe window in the system32 folder. So no path should have been
involved in running the command. Windows has always looked first in the
current directory for an executable and if found it runs it. In this
case it is saying it can't find the file even though it is visible to
dir from cmd.exe and windows explorer.

I think this must be something like the 16-bit subsystem error in that
some malware program is intercepting the command prompt or has damaged
some other component that is required. I've never seen this behaviour
before. The fact that autoexec.nt was missing tells me that some active
agent must be involved. In the past that missing file would have
generated a 16-bit subsystem error instead of Windows cannot find this
file. I wonder if something replaced the ntvdm.dll file or installed a
system hook that is generating this message.

I've put in a call to the customer to try this so I'll post again when
I find out though I don't have any confidence it will help. I was
hoping someone might know of some essential registry locations to check
or some other files or system settings that might be causing this. But
mostly what can be done other than reformatting and reinstalling
windows to fix it?



--
 
Pegasus (MVP)

Joe H said:
I didn't mention that the command.com failed even when I was already in
a cmd.exe window in the system32 folder. So no path should have been
involved in running the command. Windows has always looked first in the
current directory for an executable and if found it runs it. In this
case it is saying it can't find the file even though it is visible to
dir from cmd.exe and windows explorer.

I think this must be something like the 16-bit subsystem error in that
some malware program is intercepting the command prompt or has damaged
some other component that is required. I've never seen this behaviour
before. The fact that autoexec.nt was missing tells me that some active
agent must be involved. In the past that missing file would have
generated a 16-bit subsystem error instead of Windows cannot find this
file. I wonder if something replaced the ntvdm.dll file or installed a
system hook that is generating this message.

I've put in a call to the customer to try this so I'll post again when
I find out though I don't have any confidence it will help. I was
hoping someone might know of some essential registry locations to check
or some other files or system settings that might be causing this. But
mostly what can be done other than reformatting and reinstalling
windows to fix it?

A couple of questions:
- Why do you want to run command.com? It is a legacy command
processor that should not be used.
- What happens when you type this command from a
Command Prompt:
%SystemRoot%\system32\command.com
 
Thee Chicago Wolf

Joe H said:
I didn't mention that the command.com failed even when I was already in
a cmd.exe window in the system32 folder. So no path should have been
involved in running the command. Windows has always looked first in the
current directory for an executable and if found it runs it. In this
case it is saying it can't find the file even though it is visible to
dir from cmd.exe and windows explorer.

I think this must be something like the 16-bit subsystem error in that
some malware program is intercepting the command prompt or has damaged
some other component that is required. I've never seen this behaviour
before. The fact that autoexec.nt was missing tells me that some active
agent must be involved. In the past that missing file would have
generated a 16-bit subsystem error instead of Windows cannot find this
file. I wonder if something replaced the ntvdm.dll file or installed a
system hook that is generating this message.

I've put in a call to the customer to try this so I'll post again when
I find out though I don't have any confidence it will help. I was
hoping someone might know of some essential registry locations to check
or some other files or system settings that might be causing this. But
mostly what can be done other than reformatting and reinstalling
windows to fix it?

Joe,

I kind of figured XP would have already had it pathed but back in the
DOS days, this kind of thing, even if pathed, would happen once in a
blue moon. I used filemon to see what happens when running command.com
from a DOS window and it does indeed use the ntvdm process.

One KB article you may want to check out and get the hotfix for is:
http://support.microsoft.com/kb/890067 There have been other fixes to
the ntvdm system since XP SP2 and this KB hotfix so this is the most
current ntvdm I know of that is within the realm of what your customer
is experiencing.

You can get it free without having to call MS support by clicking the
link http://go.microsoft.com/?linkid=6294451 in the KB article,
filling in the form, and waiting for an e-mail from Microsoft to the
hotfix. Turnaround time is usually 2-6 hours. Give it a shot and let
me know how it turns out.

- Thee Chicago Wolf
 
Joe H

Pegasus said:
A couple of questions:
- Why do you want to run command.com? It is a legacy command
processor that should not be used.
- What happens when you type this command from a
Command Prompt:
%SystemRoot%\system32\command.com

Command.com is simply evidence that the system is compromised some way.
I personally always use cmd.exe but that is not the issue. The original
problem was trying to run a specific (yes legacy) dos program which is
apparently being blocked the same way as command.com is being blocked.
When attempting to start it from its own folder, windows says the same
thing "windows cannot locate the file xyz.com". Legacy or not it is
supposed to (and does) run on all 32-bit versions of windows including
all flavors of vista unless it is being blocked by something or blocked
by a local policy setting. I don't know how else it could be blocked.

Like I said in my previous post, I have a call in to the customer to
try the system variable option and have not yet heard back from her
yet. When I hear I will try the %systemroot%\system32\command.com as
well from the run box and also from a cmd.exe box.

--
 
Joe H

Pegasus said:
A couple of questions:
- Why do you want to run command.com? It is a legacy command
processor that should not be used.
- What happens when you type this command from a
Command Prompt:
%SystemRoot%\system32\command.com

Command.com is simply evidence that the system is compromised some way.
I personally always use cmd.exe but that is not the issue. The original
problem was trying to run a specific (yes legacy) dos program which is
apparently being blocked the same way as command.com is being blocked.
When attempting to start it from its own folder, windows says the same
thing "windows cannot locate the file xyz.com". Legacy or not it is
supposed to (and does) run on all 32-bit versions of windows including
all flavors of vista unless it is being blocked by something or blocked
by a local policy setting. I don't know how else it could be blocked.

Like I said in my previous post, I have a call in to the customer to
try the system variable option and have not yet heard back from her
yet. When I hear I will try the %systemroot%\system32\command.com as
well from the run box and also from a cmd.exe box.

--
 
Joe H

Thee said:
Joe,

I kind of figured XP would have already had it pathed but back in the
DOS days, this kind of thing, even if pathed, would happen once in a
blue moon. I used filemon to see what happens when running command.com
from a DOS window and it does indeed use the ntvdm process.

One KB article you may want to check out and get the hotfix for is:
http://support.microsoft.com/kb/890067 There have been other fixes to
the ntvdm system since XP SP2 and this KB hotfix so this is the most
current ntvdm I know of that is within the realm of what your customer
is experiencing.

You can get it free without having to call MS support by clicking the
link http://go.microsoft.com/?linkid=6294451 in the KB article,
filling in the form, and waiting for an e-mail from Microsoft to the
hotfix. Turnaround time is usually 2-6 hours. Give it a shot and let
me know how it turns out.

- Thee Chicago Wolf

Thanks. I really do appreciate the reply but the hotfix you reference
says that it corrects a problem where an additional space is added
between the command and the parameters. However, command.com has no
parameters in the case I was trying to use, neither does the dos
command we were trying to use so I don't see how that will have
anything to do with this issue. The hotfix really doesn't mention
xp-pro sp2 either. I assume that really wouldn't matter in this case. I
asked for the hotfix but I hesitate to ask the customer to install it
since Microsoft is specific in saying that it ONLY addresses this issue.

When I get back up with the customer I will get the size and date of
the ntvdm.exe.

Big surprise. I just compared the file on one of my xp-home computers
with that on my xp-pro and the files are identical--even though the
xp-pro machine is at least 3 years newer! The article above shows a
date of 2005 but mine are both 2004 and slightly smaller than the 2005
dated file. Both computers have been fully updated and both running
auto updates. Both are definitely sp2. Both are 419,840 bytes. The hot
fix shows a 2005 version with 420,864 bytes and another 2005 version
with 397,312 bytes. What a confusing deal!


Sorry about the double post above. My newsreader hung and obviously
sent it twice.

--
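
Joe's size-and-date comparison of ntvdm.exe between machines, carried one step further as an added example (not part of any post in this thread): it records presence, size and SHA-256 for the four files the thread names and reports where a suspect machine differs from a known-good one. It assumes a Python interpreter is available on both machines or on copies of their system32 folders; the function names are hypothetical.

```python
import hashlib
import os

# 16-bit subsystem files named in the thread, all expected in system32.
NTVDM_FILES = ("command.com", "config.nt", "autoexec.nt", "ntvdm.exe")


def manifest(system32_dir, names=NTVDM_FILES):
    """Return {name: (size, sha256)}, or {name: None} when the file is missing."""
    result = {}
    for name in names:
        path = os.path.join(system32_dir, name)
        if not os.path.isfile(path):
            result[name] = None
            continue
        digest = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        result[name] = (os.path.getsize(path), digest.hexdigest())
    return result


def compare(baseline, suspect):
    """List (name, finding) pairs where the suspect differs from the baseline."""
    findings = []
    for name, good in baseline.items():
        seen = suspect.get(name)
        if seen == good:
            continue
        if seen is None:
            findings.append((name, "missing on suspect machine"))
        elif good is None:
            findings.append((name, "present on suspect but not in baseline"))
        elif seen[0] != good[0]:
            findings.append((name, "size %d != baseline %d" % (seen[0], good[0])))
        else:
            # A size-and-date check alone would not catch this case.
            findings.append((name, "same size, different content"))
    return findings


if __name__ == "__main__":
    # Print the local manifest so it can be saved and compared elsewhere.
    root = os.environ.get("SystemRoot", r"C:\Windows")
    for name, entry in manifest(os.path.join(root, "system32")).items():
        print(name, entry if entry else "MISSING")
```

Hotfix levels legitimately change ntvdm.exe, as the sizes quoted in this thread show, so a difference is a lead to follow up rather than proof of tampering.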
 
Thee Chicago Wolf

Joe H said:
Thanks. I really do appreciate the reply but the hotfix you reference
says that it corrects a problem where an additional space is added
between the command and the parameters. However, command.com has no
parameters in the case I was trying to use, neither does the dos
command we were trying to use so I don't see how that will have
anything to do with this issue. The hotfix really doesn't mention
xp-pro sp2 either. I assume that really wouldn't matter in this case. I
asked for the hotfix but I hesitate to ask the customer to install it
since Microsoft is specific in saying that it ONLY addresses this issue.

When I get back up with the customer I will get the size and date of
the ntvdm.exe.

Big surprise. I just compared the file on one of my xp-home computers
with that on my xp-pro and the files are identical--even though the
xp-pro machine is at least 3 years newer! The article above shows a
date of 2005 but mine are both 2004 and slightly smaller than the 2005
dated file. Both computers have been fully updated and both running
auto updates. Both are definitely sp2. Both are 419,840 bytes. The hot
fix shows a 2005 version with 420,864 bytes and another 2005 version
with 397,312 bytes. What a confusing deal!

Sorry about the double post above. My newsreader hung and obviously
sent it twice.

As I mentioned in my post, the ntvdm module from the original in XP
SP2 (build 2180) as compared to the one in the KB article (build 2715)
has had MORE changes done to them than what is mentioned in the KB
article even though it is not 100% exactly what your customer may be
experiencing. I know that specific "space" issue is not what your
customer is experiencing, I was just letting you know that hotfix is
what is current in terms of that module so it is the best option as
changes made to it between build 2180 and 2715 are usually cumulative.

The reason you are seeing the same file on YOUR computer is because
the file from the KB article is a hotfix. This means you will NEVER
get it from Windows Update. You have to request it from Microsoft as I
stated in my original post.

I know the file size differences seem confusing and this is because
that article is OLD OLD OLD and before Microsoft standardized their web
pages and made it clear which file was applying to which installed
service pack. I can confirm the ntvdm.exe listed under the section
"Windows XP with SP1 or with SP2" from KB890067 is 420,864KB on my
machine. The other file showing 397,312KB is most likely for those
still using SP1.

Here are some KB articles detailing changes made to the NTVDM module
between the original 2180 build in SP2 and build 2715 from KB890067
(who knows what's changed between build 2181 and 2549!! Ha!):

1. http://support.microsoft.com/kb/892520 (build 2598)
2. http://support.microsoft.com/kb/896896 (build 2650)

Perhaps you've already seen this but have a look at:
http://support.microsoft.com/kb/314106

Windows XP SP3 will be out in late March so if your customer can get by
until then, just hold off. Or.......

- Thee Chicago Wolf
 
