system32/cmd.exe

    #2377410

    I have a problem with this popping up suddenly without warning or anything, then it will go back to wherever it came from. This has been happening for the last few months and I cannot figure out why in order to fix it. I am not entering anything at machine level when this happens.

    • #2377460

      It is probably a background scheduled task running a script.
      Mark the time and check Event Viewer and Task Scheduler.

    • #2377732

      What you are seeing is the result of a process firing (from a scheduled task or registry Run key?) and, as a result, triggering cmd.exe… so why not use a tool that monitors processes?

      Sysinternals/TechNet’s small, free, portable Process Monitor (ProcMon) can be set to filter for cmd.exe firing and should show what triggered it.

      1. Download and unzip ProcMon. (I save/unzip it to a C:\Support folder I’ve created to store portable utilities/tools.)

      2. Create a new shortcut to procmon.exe and amend the shortcut’s properties so it uses Run as administrator (a) and uses a /NoConnect switch (b), as per the following screenshot:

      [screenshot: procmon_shortcut_properties]

      (The latter is so ProcMon doesn’t start capturing events automatically when it’s run.)

      3. Start ProcMon from the shortcut and accept the EULA. You only need to do this the first time you use it.

      4. When the main ProcMon window appears, press CTRL+L to bring up the Filter dialog.

      5. Change the top line (a) to match the screenshot below, then click on the Add button (b) then click on the OK button (c) to dismiss the dialog.

      [screenshot: procmon-filter_for_cmd_exe]

      That’s your filter set which will watch for any event that triggers the command processor cmd.exe, i.e. any flashing CMD window you see.

      6. Click the Filter menu and make sure Drop Filtered Events is enabled:

      [screenshot: procmon_drop_filtered_events]

      The reason for this is that ProcMon captures ALL events by default to your device’s swapfile… and if you are capturing events for a while (e.g. looking for events which may only happen once every hour or two) then it’s easy to exhaust the swapfile.

      7. Now that ProcMon has been configured, press CTRL+E to start capturing events (or click on the icon 3rd in from the left in the toolbar).

      You can now minimise ProcMon whilst you continue using your device. If you spot a CMD window appearing then look at ProcMon to see if the event has been captured and shows the process which triggered it (in the second default column – Process Name). Once the event has been captured you can press CTRL+E again to stop capturing.

      Hope this helps…

      [IMPORTANT: I’m very aware that the latest version of ProcMon has “issues” (and uses different-looking toolbar icons… see Microsoft’s ProcMon support forum for more info.) but I think (hope?) the basic functionality of ProcMon hasn’t been compromised by any MS bod diddling about with such a long-standing and well-respected utility. However, after testing of the latest version – and disappointment – I have reverted back to an earlier version (v3.50) of ProcMon.]

      2 users thanked author for this post.
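      A complementary check, added here as an example and not taken from the thread: a PowerShell script that enumerates the two launch sources the replies mention (scheduled tasks and the registry Run/RunOnce keys) and lists any entry whose action invokes cmd.exe, so you can compare the list with whatever ProcMon captures. The registry paths are the standard Run/RunOnce locations; the regex and output layout are my own choices.

```powershell
# Added example (not from the thread): list scheduled tasks and Run/RunOnce
# entries that launch cmd.exe. Windows PowerShell 5.1+ on Windows 10; run from
# an elevated prompt so that all tasks are visible.

$pattern = 'cmd(\.exe)?\b'   # matches "cmd", "cmd.exe", "C:\Windows\System32\cmd.exe"

# 1. Scheduled tasks whose Execute or Arguments reference cmd.exe
$taskHits = Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        # Non-exec actions (COM handlers) have no Execute/Arguments; they expand to ""
        $cmdline = "$($action.Execute) $($action.Arguments)"
        if ($cmdline -match $pattern) {
            [pscustomobject]@{
                Source  = 'ScheduledTask'
                Name    = "$($task.TaskPath)$($task.TaskName)"
                State   = $task.State
                Command = $cmdline.Trim()
            }
        }
    }
}

# 2. Run / RunOnce keys for the machine (64- and 32-bit views) and the current user
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$runHits = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSParentPath etc.
        if ("$($p.Value)" -match $pattern) {
            [pscustomobject]@{ Source = 'RunKey'; Name = "$key\$($p.Name)"; State = ''; Command = "$($p.Value)" }
        }
    }
}

$hits = @($taskHits) + @($runHits)
if ($hits.Count -eq 0) { 'No scheduled task or Run key entry launches cmd.exe.' }
else { $hits | Format-Table -AutoSize -Wrap }
```

      Anything this lists is a candidate to match against the time you noted when the window flashed; an entry that launches cmd.exe is not necessarily malicious (many legitimate installers register such tasks), so check who created it before changing anything.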
    • #2377851

      Where can I get that older version 3.50 of Process Monitor

    • #2377996

      Where can I get that older version 3.50 of Process Monitor

      The only legitimate site I could find to download v3.50 is:

      http://www.3dfxzone.it/programs/?objid=17070

      I’ve just downloaded the zip from there, unpacked it and checked the Procmon.exe file with VirusTotal:

      [screenshot: vt-procmon]

      (Note that VirusTotal doesn’t like that I haven’t updated Firefox. 🙂  )

      I advise you to do the same.

      Hope this helps…

      1 user thanked author for this post.
    • #2378081

      Thanks Rick, for the links and instructions on the use of Process Monitor. I have the same problem as JohnQ2 on my husband’s laptop. Will give this a try. Really appreciate all the help you folks provide.

    • #2378095

      Another issue has now emerged with the latest version of Process Monitor (ProcMon) – v3.83 – so, for the time being, I suggest you avoid it.

      This, unfortunately, means you will need to search for earlier versions of ProcMon. After checking posts in the Microsoft Community Q&A for ProcMon, it looks like there were issues with several previous versions – 3.82, 3.81 and 3.80 – as well so, for the moment, I’m sticking with 3.50. It may be old now by comparison but I use it frequently and have yet to find an issue with it. I provided a download link for 3.50 in my last post.

      Important: I’ve been doing a quick check for availability of earlier versions of ProcMon. An online search will show dozens of sites purporting to have ProcMon available for download. Unfortunately a great number of these sites really want you to download their copy of ProcMon using their own ‘Download Manager’… which is often just a vehicle for add-ons that you really, really do not want. So please be careful.

      Note also that sites like Chocolatey and PortableApps offer download links to earlier versions of ProcMon… but, when used, actually download the latest version instead.


      • #2378099

        For what it’s worth, the license agreement for Sysinternals software does not allow for redistribution.

    • #2378100

      For what it’s worth, the license agreement for Sysinternals software does not allow for redistribution.

      It’s a good point… but therein lies a problem. The Sysinternals/TechNet website for Process Monitor offers no changelog, no ability to download previous versions nor any method to submit bug reports either via the website or from within the utility.

      All Sysinternals tools are offered ‘as is’ with no official Microsoft support. (Licensing FAQ)

      This explains why posts reporting issues on the Microsoft Community Q&A for ProcMon show no replies.

      • #2378116

        I haven’t been 100% diligent but I try to keep old versions of Process Monitor, Process Explorer, etc. as I download the newest versions. So although I have a personal fallback, my hands are tied as far as sharing older versions is concerned. It’s unfortunate that Microsoft does not maintain an authorized and available archive of superseded versions to afford fallback options when bugs manifest in the currently offered version.
