Software - Error dumping hive
Zoider (Newbie), posted 24 January 2006 at 7:20pm:

Hi,

I have a system that's been flaky lately, rebooting whenever it feels like it and going into CHKDSK on boot. I can use REGEDIT to view the registry. When I run RootkitRevealer on this system I'm getting:

SOFTWARE   0 bytes Error dumping hive: The system cannot find the file specified.
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb  1/24/2006 3:30 PM 64.00 KB Visible in Windows API, but not in MFT or directory index.

It's a Win XP Pro with SP2, I made a new directory C:\TEST, removed inherited rights and explicitly set the rights for my admin account. I used FILEMON as mentioned in another post on this topic and here's the log:

1 6:01:39 PM FIN.exe:796 OPEN C:\WINDOWS\system32\CYYPZ  NOT FOUND Options: Open  Access: All
2 6:01:39 PM FIN.exe:796 OPEN C:\WINDOWS\system32\CYYPZ  NOT FOUND Options: Open  Access: All
7 6:01:53 PM FIN.exe:796 READ  C:\WINDOWS\system32\CYYPZ END OF FILE Offset: 0 Length: 256
8 6:01:53 PM FIN.exe:796 READ  C:\WINDOWS\system32\CYYPZ END OF FILE Offset: 0 Length: 512
10 6:01:53 PM FIN.exe:796 READ  C:\WINDOWS\system32\CYYPZ END OF FILE Offset: 0 Length: 2
12 6:01:53 PM FIN.exe:796 READ  C:\WINDOWS\system32\CYYPZ END OF FILE Offset: 0 Length: 512
15 6:01:53 PM FIN.exe:796 READ  C:\WINDOWS\system32\CYYPZ END OF FILE Offset: 0 Length: 512
16 6:01:53 PM FIN.exe:796 READ  C:\WINDOWS\system32\CYYPZ END OF FILE Offset: 0 Length: 64
18 6:01:53 PM FIN.exe:796 READ  C:\WINDOWS\system32\CYYPZ END OF FILE Offset: 0 Length: 512
26 6:01:53 PM FIN.exe:796 OPEN C:\WINDOWS\system32\IIZ  NOT FOUND Options: Open  Access: All
27 6:01:53 PM FIN.exe:796 OPEN C:\WINDOWS\system32\IIZ  NOT FOUND Options: Open  Access: All
1241 6:01:59 PM FIN.exe:796 OPEN C:\WINDOWS\system32\SRJCQRSR NOT FOUND Options: Open  Access: All
1242 6:01:59 PM FIN.exe:796 OPEN C:\DOCUME~1\John\LOCALS~1\Temp\cmd.exe NOT FOUND Options: Open  Access: All
1289 6:01:59 PM FIN.exe:796 OPEN C:\WINDOWS\AppPatch\systest.sdb NOT FOUND Options: Open  Access: All
1290 6:01:59 PM FIN.exe:796 OPEN C:\WINDOWS\AppPatch\systest.sdb NOT FOUND Options: Open  Access: All
1291 6:01:59 PM FIN.exe:796 OPEN C:\WINDOWS\AppPatch\systest.sdb NOT FOUND Options: Open  Access: All
1292 6:01:59 PM FIN.exe:796 OPEN C:\WINDOWS\AppPatch\systest.sdb NOT FOUND Options: Open  Access: All
1372 6:01:59 PM FIN.exe:796 OPEN C:\WINDOWS\system32\cmd.exe.Manifest NOT FOUND Options: Open  Access: All
1373 6:01:59 PM FIN.exe:796 OPEN C:\WINDOWS\system32\cmd.exe.Manifest NOT FOUND Options: Open  Access: All
1374 6:01:59 PM FIN.exe:796 OPEN C:\WINDOWS\system32\cmd.exe.Manifest NOT FOUND Options: Open  Access: All
1375 6:01:59 PM FIN.exe:796 OPEN C:\WINDOWS\system32\cmd.exe.Manifest NOT FOUND Options: Open  Access: All
1377 6:02:01 PM FIN.exe:796 OPEN C:\WINDOWS\system32\SRJCQRSR SHARING VIOLATION Options: Open  Access: All
1378 6:02:01 PM FIN.exe:796 OPEN C:\WINDOWS\system32\SRJCQRSR SHARING VIOLATION Options: Open  Access: All
1379 6:02:01 PM FIN.exe:796 OPEN C:\WINDOWS\system32\SRJCQRSR SHARING VIOLATION Options: Open  Access: All
1380 6:02:01 PM FIN.exe:796 OPEN C:\WINDOWS\system32\SRJCQRSR SHARING VIOLATION Options: Open  Access: All

Any help would be greatly appreciated. I'm assuming it's possible that, given the system's repeated use of CHKDSK, the hard drive is failing.

Thanks

namrehto (Senior Member), posted 25 January 2006 at 4:45am:

C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb is the easy bit - it's Windows Update making a check and deleting a temp file during the RKR scan.

The Filemon trace from the "SOFTWARE   0 bytes Error dumping hive" error is interesting. For the most part what you are seeing are the random-named temp files RKR uses in c:\windows\system32 being accessed. The NOT FOUND messages are normal as the files are new. The "SHARING VIOLATION" on C:\WINDOWS\system32\SRJCQRSR however may well tie up with the "SOFTWARE   0 bytes Error dumping hive" error.

I'll bring it to Sysinternals' attention.

[edit] The repeated use of CHKDSK is because the system stopped with a dirty disk and is quite possibly a by-product of a hardware problem elsewhere. [/edit]

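A small triage script for a Filemon trace like the one above, written as an added example for this thread (it is not code from Sysinternals or from anyone posting here): it parses lines in the pasted layout, treats NOT FOUND / END OF FILE on RKR's random-named scratch files under system32 as expected, and flags SHARING VIOLATION results, which are the entries namrehto singles out. The sample trace is constructed from the lines quoted above, and the scratch-file name pattern (short upper-case name, no extension, directly under system32) is an assumption.

```python
import re
from collections import Counter

# One Filemon line as pasted in the thread: seq, time, process:pid, op, path, result, details.
LINE_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<proc>\S+?):(?P<pid>\d+)\s+(?P<op>[A-Z]+)\s+(?P<path>.+?)\s+"
    r"(?P<result>SUCCESS|NOT FOUND|END OF FILE|SHARING VIOLATION|ACCESS DENIED)\b"
)

# Assumed shape of RKR's scratch files (CYYPZ, IIZ, SRJCQRSR in the trace above).
RKR_TEMP_RE = re.compile(r"^C:\\WINDOWS\\system32\\[A-Z]{3,8}$")


def parse_line(line):
    """Return the named fields of one trace line, or None if it is not a trace line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec):
    """'expected', 'suspicious' or 'other' for one parsed record."""
    if rec["result"] == "SHARING VIOLATION":
        # Another component already holds the file RKR is opening; worth a closer look.
        return "suspicious"
    if rec["result"] in ("NOT FOUND", "END OF FILE") and RKR_TEMP_RE.match(rec["path"]):
        return "expected"  # a freshly created scratch file: normal, as namrehto notes
    return "other"


def triage(lines):
    """Count records per class and list the flagged (seq, path, op) tuples."""
    summary, flagged = Counter(), []
    for rec in filter(None, map(parse_line, lines)):
        kind = classify(rec)
        summary[kind] += 1
        if kind == "suspicious":
            flagged.append((rec["seq"], rec["path"], rec["op"]))
    return summary, flagged


# Constructed sample, modelled on the trace posted in the thread.
SAMPLE_TRACE = r"""
1 6:01:39 PM FIN.exe:796 OPEN C:\WINDOWS\system32\CYYPZ  NOT FOUND Options: Open  Access: All
7 6:01:53 PM FIN.exe:796 READ  C:\WINDOWS\system32\CYYPZ END OF FILE Offset: 0 Length: 256
26 6:01:53 PM FIN.exe:796 OPEN C:\WINDOWS\system32\IIZ  NOT FOUND Options: Open  Access: All
1242 6:01:59 PM FIN.exe:796 OPEN C:\DOCUME~1\John\LOCALS~1\Temp\cmd.exe NOT FOUND Options: Open  Access: All
1289 6:01:59 PM FIN.exe:796 OPEN C:\WINDOWS\AppPatch\systest.sdb NOT FOUND Options: Open  Access: All
1377 6:02:01 PM FIN.exe:796 OPEN C:\WINDOWS\system32\SRJCQRSR SHARING VIOLATION Options: Open  Access: All
1378 6:02:01 PM FIN.exe:796 OPEN C:\WINDOWS\system32\SRJCQRSR SHARING VIOLATION Options: Open  Access: All
"""

if __name__ == "__main__":
    counts, hits = triage(SAMPLE_TRACE.splitlines())
    print(dict(counts))
    for seq, path, op in hits:
        print(f"check seq {seq}: {op} {path} hit a sharing violation")
```

Run it against a saved Filemon log (with Log Successes unchecked, as suggested later in the thread) by passing the file's lines to triage(); any flagged path is the one to cross-check against installed filter drivers or real-time scanners.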
Mark (Admin Group), posted 25 January 2006 at 8:21am:

Do you have antivirus or other file system filter drivers running on the system?
Zoider (Newbie), posted 25 January 2006 at 10:33am:

Norton Anti-Virus is installed on that system but the real-time protection is not enabled.

I'm not aware of any other file system filter drivers on that machine.

Zoider (Newbie), posted 26 January 2006 at 12:26pm:

I had another machine that I ran the APROPOS fix and EWIDO on. It cleaned up real nice. When I run either of those programs on the problem machine, it reboots during the registry scan. It does this in both normal mode and safe mode.

Any thoughts?

amonstertrucker (Newbie), posted 28 January 2006 at 12:45pm:

I'm getting the same thing. Except RKR only shows the one line:

SOFTWARE    0 bytes Error dumping hive: The system cannot find the file specified.

After scanning, it shows no problems or issues. What file is RKR looking for anyway? My computer has been acting strangely lately, even after closing all apps, except my firewall. It seems awfully slow. I've run spyware programs and antivirus programs and everything appears clean. So I ran RKR, and this is the first time I got this kind of message. Any help on this would be appreciated.

Abit AN8 Ultra
AMD Athlon 64 3700+
1G RAM
Nvidia 6800 GT 256MB
Windows XP sp2

namrehto (Senior Member), posted 28 January 2006 at 12:51pm:

It's an error dumping the software hive of the registry. There seems no consistent reason, but you should check that you have unrestricted write permission both to the directory containing RootkitRevealer.exe and to C:\windows\system32, and that no over-zealous antivirus real-time protection could be getting in the way. Presumably you're running 32-bit WinXP.

As for your machine running slowly that could be something quite different. It may help to run Process Explorer and see if any tasks are consuming large amounts of CPU.
amonstertrucker (Newbie), posted 28 January 2006 at 1:38pm:

I'm logged in as the system admin, and it doesn't look like it's an access situation. Maybe I should mention that I have SuSE Linux 10.0 64bit version on another partition on the HD, but I wouldn't think that would be a problem? I should also correct my previous statement, the machine isn't really running slow, it just seems that after logging in, it takes an unusually long time before my ZoneAlarm firewall starts. I currently have no real-time antivirus programs running and you are correct that I'm running 32-bit WinXP. I haven't run RKR in about a month or so, but when I did it worked fine back then.
namrehto (Senior Member), posted 28 January 2006 at 4:16pm:

You could try doing what Zoider did and run a Filemon trace during the registry scan stage. You'd need to uncheck the Log Successes box to avoid getting too much data. End the capture when RKR moves on to Enumerating the C: drive.
Bryce (Senior Member), posted 02 February 2006 at 11:33am:

I wouldn't mind seeing a Regmon trace as well to ensure RegSaveKey was successful.