
installation error

molotov (Moderator Group)
Posted: 15 October 2009 at 3:33am
Hi Mario,

Please see this post covering RKR on both x64 and Vista systems. 

Daily affirmation:
net helpmsg 4006

mario62 (Newbie, Location: Austria)
Posted: 06 October 2009 at 9:10am
Hello,

I have the same problem here: unable to install RKR Service.

OS=VISTA Home, with all SP+Fixes installed.
I run as Admin.

Regarding psexec:

-> "the command psexec is not known ..." (I see the message on a German OS: "Der Befehl "psexec" ist entweder falsch geschrieben ...")

I run SOPHOS antivirus (but so do I on my 2nd computer with WinXP, and there is no problem with RKR).

Note: When I start RKR I got a question regarding execution rights (have you started this application ...).

I also had PCTools Spyware Doctor running. Now I terminated this tool.
Now RKR starts, BUT!! On a different screen! I got "interactive service dialog cannot be displayed ...." and the OS switches to another screen.

Here I started the RKR scan.

And now my Vista turns off the screen completely (no signal!).

After 1 minute I see the Vista logon screen, showing me the administrator is still running.
OK, re-logon to admin.

Showing me a dialog "detection of interactive service dialogs: the message from a program cannot be displayed at windows desktop : show message".

Switching, I see RKR still running.

Crazy.

mario semo.
best regards,
mario semo

molotov (Moderator Group)
Posted: 18 August 2009 at 5:29pm
EventID 4226: TCP/IP has reached the security limit.
The event is logged as a response to activity that is triggering a feature introduced in Windows XP SP2.  More info here.

Consider running RKR as SYSTEM - psexec -sid c:\path\to\rootkitrevealer.exe  - any change?

jackflash (Newbie)
Posted: 18 August 2009 at 4:40pm
Hi, thanks for your attention,

Running with administrator rights.

No local anti virus/mal software actively or otherwise running on this machine; I use online scan services periodically: OneCare and F-Sec.

For what it is worth, I have recently attempted use of F-Sec's BlackLight tool and have run into the same problem, unable to initiate scanning. I mention this only in that these are both aimed at rootkits. F-Sec has been unable to provide any insight about their product, however.

I have used both of these tools successfully in the past on this machine.

Guess - Could the "Server" service not running pose this problem?
I have it disabled, as it seems to prevent sharing of any kind. While I enable and disable it as needed, i.e. when I wish to run MBSA scans, enabling it when installing RKR has not offered a solution.

I am concerned that I may have a bug of some kind based on recent and regular event log warnings, EventID 4226: TCP/IP has reached the security limit.

molotov (Moderator Group)
Posted: 18 August 2009 at 1:52am
Hi jackflash,

It seems that some software may be preventing RKR from installing its service.  Else, it is not being launched with the permissions required.  Do you have any security / AV software installed that may be interfering?  Perhaps check its log files for details about what it may be doing.

jackflash (Newbie)
Posted: 18 August 2009 at 12:57am
"Access Denied"
 
Event Log Information
 
Event Type: Information
Event Source: HHCTRL
Event Category: None
Event ID: 1904
Date:  8/17/2009
Time:  6:12:18 PM
User:  N/A
Computer: Running WinXP Pro sp3
 
Description:
The description for Event ID ( 1904 ) in Source ( HHCTRL ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; The following information is part of the event: http://search.microsoft.com/results.aspx?qsc0=0&q=technet+sysinternals+Forum+forum+topics+rootkit+revealer&mkt=en-US&FORM=QBME1&l=1, http://go.microsoft.com/fwlink?LinkID=45840.
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date:  8/17/2009
Time:  6:35:27 PM
User:  N/A
Computer: 

Description:
The QXTHBOHSJY service failed to start due to the following error:
Access is denied.
The YFZACOZK service failed to start due to the following error:
Access is denied.
The DXTRXCI service failed to start due to the following error:
Access is denied.
The GKFZPJ service failed to start due to the following error:
Access is denied.
The RYAHQ service failed to start due to the following error:
Access is denied.
The GWUUACHOTWYC service failed to start due to the following error:
Access is denied.
The THVVHA service failed to start due to the following error:
Access is denied.
The RHUQOJ service failed to start due to the following error:
Access is denied.
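
The following is an added example, not code from the thread or from Sysinternals: it parses an event-log export in the text layout pasted above and lists the services that the Service Control Manager reported as failing to start (Event ID 7000), with the error given for each. The sample input is constructed from two entries of the post, and the function names are hypothetical.

```python
import re

# Constructed sample in the layout of the pasted export; the service names,
# date and time are copied from the post, the rest is abbreviated.
SAMPLE = """\
Event Type: Information
Event Source: HHCTRL
Event ID: 1904

Description:
The description for Event ID ( 1904 ) in Source ( HHCTRL ) cannot be found.
Event Type: Error
Event Source: Service Control Manager
Event ID: 7000
Date:  8/17/2009
Time:  6:35:27 PM

Description:
The QXTHBOHSJY service failed to start due to the following error:
Access is denied.
The YFZACOZK service failed to start due to the following error:
Access is denied.
"""

EVENT = re.compile(r"(?ms)^Event Type:.*?(?=^Event Type:|\Z)")
FAIL = re.compile(r"(?m)^The (.+?) service failed to start due to the "
                  r"following error:\s*\n(.*)$")

def parse_events(text):
    """Return one dict per event: header fields plus 'Description'."""
    events = []
    for chunk in EVENT.findall(text):
        head, _, desc = chunk.partition("Description:")
        pairs = (ln.split(":", 1) for ln in head.splitlines() if ":" in ln)
        fields = {k.strip(): v.strip() for k, v in pairs}
        fields["Description"] = desc.strip()
        events.append(fields)
    return events

def service_start_failures(text):
    """(date, time, service, error) for each SCM Event ID 7000 entry."""
    rows = []
    for ev in parse_events(text):
        key = (ev.get("Event Source"), ev.get("Event ID"))
        if key != ("Service Control Manager", "7000"):
            continue
        for name, err in FAIL.findall(ev["Description"]):
            rows.append((ev.get("Date"), ev.get("Time"), name, err.strip()))
    return rows
```

Run over the full excerpt from the post, this returns eight rows with eight different service names, each with the error "Access is denied."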

 

 
