Finding a Disappearing Application in Windows?

siuengr asks: "I have a computer that has a window that pops up every few minutes, but disappears before I can figure out what it is. I have run every virus program and spybot cleaner I have, but they do not find any problems. How can I figure what is causing this window to pop-up all the time, when it doesn't stick around long enough to see anything about it? Is there any software that tracks what applications have ran over a period of time, even if they are not currently running?"

Task Manager

[Lazbien]

Open up the Task Manager and be patient. Watch the processes.

Re:Task Manager

[ForumTroll]

It's trivial to replace the task manager with one that only shows certain processes, and this technique is used regularly by malware. If the security of your system has been breached the task manager isn't a reliable source of information.

Re:Task Manager

[MLease]

Good point. Maybe download Process Explorer [sysinternals.com] instead.

-Mike

The next step...

[hackwrench]

After doing that and then downloading Process explorer to make sure it isn't replaced is to look in your startup with either MSconfig or startup control panel.
http://www.sysinternals.com/Utilities/ProcessExplo rer.html [sysinternals.com]
http://www.mlin.net/StartupCPL.shtml [mlin.net]

Re:Task Manager

[OmnipotentEntity]

It could be that the process isn't actually a process, but a dll loaded into a process.

You'll need to get Process Explorer as explained in the above posts. Then when you find the nasty, you'll want to kill the process housing it, and then type regsvr32 /u thenameofthe.dll into a cmd window. Then you'll want to move or remove the file.

Get Spyberus

[Alien54]

Available at robotgenius.net

Spyberus is free of charge. Check out the tutorial [robotgenius.net]

There is probably a dll that is tied into explorer or something to repopulate when you clean.

Also, use Spybot Search and Destroy in safe mode with all of the updates, but use all of the immunize functions first. It can spot some zombie process that "look" normal, but which sure as heck aren't. and then kill them.

Do a maximum amount of cleaning in safe mode.

Check out Spywarewarrior.com [spywarewarrior.com] for a comperhensive list of bogus cleaners that are really infectors. For an example, see this illustration [jahewi.nl].

I make a decent living doing nothing but cleaning things like this up. I can't give you a ten page How-to, but the links will put you on the right trail.

Re:

[Alien54]

I think some of us would like the 10 page how-to. Some of us might be willing to PAY for the how-to. Why reinvent the wheel?

It tends to get outdated quickly, plus Spywarewarrior has forums that come with extra handholding free.

Plus they have the equivalent of the 10 page How-To here:

spywarewarrior.com/sww-help.htm [spywarewarrior.com].

Like I said, the links I provided are enough to get you pointed in the right direction.

Re:

[drinkypoo]

Anonymously doesn't mean anonymously. Slashdot knows who made what posts, or at the very least, who has contributed to a discussion. (I haven't studied slashcode, so I do not pretend to know precisely what is going on.) Try it sometime, post anon to a discussion when you have mod points, then come back and try to moderate in that discussion.

Re:

[DieNadel]

I agree with you. I've been testing this new discussion system for a while, but they just added this moderation "feature" lately.

I'd rather have something like the combo with a [MODERATE] button next to it (so that I don't have to go all the way down).

Re:

[stry_cat]

@#$$@# That's where all my mod points went!! I had 4points and like I always do, I play with the dropdowns quite a bit before I find ones I want to moderate. No telling what kind of horrible moderation I did last week. #!@#$#@ Sorry about that folks.

Same here.

[Cybert4]

Same thing! Be interesting to see if anyone tracks this down. My solution was to buy a new computer (old one severely needed an upgrade anyway). I looked through my processes and didn't see anything. Tried windows live antivirus too. Happens every few minutes here. Try killing your processes or using msconfig to kill startup stuff. There's several sites that list known windows processes.

Nuking windows and/or wiping drives or partitions will of course work as well.

Re:

[Simon80]

buy a new computer? It really irks me when people cite this as a solution. You most definitely did NOT fix the problem, you are just avoiding it. At the very least, you can install another OS. This isn't a hard process, you just have to download an image, burn it to a CD, boot off the CD, and follow simple instructions.

Re:Same here.

[joto]

buy a new computer? It really irks me when people cite this as a solution.

It is a solution!

Just because it's not the techiest, or generally lowest-cost, or whatever, doesn't disqualify it from being a solution. It solved his problem. Therefore, by definition it is a solution.

Re:

[iamhassi]

"It is a solution!"

not really, it's just avoiding the problem, the problem really hasn't been solved so it's not really a solution, it's more a work-around to achieve a end result. The problem still exists, just not on the computer he's using.

It's like "hey, my brakes squeal, how do I solve this?" And instead of really solving the squealing brakes by replacing them you just buy a new car. Do the brakes still squeal? Yes, but since you're not driving it anymore you no longer care.

Re:Same here.

[joto]

It's like "hey, my brakes squeal, how do I solve this?" And instead of really solving the squealing brakes by replacing them you just buy a new car. Do the brakes still squeal? Yes, but since you're not driving it anymore you no longer care.

Yes. It is like that. But it is still a solution !

Just because you find it a bit silly to replace a whole computer because of spyware, or replace a whole car because of squeaky brakes, doesn't disqualify it as a solution. No matter how silly you find it, it's still a solution to the problem of the user experiencing spyware on his computer, or squeaky brakes on his car.

In the case of the computer, as a techie, I would actually recommend this to non-techies. A new dell costs about the same as you could expect to pay if you would pay someone to fix the problem. In addition you get a new and better computer. If you were to pay someone to fix it, you would still solve the problem, and still part with your money, but you would not have a new and spiffy computer. If you invested the time into learning enough about computers to fix it yourself, by the time you were finished fixing the probem, if you'd been working overtime instead, you could have bought at least 50 dells.

As for the car, the same logic applies. If it's an old car, which you know sooner or later will need a major (costly) overhaul, you can just as well ditch it when a problem shows up, such as squeaky brakes. You don't need to fix it yourself, or pay someone to do it, when you are going to need a new car soon enough anyway.

Re:

[TubeSteak]

Just because you find it a bit silly to replace a whole computer because of spyware, or replace a whole car because of squeaky brakes, doesn't disqualify it as a solution.

The more layers of bureacracy you have to deal with, the more valid that solution becomes.

Anyone who's dealt with military efficiency (or even standard Gov't bureaucracy) could tell you that throwing away a $2,000 item is cheaper than trying to get it fixed.

Buying a new computer may not be a valid solution for this particular /. Submitter,

Re:

[lostboy2]

Not that it matters, but I think you're both right, only you're more right. Whether or not buying a new computer is "a solution" depends on how you define the problem.

If the problem is stated as "fix this computer", then buying a new one is not a solution. If the problem is "eliminate the offending application", then buying a new computer is a solution, although possibly just a temporary one. Since the parent post mentioned the need/desire to upgrade anyway, I'm inclined to go with the latter definition.

Re:

[gurps_npc]

Joto, you are making assumptions about what the word Solution, and what the real PROBLEM is.

Specifically, you are thinking the problem is "the owner is annoyed". If that is the real problem, then putting a bullet in their brain will also solve it. Your answer demonstrates practicality, not intelligence.

Stop thinking about it as a real life thing annoying you and pretend this is a question on a test given to you by your teacher at a car mechanic school/computer mechanic school.

We both know you would FAI

Re:

[mustafap]

This is just fucking stupid.

We are all moving into a throw-away society. Attitudes like that are the reason for so much crap being dumped into the oceans.

Christ, will people wake up.

Re:

[itwerx]

I guess that depends what you decide the problem is. Is the problem that there's a window that pops up, or is it that said window irritates the user. Buying a new computer will fix the latter, as it relieves the irritation.

Whether you label it as the problem or not, the irritation is still just a symptom.

Re:

[tambo]

It is a solution!

It is a solution that involves no learning on the part of the computer owner. This practically guarantees that the same problem will arise again on the new system. End result: ignorance-driven obsolescence.

Computers are complex - and are only becoming more so. Burnable optical discs and flash drives are better than floppy disks for many reasons, but they're also harder to use than stupidly simple 5.25"ers. Wireless networking is preferable to wired networking, but configuration can be

Re:

[Schraegstrichpunkt]

It depends on how you define the problem. If the problem is "this computer has malware", then buying a new computer is not a solution. If the problem is "the computer I use most of the time has malware", then it is.

Re:

[1u3hr]

It depends on how you define the problem. If the problem is "this computer has malware", then buying a new computer is not a solution. If the problem is "the computer I use most of the time has malware", then it is.

It's nether of those; if you look at the top of the page, the problem is:

How can I figure what is causing this window to pop-up all the time?

And the reason we're discussing it at all is the idea that something interesting or sneaky is going on, and can the Great Minds of Slashdot find out

Re:

[dargaud]

It is a solution!

Well... not necessarily... Get a new computer and start reinstalling all the stuff you were using on the old one... until the prog you got on IRC to do whatever reinstalls the same spyware and you are screwed back to square one.

Re:

[JorDan Clock]

When the cost of repairs excede the value of the car, sure. The poster pointed out the computer was in need of upgrades, so this is indeed a very good solution. He no longer has that specific problem and has a speedier computer. Let's just hope he takes better precautions with the new one and that extra speed doesn't just run the same malware faster.

While this kind of solution isn't very good if you repeatedly run into the same problem, it's perfectly reasonable in the context. Why bother fixing it when yo

Re:

[LordKronos]

The poster pointed out the computer was in need of upgrades, so this is indeed a very good solution. He no longer has that specific problem and has a speedier computer.

But was the speed of the COMPUTER really a problem before? I've seeb enough reports on how user's computers get so full of spyware that it slows the machine down over time. Then they feel their computer is too slow so they buy a new one, even though the old hardware was plenty fast enough.

Re:

[ErikZ]

"On top of that, how do I know if I am approaching MTBF on my hard drive when I don't know how many hours I've been running it over the past 6 years? "

You don't. It's a complete crapshoot, at best you'll get some warning that the hard drive is failing.

Re:

[Squozen]

It's reasonable if the next computer runs Linux or OS X, I guess.

At some point though...

[charleste]

..."totaled" will be one of those repairs. Case in point, my 1980 pickup truck. When it came down to having to scrape off the transmission pan gasket (did you know they weren't designed to last 25 years?), it became "totaled". I for one did not want to spend 8 hours on my back underneath it flicking who-knows-what toxic things into my nostrils and pores, and my reliable shop gave me a bid of 4 hours (@US$40/hr)... Take into account that it has no heater (and I live in the Great White North), and the fuse

Re:

[kabz]

Lots of people actually do buy a new computer. My inlaws have a stack of perfectly decent but probably jacked-up software-wise PCs, including quite a cool looking Sony Vaio 'Monolith' tower.

To "people like us" (tm) the software is fixable, and hardware may be fixable.

To regular Joe User it is just a failing computer, and they have not much more chance of fixing whatever it is, than performing open heart surgery on the Pentium III or whatever powers their piece of junk.

Re:

[xtracto]

Just as a comment, I once stupidly made my machine hijacked my crapware (can you believe I actually ran the "crack.exe" file that comes with the astalavista cracks =oS) and had to spend almost 4 hours cleaning my computer.

I used lots of anti cracpware programs that certainly cleaned a lot of things but my machine kept getting infected.

After some time I dont know why I searched in the "Screen properties" (dont remember the exact name as I am in Linux now), where you right click the desktop and then properti

Let us not get ahead of ourselves.

[sporkme]

Use CamStudio (GPL) [camstudio.org], or some other desktop video recorder. Record your desktop until the event has occurred a few times, then advance to a frame in the video file that contains the dialogue box/application window. Leave the task manager (ctrl-alt-delete) running off to the side. Let the event occur once with the applications tab displayed and once with the processes tab. Make sure you can see the whole process list.

Check the event viewer (control panel->administration) for erratic messages. Try disabling processes one by one to see if one of them is the cause. What Anti-stuff are you running? Anti-stuff is only as good as the definition database. Furthermore, many malicious processes can hide their existence from the OS, and an application tracking software is almost certainly going to get this info from the OS. Make sure your video drivers are up-to-date. If you suspect that the app communicates over the netowrk, install a software firewall and set it to anal mode.

Run a benchmarking utility or simultaneously run several resource hungry applications to slow the machine down, and maybe the window will hang around for a while.

If you cant catch it there, just format and reinstall Windows--the standard fix for anything Microsoft. Cue the mac/linux comments!

Re:

[Marxist Hacker 42]

I agree- but easier than trying to find the screen real-estate to see the entire task list, click on the "CPU" column until "Sytstem Idle Process" is at the top- this will essentially sort the list by the most active programs of the second, and then the screen recording software will capture all the currently running processes.

Re:

[berzerke]

Unless there is a rootkit, in which case, it will never show anything. I've encountered rootkits on Windows recently, 2 in August alone. I suspect we will be seeing more and more of them.

Re:

[Lisandro]

If you cant catch it there, just format and reinstall Windows--the standard fix for anything Microsoft. Cue the mac/linux comments!

You're being funny, but i had to fix a Windows system at work after years of both working with and using at home Linux desktops, and the experience was horrid. Horrid. I had to use three different spyware programs + Avast antivirus, spent a few hours, and i'm pretty positive they left crud behind.

I have a Windows partition i use when i'm really forc

Re:

[dohzer]

A camera is actually what I used to catch my Bios screen the other day when it was flashing up too quick to read, and then reseting. Because the problem was occuring before the OS could load there was no way I could actually use a program to check it.

Re:

[sporkme]

I cannot and AFAIK never have produced anything but task manager DIRECTLY via ctrl-alt-del. I cannot produce a different result with ctrl-shift-esc. In what scenarios would the ctrl-shift-esc shortcut make a difference? I have never had to use ctrl-shift-esc but I knew it had the same result. Windows 98? couldn't tell ya this late in the game.

Some Anti-virus Progs

[Zardus]

A friend of mine had issues with Kapersky anti-virus doing this every few minutes. Do you have that installed?

Tiny Firewall

[Microlith]

Tiny Firewall provides a security module that requires the user authorize every unknown application be manually allowed to run.

While I have yet to see any unknown process start on my machine, none (not even ones started by trusted processes) are allowed to proceed without first being given the OK by me. I'd give it a shot and see if TF 2006 can catch it for you.

Re:

[joto]

Somebody actually use tiny firewall? Wow, I tried it once, and after having clicked yes about 2579 times the last 5 minutes... it didn't get used any more!

Re:

[Sparr0]

Why are you running 2579 different applications? Sounds like poor design on some OTHER developers' parts.

Re:Tiny Firewall

[netsharc]

I second this idea. Although I know it as Kerio Firewall (and it's nowhere to be found at kerio.kom, only at Sunbelt Software, what gives?), here's the download page [sunbelt-software.com].

I once helped a girl who suffered the same problem. A pop-up comes up every so often. I didn't see anything wrong at first, but then I noticed wscript.exe was running. It was running a VBS-script in a loop, and every few random minutes it would launch an Internet Explorer window with an ad, which would just as quickly disappear. I search the disks for all VBS files, found the suspect file, and searched the registry for any mention of that filename.

Another way malware might hide is when they install themselves as a service.

Re:

[Sycraft-fu]

What gives is Kerio sold it's firewall to Sunbelt Software (Counterspy is what they are best known for). Reasons were not disclosed. If I was to guess I'd say they weren't making enough money on it and were worried the improved Vista firewall would cut that back further.

Process Explorer

[greerga]

Prcess Explorer [sysinternals.com] Options..Different Highlight Duration

Re:

[Chelloveck]

Yup. Process Explorer [sysinternals.com], Filemon [sysinternals.com], and Regmon [sysinternals.com] should be in everyone's toolboxes. And it might not be a bad idea to download everything from SysInternals [sysinternals.com] as it was recently acquired by Microsoft and may not exist much longer. From the announcement on their blog:

As for Sysinternals, the site will remain for the time being while Microsoft determines the best way to integrate it into its own community efforts, and the tools will continue to be free to download.

Disapearing Windows

[Anonymous Coward]

It might be a better solution

Process Explorer

[x2A]

Google for it. It shows recently terminated processes in red (or whatever) for a few seconds after it's terminated (all configurable)

Re:

[RobertKozak]

Process Explorer [sysinternals.com]

Approach the problem logically...

[baadger]

Assumptions:
1. For a dialog to be coming up it has to be iniatated by a process.
2. Mystery process most likely isn't part of Windows

Action:
1. Disable all startup programs with msconfig
2. Reboot
3. If problem is gone re-enable startup processes one at a time.
      If the problem is back/still there go to step 5
4. Goto step 2
5. Visit Slashdot. Scroll past this comment and proceed to next proposed solution, one which, hopefully, won't waste your time like this one just did.

Re:

[x2A]

You lie! If this was really slashdot, 6. would be "profit!!!"

Re:

[dasunt]

A binary search would be better. Split the search space (the set of startup programs) in half. Enable or disable one half. If the problem appears, adjust your search space to that half. If the problem does not appear, adjust your search space to the other half. Repeat.

Re:

[jb.hl.com]

Have a look through twitter's post history. You'll die of laughter, pretty much all his posts are like this.

Re:

[jb.hl.com]

He clearly was, considering the number of times he's said Microsoft "rapes peoples wallets". Must be a touchy subject.

24 hour respnse time

[twitter]

Did you guys have some kind of technical problem? Like IP blocks? I almost missed you losers and your modbomb.

Re:

[jb.hl.com]

Modbomb. Yes. Of course, twitter. Everyone's out to get you.

In case you haven't realised, if you didn't spout shit all the time, you wouldn't get modded down and "stalked".

Maybe the app isn't actually closing

[PygmySurfer]

Maybe the process continues to run, it's merely popping up some kind of window from time-to-time. I'd look through task manager for any processes that don't seem right. Google for the process names if you find anything suspicious.

Or maybe it's just Messenger showing you when someone's logged on :P

Check Scheduled Tasks

[justanyone]

If nothing obvious is running as a process, this might be popping up from a scheduled task.

Occassionally we ran these at my old job and it would pop up a window in front of whatever you were doing, very briefly. The task was a batch file that kicked off something else.

HP?

[Anonymous Coward]

If you have an HP printer/scanner it might be their updater program.

Sysinternals.com

[szyzyg]

Look on sysinternals.com - the best bet would be Filemon - then you can track which files are being opened.

Re:

[AndroidCat]

Mark Russinovich (sysinternals.com) has a whole bunch of darned useful tools for watching access to TCP/IP, the registry, filesystem, processes etc. I mainly use TCP/IP View, but the others have come in handy. Highly recommended!

Process Explorer

[rizzle]

Download Process Explorer [sysinternals.com]. It's like task manager on steroids. One of the things you can do is put "delays" on the list of running processes when the list changes, like with the addition/removal of a process/window.

Go to Options > Difference Highlight Duration, and set it like 15 seconds or whatever. New processes will show up in bright green for 15 secs, and killed processes will show up as red for 15 secs.

It's probably your addblocker

[lobsterGun]

your adblocker (or something like it) is proabaly closing a popup window as soon as it appears.

Do you use TweakUI?

[WalterGR]

Your exact scenario happened to me a few weeks ago.

Do you use the TweakUI program that comes with Powertoys for Windows XP? If so, do you have X-Mouse turned on? Check Mouse -> X-Mouse and see if "Activation follows mouse (X-Mouse)" is turned on.

Some poorly written Windows apps will pop up dialogs that then disappear if they lose mouse focus. If you have X-Mouse turned on, they will pop up a dialog - and if your mouse is anywhere else on the screen, they'll think they've lost focus and close the dialog.

All I had to do was disable X-Mouse until the app popped the dialog again, then I could deal with it. Unfortunately I don't remember what the poorly written program happened to be...

HP Software?

[Clazzy]

We have an HP PSC 2355 printer and we installed the software that came with it. Anyhow, every half an hour or so, a program would randomly appear in the taskbar and disappear very quickly afterwards, usually minimising any full-screen applications. In the end, we had to disable it in msconfig. I honestly can't remember what the entry was in msconfig, but I could find it somewhere if it's actually the problem. Of course, it probably begins with "hp" anyway.

Re:

[Karma Farmer]

The most interesting thing in this thread is that more than 10% of the posts are about badly written HP printer software.

That is one seriously messed up company.

Re:HP Software?

[biglig2]

Tell me about it, I installed a new HP multi-fuction printer/scanner/fax on Tuesday. As soon as I connected it to the phone line, it called up the phone company, pretended to be me, got my phone records, and faxed them to HP corporate headquarters.

Re:

[lukas84]

Never, ever buy consumer printers / scanners / etc. They're all complete and utter crap.

I had to configure one of these for my mother, and they're unusuable.

The semiprofessional equipment they offer is, however, rather good.

We've got a new HP LaserJet color 4700 DTN, just a few weeks ago. Thats a semiprofessional 30 ppm color laser printers with 3 500 Sheet feeders.

Works like a charm. The printer driver is a normal windows driver, no software, no nothing. Just install the 2 mbyte printer driver, and everyth

Spy++

[storem]

Spy++ (comes with Visual Studio and probably other packages) should be able to list the window, even after it disappears and trace it to the owning process. Used it many times to find information about "rogue" dialogs.

Re:

[enharmonix]

Somebody please mod parent up! It needs to be +5 Informative.

First thing I thought of was the Borland version (Winsight), and this is exactly how you figure this kind of nonsense out. These apps actually enumerate all current window handles and will give you owning pids, parent/child windows, message queues, etc. If you don't already have a Borland IDE license, Borland now offers free (beer) and trial versions of their products, just dl a windows version and it ought to come with this tool.

If not, I also

What....

[Yusaku Godai]

Since when did Slashdot become Experts Exchange?

Re:What....

[east coast]

Since when did Slashdot become Experts Exchange?

At least we don't need to login to see the solution. That site is annoying.

Re:

[Yusaku Godai]

Yeah, I started thinking that right after I posted.
That is a good thing.

Re:What....

[SurturZ]

Accepted Answer!

Re:

[StikyPad]

Yeah, parent is probably Old School like the Old School. They don't require people to login anymore, but they used to a few years ago. I'm not sure when they changed it.

Process Lasso

[nomax]

Try Process Lasso, it has a process log feature. Very handy.

http://www.bitsum.com/ [bitsum.com]

--nomax

Re:

[grcumb]

Try Process Lasso

I have to get out of here. I just read 'Try Princess Lasso', and I started thinking, 'What, like Wonder Woman? Hey, now there's my kind of diagnostic!'

Not enough details

[jafiwam]

But...

Get "HighjackThis" which will give you a list of all the stuff starting in a log file.

From there, you can start to figure out what each one is. It takes HOURS, but you'll know a lot when you are done.

Also, get "Tlist.exe" and "kill.exe" from the Windows SDK or PowerTools.

Then compose a batch file to use the command line switches in TList to fire periodically. Eventually the two apps will be running the at the same time. (Pipe all the results to a text file you can look at.)

Or, call a pro who can dig

Re:

[jafiwam]

(Ok, bad form to reply to myself.)

Also, learn to use "netstat" as well. Pop up windows with ads might reveal themselves by the TCP/IP connections they make.

You might be looking at it...

[HiredMan]

You might be looking at it and not see it.

When to a security demo and watched the security guys run a Metasploit process that actually injected the remote .dll into a currently running .dll on the target machine while showing process viewer.
So while sys_msg.exe or whatever minimal process changed in the process viewer slightly the name remained the same and there was no way to tell that the process was suddenly pwned from a remote host and was (presumably) doing horrible and unwanted things to your computer. All from a dropdown menu, point and click interface too.

I went back to my office and hugged my Mac, tell you what.

=tkk

Macs aren't safe

[Myria]

Macs aren't safe from injecting code into an existing process. Trojans can do the exact same thing on Mac OS X as on Windows. See the vm_write() Mach API call.

Same applies to Linux's ptrace().

Melissa

Re:

[99BottlesOfBeerInMyF]

Macs aren't safe from injecting code into an existing process. Trojans can do the exact same thing on Mac OS X as on Windows. See the vm_write() Mach API call.

Yeah, but this is software availability we're talking about. Via metasploit you can do such a thing from a drop-down menu without writing a line of code. I've seen no such, easily available, malware development tools for the Mac. That isn't to say someone could not create one, just that right now that is not the situation.

Re:

[jrockway]

Metasploit has Mac exploits. And if they don't anymore, they're certainly easy to write.

This is why I hug my OpenBSD machine. It may be my family's only line of defense!

May be normal?

[jafac]

I've noticed that some web sites will pop-up a browser window and hide it. For what reason, I have no idea. Poor coding practice?

On the Mac side, you can make it appear by using Expose. It's just a tiny, blank browser window with no control bar or buttons or anything, shuffled conveniently off the screen. Until Expose makes it my bitch.

On the Windows side, I'm sure there's got to be ways of popping IE windows, and making them not appear in the task bar. I just haven't seen it on the Windows side, becaus

What OS?

[teridon]

You fail to state what OS you are running.

If you are running Windows XP Professional (I think Windows 2000 Pro also has it), you can simply turn on process tracking in Group Policy. Every process that starts will now be logged in the security log. View it with the Event Viewer (Start.. Run.. type "eventvwr.msc")

Instructions for how to enable process tracking [ask-leo.com] (for exactly the same problem!)

I don't think the same can be done for Windows XP Home... but I've been wrong before ;-)

Very Simple

[MerlynEmrys67]

If it is a window - use APISpy to track windows API calls - look for a call to CreateWindow() and track where it is coming from.

iTunes and Shared Music?

[herrlich_98]

I hate to just chime with my own two cents and wild guess but I've had the same experience and tracked it down to iTunes opening a song from Shared Music. It a small wide rectangular window saying "Opening URL..." or something. I have seen it up for longer when there are network problems. You can reproduce it by clicking on Next Song several times quickly just as quickly as it can load songs.

Slo-Mo

[Mignon]

Press the "turbo" switch and run your PC at 8mhz instead of 12. The window will stay on screen longer, giving you enough time to see what it says.

Hilarious!

[HarvardAce]

Press the "turbo" switch and run your PC at 8mhz instead of 12. The window will stay on screen longer, giving you enough time to see what it says.

I vote that this should be the comment of the week.

Re:

[clintp]

Maybe not so far off the mark: try running a session connected to the machine via VNC or Terminal Services. Especially over dialup or otherwise constricted network. The slow redraw might give you time to figure out what it is.

Re:

[HarvardAce]

if it shows up at all....and talk about an indirect solution, you might as well just screencap your entire desktop then...

Re:

[dave562]

Also useful for quickly passing those pesky "auto-pilot" animation sequences in Wing Commander. Just make sure to take turbo off before you have to fight those pesky Ferrangi.

harddrive

[kisrael]

what about figuring what's causing my laptop hard drive to go constantly? the memory settings look ok...

Re:

[Alien54]

what about figuring what's causing my laptop hard drive to go constantly? the memory settings look ok...

In general, this is cause by too many processes running for the amount of ram you are running. Things like AOL have all kinds of secondary processes. A typical lean system will be running 25 to 35 processes. Some systems ship now running 70 plus processes out of the box. Also, some people run things like Norton Internet Security, or the McAfee Security Center all in paranoid mode. These can also slow a

Write a monitoring script

[Money for Nothin']

Write a script (VBS, Perl, whatever) to monitor your process list. Have it poll the process list every quarter of a second or something, and keep a running list of processes that are found. On the first iteration, write the list to one file. On succeeding iterations, compare the list of the i-th iteration to the list of known processes -- if a new process appears that wasn't in a previous iteration, spit it out to another file...

Root-Kit?

[UltimApe]

Why hasn't anyone mentioned root-kits?

My gf's computer had a root-kit on it. I go to a tech school, and nearly everyone knowledgeable here (even IT guys) went over the damn thing to see what was wrong. It kept doing pop-ups, like it had some type of ad-ware, but it didn't appear to have anything abnormal running. It didn't matter if it was IE or firefox, the ad would pop up on pretty regular intervals. Every possible thing was checked, from using standard tools like spy-bot-s&d, any number of free and bought virus scanners... Some people (including me) even poured over the registry by hand to find out if anything was running. absolutely nothing.

It turned out to be a ROOT-KIT (2 actually, they hid each other. One user-mode, and one kernel-mode). The rogue programs actually were able to make windows "not see" the file. On boot, windows would see it just enough to turn it on, but after it was running it prevented anything from actually finding it, injecting code between the hard-disk access and low-level windows stuff. not windows-explorer, not regedit, not task-manager, not even 3rd party apps like win-task, or even defraggers.

http://www.sysinternals.com/Utilities/RootkitRevea ler.html [sysinternals.com] - RootkitRevealer 1.7 by Sysinternals showed a directory in "C:/windows", and one in "C:/program files", that if you went to look normally, didn't show up. I quickly booted up Knoppix and verified that there was some crap in there, but a search on the Internet showed nothing. Booted windows into safe mode, and since safemode doesn't run things other than windows crap, I was able to delete the two folders, and even a registry entry that showed up about it.

If you can't find anything, maybe its because it won't let you find it!

Re:

[dargaud]

nearly everyone knowledgeable here (even IT guys) went over the damn thing to see what was wrong

Why is it that people waste time looking ? A rootkit can manipulate the user interface of the US anywhich way it wants. Plug the disk out, put it as a slave into another (clean or linux) machine, and scan from there. It's the simplest and fastest way to solve this kind of issue.

Several Sysinternal tools

[S3D]

There are some very effective free tools from Sysinternal.com : 1. Process Explorer - it's showing not only the list of process, but also their paths on the disk http://www.sysinternals.com/Utilities/ProcessExpl o rer.html [sysinternals.com] 2. Autorun : showing all processes and services launched automatically on start, and allowing to disable them. Very usewful for temporary disabling DRM crap like cdac11ba.exe, temporary disabling google web accelerator on start etc. http://www.sysinternals.com/Utilities/Autoruns.htm l [sysinternals.com] 3. R

Hit the Print Screen Key

[Captain Chad]

I don't know how long it stays up, but if it's more than a half-second, you may want to just hit the print screen key as fast as you can. It will save a bitmap copy of the screen to the clipboard, which you can then analyze at your leisure.

Re:

[Kaenneth]

I was stunned when I helped someone install an HP printer recently; the disk that came with it wanted to install over 800 megabytes of stuff.

If it was essential....

[EmbeddedJanitor]

Would you be doing it on Windows?