email startup event


August 25th 05, 02:44 PM
A process is attempting to start up Outlook on my computer and
I can't figure out which one it is. I have Outlook disabled so
that this causes an error message to pop up and I am
using Process Explorer which lists all the processes but I
still don't know which process is the culprit or even if
the process is still listed when the popup error occurs.

Is there some way of creating event log entries for all
accesses of Outlook so that I can definitively determine
which process it is?

Ramesh, MS-MVP
August 26th 05, 06:29 AM
Hi,

Perhaps an application is launching the mailto: or initiating a MAPI call
(invokes the default email client, not Outlook explicitly). In any case, try
running these malware cleaners:

1. Ad-Aware
http://www.lavasoftusa.com

2. SpyBot S&D
http://www.safer-networking.org

3. CWShredder
http://www.intermute.com/spysubtract/cwshredder_download.html

Update 1 & 2 before running a scan.


--
Ramesh, Microsoft MVP
Windows XP Shell/User
http://windowsxp.mvps.org



August 26th 05, 01:31 PM
Ramesh, MS-MVP wrote:
> Hi,
>
> Perhaps an application is launching the mailto: or initiating a MAPI call.
> (invokes the default email client, not Outlook explicitly). In any case, try

Thanks. I ran Spybot and it found 94 problems which I removed
except for 3 items that appear to be Microsoft related.
I also checked out

Start > Control Panel > Internet Options > Programs tab > Email

and it has Pegasus Mail listed which is correct.

Regarding the possibility of mailto, CDO or MAPI, I tried creating
a one line HTML file:

<a href="mailto:blahblah">mail</a>

where blahblah is my email address and clicking on the link it shows
does try to bring up Pegasus mail thus it's not a mailto.

Do you know how I can test out a MAPI attempt and a CDO attempt
to see if they try to start Outlook or Pegasus? If I can determine
that both these routes attempt to start Pegasus I guess I can
assume it's attempting to access Outlook. Is that right?
The trouble I have is that it's not easy to tell if I have fixed
it since it only comes up a few minutes after each reboot thus
it would be good if I could eliminate all possibilities that it's
not like CDO and MAPI. If I can eliminate these possibilities
then I am hoping that there will be some way of logging all
Outlook accesses so that when I get the popup I can look back
in the log.


Ramesh, MS-MVP
August 26th 05, 01:40 PM
>> Do you know how I can test out a MAPI attempt

The Send To > Mail Recipient does a MAPI call. You can try it and see.

Further, if you're using Task Manager, arrange the "Process" column so that
the processes display with proper hierarchy, rather than listing all
processes in parallel. (For hierarchical view, you need to click the "Process"
column header twice). When the Outlook.exe is triggered, open Process
Explorer, and look for the parent process.

Alternately if you know scripting, you may write a Process Monitoring script
using WMI that monitors the create event for outlook.exe and displays the
Parent Process Id. You may use "Win32_Process" for that. For sample process
monitoring scripts, see the "Scripting Guy" columns at Microsoft.com

--
Ramesh, Microsoft MVP
Windows XP Shell/User
http://windowsxp.mvps.org



Ramesh, MS-MVP
August 26th 05, 01:45 PM
Correction:

>> Further, if you're using Task Manager

Should be

Further, if you're using *Process Explorer*


--
Ramesh, Microsoft MVP
Windows XP Shell/User
http://windowsxp.mvps.org



August 26th 05, 02:57 PM
> The Send To > Mail Recipient does a MAPI call. You can try it and see.

I tried it and it gives a similar popup so it may be a MAPI call.

>Alternately if you know scripting,

Yes, I have written VBScript/Jscript and have called COM objects
and used Scriptomatic.

> you may write a Process Monitoring script
> using WMI that monitors the create event for outlook.exe and
> displays the Parent Process Id. You may use "Win32_Process"
> for that. For sample process monitoring scripts, see the
> "Scripting Guy" columns at Microsoft.com

What I was doing was: when I saw the popup I would just use
psloglist.exe from sysinternals.com to list out events but could
not find the event. I am not sure
1. how I identify the proper event or
2. is there something I have to do to cause the event
to be entered into the log before it happens?

Not sure if I am looking in the right place but the Scripting Guy
column I found

http://www.microsoft.com/technet/scriptcenter/resources/qanda/aug05/hey0816.mspx
has this example:

strComputer = "."

Set objWMIService = GetObject("winmgmts:{(Security)}\\" & _
    strComputer & "\root\cimv2")

Set colMonitoredEvents = objWMIService.ExecNotificationQuery _
    ("Select * from __InstanceCreationEvent Where " _
    & "TargetInstance ISA 'Win32_NTLogEvent' " _
    & "and TargetInstance.EventCode = '0' ")

Do
    Set objLatestEvent = colMonitoredEvents.NextEvent
    Wscript.Echo objLatestEvent.TargetInstance.User
    Wscript.Echo objLatestEvent.TargetInstance.TimeWritten
    Wscript.Echo objLatestEvent.TargetInstance.Message
    Wscript.Echo
Loop

but as far as I can understand all that does is display
information that was already in the event log. Is that right?
If that's so then psloglist.exe from sysinternals.com could also
find it via:

psloglist | findstr whatever

but:

1. is there something I need to do to get the
Outlook/CDO/MAPI event to be entered into the event
log in the first place?

2. if I search the log, i.e.
psloglist | findstr whatever
then what do I use for whatever?

Thanks.

Ramesh, MS-MVP
August 26th 05, 03:20 PM
That script is for manipulating the Event Log. Have you tried Process
Explorer as I said?

For the WMI script:

A script is on the way, but I've not tested it *extensively*, but will do it
shortly in all my systems.

Note: It's a basic script (BETA) with no error-handling or anything. Since
it deals with Processes, close all your work and try. It monitors
"Notepad.exe" by default, modify it as you wish. Download it from here:

http://windowsxp.mvps.org/temp/monproc.vbs

Polling interval is set to every 5 seconds (i.e., checks for new process
every 5 seconds)
--------------------------------------------------------------------
To end the script, open Task Manager and end wscript.exe process.
--------------------------------------------------------------------

--
Ramesh, Microsoft MVP
Windows XP Shell/User
http://windowsxp.mvps.org
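
A process-creation monitor of the kind discussed above, as an added example that is not part of the original thread and is not the monproc.vbs script linked in the post. It subscribes to Win32_Process creation events through WMI, resolves the parent process, and writes each hit to the Application event log with WshShell.LogEvent so the record is still there after the popup appears; the constant names, helper functions and the "log everything when TARGET_NAME is empty" behaviour are assumptions of this example.

```vbscript
' Added example (hypothetical file name: procwatch.vbs). Run with:
'   cscript //nologo procwatch.vbs
' Stop it with Ctrl+C in the console window.
Option Explicit

Const TARGET_NAME = ""        ' "" = log every new process; or e.g. "outlook.exe"
Const POLL_SECONDS = 1        ' WITHIN interval; processes that start and exit
                              ' inside one interval can be missed
Const EVENT_INFORMATION = 4   ' WshShell.LogEvent type for an information entry

Dim objWMI, objShell, colEvents, objEvent, objProc, strQuery, strLine

Set objShell = CreateObject("WScript.Shell")
Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")

' Build the notification query; the name filter is optional.
strQuery = "SELECT * FROM __InstanceCreationEvent WITHIN " & POLL_SECONDS & _
           " WHERE TargetInstance ISA 'Win32_Process'"
If TARGET_NAME <> "" Then
    strQuery = strQuery & " AND TargetInstance.Name = '" & TARGET_NAME & "'"
End If

Set colEvents = objWMI.ExecNotificationQuery(strQuery)

Do
    ' NextEvent blocks until WMI reports a newly created process.
    Set objEvent = colEvents.NextEvent
    Set objProc = objEvent.TargetInstance

    strLine = "Process created: " & objProc.Name & _
              " (PID " & objProc.ProcessId & ")" & _
              " cmdline=[" & NullToText(objProc.CommandLine) & "]" & _
              " parent=" & DescribeParent(objProc.ParentProcessId)

    WScript.Echo Now & " " & strLine
    ' Entry lands in the Application log with source "WSH".
    objShell.LogEvent EVENT_INFORMATION, strLine
Loop

' Look up the parent by PID. The parent may already have exited, and
' Windows can reuse PIDs, so treat the name as a strong hint, not proof.
Function DescribeParent(lngPid)
    Dim colParents, objParent
    DescribeParent = "PID " & lngPid & " (already exited)"
    Set colParents = objWMI.ExecQuery( _
        "SELECT Name, ExecutablePath FROM Win32_Process WHERE ProcessId = " & lngPid)
    For Each objParent In colParents
        DescribeParent = "PID " & lngPid & " " & objParent.Name & _
                         " [" & NullToText(objParent.ExecutablePath) & "]"
    Next
End Function

' WMI returns Null for properties it cannot read (e.g. protected processes).
Function NullToText(varValue)
    If IsNull(varValue) Then
        NullToText = "n/a"
    Else
        NullToText = varValue
    End If
End Function
```

A caller that loads the mail client's MAPI DLL inside its own process starts no new process and will not appear in this log; file-access monitoring is the tool for that case.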



August 26th 05, 05:15 PM
Thanks for the script. Since I don't know what I am looking
for I guess I have to log _all_ process creation attempts
and also log all method calls that use CDO and MAPI or maybe
just CDO and MAPI calls. I found the eventcreate command
that can be issued from the Windows console and I guess I
could run that from the script to enter any events I find
into the event log since I gather that they are not in the
log unless I put them there. Is that right?

Googling around Microsoft's site I found

__methodinvocationevent

here:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wmisdk/wmi/__methodinvocationevent.asp

which I am assuming is the right call to trap CDO/MAPI calls
but at the top it says that it's not implemented. Is there
no way of trapping CDO and MAPI calls? (I am using Windows
XP, by the way.) Am I on the right track?

Ramesh, MS-MVP
August 26th 05, 05:22 PM
Again, try Process Explorer. If it works, that would be the easiest!

>> Since I don't know what I am looking for I guess I have to log _all_
>> process creation attempts.

You need to monitor the "create" event from outlook.exe. My script does it
for notepad.exe, you just need to change that to outlook's executable.

>>http://msdn.microsoft.com/library/en-us/wmisdk/wmi/__methodinvocationevent.asp

Will look into that.

--
Ramesh, Microsoft MVP
Windows XP Shell/User
http://windowsxp.mvps.org



August 26th 05, 05:35 PM
> Again, try Process Explorer. If it works, that would be the easiest!

As I mentioned that was the first thing I tried. I use
Process Explorer a lot and am reasonably familiar with it
and if that had allowed me to find this one I would have
never had to post in the first place.

>> Since I don't know what I am looking for I guess I have to log _all_
>> process creation attempts.

> You need to monitor the "create" event from outlook.exe. My script does it
> for notepad.exe, you just need to change that to outlook's executable.

Are you sure about that? We just finished discussing that
it might be MAPI or CDO and if that's the case isn't it pointless
to be looking for outlook? Furthermore, I think I would have
seen it in Process Explorer if that were the problem since I
think I would have recognized outlook.

Note that it takes a while to get just one test of this since I
have to reboot and wait for a while until it happens so it's not
feasible to try a bunch of things. I need to do something that
definitively identifies the culprit.

>>http://msdn.microsoft.com/library/en-us/wmisdk/wmi/__methodinvocation...

> Will look into that.

Thanks.

Ramesh, MS-MVP
August 26th 05, 06:21 PM
>> isn't it pointless to be looking for outlook?

If you're seeing the compose window, then yes, it's pointless to use that
script. But your original reply said that "process is attempting to startup
Outlook". Therefore I thought that some application is calling "outlook.exe"
explicitly.

What an interesting problem! I'll see if this is trackable. In the
mean-time, you may try the conventional methods (selective startup using
MSConfig, etc) to see if you can isolate the problem.

--
Ramesh, Microsoft MVP
Windows XP Shell/User
http://windowsxp.mvps.org



August 26th 05, 07:18 PM
> >> isn't it pointless to be looking for outlook?

> If you're seeing the compose window, then yes, it's pointless to use that
> script. But your original reply said that "process is attempting to startup
> Outlook". Therefore I thought that some application is calling "outlook.exe"
> explicitly.

Well, that was what I thought but you pointed out that it could
be a CDO or MAPI call and as I mentioned when I tried your
suggestion of using SendTo it did produce a similar looking
popup so it could very well be one of those. By the way,
what is the compose window?

> What an interesting problem! I'll see if this is trackable. In the
> mean-time, you may try the conventional methods (selective startup using
> MSConfig, etc) to see if you can isolate the problem.

As mentioned, the problem is that I must reboot and then it
takes some time before the message comes up so each trial takes
so long that I could never get anything else done. Otherwise, I
would have, indeed, tried that already.

Ramesh, MS-MVP
August 26th 05, 07:20 PM
Another interesting observation:

It looks like the Win.ini's [MAPI] section is being read by the MAPI caller.
So, try monitoring Win.ini file accesses using Filemon from
Sysinternals.com. I tried the Send To Mail Recipient, and so explorer reads
the win.ini.

Filemon reports:
===========

------------------
11:39:10 PM explorer.exe:1288 OPEN C:\WINDOWS\win.ini SUCCESS Options: Open Access: All
------------------

I'm now monitoring the msoe.dll (OE's MAPI implementation)
------------------
11:42:35 PM explorer.exe:1288 CLOSE C:\Program Files\Outlook Express\msoe.dll SUCCESS
------------------

For Microsoft Outlook, you monitor the MAPI32.dll file. See if that method
helps in locating the foreign application.

--
Ramesh, Microsoft MVP
Windows XP Shell/User
http://windowsxp.mvps.org



August 27th 05, 07:00 AM
Thanks! I'll try it.

August 29th 05, 02:59 AM
Using filemon I discovered that the culprit was ccapp.exe,
which is a Norton Antivirus program.

Thanks for the help.

Ramesh, MS-MVP
August 29th 05, 07:00 AM
Excellent! You're welcome.

--
Ramesh, Microsoft MVP
Windows XP Shell/User
http://windowsxp.mvps.org

