Old January 2nd 10, 04:12 PM posted to microsoft.public.windowsxp.security_admin
DES
Default Windows Defender - Warning Event ID 3004 -spoolsv.exe

More info:
After some research in the registry: This location of the registry is what
is identified in the system event warning with the ID 3004.

firewallokfile:HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\system32\spoolsv.exe

The file is continuously added and mysteriously removed from this location
in the registry? Each time it shows as an event ID... Yet I have never been
asked by the Windows Firewall to allow or block, or in Defender? It shows as
permitted to run in the SE.

I also tried to manually add the file to the registry OK list just to see
what effect it has, and it just gets deleted from the list. What the heck, try
anything at this point? Event file just keeps growing with the same Event
warning from Defender... Almost seems like Firewall and Defender can't decide
what, if any, action to take, creating the loop...

--
Des


"MowGreen" wrote:

Here's MS' explanation of the Event ID:

Event ID 3004 — Real-Time Protection Detection
http://technet.microsoft.com/en-us/l...09(WS.10).aspx

Have you viewed the details provided in Software Explorer ?
SE is available in XP in the Control Panel.
Set it to Currently Running Programs.
On my XP box, SE shows the file as Permitted but it's *not* listed as a
Network Connected Program, which is why I am suspicious about the file
on your system, Des.
Suggest you use Software Explorer to see the Process ID of spoolsv.exe
Then open a Command Prompt, type in the following and then press Enter

netstat -a -o

The Active Connections will be listed. Look in the far right column to
locate the Process ID of spoolsv.exe and then see which Foreign Address
it's connected to, if any.
Then please post back with what the Foreign Address is.

EX: My newsgroup reader's Process ID is 2560 and its current Foreign
Address is msnews.microsoft.com:nntp


MowGreen
===============
*-343-* FDNY
Never Forgotten
===============

banthecheck.com
"Security updates should *never* have *non-security content* prechecked"



Des wrote:

I verified the original file dates for spoolsv.exe in the system32 folder and
also the changed file date. They both match every other OS system file date
for XP MCE. Defender is only issuing the warning in the event log, not
identifying it as any type of virus or malware. The file is not listed in either
allow or quarantine, and I am sure I have never been asked, nor have I cleared
the Defender history file.

Everything works fine, Event log just records the defender warning every
minute or so... I'm thinking it has to do with permissions, maybe?
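A read-only check of the two things discussed in this thread, the firewall exception entry named in the Event ID 3004 text and the spooler's current connections that MowGreen suggests finding with Software Explorer and "netstat -a -o", as an added PowerShell example that is not from either poster. It assumes an elevated PowerShell prompt on the affected machine; the registry key and the spoolsv.exe location are the ones quoted in the event text above, and the script only reads them, it does not add or remove the entry.

```powershell
# Added example, not from the thread: report whether spoolsv.exe is in the
# Windows Firewall authorized-applications list at this moment, then list the
# connections owned by the spooler process (the same data as "netstat -a -o").
# Assumption: run in an elevated PowerShell on the affected Windows machine.

$exe     = 'C:\WINDOWS\system32\spoolsv.exe'   # path quoted in the event text
$listKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'

# 1. Firewall exception list: value name is the program path, value data is
#    "<path>:*:Enabled:<name>". Read-only; the entry is not modified.
if (Test-Path $listKey) {
    $entries = Get-ItemProperty -Path $listKey
    $match = $entries.PSObject.Properties | Where-Object { $_.Name -ieq $exe }
    if ($match) {
        "Firewall exception present: $($match.Name) = $($match.Value)"
    } else {
        "No firewall exception for $exe right now (removed again, or never written)"
    }
} else {
    "Firewall policy key not found: $listKey"
}

# 2. Process ID of the spooler (what Software Explorer would show).
$spooler = Get-Process -Name spoolsv -ErrorAction SilentlyContinue
if (-not $spooler) { "spoolsv.exe is not running"; return }

foreach ($p in $spooler) {
    "spoolsv.exe PID $($p.Id), image: $($p.Path)"
    # 3. netstat -a -n -o: every connection, numeric addresses, owning PID in
    #    the last column. TCP rows: Proto Local Foreign State PID;
    #    UDP rows: Proto Local Foreign PID.
    netstat -a -n -o | ForEach-Object {
        $f = ($_ -replace '^\s+', '') -split '\s+'
        if ($f[0] -eq 'TCP' -and $f.Count -ge 5 -and $f[4] -eq $p.Id) {
            "  TCP local $($f[1]) -> foreign $($f[2]) [$($f[3])]"
        } elseif ($f[0] -eq 'UDP' -and $f.Count -ge 4 -and $f[3] -eq $p.Id) {
            "  UDP local $($f[1]) foreign $($f[2])"
        }
    }
}
```

Running it a few times a minute apart shows whether the exception entry is flipping between present and absent in step with the event-log entries, and whether the spooler holds any foreign connection at all; a print spooler that is only serving local printing normally shows listening sockets and no foreign address, which is the case MowGreen asks to confirm.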
