A Windows XP help forum. PCbanter


Shutdown longer than usual



 
 
  #16  
Old November 23rd 19, 04:50 AM posted to alt.comp.os.windows-10
No_Name
external usenet poster
 
Posts: 62
Default Shutdown longer than usual

Did you try renaming the extension to something like "AsusUpdateCheck.ex_"?
I've done that with other "features" with no ill effects, but they were
usually on startup.
  #17  
Old November 23rd 19, 05:29 AM posted to alt.comp.os.windows-10
Rene Lamontagne
external usenet poster
 
Posts: 2,549
Default Shutdown longer than usual

On 2019-11-22 8:45 p.m., Rene Lamontagne wrote:
On 2019-11-22 7:29 p.m., Paul wrote:
Rene Lamontagne wrote:
On 2019-11-21 9:25 p.m., Paul wrote:
Rene Lamontagne wrote:


Tried following through with Procmon but did not come up with
anything specific But did notice a lot of Malwarebytes, Macrium
reflect and AMD Radeon entries , so just for kicks I uninstalled
all 3 of them and have my shutdown time to 17 seconds, Reinstalled
them and it now is staying the same at a solid 17 seconds after
about 5 or 6 reboots and shutdowns, so guess I will leave well
enough alone.
I don't know what caused the 26 to 28 second shutdowns but I won't
lose too much sleep over it (maybe 10 seconds a night). :-)

Rene

The analysis part is the hard part, so
you've had a good result so far. At least
the problem is now leaning in the right
direction :-)

Maybe something had self-updated and got
itself in a mess.

If there were PendMoves being handled at shutdown,
at least you'd see the juggling balls. Some other
sort of shutdown problem, maybe the balls would
be done by then.

    Paul

My stubbornness prevailed again, I just had to keep nipping at its
heels and found the following Site.

https://support.microsoft.com/en-us/...status-message


which let me put the shutdown session in a verbose mode then watch
it tell me exactly what was happening.
Great stuff, in my case it is "AsusUpdatecheck.exe" which is hogging
about 13 or 15 seconds of my shutdown time, When I disable it my
shutdown falls back to about 5 seconds, This file resides in System32.

Now the problem I face is that no matter how I stop it, run manually
or disable it in services it comes back to life on a restart, Is
there a way to disable it permanently, I've uninstalled all the Asus
stuff I can find but Windows must keep a copy of its own somewhere.
What do I need? A wooden stake or a Silver bullet. :-)

Rene


A Run key in the registry ?

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


Nope, only fan control


Something Autoruns lists ?


Yep entries there, deleted all I can find.


Something in Scheduled Tasks ?


Nope, no scheduled tasks.


Is there a Startup Items folder of some sort ?


Startup folder is clean, all items disabled for now.


*******

https://attack.mitre.org/techniques/T1060/

    "By default, the multistring BootExecute
     value of the registry key

        HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager

     is set to

        autocheck autochk *


I left as is, Above my payscale.


     This value causes Windows, at startup, to check the file-system
     integrity of the hard disks if the system has been shut down
     abnormally. Adversaries can add other programs or processes
     to this registry value which will automatically launch at boot.
    "

At one time, that was a favored attack vector. Asus
wouldn't use that, because it's a place people would
be checking right away. It's like "Hello World" to
put something in there.

    Paul


After that it still comes back.

Thanks Rene


Did some more searching and found this.

https://rog.asus.com/forum/showthrea...s-after-reboot

It seems to be embedded in *some* UEFI bios and can be removed from
there, something about Armoury crate or some such.
no sign of it in this Asus B450F ROG Strix MB.
Will check my Son's Z390 MB in the next couple days.

Rene




  #19  
Old November 23rd 19, 07:26 AM posted to alt.comp.os.windows-10
Paul[_32_]
external usenet poster
 
Posts: 11,873
Default Shutdown longer than usual

Rene Lamontagne wrote:

It seems to be embedded in *some* UEFI bios and can be removed from
there, something about Armoury crate or some such.
no sign of it in this Asus B450F ROG Strix MB.
Will check my Son's Z390 MB in the next couple days.

Rene


Ah, some Whack-A-Mole fun.

Hope you brought the big mallet with you.

https://www.techpowerup.com/248827/a...s-installation

"...UEFI BIOS, we managed to find a fairly nondescript option
"Download and Install ARMOURY CRATE app", ... not easy to find,
being located in the "Tool" section of the BIOS setup."

"The ASUS UEFI firmware exposes an ACPI table to Windows 10,
called "WPBT" or "Windows Platform Binary Table". WPBT is used
in the pre-built OEM industry, and is referred to as

"the Vendor's Rootkit."

Put simply, it is a script that makes Windows copy data from the
BIOS to the System32 folder on the machine and execute it during
Windows startup - every single time the system is booted. According
to the Microsoft WPBT reference, which describes this feature as
useful for "anti-theft software", this binary is a
"native, user-mode application that is executed by the
Windows Session Manager during operating system initialization.",
which means "before all other programs, with administrative privileges".

This gives pretty much full control over everything, including
protected folders and the registry."

*******

If you run out of options, you could try investigating
a SRP for the named Asus executable(s). If there
is more than one service, then you could try to stop them
that way. "Software Restriction Policy" is supposed to
be able to prevent an executable from being run by the
loader. Maybe a Windows 7 user would use this.

http://mechbgon.com/srp/

Apparently Microsoft is removing SRP, so AppLocker is a
second option.

https://www.tenforums.com/tutorials/...dows-10-a.html

It just doesn't seem to be possible to make a good GUI
for these things. (Selecting "Security Principle" and such.)

Someone wrote a tool for configuring Windows 10 Home,
but the interface on it is just as unwelcoming as
a MSFT one :-)

Paul
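
The WPBT table described in the TechPowerUp text quoted above can be inspected directly. The following is an added example, not part of the original thread: a Python parser for a raw WPBT dump that reports what the firmware hands to Windows. The field layout is taken as an assumption from Microsoft's published WPBT format, and the sample table is constructed here, not captured from real firmware.

```python
import struct

# Field layout assumed from Microsoft's published WPBT format.
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")  # standard 36-byte ACPI header
WPBT_BODY = struct.Struct("<IQBB")  # handoff size, handoff address, layout, type
MIN_LEN = ACPI_HEADER.size + WPBT_BODY.size


def parse_wpbt(table: bytes) -> dict:
    """Decode a raw WPBT table so the firmware-supplied binary can be reviewed."""
    if len(table) < MIN_LEN:
        raise ValueError("too short to be a WPBT table")
    sig, length, _rev, _sum, oem_id, oem_table = ACPI_HEADER.unpack_from(table)[:6]
    if sig != b"WPBT":
        raise ValueError(f"unexpected signature {sig!r}")
    if not MIN_LEN <= length <= len(table):
        raise ValueError("header length field is inconsistent with the data")
    table = table[:length]
    size, addr, layout, ctype = WPBT_BODY.unpack_from(table, ACPI_HEADER.size)
    args = ""
    if ctype == 1 and length >= MIN_LEN + 2:  # type 1: native app plus UTF-16 arguments
        (arg_len,) = struct.unpack_from("<H", table, MIN_LEN)
        raw = table[MIN_LEN + 2:MIN_LEN + 2 + arg_len]
        args = raw.decode("utf-16-le", errors="replace").rstrip("\x00")
    return {
        "oem_id": oem_id.decode("ascii", errors="replace").strip(),
        "oem_table_id": oem_table.decode("ascii", errors="replace").strip(),
        "handoff_size": size,        # size of the binary the firmware placed in memory
        "handoff_address": addr,     # physical address Windows copies it from
        "content_layout": layout,
        "content_type": ctype,
        "arguments": args,
        "checksum_ok": sum(table) % 256 == 0,  # ACPI rule: all bytes sum to 0 mod 256
    }


def build_sample() -> bytes:
    """Constructed sample table with placeholder vendor strings (not real firmware)."""
    args = "/constructed-arg".encode("utf-16-le") + b"\x00\x00"
    body = WPBT_BODY.pack(0x4000, 0x7F000000, 1, 1) + struct.pack("<H", len(args)) + args
    length = ACPI_HEADER.size + len(body)
    raw = bytearray(ACPI_HEADER.pack(b"WPBT", length, 1, 0, b"VENDOR",
                                     b"EXAMPLE ", 1, b"TEST", 1) + body)
    raw[9] = (-sum(raw)) % 256  # checksum byte sits at offset 9 of the header
    return bytes(raw)


if __name__ == "__main__":
    for key, value in parse_wpbt(build_sample()).items():
        print(f"{key}: {value}")
```

On Linux, a table published by the firmware can be read as root from /sys/firmware/acpi/tables/WPBT; on Windows the same bytes are returned by GetSystemFirmwareTable with the 'ACPI' provider. No WPBT table present means the firmware is not using this mechanism.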
  #20  
Old November 23rd 19, 04:01 PM posted to alt.comp.os.windows-10
Rene Lamontagne
external usenet poster
 
Posts: 2,549
Default Shutdown longer than usual


Got the SOB finally, As I mentioned there was nothing in the UEFI bios
about Armoury crate anywhere.
But late last night I decided to go over the bios again with a fine
tooth comb (and a BIG mallet) and guess what I found?

In the UEFI advanced section, Under *Tools* was an item called
*Asus Grid Install Service* which was enabled, So not knowing what it
was for I decided to uninstall it and see what happens.

booted back into Windows and everything was working normally, so
decided to call it a day and hit shutdown!!!

Well, to my surprise it shutdown in very few seconds! So this morning I
Cold booted again 4 or 5 times and I am now back to a repeatable 5
second shutdown, and no sign of Asusupdatecheck in the verbose mode.

So I removed Verbose Mode and all is now OK. Jeez, What a pain in the
ass for Asus to leave that misnamed item in the enabled mode as default.

Thanks again Paul for all the help and pointers.

Rene




  #21  
Old November 23rd 19, 04:18 PM posted to alt.comp.os.windows-10
Paul[_32_]
external usenet poster
 
Posts: 11,873
Default Shutdown longer than usual


I guess Asus "hoped to entertain", and they succeeded.

"There is a puzzle in every box"

You'd think Asus would have learned some lessons
from the router episode. Of letting "features" compromise
what they ship.

https://www.ftc.gov/news-events/pres...d-services-put

Paul
  #22  
Old November 24th 19, 08:31 PM posted to alt.comp.os.windows-10
Rene Lamontagne
external usenet poster
 
Posts: 2,549
Default Shutdown longer than usual


As promised I was able to check my son's PC and found his was taking
about 22 seconds for shutdown.

So I checked the UEFI bios on his Asus Z390 Prime motherboard and under
Tools there was no mention of Armoury Crate or Asus Grid Install, but
there was an "Asus Q Installer" which was enabled, so I disabled it and
rebooted and removed the AsusSetupcheck.exe file in System32, then a
cold boot, and now it does a shutdown in about 7 seconds.
So another Asus problem solved.

Rene


 



