#16
Shutdown longer than usual
Did you try renaming the extension to something like "AsusUpdateCheck.ex_"?
I've done that with other "features" with no ill effects, but they were usually on startup.
#17
On 2019-11-22 8:45 p.m., Rene Lamontagne wrote:
> On 2019-11-22 7:29 p.m., Paul wrote:
>> Rene Lamontagne wrote:
>>> On 2019-11-21 9:25 p.m., Paul wrote:
>>>> Rene Lamontagne wrote:
>>>>> Tried following through with Procmon but did not come up with anything specific. But did notice a lot of Malwarebytes, Macrium Reflect and AMD Radeon entries, so just for kicks I uninstalled all 3 of them and have my shutdown time to 17 seconds. Reinstalled them and it now is staying the same at a solid 17 seconds after about 5 or 6 reboots and shutdowns, so guess I will leave well enough alone. I don't know what caused the 26 to 28 second shutdowns but I won't lose too much sleep over it (maybe 10 seconds a night). :-)
>>>>>
>>>>> Rene
>>>>
>>>> The analysis part is the hard part, so you've had a good result so far. At least the problem is now leaning in the right direction :-)
>>>>
>>>> Maybe something had self-updated and got itself in a mess. If there were PendMoves being handled at shutdown, at least you'd see the juggling balls. Some other sort of shutdown problem, maybe the balls would be done by then.
>>>>
>>>>    Paul
>>>
>>> My stubbornness prevailed again, I just had to keep nipping at its heels and found the following site.
>>>
>>> https://support.microsoft.com/en-us/...status-message
>>>
>>> which let me put the shutdown session in a verbose mode then watch it tell me exactly what was happening. Great stuff, in my case it is "AsusUpdatecheck.exe" which is hogging about 13 or 15 seconds of my shutdown time. When I disable it my shutdown falls back to about 5 seconds. This file resides in System32. Now the problem I face is that no matter how I stop it, run manually or disable it in services, it comes back to life on a restart. Is there a way to disable it permanently? I've uninstalled all the Asus stuff I can find but Windows must keep a copy of its own somewhere.
>>> What do I need? A wooden stake or a silver bullet. :-)
>>>
>>> Rene
>>
>> A Run key in the registry ?
>>
>>    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
>
> Nope, only fan control
>
>> Something Autoruns lists ?
>
> Yep entries there, deleted all I can find.
>
>> Something in Scheduled Tasks ?
>
> Nope, no scheduled tasks.
>
>> Is there a Startup Items folder of some sort ?
>
> Startup folder is clean, all items disabled for now.
>
>> *******
>>
>> https://attack.mitre.org/techniques/T1060/
>>
>>    "By default, the multistring BootExecute
>>     value of the registry key
>>
>>        HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager
>>
>>     is set to
>>
>>        autocheck autochk *
>
> I left as is, above my payscale.
>
>>     This value causes Windows, at startup, to check the file-system
>>     integrity of the hard disks if the system has been shut down
>>     abnormally. Adversaries can add other programs or processes
>>     to this registry value which will automatically launch at boot.
>>    "
>>
>> At one time, that was a favored attack vector. Asus wouldn't use that, because it's a place people would be checking right away. It's like "Hello World" to put something in there.
>>
>>    Paul
>
> After that it still comes back.
>
> Thanks
> Rene

Did some more searching and found this.

https://rog.asus.com/forum/showthrea...s-after-reboot

It seems to be embedded in *some* UEFI bios and can be removed from there, something about Armoury crate or some such. No sign of it in this Asus B450F ROG Strix MB. Will check my Son's Z390 MB in the next couple days.

Rene
#19
Rene Lamontagne wrote:
> It seems to be embedded in *some* UEFI bios and can be removed from there, something about Armoury crate or some such. No sign of it in this Asus B450F ROG Strix MB. Will check my Son's Z390 MB in the next couple days.
>
> Rene

Ah, some Whack-A-Mole fun. Hope you brought the big mallet with you.

https://www.techpowerup.com/248827/a...s-installation

   "...UEFI BIOS, we managed to find a fairly nondescript option "Download and Install ARMOURY CRATE app", ... not easy to find, being located in the "Tool" section of the BIOS setup."

   "The ASUS UEFI firmware exposes an ACPI table to Windows 10, called "WPBT" or "Windows Platform Binary Table". WPBT is used in the pre-built OEM industry, and is referred to as "the Vendor's Rootkit." Put simply, it is a script that makes Windows copy data from the BIOS to the System32 folder on the machine and execute it during Windows startup - every single time the system is booted. According to the Microsoft WPBT reference, which describes this feature as useful for "anti-theft software", this binary is a "native, user-mode application that is executed by the Windows Session Manager during operating system initialization.", which means "before all other programs, with administrative privileges". This gives pretty much full control over everything, including protected folders and the registry."

*******

If you run out of options, you could try investigating a SRP for the named Asus executable(s). If there is more than one service, then you could try to stop them that way.

"Software Restriction Policy" is supposed to be able to prevent an executable from being run by the loader. Maybe a Windows 7 user would use this.

http://mechbgon.com/srp/

Apparently Microsoft is removing SRP, so AppLocker is a second option.

https://www.tenforums.com/tutorials/...dows-10-a.html

It just doesn't seem to be possible to make a good GUI for these things. (Selecting "Security Principal" and such.) Someone wrote a tool for configuring Windows 10 Home, but the interface on it is just as unwelcoming as a MSFT one :-)

   Paul
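
Added illustration, not part of any post in this thread: a Python parser for a raw WPBT ACPI table dump (on Linux, for example, read from /sys/firmware/acpi/tables/WPBT), for checking whether a board's firmware publishes the table described in the TechPowerUp excerpt quoted above. The field layout follows the ACPI table header and Microsoft's WPBT document; the sample table and every value in it are constructed.

```python
import struct

# Layout per the ACPI common header plus Microsoft's WPBT document.
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")  # 36 bytes; checksum is byte 9
WPBT_FIELDS = struct.Struct("<IQBBH")          # size, address, layout, type, arg length


def parse_wpbt(raw: bytes) -> dict:
    """Validate and decode a raw WPBT table dump."""
    fixed = ACPI_HEADER.size + WPBT_FIELDS.size
    if len(raw) < fixed:
        raise ValueError("too short for a WPBT table")
    sig, length, _rev, _sum, oem_id, oem_table, *_ = ACPI_HEADER.unpack_from(raw)
    if sig != b"WPBT":
        raise ValueError(f"not a WPBT table: {sig!r}")
    if not fixed <= length <= len(raw):
        raise ValueError("header length does not match the dump")
    raw = raw[:length]
    size, addr, layout, ctype, arg_len = WPBT_FIELDS.unpack_from(raw, ACPI_HEADER.size)
    if fixed + arg_len > length:
        raise ValueError("argument length runs past the table")
    args = raw[fixed:fixed + arg_len].decode("utf-16-le", "replace").rstrip("\0")
    return {
        "oem_id": oem_id.decode("ascii", "replace").strip(),
        "oem_table_id": oem_table.decode("ascii", "replace").strip(),
        "checksum_ok": sum(raw) % 256 == 0,   # all table bytes must sum to 0 mod 256
        "binary_size": size,                  # bytes Windows copies out of firmware memory
        "binary_address": addr,               # physical address of the PE image
        "native_user_mode_pe": layout == 1 and ctype == 1,
        "arguments": args,                    # command line handed to the binary
    }


def build_sample() -> bytes:
    """Constructed sample table (values invented, not from a real board)."""
    args = "/sample\0".encode("utf-16-le")
    body = WPBT_FIELDS.pack(0x20000, 0x7A000000, 1, 1, len(args)) + args
    header = ACPI_HEADER.pack(b"WPBT", ACPI_HEADER.size + len(body), 1, 0,
                              b"SAMPLE", b"SAMPLETB", 1, b"TEST", 1)
    table = bytearray(header + body)
    table[9] = -sum(table) % 256              # fix up the checksum byte
    return bytes(table)


if __name__ == "__main__":
    for key, value in parse_wpbt(build_sample()).items():
        print(f"{key}: {value}")
```

A machine with no WPBT table has nothing to parse; a table with `native_user_mode_pe` true is the case the excerpt describes, where the Session Manager runs the firmware-supplied binary at boot.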
#20
On 2019-11-23 12:26 a.m., Paul wrote:
> Rene Lamontagne wrote:
>> It seems to be embedded in *some* UEFI bios and can be removed from there, something about Armoury crate or some such. No sign of it in this Asus B450F ROG Strix MB. Will check my Son's Z390 MB in the next couple days.
>>
>> Rene
>
> Ah, some Whack-A-Mole fun. Hope you brought the big mallet with you.
>
> https://www.techpowerup.com/248827/a...s-installation
>
>    "...UEFI BIOS, we managed to find a fairly nondescript option "Download and Install ARMOURY CRATE app", ... not easy to find, being located in the "Tool" section of the BIOS setup."
>
>    "The ASUS UEFI firmware exposes an ACPI table to Windows 10, called "WPBT" or "Windows Platform Binary Table". WPBT is used in the pre-built OEM industry, and is referred to as "the Vendor's Rootkit." Put simply, it is a script that makes Windows copy data from the BIOS to the System32 folder on the machine and execute it during Windows startup - every single time the system is booted. According to the Microsoft WPBT reference, which describes this feature as useful for "anti-theft software", this binary is a "native, user-mode application that is executed by the Windows Session Manager during operating system initialization.", which means "before all other programs, with administrative privileges". This gives pretty much full control over everything, including protected folders and the registry."
>
> *******
>
> If you run out of options, you could try investigating a SRP for the named Asus executable(s). If there is more than one service, then you could try to stop them that way.
>
> "Software Restriction Policy" is supposed to be able to prevent an executable from being run by the loader. Maybe a Windows 7 user would use this.
>
> http://mechbgon.com/srp/
>
> Apparently Microsoft is removing SRP, so AppLocker is a second option.
>
> https://www.tenforums.com/tutorials/...dows-10-a.html
>
> It just doesn't seem to be possible to make a good GUI for these things. (Selecting "Security Principal" and such.) Someone wrote a tool for configuring Windows 10 Home, but the interface on it is just as unwelcoming as a MSFT one :-)
>
>    Paul

Got the SOB finally. As I mentioned there was nothing in the UEFI bios about Armoury crate anywhere. But late last night I decided to go over the bios again with a fine tooth comb (and a BIG mallet) and guess what I found? In the UEFI advanced section, under *Tools* was an item called *Asus Grid Install Service* which was enabled. So not knowing what it was for I decided to uninstall it and see what happens. Booted back into Windows and everything was working normally, so decided to call it a day and hit shutdown!!! Well, to my surprise it shut down in very few seconds!

So this morning I cold booted again 4 or 5 times and I am now back to a repeatable 5 second shutdown, and no sign of Asusupdatecheck in the verbose mode. So I removed Verbose Mode and all is now OK. Jeez, what a pain in the ass for Asus to leave that misnamed item in the enabled mode as default.

Thanks again Paul for all the help and pointers.

Rene
#21
Rene Lamontagne wrote:
> On 2019-11-23 12:26 a.m., Paul wrote:
>> Rene Lamontagne wrote:
>>> It seems to be embedded in *some* UEFI bios and can be removed from there, something about Armoury crate or some such. No sign of it in this Asus B450F ROG Strix MB. Will check my Son's Z390 MB in the next couple days.
>>>
>>> Rene
>>
>> Ah, some Whack-A-Mole fun. Hope you brought the big mallet with you.
>>
>> https://www.techpowerup.com/248827/a...s-installation
>>
>>    "...UEFI BIOS, we managed to find a fairly nondescript option "Download and Install ARMOURY CRATE app", ... not easy to find, being located in the "Tool" section of the BIOS setup."
>>
>>    "The ASUS UEFI firmware exposes an ACPI table to Windows 10, called "WPBT" or "Windows Platform Binary Table". WPBT is used in the pre-built OEM industry, and is referred to as "the Vendor's Rootkit." Put simply, it is a script that makes Windows copy data from the BIOS to the System32 folder on the machine and execute it during Windows startup - every single time the system is booted. According to the Microsoft WPBT reference, which describes this feature as useful for "anti-theft software", this binary is a "native, user-mode application that is executed by the Windows Session Manager during operating system initialization.", which means "before all other programs, with administrative privileges". This gives pretty much full control over everything, including protected folders and the registry."
>>
>> *******
>>
>> If you run out of options, you could try investigating a SRP for the named Asus executable(s). If there is more than one service, then you could try to stop them that way.
>>
>> "Software Restriction Policy" is supposed to be able to prevent an executable from being run by the loader. Maybe a Windows 7 user would use this.
>>
>> http://mechbgon.com/srp/
>>
>> Apparently Microsoft is removing SRP, so AppLocker is a second option.
>>
>> https://www.tenforums.com/tutorials/...dows-10-a.html
>>
>> It just doesn't seem to be possible to make a good GUI for these things. (Selecting "Security Principal" and such.) Someone wrote a tool for configuring Windows 10 Home, but the interface on it is just as unwelcoming as a MSFT one :-)
>>
>>    Paul
>
> Got the SOB finally. As I mentioned there was nothing in the UEFI bios about Armoury crate anywhere. But late last night I decided to go over the bios again with a fine tooth comb (and a BIG mallet) and guess what I found? In the UEFI advanced section, under *Tools* was an item called *Asus Grid Install Service* which was enabled. So not knowing what it was for I decided to uninstall it and see what happens. Booted back into Windows and everything was working normally, so decided to call it a day and hit shutdown!!! Well, to my surprise it shut down in very few seconds!
>
> So this morning I cold booted again 4 or 5 times and I am now back to a repeatable 5 second shutdown, and no sign of Asusupdatecheck in the verbose mode. So I removed Verbose Mode and all is now OK. Jeez, what a pain in the ass for Asus to leave that misnamed item in the enabled mode as default.
>
> Thanks again Paul for all the help and pointers.
>
> Rene

I guess Asus "hoped to entertain", and they succeeded.

   "There is a puzzle in every box"

You'd think Asus would have learned some lessons from the router episode. Of letting "features" compromise what they ship.

https://www.ftc.gov/news-events/pres...d-services-put

   Paul
#22
On 2019-11-23 9:18 a.m., Paul wrote:
> Rene Lamontagne wrote:
>> On 2019-11-23 12:26 a.m., Paul wrote:
>>> Rene Lamontagne wrote:
>>>> It seems to be embedded in *some* UEFI bios and can be removed from there, something about Armoury crate or some such. No sign of it in this Asus B450F ROG Strix MB. Will check my Son's Z390 MB in the next couple days.
>>>>
>>>> Rene
>>>
>>> Ah, some Whack-A-Mole fun. Hope you brought the big mallet with you.
>>>
>>> https://www.techpowerup.com/248827/a...s-installation
>>>
>>>    "...UEFI BIOS, we managed to find a fairly nondescript option "Download and Install ARMOURY CRATE app", ... not easy to find, being located in the "Tool" section of the BIOS setup."
>>>
>>>    "The ASUS UEFI firmware exposes an ACPI table to Windows 10, called "WPBT" or "Windows Platform Binary Table". WPBT is used in the pre-built OEM industry, and is referred to as "the Vendor's Rootkit." Put simply, it is a script that makes Windows copy data from the BIOS to the System32 folder on the machine and execute it during Windows startup - every single time the system is booted. According to the Microsoft WPBT reference, which describes this feature as useful for "anti-theft software", this binary is a "native, user-mode application that is executed by the Windows Session Manager during operating system initialization.", which means "before all other programs, with administrative privileges". This gives pretty much full control over everything, including protected folders and the registry."
>>>
>>> *******
>>>
>>> If you run out of options, you could try investigating a SRP for the named Asus executable(s). If there is more than one service, then you could try to stop them that way.
>>>
>>> "Software Restriction Policy" is supposed to be able to prevent an executable from being run by the loader. Maybe a Windows 7 user would use this.
>>>
>>> http://mechbgon.com/srp/
>>>
>>> Apparently Microsoft is removing SRP, so AppLocker is a second option.
>>>
>>> https://www.tenforums.com/tutorials/...dows-10-a.html
>>>
>>> It just doesn't seem to be possible to make a good GUI for these things. (Selecting "Security Principal" and such.) Someone wrote a tool for configuring Windows 10 Home, but the interface on it is just as unwelcoming as a MSFT one :-)
>>>
>>>    Paul
>>
>> Got the SOB finally. As I mentioned there was nothing in the UEFI bios about Armoury crate anywhere. But late last night I decided to go over the bios again with a fine tooth comb (and a BIG mallet) and guess what I found? In the UEFI advanced section, under *Tools* was an item called *Asus Grid Install Service* which was enabled. So not knowing what it was for I decided to uninstall it and see what happens. Booted back into Windows and everything was working normally, so decided to call it a day and hit shutdown!!! Well, to my surprise it shut down in very few seconds!
>>
>> So this morning I cold booted again 4 or 5 times and I am now back to a repeatable 5 second shutdown, and no sign of Asusupdatecheck in the verbose mode. So I removed Verbose Mode and all is now OK. Jeez, what a pain in the ass for Asus to leave that misnamed item in the enabled mode as default.
>>
>> Thanks again Paul for all the help and pointers.
>>
>> Rene
>
> I guess Asus "hoped to entertain", and they succeeded.
>
>    "There is a puzzle in every box"
>
> You'd think Asus would have learned some lessons from the router episode. Of letting "features" compromise what they ship.
>
> https://www.ftc.gov/news-events/pres...d-services-put
>
>    Paul

As promised I was able to check my son's PC and find his was taking about 22 seconds for shutdown. So I checked the UEFI bios on his Asus Z390 Prime motherboard and under Tools there was no mention of Armoury Crate or Asus Grid Install, but there was an "Asus Q Installer" which was enabled. So I disabled it and rebooted and removed the AsusSetupcheck.exe file in System 32, then a cold boot, and now it does a shutdown in about 7 seconds.

So another Asus problem solved.

Rene