Windows Defender - Warning Event ID 3004 -spoolsv.exe
Old December 30th 09, 08:56 PM posted to microsoft.public.windowsxp.security_admin
DES

Defender is posting - Event - 3004 error code approx. every minute. I have
tried adding spoolsv.exe to the:
firewall ignore list -no change
defender ignore list - no change.

The file shows in defender as a permitted file? It is an original XP
operating system file but still shows unclassified? Is there somewhere that I
need to change the permissions for this file to kill this continuous warning?

EVENT ID:
Windows Defender Real-Time Protection agent has detected changes. Microsoft
recommends you analyze the software that made these changes for potential
risks. You can use information about how these programs operate to choose
whether to allow them to run or remove them from your computer. Allow
changes only if you trust the program or the software publisher. Windows
Defender can't undo changes that you allow.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=74409
Scan ID: {56E59D0B-5DBC-49D1-9919-F835BC59C4EB}
User: A1640N\HP_Administrator
Name: Unknown
ID:
Severity: Not Yet Classified
Category: Not Yet Classified
Path Found:
firewallokfile:HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\system32\spoolsv.exe
Alert Type: Unclassified software
Detection Type:

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
--
Any help here would be greatly appreciated...
Des
Old December 30th 09, 10:40 PM posted to microsoft.public.windowsxp.security_admin
MowGreen

Des,

How did you determine that spoolsv.exe is still a legitimate file ?
I fail to see any reason it should be trying to circumvent the native XP firewall as it
http://www.liutilities.com/products/...brary/spoolsv/

transfers the data in a buffer. If the printer needs the data, it will retrieve it from the
buffer. While the spoolsv.exe file is storing the data in the buffer, the user can carry out
other operations. The spoolsv.exe process is also responsible for queuing printing tasks.
Through this function, the user does not need to wait for each printing task to be completed
one after the other.


Also, read the "Other instances of SPOOLSV.EXE:" section.
I'd have the file scanned here and hope the scanner can detect whether
it's legit or not: http://www.virustotal.com/

MowGreen
===============
*-343-* FDNY
Never Forgotten
===============

banthecheck.com
"Security updates should *never* have *non-security content* prechecked"

Old December 30th 09, 11:59 PM posted to microsoft.public.windowsxp.security_admin
DES

I verified the original file dates for spoolsv.exe in the system32 folder and
also the changed file date. They both match every other OS system file date
for XP mce. Defender is only issuing the warning in the event log, not
identifying it as any type virus or malware. The file is not listed in either
allow or quarantine and I am sure I have never been asked nor have I cleared
the Defender history file.

Everything works fine, Event log just records the defender warning every
minute or so... I'm thinking it has to do with permissions, maybe?
--
Des

Old December 31st 09, 01:18 AM posted to microsoft.public.windowsxp.security_admin
David H. Lipman

The Spooler Service can become compromised and act "differently" by such malware as the
TDSS (TDL3) RootKit.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Old December 31st 09, 08:11 PM posted to microsoft.public.windowsxp.security_admin
MowGreen

Here's MS' explanation of the Event ID:

Event ID 3004 — Real-Time Protection Detection
http://technet.microsoft.com/en-us/l...09(WS.10).aspx

Have you viewed the details provided in Software Explorer ?
SE is available in XP in the Control Panel.
Set it to Currently Running Programs.
On my XP box, SE shows the file as Permitted but it's *not* listed as a
Network Connected Program, which is why I am suspicious about the file
on your system, Des.
Suggest you use Software Explorer to see the Process ID of spoolsv.exe
Then open a Command Prompt, type in the following and then press Enter

netstat -a -o

The Active Connections will be listed. Look in the far right column to
locate the Process ID of spoolsv.exe and then see which Foreign Address
it's connected to, if any.
Then please post back with what the Foreign Address is.

EX: My newsgroup reader's Process ID is 2560 and its current Foreign
Address is msnews.microsoft.com:nntp


MowGreen
===============
*-343-* FDNY
Never Forgotten
===============

banthecheck.com
"Security updates should *never* have *non-security content* prechecked"
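An added example, not code from the thread: a small Python parser for the `netstat -a -o` listing MowGreen describes above. It finds the Process ID (here from `tasklist` output, as a command-line alternative to Software Explorer) and reports which Foreign Addresses that PID actually has a peer on, treating `*:*` and `0.0.0.0:0` as "not connected to anyone". The tasklist and netstat listings inside it are constructed samples, and newsreader.exe is a made-up image name.

```python
# Constructed `tasklist` output (not a real capture): image name, PID, ...
SAMPLE_TASKLIST = """\
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System                         4 Console                 0         236 K
spoolsv.exe                 1128 Console                 0       4,532 K
newsreader.exe              2560 Console                 0      18,204 K
"""

# Constructed `netstat -a -o` output. TCP rows carry a State column, UDP
# rows do not, so the PID (far right column, as MowGreen says) is the last token.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address            State           PID
  TCP    0.0.0.0:135            0.0.0.0:0                  LISTENING       920
  TCP    192.168.1.5:139        0.0.0.0:0                  LISTENING       4
  TCP    192.168.1.5:1184       msnews.microsoft.com:nntp  ESTABLISHED     2560
  UDP    0.0.0.0:445            *:*                                        4
  UDP    192.168.1.5:1900       *:*                                        1128
"""

# Foreign addresses that mean "talking to nobody": unbound UDP and TCP listeners.
WILDCARDS = {"*:*", "0.0.0.0:0", "[::]:0"}

def pid_for_image(tasklist_text, image_name):
    """PID of the first task whose image name matches (case-insensitive), else None."""
    for line in tasklist_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].lower() == image_name.lower() and parts[1].isdigit():
            return int(parts[1])
    return None

def parse_netstat(netstat_text):
    """Return (proto, local, foreign, state, pid) tuples for each TCP/UDP row."""
    rows = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP") or not parts[-1].isdigit():
            continue
        state = parts[3] if parts[0] == "TCP" and len(parts) == 5 else ""
        rows.append((parts[0], parts[1], parts[2], state, int(parts[-1])))
    return rows

def foreign_addresses(netstat_text, pid):
    """Every foreign address the PID has a socket toward, wildcards included."""
    return sorted({r[2] for r in parse_netstat(netstat_text) if r[4] == pid})

def remote_peers(netstat_text, pid):
    """Real remote peers only; an empty list is the 'only *:*' result Des reported."""
    return [a for a in foreign_addresses(netstat_text, pid) if a not in WILDCARDS]

if __name__ == "__main__":
    print(remote_peers(SAMPLE_NETSTAT, pid_for_image(SAMPLE_TASKLIST, "spoolsv.exe")))
```

On a live box, pipe the real output of `tasklist` and `netstat -a -o` into these functions instead of the samples; a spooler that shows a non-wildcard peer is the case worth chasing.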

Old January 2nd 10, 04:00 PM posted to microsoft.public.windowsxp.security_admin
DES

Mow,
Thanks in advance for your help... Here's where I am currently,

Yes, I have been watching SE processes but I appreciate your suggestion.
Ran netstat with switches at the command line and results show no foreign
connections, just local address (of this computer on router) popping in and
out. Foreign address shows as (*:*). spoolsv is listed under the network group,
I suspect due to my network printer; I have a wireless HP6000(e609n) printer
connected via wireless through a Linksys router on a home network.

I ran spyware/malware repair/checkers beyond Defender and all show clean
system other than a few ad server cookies tied to yahoo home page. I recently
upgraded to SP3 just to see if that would clear up the issue, no change. I
have turned off spoolsv in services, removed both spoolsv.exe & spoolss.dll
from system32 dir and let reinstall at boot from the I386 directory, no
change. Before reinstalling I verified dates and files in I386 cab folder.
--
Des

Old January 2nd 10, 05:12 PM posted to microsoft.public.windowsxp.security_admin
DES

More info:
After some research in the registry: This location of the registry is what
is identified in the system event warning with the ID 3004.

firewallokfile:HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\system32\spoolsv.exe

The file is continuously added and mysteriously removed from this location
in the registry? Each time it shows as an event ID... Yet I have never been
asked by the Windows Firewall to allow or block, or in Defender? It shows as
permitted to run in the SE.

I also tried to manually add the file to the registry ok list just to see
what effect and it just gets deleted from the list. What the heck try
anything at this point? Event file just keeps growing with the same Event
warning from Defender... Almost seems like Firewall and Defender can't decide
what, if any action to take creating the loop...

--
Des

Old January 2nd 10, 06:52 PM posted to microsoft.public.windowsxp.security_admin
MowGreen

Des,

Suggest you contact MS for *no-charge* support in getting to the bottom
of this 'weird' issue:

https://support.microsoft.com/oas/de...rid=11952&st=1

MowGreen
===============
*-343-* FDNY
Never Forgotten
===============

banthecheck.com
"Security updates should *never* have *non-security content* prechecked"

