HijackThis reports missing files on 64-bit Systems

Awarded Community Pick
As more computers now ship with 64-bit versions of Windows, more users are running that operating system. So it is important to understand how some 32-bit diagnostic tools behave on these systems, so we know what to expect when analyzing their logs and avoid mishaps when removing infections.

Since 64-bit and 32-bit code don't mix, Windows keeps the two separate with an emulator called WOW64 (Windows On Windows 64), which redirects 32-bit requests to a special folder.
For a 32-bit program to run in the 64-bit environment, it has to run within that emulator, and its calls to the system32 folder get redirected to the SysWOW64 folder (where the 32-bit support files are kept).
Since a 32-bit program cannot see the 64-bit locations (unless it has built-in special handling), its report can be misleading, and that's where we have to be careful when interpreting diagnostic logs, as it can lead us into making wrong decisions.


Let's take, for example, the well-known diagnostic tool HijackThis.

HijackThis log shows missing files:

There is an issue when running HijackThis in a 64-bit environment: it gives you a misleading report.
When you look at the services section, it shows the files as missing, see below:

O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)


Many PC users will be concerned when they see these entries with "file missing" flags in the log and think that something is wrong.
I've seen threads where Experts/Helpers advised having the entries fixed, thinking that these were redundant services, while others advised replacing the missing files.
The fact is, there is nothing wrong with these "file missing" entries; there is no need to be alarmed, and you don't need to do anything with them, because these files are NOT missing.


So why does HijackThis flag these files as missing?

As I mentioned earlier, 32-bit applications (HijackThis in this example) run within the WOW64 emulator, which redirects 32-bit requests to the SysWOW64 folder.
That means that when HijackThis accesses the system32 folder, the call is redirected, so it is actually reading from or writing to the SysWOW64 folder, and HijackThis is totally unaware of the redirection.

Therefore, when HijackThis reads information from the registry that only has a 64-bit value pointing to a file in the system32 folder, it looks for that file in the Windows\SysWOW64 folder; the file is not there, so it reports the file as missing.

That's why services whose files are located in the system32 folder are flagged as "file missing": HijackThis looks for them in the wrong location.
The emulator makes the 32-bit program believe it is running on 32-bit Windows and accessing the system32 folder, when in reality it is running on 64-bit Windows and accessing the SysWOW64 folder.


How do we know (as Helpers) that a HijackThis log is from a 64-bit System?

The log header does not state whether it's from a 64-bit or 32-bit OS, but you can easily recognize it from the entries in the log.
64-bit and 32-bit applications have their own Program Files folders.

In the log's running processes you should see C:\Program Files (x86), which is the folder for 32-bit programs.
You might also see C:\WINDOWS\SysWOW64, which is the 32-bit equivalent of the system32 folder, see below:

Running processes:
C:\WINDOWS\SysWOW64\ctfmon.exe
C:\WINDOWS\SysWOW64\Rundll32.exe
C:\Program Files (x86)\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files (x86)\Windows Live\Mail\wlmail.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\DAP\DAP.EXE
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe
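To put the two points above into practice (spotting a 64-bit log from its paths, and separating redirection artifacts from genuinely missing service binaries), here is a small triage script. It is an added example, not part of the original article and not a HijackThis feature: the log lines it runs over are constructed to look like the ones shown above, the verdict names are my own, and expansion of %SystemRoot%/%windir% assumes the default C:\Windows.

```python
import re

# Constructed sample in the shape of a HijackThis log from a 64-bit
# Windows machine (made up for this example, not a real log).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\SysWOW64\ctfmon.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: Example Updater (exupd) - Unknown owner - C:\Program Files (x86)\Example\exupd.exe (file missing)
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Example Backup (exbak) - Example Corp - C:\Program Files (x86)\Example\exbak.exe
"""

# Folders that only exist on 64-bit Windows: the article's tell-tale signs.
WOW64_MARKERS = ("\\program files (x86)\\", "\\syswow64\\")

# O23 layout: "O23 - Service: <name> - <owner> - <path>[ (file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)


def is_64bit_log(log_text):
    """A 32-bit Windows has no 'Program Files (x86)' or 'SysWOW64' folder,
    so any such path in the log means it came from a 64-bit system."""
    low = log_text.lower()
    return any(marker in low for marker in WOW64_MARKERS)


def _expand(path):
    """Lower-case the path and expand the %SystemRoot%/%windir% variables
    as they appear in O23 entries (assumes the default C:\\Windows)."""
    low = path.lower()
    for var in ("%systemroot%", "%windir%"):
        low = low.replace(var, "c:\\windows")
    return low


def classify_o23(line, on_64bit):
    """Return (service, path, verdict) for an O23 line, or None otherwise.

    verdict (names chosen for this example) is one of:
      'present'              - HijackThis found the binary
      'wow64_false_positive' - flagged missing, but the path is under
                               System32 on a 64-bit system, so the 32-bit
                               scanner was redirected to SysWOW64 and the
                               file is almost certainly where it should be
      'missing'              - flagged missing with no redirection to
                               explain it; worth a real look
    """
    m = O23_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    if m.group("missing") is None:
        verdict = "present"
    elif on_64bit and "\\system32\\" in _expand(path):
        verdict = "wow64_false_positive"
    else:
        verdict = "missing"
    return m.group("name"), path, verdict


def triage(log_text):
    """Classify every O23 entry in a log, using the log's own paths to
    decide whether it came from a 64-bit system."""
    on_64bit = is_64bit_log(log_text)
    results = []
    for line in log_text.splitlines():
        entry = classify_o23(line, on_64bit)
        if entry is not None:
            results.append(entry)
    return results


if __name__ == "__main__":
    print("64-bit log:", is_64bit_log(SAMPLE_LOG))
    for service, path, verdict in triage(SAMPLE_LOG):
        print(f"{verdict:22} {service} -> {path}")
```

Run on the sample, the two System32 services come out as redirection artifacts and only the "(file missing)" entry under Program Files (x86) is left for a helper to actually investigate; the script never suggests fixing or deleting an entry, it only says which flags deserve attention.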


So think twice before you start disabling or fixing entries in a 64-bit OS thinking that they're redundant, as it could cause a legitimate 64-bit program to stop working.

I hope you find this article helpful.
9 Comments
LVL 38

Expert Comment

by:younghv
Good solid information and well-explained.
This will be very helpful when trying to explain those 'upper' number errors to other EE Members.

"Yes" vote above.
0
LVL 47

Author Comment

by:rpggamergirl
younghv,

Thanks for the "Yes" vote, :)

I'm also grateful to other readers who voted yes, thanks.
0
LVL 2

Expert Comment

by:Leandronn
Great
0
LVL 12

Expert Comment

by:jazzIIIlove
very informative.
0

Expert Comment

by:garfoote
One of the best, most well written articles I've seen in a long time.
0
LVL 27

Expert Comment

by:Jonvee
Read this article some months ago but returned here tonight after seeing your reference to it. It's well written & useful, as usual.

You have my "yes" vote.
0
LVL 47

Author Comment

by:rpggamergirl
Thank you guys for your comments.
I'm glad to know that you find this article helpful.
Also thanks for voting 'Yes'.
0

Expert Comment

by:Jsmply
Very helpful and well written. So many of these tools can get difficult to understand if you don't know what you're looking for; this should help in HJT threads. Thanks RPG!
0
LVL 1

Expert Comment

by:Blinkr
This clears up a lot with HijackThis. Thanks for taking the time to post this.
0