<

HijackThis reports missing files on 64-bit Systems

Published on
33,064 Points
18,964 Views
21 Endorsements
Last Modified:
Awarded
Community Pick
As more computers now shipped with 64-bit version of Windows, more users are now using this Operating System.  So it's important to be aware how some 32-bit diagnostic tool works on these systems, so we know what to expect when analyzing the logs and avoid mishaps when removing infections.

Since 64-bit and 32-bit code don't mix, to keep the two separate, windows makes use of an emulator called WOW64 (Windows On Windows 64) which redirects all 32-bit requests to a special folder.
In order for the 32-bit programs to run in the 64-bit environment, they have to be running within that emulator and all calls get redirected to the SysWOW64 folder(where 32-bit support files are kept).
In fact, since 32-bit programs don't have access to 64-bit locations(unless it has built-in special processing) the report can be misleading and that's where we have to be careful when interpreting diagnostic logs as it can lead us into making wrong decisions.


Let's take, for example, the well-known diagnostic tool HijackThis.

HijackThis log shows missing files:

There is an issue when running Hijackthis on a 64-bit environment, it gives you a misleading report.
When you look at the services section, it displays that the files are missing, see below:

O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)


Many pc users will be concerned when they see these entries with "file missing" flags in the log and think that something is wrong.
I've seen threads where Experts/Helpers had advised to have the entries fixed thinking that these are redundant services, while others had advised to replace the missing files.
The fact is, there is nothing wrong with these "file missing" entries, no need to be alarmed, and you don't need to do anything with those entries as these files are NOT missing.


So why does HijackThis flag these files as missing?

As I have mentioned earlier, 32-bit applications (HijackThis in this example) runs within the WOW64 emulator which redirects 32-bit requests to the SysWOW64 folder.  
Which means that when HijackThis needs to write to the system32 folder, the call is being redirected so it is actually reading or writing to the SysWOW64 folder, and HijackThis is totally unaware of the redirection.

Therefore, when HijackThis reads an information from the registry that only has a 64-bit value pointing to a file in the system32 folder it will be searching for that file in the Windows\SysWOW64 folder, and the file is not there so it will report that the file is missing.

That's why these services with files located in the system32 folder are flagged as "file missing" because HijackThis looks for these files in the wrong location.
The emulator makes the 32-bit program believe it is running on a 32-bit windows and accessing the system32 folder when in reality, it is running on a 64-bit windows and accessing the SysWOW64 folder.


How do we know (as Helpers) that a HijackThis log is from a 64-bit System?

The log header will not state whether it's from a 64bit or 32bit OS, but you can easily recognize it from the entries in the log.
64-bit and 32-bit applications have their own Program Files folders.

In the log's running processes you should see  C:\Program Files (x86) which is the folder for 32-bit programs.  
You might also see C:\WINDOWS\SysWOW64 which is the 32-bit's system32 folder, see below:

Running processes:
C:\WINDOWS\SysWOW64\ctfmon.exe
C:\WINDOWS\SysWOW64\Rundll32.exe
C:\Program Files (x86)\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files (x86)\Windows Live\Mail\wlmail.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\DAP\DAP.EXE
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe


So think twice before you start disabling/fixing entries in 64-bit OS thinking that they're redundant as it could cause a legitimate 64-bit program to stop working.

I hope you find this article helpful.
21
Ask questions about what you read
If you have a question about something within an article, you can receive help directly from the article author. Experts Exchange article authors are available to answer questions and further the discussion.
Get 7 days free