Improve company productivity with a Business Account.Sign Up

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1626
  • Last Modified:

mcenspc.dll error occuring various times


At random times, I am getting an error that says The application or DLL C:\\WINDOWS\system32\mcenspc.dll is not a valid Windows image. Please check this against your installation diskette.

I have attached a screen shot.

This particular time it happened when I double click the clock in the bottom right corner to bring up the calendar. It seems to happen at just random times and occasionally on startup. It doesn't appear to adversely effect anything when I click ok but nonetheless would rather not get this error...


  • 7
  • 5
  • 4
2 Solutions
Hi ChainGreyIV,

Try running your Anti-Virus, Anti-Spyware and see if your infected with anything.
You'll might get this if the file mcenspc.dll is leftout while uninstalling some program or when attempted to elimitate spyware or malware through spyware scan.
ChainGreyIVAuthor Commented:

What anti-spyware do you reccomend? I'm on avast av and it has turned up nothing.

The 14th Annual Expert Award Winners

The results are in! Meet the top members of our 2017 Expert Awards. Congratulations to all who qualified!

Here's some free one's to check out.

            1. SUPERAntiSpyware
            2. Malwarebytes' Anti-Malware
            3. Sophos Anti-Rootkit
            4. AVG
            5. PC Tools AntiVirus Free Edition

Those are just a couple off the top of my head to try out.

Here's some that are pretty good also, but there not free.

          1. Spyware Doctor with AntiVirus
          2. Webroot Spy Sweeper
          3. Trend Micro                    (There is a trial edition you can try for I think around 14 days).
ChainGreyIVAuthor Commented:
I will try these and check back
ChainGreyIVAuthor Commented:
I've run the SUPERAntiSpyware. I'm now getting this error popping up on startup for google tool bar, note book hardware control among others....

Is there a way to just copy a fresh copy of whatever this file is over?
Do you have system restore enabled? If so, you can try a system restore and see if that fixes the problem. I would suggest you try doing a system restore in safe mode. If that doesn't work, if you have your Windows XP cd, you can try to do a repair, don't format your hard drive or don't do a fresh install, and let's see if that fixes the problem as well.
ChainGreyIVAuthor Commented:
Are there any repurcussions of doing a repair? Will I need to reinstall any updates or anything?
I would just to be safe then sorry would be to backup and important information (data) in case something does happen, nothing should, but just to be safe, as far as reinstalling any updates you shouldn't have to.
A quick search on google turns up a large number of pages in which the file C:\Windows\System32\mcenspc.dll appears to be virus related, and specifically Trojans.  Unfortunately there are an equal number of apparently unqualified people rendering advice to those people experiencing the error, and some of the advice ranges from plain dumb to dangerous.  Of course, I only believe about 10% of the stuff I read on other peoples' web pages, so I have checked a bit more.

The one common aspect in the majority of the reasonably well answered problem questions that have been resolved is the Registry key:


In many of the online discussions people suggest deleting the entire "SecurityProviders" key, but from what I see this key is a legitimate one created by Windows.  I Believe that what they SHOULD have been suggesting is the deletion of the "mcenspc.dll" file name from within the data value named "SecurityProviders" within the "SecurityProviders" key.

Click on the "More Information" tab of this page and you will see a more qualified "rating" on that filename:

If you open Regedit (Start Menu > Run > and type Regedit > click OK), and then expand the keys in the left pane by clicking the + signs, you can navigate down through the keys to that one mentioned above.  In the RIGHT-hand pane you will see the "SecurityProviders" value (white icon with burgundy "ab").  Double-Click on that and you will most likely see the following comma-separated file names in the "Value Data" field of the new popup dialog:

msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mcenspc.dll

Note, contrary to the wrong advice to delete the entire "SystemProviders" registry key or the REG_SZ value of the same name, the "mcenspc.dll" in that value is the rogue entry.  The other file names are genuine ones.  That is not to say for certain that the other files could not be infected, but the point is that the key and value is created by Windows with those file names, and malicious activity has ADDED the name "mcenspc.dll" to the list.

On an uninfected Windows XP SP3 system:


File Size: 84.0 KB (86,016 bytes)

"CompanyName", "Microsoft Corporation"
"FileDescription", "DPA Client for 32 bit platforms"
"InternalName", "MSAPSSPC"
"LegalCopyright", "Copyright © 1995-1996 Microsoft Corporation"
"OriginalFilename", "MSAPSSPC.DLL"
"ProductName", "Microsoft® Internet Services"
"FileVersion", "6.00.7755"
"ProductVersion", "6.00.7755"


File Size: 141 KB (144,384 bytes)

"CompanyName", "Microsoft Corporation"
"FileDescription", "TLS / SSL Security Provider"
"FileVersion", "5.1.2600.5512 (xpsp.080413-2113)"
"InternalName", "schannel.dll"
"LegalCopyright", "© Microsoft Corporation. All rights reserved."
"OriginalFilename", "schannel.dll"
"ProductName", "Microsoft® Windows® Operating System"
"ProductVersion", "5.1.2600.5512"


File Size: 67.0 KB (68,608 bytes)

"CompanyName", "Microsoft Corporation"
"FileDescription", "Digest SSPI Authentication Package"
"FileVersion", "6.00.2900.5512 (xpsp.080413-2105)"
"InternalName", "digest.dll"
"LegalCopyright", "© Microsoft Corporation. All rights reserved."
"OriginalFilename", "digest.dll"
"ProductName", "Microsoft® Windows® Operating System"
"ProductVersion", "6.00.2900.5512"


File Size: 284 KB (290,816 bytes)

"CompanyName", "Microsoft Corporation"
"FileDescription", "MSN Internet Access"
"FileVersion", "6.1.1825.0"
"InternalName", "MSNSSPC.DLL"
"LegalCopyright", "Copyright (C) Microsoft Corp. 1981-2001"
"OriginalFilename", "MSNSSPC.DLL"
"ProductName", "Microsoft(R) MSN(R)"
"ProductVersion", "6.1.1825.0"

You will note that each of the above legitimate files is found in two system folders.  The one in the "dllcache" folder is the backup used to restore the file if it is deleted or modified.  I suggest that you look in that folder to see if the rogue file "mcenspc.dll" exists there, and if so delete it.

If you cannot see that folder, then you need to do as follows:
In Windows Explorer: Tools > Folder Options > View tab.
Control Panel > Folder Options > View tab.

Check or uncheck the boxes (remembering what they were before doing this) so that you are seeing hidden and system files, the contents of system folders, and also protected system files.

Next I believe that you should ry to "Unregister" the rogue DLL file by typing the following command into the Start Menu's Run field:

regsvr32 /u c:\windows\system32\mcenspc.dll

If it comes up with a "DLL found but entry point not found" (or similar), then just accept that.  If that is the case, then the file is not the type that creates other registry entries through this process.

Now press Ctrl + Alt + Del to open Task Manager and look to see if "mcenspc.dll" is mentioned as a running process.  If so, then click on it and choose "End Task".   Another way to see what processes are loaded and running is to type MSINFO32 into the Start Menu's Run field, Wait for it to load fully, then expand it to the Software Environment > Loaded Modules section and wait for it to load.

Delete c:\windows\system32\mcenspc.dll

Now open Regedit, click on any key in the left pane, then press and hold the LEFT arrow key to collapse all keys and take it back up to the top level "My Computer".  Press the Right arrow once to open it out to only the master (hive) keys.

Edit > Find > and enter the file name mcenspc.dll
Set it to find Keys, Values, and Data, but UNCHECK the "Match whole string only".
Find Next.

For each EXACT match on the file name, evaluate whether it relates to an important setting.  When I say "important", what I mean is that the registry stores a lot of "MRU" settings, ie. Most Recently Used, and if you have searched for that file name in Internet Explorer or done a Windows search for it, these searches will be stored against a, b, c, etc values.

The idea here is to delete ONLY the values that are like the one mentioned earlier, ie. in the Key:
The instance of the file name in the Value named "SecurityProviders", NOT the Value or the Key that it is in.

If you have any doubts, then please ask first before doing.  The Registry is not a place to mess around in.

When that is done, I suggest that you run the following utility to display all processes that run when your system is launched:

Right-Click on the following link and choose "Save Target As" to save the file "Silent Runners.vbs":
Save it to the Root of your C: Drive where it is easiest to run.

Right-Click the downloaded file and choose "Open with Command Prompt", which should be an option.

Assuming it runs, you will see "Silent Runners has started.  Please be patient", which is what you should be because it will take a while.  It will eventually close and create a report in the same folder (ie. the root of the C: Drive) named:
Startup Programs (ComputerName) YYYY-MM-DD HH.MM.SS.txt

If you see any instances of "mcenspc.dll" in the results file, and if you can't interpret the results, then feel free to upload the *.txt file here for us to see.

If it doesn't run, then first of all try the following command from the Start Menu's Run field:

cscript "c:\silent runners.vbs"

If that doesn't work, then read the FAQ page:

If there are any instances of "mcenspc.dll" in the Silent Runners results file, then something MAY try to reload it at the next reboot.  I am hoping not but you should be aware that this is a possibility, and it's always better to power off and then restart after a few minutes than to do a warm reboot after removing an malware.

Now finally do a full system scan for any other malware.

The reason I have taken time to spell this out in detail is that all the *.dll files mentioned in the registry value that seems to be written to by this malware are concerned with encryption and passwords.  I don't think I have to spell out the potential of having a rogue process affiliated with those activities.

Check your bank statements for unusual activity if you do online banking!!
I have attached a "Registry File" named "Remove-mcenspc-DLL.txt".
Save it to any folder, then Right-Click and rename it by changing the .TXT extension to .REG.
Accept the warnings about changing file types.

This is a registry script that will overwrite the existing "SecurityProviders" REG_SZ value in the registry key:
so that it removes "mcenspc.dll" from the value but leaves the file names:
"msapsspc.dll, schannel.dll, digest.dll"

Right-Click on the *.REG file and choose "Merge".  Accept prompts about writing the data to the registry.

This is just to make it easier for you.  It would be a wise idea to first make sure that file names are listed in that value BEFORE merging the registry file.  You can do this quite easily by typing the following command into a new "Command" window:

reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders /v SecurityProviders

Open in new window

ChainGreyIVAuthor Commented:
i will give this a shot and get back with the results.

ChainGreyIVAuthor Commented:
Please see attached screen shot of result of the cmd prompt query.
msapsspc.dll, schannel.dll, digest.dll were there, the msnsspc.dll appeared as well. mcenspc.dll was not.

That's a bit disappointing.  I was really hoping that your scenario matched the root cause of the other similar questions and resolutions I found online.  At least we have eliminated that possibility.

OK, so something is trying to "call" mcenspc.dll.  It is still possible that there is some instance in the registry of this file name in keys other than the one we have eliminated.  Open Regedit and take it back up to the topmost "My Computer" level.  The easiest way is to click any key in the left pane then press and hold the Left arrow key to collapse all keys, then press the Right arrow key once.  Edit menu > Find.  Tick the Keys, Values, and Data options plus the "match whole string only", enter the full file name (mcenspc.dll ) and click "Find Next".

For each instance of that file name found, RIGHT-click on the Key (ie. Left pane) containing the found item, and choose "Copy Key Name".  Paste out into Notepad as the reference to later navigate back to the Key(s) to investigate.  Press F3 (Find Next option) to continue until it says not found.

Let us know if there are any instances of "mcenspc.dll" found in Regedit.

You mght also be able to replicate the error message.  This time open the Event Viewer and see if it provides details about what program or process called "mcenspc.dll".  To open Event Viewer, type the following into the Start Menu's Run field:

eventvwr.msc /s

If the error was trapped as an event, then it should show in the list under one of the category sections with a Red X at the time the error occurred.  Double-clicking on the actual event entry will display more detail that can be copied and pasted here.
ChainGreyIVAuthor Commented:
I am a little unsure what ended up fixing this as it has gone away. I ran a system restore, repair via XP disk as well as following Bill DL's suggestions and in combination appear to have eliminated the problem.

Thanks guys.
Thank you ChainGreyIV.  I am glad you resolved the issue, by whatever means.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Upgrade your Question Security!

Your question, your audience. Choose who sees your identity—and your question—with question security.

  • 7
  • 5
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now