Christopher Jay Wolff asked:
How do I recover from corrupt Windows 8.1 RT?

Second day of trying to start with a fresh 8.1 installation on my Surface RT, all updates on, and I still get reported failures from the apps.diagcab tool.   It is possible nothing is wrong but that the tool reports a failure due to a bug or being out of date with current RT software, or cache folder locations or design.  The tool looks like this...
[screenshot of the apps.diagcab tool]
and is here.
http://download.microsoft.com/download/F/2/4/F24D0C03-4181-4E5B-A23B-5C3A6B5974E3/apps.diagcab

From this link.
http://answers.microsoft.com/en-us/ie/forum/ie11-iewindows8_1/ie11-metro-fails-to-launch-after-splash-screen/bed951a0-2e79-4420-a397-e7605575f05b


History:
For months I've noticed being hacked.  Mostly seems like data monitoring rather than tremendous damage.  It is something that feels like remote access in the middle of my doing something.  Kinda like showing off.  A couple weeks ago got hugely hacked at a client's house on their Comcast setup.  I recorded a video of it on my phone and posted it on Google.  Possibly available if need be.  Another show off style of hack.  Without me saying so the client saw the video and described it as "show-off" attack.  At this client's house I tried to enter a CNNhln site, it took over my computer and played an audio file loop of ...

"You must fix your system.  Call the number below.  Your credit card info and data are at risk" (kinda like that)

While I was recording my Surface RT on my phone, the hack then took over the TV and put a still bitmap message across the screen about attending a swingers' convention, and on the basement TV a still video grab of a local newscaster from the 90's in mid-sentence.  Then later, while I was on the phone with Comcast, they booted up the client's Apple.  I was not able to take over the menus fast enough, so I unplugged everything instead.  After that, TVs were not functional and Comcast had to come out the next morning and restart all services.  Everything is reported fine at the client's house since then.

Finally decided to try and check into all this yesterday.  Below is part of an email to my current contact at Microsoft.   I said:

Re:  SFC
Thank you for following up.  Yes, sfc can be good.  Didn't find anything for me though.  Not in months past, nor today after reset.  That's the thing about how I feel hacked and ridden to see what I'm doing, rather than do too much damage and get discovered.  
 
Re:  Trouble deleting javascript filenames.
One thing I noticed since the last time (about a year ago?) I reset Windows: today I had difficulty deleting the Windows.old folder.  You have to select it, change permissions so you can delete it, then delete it.  So long ago, it smoothly deleted.  Today while going through this procedure Windows notified me of about 8-10? files that could not be deleted because their filename was too long so Windows couldn't handle it.   So Windows quit deleting and left me with these few javascript filenames (the filenames were a long line of code) down a subfolder or so under my AppData folder.   I selected show them to me individually.  If from real advertising, it was from Verizon and Huntington Bank ads.  The Huntington Bank got me, because it would have to do with a question I tried to help answer about Huntington Bank website problems on a forum.  I am a member of Experts-Exchange.com and tomorrow I'll try and find that question from long ago and see what was said.  I can't forget the feeling those months ago.  I felt led into a trap, I remember, because when I went to the Huntington Bank site it messed up my computer.  I took all these screen grabs of the dialogue box of deleting the javascript filenames to show someone, then lost my head and reset Windows without getting the screen grabs off there first.  It's important to me so I will try to replicate tomorrow while customizations are not done for my new install yet. If I had a low-level disk tool I would try and recover the screen grabs but I haven't come across one for RT yet.  I don't remember how I got those files deleted so I could delete the upper parent Windows.old folder.  There was something funny about it.
 
Re:  Sample output from apps.diagcab.
Tonight, after my earlier reset of Windows, I finally had a chance to get back and try the apps diag tool to reply to you.  I ran the apps diag tool twice and it still shows corruption every time.  I think it may be a good tool.  I will put some screen grabs of it in this email or attached prior to sending.

The two output files are .oxps and are each two pages I think.  You should find them attached.

And I have attached them here as PDFs.  I also have a few more, newly created screen grabs of the too long a filename to delete problem.  While trying to manually delete the Store cache, I renamed the cache folder cacheold.  Ran apps.diagcab again, got same errors, tried to delete the Cache folder that had just gotten created automatically, and had a similar deletion problem.  Here is what one of them looks like.

[screenshot of the too-long-filename deletion error]
Attachments: MetroAppDiagOutput1.pdf, MetroAppDiagOutput2.pdf
Christopher Jay Wolff (asker):
Forgot to mention I plan to have my next step to be reset windows again.  This time from flash drive as being the most clean and secure method.  From MS to flash, then to Surface.  Hope to get to it in about 5 hours or so.
David Johnson, CD:
Filename/path too long errors are easy to fix: start renaming the folders above it, i.e. right-click, select Rename, press a letter and then Enter.  I sympathize with you since I had this experience the other day on one of my machines.. the disk cleanup tool didn't do it.. takeown /f c:\windows.old /r /d n, then right-click, add the user's name and give them full control .. some folders/files gave an error (can't access), and then Shift+Delete, and/or from an administrative command prompt: del windows.old /s /q and rd windows.old /s /q

Are you sure this is a Windows RT device and not a Windows Pro device?
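The steps David describes above (take ownership, grant full control, shorten the over-long parent folders, then delete), scripted as an added example that is not code from the post. It assumes an elevated PowerShell prompt and the default C:\Windows.old location; the takeown and rd calls are the same commands the post uses.

```powershell
<#
  Added example, not David's or the asker's code. Scripts the clean-up procedure
  from the post: takeown, full control for the current user, rename deep folders
  to short names so the path fits under the 260-character limit, then delete.
  Assumes an elevated PowerShell prompt; $Root is the leftover folder.
#>
param([string]$Root = 'C:\Windows.old')

# 1. Take ownership of the whole tree. "/d n" answers "no" to the prompt for
#    folders that cannot be listed, exactly as in the post.
takeown.exe /f $Root /r /d n | Out-Null

# 2. Give the current user full control, inherited by all child objects (/t),
#    continuing past locked files (/c) instead of stopping at the first error.
icacls.exe $Root /grant "$($env:USERNAME):F" /t /c | Out-Null

# 3. Shorten the path Explorer rejects as "too long": rename each subfolder to a
#    numeric name, parents before children, so the deepest file's full path shrinks.
function Rename-ToShortNames([string]$Dir) {
    $i = 0
    foreach ($sub in @(Get-ChildItem -LiteralPath $Dir -Directory -Force -ErrorAction SilentlyContinue)) {
        # pick the smallest number not already used by a sibling folder
        while (Test-Path -LiteralPath (Join-Path $Dir $i)) { $i++ }
        Rename-Item -LiteralPath $sub.FullName -NewName "$i" -Force -ErrorAction SilentlyContinue
        $new = Join-Path $Dir $i
        # recurse into the renamed folder, or into the original if the rename failed
        if (Test-Path -LiteralPath $new) { Rename-ToShortNames $new } else { Rename-ToShortNames $sub.FullName }
    }
}
Rename-ToShortNames $Root

# 4. Delete the tree; if PowerShell still balks, fall back to the rd command from the post.
Remove-Item -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue
if (Test-Path -LiteralPath $Root) { cmd.exe /c "rd /s /q `"$Root`"" }
```

Run it once from an elevated prompt; if files still remain, the listing left in $Root shows exactly which objects refused ownership or deletion.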
Thanks.  Yes on RT.  In my email quote above I described my first reset of Windows months ago where deleting Windows.old was fairly smooth.  Similar to what you describe.  I owned it and simply checked the box at the bottom of the window for "Advanced Security Settings" to have permissions go on downward and be inherited  by all child objects.  Then delete Windows.old smoothly.  All gone.

This Windows reset last Monday left a small tree of folders holding a few undeletable files in AppData ( I think a cache folder but not sure) with the too long a filename.  As I viewed the filenames one at a time for deletion, it appeared the filenames seemed to be long lines of javascript.  That's what brought back the bad memory of the Huntington Bank problem that messed up this same Surface RT.  Somehow I got it deleted and should have recorded my steps, but didn't know it would be a recurring problem.

While messing around with the Microsoft Store cache, which also happens to reside in the AppData folder, the path I'm using is:
C:\Users\ChristopherJay\AppData\Local\Packages\winstore_blahblah\LocalState\Cache

I use Task Mgr to delete Store and Store broker to allow handling cache.  I created Cacheold folder, launched Store, ran apps.diagcab and got the same error of corrupt Store cache.  Then tried deleting Store cache and ended up with a bunch of undeletable files with too long a name again.  This time as you can  see, they don't look like java code.  I tried simply dragging to desktop to shorten path.  Had to quit before success.  Back at it today for a little while.

This inability to delete may be connected to the corrupt Microsoft Store cache problem.  If someone wants a permanent back door to the Surface RT, maybe they design the hack to use Microsoft Store access somehow.  The way the RT has run for months, is like it emails someone to tell them I just booted up and am online.

Microsoft says to try different ISPs during reset, and different User account. Got behind, still have to do the reset windows to flash then RT procedure from MS.  And chkdsk and sfc don't show anything wrong for months.
Update.

Booted from flash recovery drive, Advanced, Reset without deleting Recovery partition.  First ever, and the last and only time, I ran apps.diagcab with no errors.  In hindsight, I should have talked to the computer engineer earlier as I believe the hack resided on my recovery partition.  So I should have immediately selected Reset and Delete Recovery partition.  Tried boot from flash, Advanced, boot to command prompt, format C: all zeroes, took too long and aborted.  Some commands like fdisk were unavailable at that prompt.  Only diskpart.  Microsoft (or hacker) tried to give me update on firmware, ended up having to take it, and system has not booted since.  Now working with new contact at Microsoft to see if possible to get a new firmware into the system.  That sequence above might be slightly off, but I gotta run.  The point is I got firmware update and it is no longer bootable.  Still working.  I plan to give the points to David above for knowing he should prod me to fix this issue sooner rather than later.
ASKER CERTIFIED SOLUTION
David Johnson, CD
Thanks. Yes I had my doubts about apps.diagcab running on RT.  Don't know enough.  Sorry didn't get back to you sooner.   Too many problems logging on, while simultaneously trying to get old Dell laptop and Macbook up and running as spares.  Hours.

As the system remains broken with no fix in sight, we could keep the post open if you like, or simply close knowing it is a difficult issue.  Still working on it.  My new contact asked for some details.  I provided them and the link to this question also.  They did answer some questions for me though.  They are saying that even though you go through setup and it asked during a custom install if you want auto updates on or off, if you pick off, it is still always on and can't be turned off.

Having a little testing luck by using a new refurbed Surface RT just like the one that is down.  Not much time with it due to holiday.  Opened a local user account on refurb and ran apps.diagcab and it reported it was able to fix the corrupt file.  My second time with no errors but this one was on the new refurb RT.  That was about last Thursday when it arrived I think.  I also could not log into my bank account from residential net with this new RT, but other sites sort of worked with an error being reported about Office cache not being compatible with IE's security features.  Today had the same error reported and inability to log into banking from McDonald's.  Got some screen grabs today though.  They're attached.

When launching IE, it reports cache problem immediately before choosing a URL.  Maybe because I'm signed in locally instead of my hotmail account that ties everything together for sign in.  If I do nothing the notice banner disappears.  If I click More Info, it opens a new IE window with the exact same message at the bottom with another "More Info" hyperlink.

Maybe the certificate issues are explainable to someone who understands certs, but I've never seen them in my years of logging into McDonald's.  Shouldn't the URL window be filled?

Sorry about the filenames.  Public Library did it for me.
--tsclient-usb1-screengrabs-CacheErrorOn
--tsclient-usb1-screengrabs-CacheErrorOn
--tsclient-usb1-screengrabs-CertDetailTo
--tsclient-usb1-screengrabs-CertInfoBott
--tsclient-usb1-screengrabs-CertInfoMid.
--tsclient-usb1-screengrabs-CertPath.PNG
--tsclient-usb1-screengrabs-SecurityAler
--tsclient-usb1-screengrabs-SecurityAler
Update.
A couple nights ago got about 43 updates from Microsoft.  They provided more and different diagnostics in the Windows directory under a Diagnostics folder.  I don't recall seeing the diagnostics folder before.  Haven't had too much time to mess with it.  There are three folders under diagnostics folder, which are Index, Scheduled, and System.  This new sub-tree is
Index folder
    bunch of xml files
Scheduled folder
    Maintenance folder
        a pkg file and a bunch of .ps1 files for different categories
System folder
    ...
    IESecurity folder
    ...
    Performance folder
    Power folder
    Printer folder
    Search folder
    USBCore folder
    WindowsUpdate folder


That night I ran the IESecurity pkg under the System folder first.  No problems.  Then ran the WindowsUpdate folder's pkg file and had errors found and reported repaired.  Very similar to the way apps.diagcab behaved.  When running again, the same errors are reported again and again reported as being fixed.  So still not able to get rid of the problem to secure the machine.  Got more updates last night and today from Microsoft and just now ran the WindowsUpdate diag pkg again.  The result from the WindowsUpdate diag appears to be the same (I should have gotten a screen grab a couple nights ago) and is below.

[screenshot of the WindowsUpdate diagnostic output]

If I get time, I am planning later this week to reset again and use diskpart with a higher skill-level than my first time.  That was when my original RT went down, and it is still down and doesn't boot from flash anymore after taking the new firmware update.  Any advice beforehand, anyone?
I am going to have to find some way.  Maybe I have to give up on the RT which has been such a success for me.  Microsoft updates will keep the situation dynamic so testing results will also be dynamic and I'm closing the question.  The closest thing to what my experience has been with this malware is described in this attached paper from McAfee about a worm which makes a system part of a botnet.  It has specifics of some things to do, and to look for, to help protect a system and I plan to try some of these things too.  Mine is different but so so similar.  If I give up on the RT I could use so many other tools.

Thanks David.
Attachment: rp-catch-me-if-you-can.pdf
Hope the points are okay.  Hard to do with ongoing problems.  Let me know if you think it should be otherwise.  Trying to avoid grade inflation you know.  My problem is I clicked on "grading tips" that sort of defines an A, a B, and a C so there it was in black and white.