BlitzenZeus
Burnt Out Cynic
Premium
join:2000-01-13
kudos:3
reply to Nogard is me

Re: Weird Service in my windows 8.1 services.

They even encoded the path in hex, and that wasn't necessary.

C:\Program Files (x86)\Wise\Wise Care 365\BootTime.exe
 


Nogard is me
Premium
join:2004-01-08
Columbus, OH

Is that the program causing this?


BlitzenZeus
Burnt Out Cynic
Premium
join:2000-01-13
kudos:3

1 recommendation

Yes, that's the program being launched by the service.
»www.wisecleaner.com/wisecare365.html



Nogard is me
Premium
join:2004-01-08
Columbus, OH

How did you find this out?


BlitzenZeus
Burnt Out Cynic
Premium
join:2000-01-13
kudos:3

All characters are a numerical value, but hex is base 16 instead of base 10. Convert that to ASCII, and you get text. You can find the converters on the web, which is what I did to make it easier.



Nogard is me
Premium
join:2004-01-08
Columbus, OH

OK, I see. Thanks. Now if I uninstall Wise Cleaner, will it remove the services?


BlitzenZeus
Burnt Out Cynic
Premium
join:2000-01-13
kudos:3

If it doesn't you have the location of the service in the registry, and you can do it yourself.

Otherwise programs like Autoruns can help, but don't get paranoid when using Autoruns, you can break things.
»technet.microsoft.com/en-us/sysi···902.aspx
--
I distrust those people who know so well what god wants them to do because I notice it always coincides with their own desires- Susan B. Anthony
Yesterday we obeyed kings, and bent our necks before emperors. But today we kneel only to the truth- Kahlil G.


dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS

4 edits
reply to BlitzenZeus

said by BlitzenZeus:

They even encoded the path in hex, and that wasn't necessary.

No they didn't.

What they did, as I suggested earlier, was supply an 8-bit string in a context that (like everything else in Windows proper, as opposed to stupid-app-compatibility-land) needed a 16-bit string.

So, they coded "C:\\Program Files\\..." when what they should have coded was L"C:\\Program Files\\...".

The value is not "in hex" in the registry or in the program that created it, it's just bits. regedit decided to dump it in hex when writing the export file, not quite sure why. Maybe it didn't look suitably stringy. EDITED Nope, turns out regedit always does that for the imagepath value. Probably because it's a REG_EXPAND_SZ rather than a REG_SZ.


Nogard is me
Premium
join:2004-01-08
Columbus, OH

Is that bad or good? I have been racking my brain and scanning my laptop all night and nothing was found.


dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS

2 edits

It's written by an incompetent programmer. It's not necessarily malicious.

Anyway, what the idiot programmer intended to call the service was

"WiseBootAssistant"

but he screwed it up by coding it in ASCII. And since this hasn't been an ASCII world since 1990, every 2 bytes (=2 ASCII characters) got treated as one 16-bit Unicode character, and the bit-patterns just happened to look like Chinese characters.

Since the rest of the driver is probably no better than its installer, perhaps it's time to uninstall.

Edit Googling around, it seems like crapware anyway.

»regrunreanimator.com/research/sp···e365.htm
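Added example (not part of the thread and not code from any poster): Python that turns a regedit-exported `hex(2):` value back into text, and reverses the 8-bit-string-read-as-16-bit mix-up described above. It also accepts `hex(7):` (REG_MULTI_SZ), which goes slightly beyond the ImagePath case; the sample export is constructed from the path quoted earlier in the thread, the function names are hypothetical, and the padding with the C string's terminating NUL is an assumption.

```python
import re

PATH = r"C:\Program Files (x86)\Wise\Wise Care 365\BootTime.exe"  # path quoted in the thread
STRING_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 7: "REG_MULTI_SZ"}
ENTRY = re.compile(r'"(?P<name>[^"]*)"=hex\((?P<type>[0-9a-f]+)\):(?P<data>[0-9a-f,\s]*)', re.I)

def to_reg_hex2(name, value, per_line=25):
    """Build a constructed sample in the shape regedit exports a REG_EXPAND_SZ."""
    pairs = ["%02x" % b for b in (value + "\x00").encode("utf-16-le")]
    rows = [",".join(pairs[i:i + per_line]) for i in range(0, len(pairs), per_line)]
    return '"%s"=hex(2):' % name + ",\\\n  ".join(rows)

SAMPLE = to_reg_hex2("ImagePath", PATH)  # constructed sample, not a real export

def decode_reg_hex(entry):
    """Return (value name, type number, list of strings) for one exported value."""
    joined = re.sub(r"\\\r?\n[ \t]*", "", entry.strip())  # undo line continuations
    m = ENTRY.fullmatch(joined)
    if not m:
        raise ValueError("not a hex(N): registry export value")
    rtype = int(m["type"], 16)
    if rtype not in STRING_TYPES:
        raise ValueError("type %d does not hold UTF-16 text" % rtype)
    raw = bytes(int(tok, 16) for tok in m["data"].split(",") if tok.strip())
    # The bytes are UTF-16LE; NULs terminate (and, for REG_MULTI_SZ, separate) strings.
    return m["name"], rtype, [s for s in raw.decode("utf-16-le").split("\x00") if s]

def misread_as_utf16(ansi):
    """Show what an 8-bit string looks like when read as 16-bit characters."""
    raw = ansi.encode("ascii") + b"\x00"   # assumption: the C string's NUL follows
    raw += b"\x00" * (len(raw) % 2)        # pad to whole 16-bit units
    return raw.decode("utf-16-le").rstrip("\x00")

def recover_8bit(name):
    """Reverse the mix-up: split each 16-bit character back into two bytes."""
    return name.encode("utf-16-le").decode("latin-1").rstrip("\x00")

if __name__ == "__main__":
    print(SAMPLE)
    print(decode_reg_hex(SAMPLE))
    garbled = misread_as_utf16("WiseBootAssistant")
    print(garbled, "->", recover_8bit(garbled))
```
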


BlitzenZeus
Burnt Out Cynic
Premium
join:2000-01-13
kudos:3
reply to dave

Definitely interesting behavior of regedit then, and maybe to keep the integrity of the string if something else modifies the file.



Nogard is me
Premium
join:2004-01-08
Columbus, OH
reply to dave

Thanks, I uninstalled the program and removed the registry key. Now when I open up my services, the service is still there, but there is just an error saying it can't be opened.


dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS
reply to BlitzenZeus

I'm inclined to think that the export code (which was essentially born in Windows 95) hasn't quite kept up with the available datatypes, and so its fallback is to dump unknown types as byte strings in hex.

REG_MULTI_SZ seems to be handled the same way.


dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
reply to Nogard is me

Reboot. By deleting the key directly, the service controller hasn't been told that the service no longer exists. It'll figure it out on restart (i.e., when it reads in the service database from the registry).



Nogard is me
Premium
join:2004-01-08
Columbus, OH

Thank you, but the service is still there and it won't let me open the service.


BlitzenZeus
Burnt Out Cynic
Premium
join:2000-01-13
kudos:3

You can delete the service entry in regedit, or autoruns. Just be careful either way to not delete anything else.


dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS
reply to Nogard is me

So you navigated to HKLM/System/CurrentControlSet/Services in regedit, found the funny key name in the left pane, selected it and then either (a) right-click, delete, or (b) edit->delete from the menu.

Then you rebooted.

Right?

And the service is still visible ... where?



Nogard is me
Premium
join:2004-01-08
Columbus, OH

Yes I did, and the service is still visible when I go to control panel/services