bigcivilmelon
07-20-2004, 10:08 AM
Hi,
Has anyone else come across a problem where IS Express is attempting to access rogue files at the start of an installation? I noticed it on one of my installations and I've just built a clean 2k installation and seen it again while using the installers of products such as HexWorkshop and Numega DevPartner.
Here's what I'm doing on a completely blank win2k sp4 system with the latest critical updates applied:
1. Download and run Filemon.exe from www.sysinternals to monitor every file access on your system.
2. Use the Filemon filter to remove unnecessary messages, e.g. from winlogon.exe, Norton AntiVirus etc.
3. Run an installation produced by IS Express, e.g. Numega DevPartner for VC++ 6.6.
4. When the dithered blue background appears with the dialog "Welcome to the ___ setup program....", switch back to Filemon and stop capturing.
5. Examine the filemon log. You will see setup.exe extracting files such as _ins5576.exe, zdata51.dll, etc. Further down in the log, you will see setup.exe spawn _ins5576.exe which then attempts to access files such as "rising sun.exe", clueJr.exe, pgagolf.exe, etc.
In the above case, I believe the developer at Numega who made their installer had been downloading some games, but why would this infect the installer?
Anyone else see this on their systems with various installers?
cheers,
Mark.
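As an added example (not from the original post, Filemon or InstallShield), here is a small Python triage script for step 5: it parses constructed Filemon-style lines, records which files setup.exe extracted, and lists every file a spawned child process touches that was never extracted. The tab-separated column layout and the sample lines are assumptions modelled on the post.

```python
"""Triage a Filemon capture from an installer run.

Flags files opened by a child process that setup.exe spawned when those
files were never extracted by setup.exe itself. The column layout below
(seq, time, process:pid, request, path, result) is an assumed, constructed
approximation of Filemon's tab-separated output, not a real capture.
"""
from collections import defaultdict

# Constructed sample lines modelled on the DevPartner run described in the post.
SAMPLE_LOG = """\
1\t10:08:01\tsetup.exe:1204\tCREATE\tC:\\TEMP\\_ins5576.exe\tSUCCESS
2\t10:08:01\tsetup.exe:1204\tWRITE\tC:\\TEMP\\_ins5576.exe\tSUCCESS
3\t10:08:01\tsetup.exe:1204\tCREATE\tC:\\TEMP\\zdata51.dll\tSUCCESS
4\t10:08:02\t_ins5576.exe:1220\tOPEN\tC:\\TEMP\\zdata51.dll\tSUCCESS
5\t10:08:02\t_ins5576.exe:1220\tOPEN\tC:\\TEMP\\rising sun.exe\tNOT FOUND
6\t10:08:02\t_ins5576.exe:1220\tOPEN\tC:\\TEMP\\clueJr.exe\tNOT FOUND
7\t10:08:02\t_ins5576.exe:1220\tOPEN\tC:\\TEMP\\pgagolf.exe\tNOT FOUND
8\t10:08:03\twinlogon.exe:188\tOPEN\tC:\\WINNT\\system32\\msgina.dll\tSUCCESS
"""


def parse_filemon(text):
    """Yield (process, pid, request, path, result) from tab-separated lines."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < 6:
            continue  # skip headers or truncated lines
        proc, _, pid = parts[2].rpartition(":")
        yield proc.lower(), int(pid), parts[3].upper(), parts[4], parts[5]


def find_unexpected_accesses(text, parent="setup.exe"):
    """Map each child process to the (path, result) pairs it touched
    outside the set of files the parent extracted.

    'Extracted' means created or written by the parent. A child is any
    process whose executable name matches an extracted file (Filemon shows
    process names without their directory, so matching is by file name).
    """
    events = list(parse_filemon(text))
    extracted = {e[3].lower() for e in events
                 if e[0] == parent and e[2] in ("CREATE", "WRITE")}
    extracted_names = {p.rsplit("\\", 1)[-1] for p in extracted}
    children = {e[0] for e in events if e[0] in extracted_names}
    unexpected = defaultdict(list)
    for proc, _pid, _req, path, result in events:
        if proc in children and path.lower() not in extracted:
            unexpected[proc].append((path, result))
    return dict(unexpected)


if __name__ == "__main__":
    for proc, hits in find_unexpected_accesses(SAMPLE_LOG).items():
        for path, result in hits:
            print(f"{proc}: {path} ({result})")
```

Run against a real export, the NOT FOUND entries for names that were never extracted are the ones worth raising with the vendor, since a legitimate IS Express stub only needs the files setup.exe just wrote.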