SFC and DISM cannot resolve this ...


EDDIE-1961

Quick history: Windows 8 Pro - SFC finds ONE error. DISM and SFC cannot repair it. Cannot find the source of the error nor correct the file affected.



Since this is the 4th time in the past 12 months I have found some sort of PARASITE lurking internally, the tools presented by Microsoft cannot effectively stop or repair this.



FOUR times, four files. This is the 2nd time this file has been compromised



Info CSI 0000038b [SR] Repairing corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:78{39}]"api-ms-win-eventing-provider-l1-1-0.dll" from store



Info CSI 000006d2 [SR] Repairing corrupted file [ml:48{24},l:46{23}]"\??\C:\Windows\SysWOW64"\[l:78{39}]"api-ms-win-eventing-provider-l1-1-0.dll" from store



The other DLL file that was infected had to do with Atheros Wireless & Bluetooth - that never was resolved. I have since removed all references and occurrences of ATHEROS - I do not need or use WiFi or bluetooth on this machine. Logitech is the only wireless and it has its own transceiver.



The first time I found a problem - by some dumb luck - DISM and SFC were able to repair the problem. It showed up again about a week later ... this time thwarting every attempt to repair the issue. This issue affected Windows Explorer. Now comes the FUN PART.



Reinstalled the OS three times ... after a few weeks ... BAM!!! SFC complained and SFC and DISM could not fix the problem. OKAY, here we go AGAIN. Unreliable tools for an unreliable world.



REINSTALLED OS for the FOURTH TIME. Decided to track the machine installations for a few weeks. Reinstall apps - using SFC every other day to verify OS. Came back clean. Also implemented incremental backups as long as it came back clean. I have considered restoring from the last clean backup - that does not identify the TRUE offender.



All my apps and data reside on ISOLATED servers b/c it is a pain in the *** to keep digging out all the CD/DVD disks. My network is physically split - two network cards in each machine. My servers are physically disconnected from the WAN, always on an isolated LAN. So no issues there. It is clean. I verified its OS and data; that was not fun but necessary.



After several days of testing, it was clear the APPS fileserver is not infected. The data is verified and still reliable.



I have verified 8 other machines - they are clean. SFC is content so no issues there.



My internet connection uses 3 firewalls, 2 stand-alone appliances with antivirus PLUS Windows FW and AV. Just because I can.



Utilizing several different AV products to check for potential infections on my machine has yielded nothing. So, whatever this is, either it is so rare no one has found it or it is just that potential time bomb waiting to go off.



In either event, it DOES affect my machine. In the past, it affected windows explorer causing it to take forever to display drives and files. Now it is affecting the devices and printers window causing it to take forever to find devices. I also seem to have problems staying connected to 2 printers, both the same HP m477s. No connection problems with two HP 4000s, HP 6500, Oki, Zebra labels, or the High Speed Line printer.



DISM has found nothing wrong with the image. I have compared images from 2 different sources - against each other then against the PC - no discernible differences found. Thusly I should be able to rule out a corrupt image source.



After SIX times running SFC, rebooting after each completion, this PARASITE manages to evade "KNOWN" repair efforts and thwarts detection in potentially other infected DLL files.



Not knowing exactly what the "eventing provider" does or what other DLLs it interacts with makes it difficult to track down the offender.



Here is the actual repair note:



2019-05-22 10:49:39, Info CSI 0000070b [SR] Repairing corrupted file [ml:48{24},l:46{23}]"\??\C:\Windows\SysWOW64"\[l:78{39}]"api-ms-win-eventing-provider-l1-1-0.dll" from store

2019-05-22 10:49:39, Info CSI 0000070e [SR] Repairing corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:78{39}]"api-ms-win-eventing-provider-l1-1-0.dll" from store



I can reboot, re-run SFC in VERIFY ONLY and it will not be repaired.



BEST REASON *I* avoid Windows 8.1?

It refuses to run some older programs I spent a lot of money for. I am not interested in replacing good working software just because it refuses to run on Windows 8.1. Maybe other people have DEEP POCKETS. I work for a living. Do not suggest "COMPATIBILITY MODE" because it sucks, been there, done that - does NOT WORK for apps I do use.



I am old school ... DOS. I was coding before DOS on HP mini computers and the Intel 8080, who remembers those? Career burnout in 1990.



I have attempted to make a script file to run SFC and take the necessary actions - well, imagine that - NO %ERRORLEVEL% return, now THAT sucks. No information can be found about SFC or DISM returning any completion codes. Basically that rules out any BATCH FILES, does it not?



There is no information in regards to properly repairing this problem, short of another REINSTALLATION. If there is a VIRUS in some other DLL, it would be prudent to locate it and eliminate it.



I need to be able to trace "api-ms-win-eventing-provider" execution to determine which other DLL is corrupting this - it could be happening during a reboot, more than likely.



This elusive problem needs to be exposed and eliminated - permanently.



Anyone have similar issues?
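One way to act on SFC's findings from a script without depending on an exit code, as an added example that is not part of the original post: it runs sfc /verifyonly, then reads the [SR] lines SFC appends to CBS.log (the same kind of lines quoted above), extracts the flagged path, and records the file's signature status and SHA-256 so repeated flags of the same file can be compared across runs. It assumes an elevated 64-bit PowerShell 4.0 or later session and the default log location under %windir%\Logs\CBS; Get-SfcFindings is a name chosen here.

```powershell
# Added example, not from the original post. Run SFC in verify-only mode and
# report what it flagged by reading CBS.log, the log the quoted "[SR]" lines
# come from. Assumes an elevated 64-bit session and the default log path.
function Get-SfcFindings {
    $cbsLog = Join-Path $env:windir 'Logs\CBS\CBS.log'

    # Note how long the log is now so only this run's entries are examined.
    # (If CBS.log is rotated to CBS.persist.log during the run, the offset is
    # wrong and the scan should simply be repeated.)
    $before = @(Get-Content -Path $cbsLog -ErrorAction SilentlyContinue).Count

    sfc.exe /verifyonly | Out-Null

    # Lines look like:
    #   ... [SR] Repairing corrupted file [ml:48{24},l:46{23}]"\??\C:\Windows\SysWOW64"\[l:78{39}]"api-ms-win-eventing-provider-l1-1-0.dll" from store
    # Capture the action, the directory (without the \??\ prefix) and the file name.
    $pattern = '\[SR\]\s+(?<action>[^\[]+?)\s+\[ml:[^\]]*\]"\\\?\?\\(?<dir>[^"]+)"\\\[l:[^\]]*\]"(?<file>[^"]+)"'

    $srLines = Get-Content -Path $cbsLog | Select-Object -Skip $before | Where-Object { $_ -match '\[SR\]' }

    foreach ($line in $srLines) {
        if ($line -match $pattern) {
            $path = Join-Path $Matches.dir $Matches.file
            # Does the file on disk still carry a valid signature? System DLLs are
            # normally catalog-signed, so Status should be Valid. A file SFC keeps
            # re-flagging whose status is not Valid is worth copying aside for
            # offline analysis before the next repair attempt overwrites it.
            $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Action    = $Matches.action.Trim()
                Path      = $path
                Signature = if ($sig) { $sig.Status } else { 'FileMissing' }
                Sha256    = if (Test-Path $path) { (Get-FileHash -Path $path -Algorithm SHA256).Hash } else { $null }
            }
        }
        else {
            # Progress lines and other [SR] messages (e.g. "Cannot repair member
            # file") do not fit the pattern above and are reported verbatim.
            [pscustomobject]@{ Action = 'Other'; Path = $line; Signature = $null; Sha256 = $null }
        }
    }
}

# Usage: show only the entries that named a file, e.g. to log them per run.
Get-SfcFindings | Where-Object { $_.Action -ne 'Other' } | Format-Table -AutoSize
```

Saving the output of each run (for example with Export-Csv) gives a per-run record of which file was flagged, when, and with what hash, which is what the post says is missing when only %ERRORLEVEL% is available.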
