Hello @lffoar,
Just for additional information purposes,Autorunsis basically anAdvanced System Toolcapable of MANY different actions. This video is well worth a watch to familiarise yourself with the tasks available . . .
> Advanced Autoruns Tutorial - How to Disable Programs that Start with Windows
I hope this helps.
What you are seeing is the result of a process... so why not use a tool that monitors processes?
Sysinternals/TechNet's free, portable Process Monitor (ProcMon) can be set to filter for cmd.exe firing and should show what triggered it.
1. Download and unzip ProcMon. (I save/unzip it to a C:\Support folder I've created to store such tools.)
2. Create a new shortcut to procmon.exe and amend the shortcut's properties so it uses Run as administrator (a) and uses a /NoConnect switch (b), as per the following screenshot:
(The latter is so ProcMon doesn't start capturing events automatically when it's run.)
3. Start ProcMon from the shortcut and accept the EULA. You only need to do this the first time you use it.
4. When the main ProcMon window appears, press CTRL+L to bring up the Filter dialog.
5. Change the top line (a) to match the screenshot below, then click on the Add button (b) then click on the OK button (c) to dismiss the dialog.
That's your filter set which will watch for any event that triggers the command processor cmd.exe, i.e. any flashing CMD window you see.
6. Click the Filter menu and make sure Drop Filtered Events is enabled:
The reason for this that ProcMon captures ALL events by default to your device's swapfile... and if you are capturing events for a while (e.g. looking for events which may only happen once every hour or two) then it's easy to exhaust the swapfile.
7. Now that ProcMon has been configured, press CTRL+E to start capturing events (or click on the icon 3rd in from the left in the toolbar).
You can now minimise ProcMon whilst you continue using your device. If you spot a CMD window appearing then look at ProcMon to see if the event has been captured and shows the process which triggered it (in the second default column - Process Name). Once the event has been captured you can press CTRL+E again to stop capturing.
Hope this helps...
Last edited by RickC; 12 Jul 2021 at 17:14.
Rick,
got as far as opening and setting the PM as you said.........and then got lost :(
What do I do with this screen, I've clicked all over but don't seem to be getting anywhere.
- - - Updated - - -
I've done some hunting and checked with Dr Google.......I'm a technology handicapped ol' feller you see.
Anyway, in the event viewer I get these messages. My power settings are all set to high performance if that matters?
I recently "upgraded" to 21H1 and wondering if this may be causing a problem. I don't have a restore point far enough back to try it though.
@lffoar - My apologies... I'm an idiot.
I forgot to add the all-important Step 7, i.e. to start ProcMon actually capturing events. I've amended my post above to include this.
PS - I have never seen ProcMon look like your screenshot... the icons in the toolbar are completely different to what I'm used to:
Last edited by RickC; 13 Jul 2021 at 09:08.
Many thanks for the info. I missed that there had been an update to v3.83.
I updated but hate the new look. I wish there was a changelog (e.g. on the windows-sysinternals-procmon forum) so I could see what disadvantages there may be to reverting to the previous version I was using (where the Capture icon indicated far more clearly when it was active).
I also have run into an issue with the "Edit Filter" - it does not populate the line you just selected to filter..
Well, I have fiddled here, fiddled there, fiddled every bloody where..........I think the problem is being caused by Avast. I shut down all shields and the problem does not appear. Now my quandary is what to do. I have used Avast free since getting a computer around 200 years ago and have had no trouble with it at all. I'll wait until the next version upgrade but if not fixed I'm not going to pay for Norton or the like so is the inbuilt MS Defender up to scratch?
BTW thanks for your input lads, much appreciated
BUGGAR, as I'm writing this...with Avast turned off, I got another "flash"
Assuming the flash is Cmd.exe, it might be helpful to temporarily redirect Cmd.exe to Notepad.exe using an Image File Execution registry entry. Then, the next time something tries to run cmd.exe, notepad.exe will run instead, but stay open.
Then just open Procmon.exe and view the Process Tree to see what fired up notepad.exe.
I've attached two Reg files. One to set up the redirect and one to remove the redirect.
Quote
