Windows Security Service missing.

Thread starter: Guest

Got hit by a virus (while I had access control turned off), cleaned up fine,
but Windows Security Service disappeared and I now get the complaint on
startup that it isn't running and I can't turn it on.

So it isn't listed in the services list, so I'd like to know how to
re-install the service WITHOUT reinstalling Vista.
 
There is no such thing as the "Windows Security Service," at least not on a
legitimate installation of Vista. Either you are not getting the name right
or, more likely, the infection has not been completely removed. Can you tell
us more about how exactly you are getting notified that this is missing?
 
Correction: Security Center Service
Little red icon with cross (x) appears on startup, click it and the Windows
Security Center pops up showing the Windows Update, Firewall, Defender etc.
on the Left and on the right says Security Center on right and "The Security
Center service is turned off."

And when I ask it to turn on it complains "The Security Center service can't
be started."

Thanks
 
Aah. That makes more sense. Can you do two things for me:
1. Click the Window button
2. Type "eventvwr.msc" in the search dialog
3. Accept the UAC prompt
4. Expand Windows Logs and click on System
5. On the right-hand side, click "Filter current log..."
6. Select "Warning," "Critical," and "Error" and hit OK
7. Find the event(s) from the Service Control Manager that relates to the
Security Center Service and select it
8. Hit the "Copy" button on the right hand side
9. Respond to this message and paste the entire event into the response

Step 2:
1. Click the Window button: All Programs: Accessories
2. Right-click Command Prompt and select "Run as administrator..."
3. In the command prompt, type "sc qc wscsvc"
4. Click the little "C:\_" icon in the upper left corner
5. Select Edit: Mark...
6. Click-drag the cursor over all the output from the sc command to select it
7. Right-click anywhere in the selection
8. In the reply to this post, paste the output so we can see what it says.

This information will help troubleshoot what is going on.
 
part 1
====
The wincom32 service failed to start due to the following error:
The system cannot find the file specified.

The MCSTRM service failed to start due to the following error:
The system cannot find the file specified.

part 2
====
C:\WINDOWS\system32>sc qc wscsvc
[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.
 
Have you ever had Real Player installed on this system? If you have mcstrm
may be legit, but otherwise it is almost certainly a leftover from the
infection. Can you run sc qc mcstrm? If it shows you a binary path that is
not %systemroot%\system32\drivers it would be a piece left over of the
malware that took over your system. The name of the service seems to indicate
the same thing.

wincom32 is a component of a number of downloaders (malware). It appears the
removal process removed some of the infection, but not the services that were
created. Neither of those services has corresponding binaries left on the
system any longer, which is why they fail to start. Neither has to do with
the Security Center. Here is one link about Wincom32.sys
http://www.symantec.com/security_response/writeup.jsp?docid=2007-011917-1403-99&tabid=2

It appears that the malware somehow managed to remove the Windows Security
Center service, which is why it is not running. sc is telling you that it has
been removed as an installed service. To be honest, I would suggest you
flatten the computer and start over. That would give you a far better chance
at having a fully functional system than attempting to recover the things
that you know have been hosed. There could very well be other detritus left
over which was not removed and you really have no way to find it.
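
The reply above explains the two event-log errors as service entries whose binaries are gone. The PowerShell below is an added example, not part of the original thread, that runs the same check over every registered service; it assumes PowerShell 2.0 or later is installed, and the function names Resolve-ServiceBinary and Get-OrphanedService are made up for this illustration.

```powershell
# Added example (read-only): report services whose ImagePath points to a file
# that no longer exists. Function names are hypothetical helpers.

function Resolve-ServiceBinary {
    param([string]$ImagePath)

    # Expand %SystemRoot% and similar variables if any are still present.
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())

    if ($p -match '^"([^"]+)"') {
        # Quoted path: keep what is inside the first pair of quotes.
        $p = $Matches[1]
    } elseif ($p -match '^(.+?\.(exe|sys|dll))(\s|$)') {
        # Unquoted path: cut after the file extension to drop arguments
        # such as "-k LocalServiceNetworkRestricted".
        $p = $Matches[1]
    }

    # Driver entries often use kernel-style or relative paths.
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    if ($p -notmatch '^([A-Za-z]:\\|\\\\)') {
        $p = Join-Path $env:SystemRoot $p   # e.g. system32\drivers\name.sys
    }
    return $p
}

function Get-OrphanedService {
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($key in Get-ChildItem $root -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        # Keys without an ImagePath (device classes, parameters) are skipped.
        if (-not $props -or -not $props.ImagePath) { continue }

        $binary = Resolve-ServiceBinary $props.ImagePath
        if (-not (Test-Path -LiteralPath $binary -PathType Leaf)) {
            New-Object PSObject -Property @{
                Service   = $key.PSChildName
                ImagePath = $props.ImagePath
                Resolved  = $binary
            }
        }
    }
}

Get-OrphanedService | Sort-Object Service |
    Format-Table Service, Resolved, ImagePath -AutoSize -Wrap
```

On 64-bit Windows, run it from a 64-bit PowerShell prompt, because a 32-bit process sees System32 redirected and can report files as missing when they are not. A listed entry only shows that the binary is gone, not what created the entry.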
 
Quite correct. However, I'd really like the service details so I can at
least try to "re-install" it. Considering the complexities and time of
getting my development up and running again, I really can't afford to go a
day without my PC as I rebuild it. If I could just get a copy of the registry
key it should be enough.

If it takes longer than a coffee break it'll just have to be another one of
those annoying things I cope with.
 
It doesn't take very long, but the problem is that I don't think your PC is
clean. I think there are traces of malware still on it. If you are willing to
take the risk that something will keep forwarding your personal information
to some criminal in China, then run this command from an elevated command
prompt and Windows Security Center should work again:

sc create wscsvc type=share start=delayed-auto error=normal
binPath="C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted"
depend=RpcSc/WinMgmt obj="NT AUTHORITY\LocalService" /DisplayName="Security
Center"
 
Thanks, I am definitely sure I have gotten rid of every critter so it's just
minor surgery required.

Something is missing from your "command"
1. remember spaces after xxxx=[ ]
2. There is nothing after the -k, is that right as it complains about "The
system cannot find the file specified." when I try start it.

sc create wscsvc type= share start= delayed-auto error= normal binPath=
"C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted" depend=
RpcSs/WinMgmt obj= "NT AUTHORITY\LocalService" DisplayName= "Security Center"
 
Tried this based on my XP box with no luck.. so I still have the wrong -k
command

sc create wscsvc type= share start= delayed-auto error= normal binPath=
"C:\Windows\System32\svchost.exe -k netsvcs LocalServiceNetworkRestricted"
depend= RpcSs/WinMgmt obj= "NT AUTHORITY\LocalService" DisplayName= "Security
Center"
 
Sorry, I'm a moron. There is no slash before "DisplayName". This works:
sc create wscsvc type= share start= delayed-auto error= normal binPath=
"C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted" depend=
RpcSs/WinMgmt obj= "NT AUTHORITY\LocalService" DisplayName= "Security Center"

You still need the right security descriptor on it. This will fix it:
sc sdset wscsvc
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CR;;;AU)(A;;CCLCRP;;;S-1-5-80-2006800713-1441093265-249754844-3404434343-1444102779)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
 