Windows Security Service missing.

03-15-2007

got hit by a virus (while I had access control turned off), cleaned up fine
but Windows Security Service disappeared and I now get the complaint on
startup that it isnt running and I can't turn it on.

so it isn't listed in the services list so I'd like to know how to
re-install the service WITHOUT reinstalling vista.

03-15-2007

> got hit by a virus (while I had access control turned off), cleaned up fine
> but Windows Security Service disappeared and I now get the complaint on
> startup that it isnt running and I can't turn it on.
>
> so it isn't listed in the services list so I'd like to know how to
> re-install the service WITHOUT reinstalling vista.

There is no such thing as the "Windows Security Service," at least not on a
legitimate installation of Vista. Either you are not getting the name right
or, more likely, the infection has not been completely removed. Can you tell
us more about how exactly you are getting notified that this is missing?

03-16-2007

> There is no such thing as the "Windows Security Service," at least not on a
> legitimate installation of Vista. Either you are not getting the name right
> or, more likely, the infection has not been completely removed. Can you tell
> us more about how exactly you are getting notified that this is missing?

Correction: Security Center Service
Little red icon with cross (x) appears on startup, click it and the Windows
Security Center pops up showing the Windows Update, Firewall, Defender etc.
on the Left and on the right says Security Center on right and "The Security
Center service is turned off."

And when I ask it to turn on it complains "The Security Center service can't
be started."

Thanks

03-16-2007

> Correction: Security Center Service
> Little red icon with cross (x) appears on startup, click it and the Windows
> Security Center pops up showing the Windows Update, Firewall, Defender etc.
> on the Left and on the right says Security Center on right and "The Security
> Center service is turned off."

Aah. That makes more sense. Can you do two things for me:
1. Click the Window button
2. Type "eventvwr.msc" in the search dialog
3. Accept the UAC prompt
4. Expand Windows Logs and click on System
5. On the right-hand side, click "Filter current log..."
6. Select "Warning," "Critical," and "Error" and hit OK
7. Find the event(s) from the Service Control Manager that relates to the
Security Center Service and select it
8. Hit the "Copy" button on the right hand side
9. Respond to this message and past the entire event into the response

10. Step 2: Click the Window button: All Programs:Accessories
11. Right-click Command Prompt and select "Run as administrator..."
12. In the command prompt, type "sc qc wscsvc"
13. Click the little "C:\_" icon in the upper left corner
14. Select Edit:Mark...
15. Click-drag the cursor over all the output from the sc command to select it
16. Right-click anywhere in the selection
17. In the reply to this post, paste the output so we can see what it says.

This information will help troubleshoot what is going on.

03-16-2007

part 1
====
The wincom32 service failed to start due to the following error:
The system cannot find the file specified.

The MCSTRM service failed to start due to the following error:
The system cannot find the file specified.

part 2
====
C:\WINDOWS\system32>sc qc wscsvc
[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.

03-16-2007

> part 1
> ====
> The wincom32 service failed to start due to the following error:
> The system cannot find the file specified.
>
> The MCSTRM service failed to start due to the following error:
> The system cannot find the file specified.
>
> part 2
> ====
> C:\WINDOWS\system32>sc qc wscsvc
> [SC] OpenService FAILED 1060:
>
> The specified service does not exist as an installed service.

Have you ever had Real Player installed on this system? If you have mcstrm
may be legit, but otherwise it is almost certainly a leftover from the
infection. Can you run sc qc mcstrm? If it shows you a binary path that is
not %systemroot%\system32\drivers it would be a piece left over of the
malware that took over your system. The name of the service seems to indicate
the same thing.

wincom32 is a component of a number of downloaders (malware). It appears the
removal process removed some of the infection, but not the services that were
created. Neither of those services have corresponding binaries left on the
system any longer, which is why they fail to start. Neither has to do with
the Security Center. Here is one link about Wincom32.sys:
http://www.symantec.com/security_res...403-99&tabid=2

It appears that the malware somehow managed to remove the Windows Security
Center service, which is why it is not running. sc is telling you that it has
been removed as an installed service. To be honest, I would suggest you
flatten the computer and start over. That would give you a far better chance
at having a fully functional system than attempting to recover the things
that you know have been hosed. There could very well be other detritus left
over which was not removed and you really have no way to find it.

03-19-2007

> It appears that the malware somehow managed to remove the Windows Security
> Center service, which is why it is not running. sc is telling you that it has
> been removed as an installed service. To be honest, I would suggest you
> flatten the computer and start over. That would give you a far better chance
> at having a fully functional system than attempting to recover the things
> that you know have been hosed. There could very well be other detritus left
> over which was not removed and you really have no way to find it.

Quite correct. However, I'd really like the service details so I can at
least try to "re-install" it. Considering the complexities and time of
getting my development up and running again, I really can't afford to go a
day without my pc as I rebuild it. If i could just get a copy of the registry
key it should be enough.

If it takes longer than a coffee break it'll just have to be another one of
those annoying things I cope with.

03-19-2007

> > It appears that the malware somehow managed to remove the Windows Security
> > Center service, which is why it is not running. sc is telling you that it has
> > been removed as an installed service. To be honest, I would suggest you
> > flatten the computer and start over. That would give you a far better chance
> > at having a fully functional system than attempting to recover the things
> > that you know have been hosed. There could very well be other detritus left
> > over which was not removed and you really have no way to find it.
>
> Quite correct. However, I'd really like the service details so I can at
> least try to "re-install" it. Considering the complexities and time of
> getting my development up and running again, I really can't afford to go a
> day without my pc as I rebuild it. If i could just get a copy of the registry
> key it should be enough.

It doesn't take very long, but the problem is that I don't think your PC is
clean. I think there are traces of malware still on it. If you are willing to
take the risk that something will keep forwarding your personal information
to some criminal in China, then run this command from an elevated command
prompt and Windows Security Center should work again:

sc create wscsvc type=share start=delayed-auto error=normal
binPath="C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted"
depend=RpcSc/WinMgmt obj="NT AUTHORITY\LocalService" /DisplayName="Security
Center"

03-19-2007

Thanks, I am definately sure I have gotten rid of every critter so its just
minor surgery required.

Something is missing from your "command"
1. remember spaces after xxxx=[ ]
2. There is nothing after the -k, is that right as it complains about "The
system cannot find the file specified." when I try start it.

sc create wscsvc type= share start= delayed-auto error= normal binPath=
"C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted" depend=
RpcSs/WinMgmt obj= "NT AUTHORITY\LocalService" DisplayName= "Security Center"

03-19-2007

Tried this based on my XP box with no luck.. so I still have the wrong -k
command

sc create wscsvc type= share start= delayed-auto error= normal binPath=
"C:\Windows\System32\svchost.exe -k netsvcs LocalServiceNetworkRestricted"
depend= RpcSs/WinMgmt obj= "NT AUTHORITY\LocalService" DisplayName= "Security
Center"

03-15-2007	#1 (permalink)
Julian Dicks Guest	Windows Security Service missing. got hit by a virus (while I had access control turned off), cleaned up fine but Windows Security Service disappeared and I now get the complaint on startup that it isnt running and I can't turn it on. so it isn't listed in the services list so I'd like to know how to re-install the service WITHOUT reinstalling vista.

03-15-2007	#2 (permalink)
Jesper Guest	RE: Windows Security Service missing. > got hit by a virus (while I had access control turned off), cleaned up fine > but Windows Security Service disappeared and I now get the complaint on > startup that it isnt running and I can't turn it on. > > so it isn't listed in the services list so I'd like to know how to > re-install the service WITHOUT reinstalling vista. There is no such thing as the "Windows Security Service," at least not on a legitimate installation of Vista. Either you are not getting the name right or, more likely, the infection has not been completely removed. Can you tell us more about how exactly you are getting notified that this is missing?

03-16-2007	#3 (permalink)
Julian Dicks Guest	RE: Windows Security Service missing. > There is no such thing as the "Windows Security Service," at least not on a > legitimate installation of Vista. Either you are not getting the name right > or, more likely, the infection has not been completely removed. Can you tell > us more about how exactly you are getting notified that this is missing? Correction: Security Center Service Little red icon with cross (x) appears on startup, click it and the Windows Security Center pops up showing the Windows Update, Firewall, Defender etc. on the Left and on the right says Security Center on right and "The Security Center service is turned off." And when I ask it to turn on it complains "The Security Center service can't be started." Thanks

03-16-2007	#4 (permalink)
Jesper Guest	RE: Windows Security Service missing. > Correction: Security Center Service > Little red icon with cross (x) appears on startup, click it and the Windows > Security Center pops up showing the Windows Update, Firewall, Defender etc. > on the Left and on the right says Security Center on right and "The Security > Center service is turned off." Aah. That makes more sense. Can you do two things for me: 1. Click the Window button 2. Type "eventvwr.msc" in the search dialog 3. Accept the UAC prompt 4. Expand Windows Logs and click on System 5. On the right-hand side, click "Filter current log..." 6. Select "Warning," "Critical," and "Error" and hit OK 7. Find the event(s) from the Service Control Manager that relates to the Security Center Service and select it 8. Hit the "Copy" button on the right hand side 9. Respond to this message and past the entire event into the response 10. Step 2: Click the Window button: All Programs:Accessories 11. Right-click Command Prompt and select "Run as administrator..." 12. In the command prompt, type "sc qc wscsvc" 13. Click the little "C:\_" icon in the upper left corner 14. Select Edit:Mark... 15. Click-drag the cursor over all the output from the sc command to select it 16. Right-click anywhere in the selection 17. In the reply to this post, paste the output so we can see what it says. This information will help troubleshoot what is going on.

03-16-2007	#5 (permalink)
Julian Dicks Guest	RE: Windows Security Service missing. part 1 ==== The wincom32 service failed to start due to the following error: The system cannot find the file specified. The MCSTRM service failed to start due to the following error: The system cannot find the file specified. part 2 ==== C:\WINDOWS\system32>sc qc wscsvc [SC] OpenService FAILED 1060: The specified service does not exist as an installed service.

03-16-2007	#6 (permalink)
Jesper Guest	RE: Windows Security Service missing. > part 1 > ==== > The wincom32 service failed to start due to the following error: > The system cannot find the file specified. > > The MCSTRM service failed to start due to the following error: > The system cannot find the file specified. > > part 2 > ==== > C:\WINDOWS\system32>sc qc wscsvc > [SC] OpenService FAILED 1060: > > The specified service does not exist as an installed service. Have you ever had Real Player installed on this system? If you have mcstrm may be legit, but otherwise it is almost certainly a leftover from the infection. Can you run sc qc mcstrm? If it shows you a binary path that is not %systemroot%\system32\drivers it would be a piece left over of the malware that took over your system. The name of the service seems to indicate the same thing. wincom32 is a component of a number of downloaders (malware). It appears the removal process removed some of the infection, but not the services that were created. Neither of those services have corresponding binaries left on the system any longer, which is why they fail to start. Neither has to do with the Security Center. Here is one link about Wincom32.sys: http://www.symantec.com/security_res...403-99&tabid=2 It appears that the malware somehow managed to remove the Windows Security Center service, which is why it is not running. sc is telling you that it has been removed as an installed service. To be honest, I would suggest you flatten the computer and start over. That would give you a far better chance at having a fully functional system than attempting to recover the things that you know have been hosed. There could very well be other detritus left over which was not removed and you really have no way to find it.

03-19-2007	#7 (permalink)
Julian Dicks Guest	RE: Windows Security Service missing. > It appears that the malware somehow managed to remove the Windows Security > Center service, which is why it is not running. sc is telling you that it has > been removed as an installed service. To be honest, I would suggest you > flatten the computer and start over. That would give you a far better chance > at having a fully functional system than attempting to recover the things > that you know have been hosed. There could very well be other detritus left > over which was not removed and you really have no way to find it. Quite correct. However, I'd really like the service details so I can at least try to "re-install" it. Considering the complexities and time of getting my development up and running again, I really can't afford to go a day without my pc as I rebuild it. If i could just get a copy of the registry key it should be enough. If it takes longer than a coffee break it'll just have to be another one of those annoying things I cope with.

03-19-2007	#8 (permalink)
Jesper Guest	RE: Windows Security Service missing. > > It appears that the malware somehow managed to remove the Windows Security > > Center service, which is why it is not running. sc is telling you that it has > > been removed as an installed service. To be honest, I would suggest you > > flatten the computer and start over. That would give you a far better chance > > at having a fully functional system than attempting to recover the things > > that you know have been hosed. There could very well be other detritus left > > over which was not removed and you really have no way to find it. > > Quite correct. However, I'd really like the service details so I can at > least try to "re-install" it. Considering the complexities and time of > getting my development up and running again, I really can't afford to go a > day without my pc as I rebuild it. If i could just get a copy of the registry > key it should be enough. It doesn't take very long, but the problem is that I don't think your PC is clean. I think there are traces of malware still on it. If you are willing to take the risk that something will keep forwarding your personal information to some criminal in China, then run this command from an elevated command prompt and Windows Security Center should work again: sc create wscsvc type=share start=delayed-auto error=normal binPath="C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted" depend=RpcSc/WinMgmt obj="NT AUTHORITY\LocalService" /DisplayName="Security Center"

03-19-2007	#9 (permalink)
Julian Dicks Guest	RE: Windows Security Service missing. Thanks, I am definately sure I have gotten rid of every critter so its just minor surgery required. Something is missing from your "command" 1. remember spaces after xxxx=[ ] 2. There is nothing after the -k, is that right as it complains about "The system cannot find the file specified." when I try start it. sc create wscsvc type= share start= delayed-auto error= normal binPath= "C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted" depend= RpcSs/WinMgmt obj= "NT AUTHORITY\LocalService" DisplayName= "Security Center"

03-19-2007	#10 (permalink)
Julian Dicks Guest	RE: Windows Security Service missing. Tried this based on my XP box with no luck.. so I still have the wrong -k command sc create wscsvc type= share start= delayed-auto error= normal binPath= "C:\Windows\System32\svchost.exe -k netsvcs LocalServiceNetworkRestricted" depend= RpcSs/WinMgmt obj= "NT AUTHORITY\LocalService" DisplayName= "Security Center"

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
The Security Centre service can't be started	James Exasperated	Vista security	4	06-27-2007 02:48 PM
Security Service and Windows Wireless Service stopped working	Kolin Tregaskes	Vista General	3	06-11-2007 12:34 PM
How do I restart the service of Windows Security Center?	Loiselle	Vista security	2	02-21-2007 04:43 AM
security center service	=?Utf-8?B?YW1pdA==?=	Vista security	0	07-28-2006 04:03 AM