I am aware of the WM_TIMECHANGE message in the Win32 API, but is it possible to find out which application or process is changing the time?
I have an application (Windows XP) where I'm logging events and the time logged with the events is changing unexpectedly.
I have already checked: Daylight Savings adjustment is turned off, and automatic syncing with an internet time server is also turned off.
Is there a process in the Windows OS (except for DST changes and NTP) that could set the system time?
Time changes are saved to the Windows Event Log, specifically, they're saved to the security log. Now, this isn't guaranteed to work; admins can clear the security log, but it's a way to find the PID and the file name of the process that called SetSystemTime.
This answer talks about finding the event in the System log; however, you should also be able to find it in the Security log by looking for event ID 4616. I've added a sample record here (with various bits redacted):
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4616</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12288</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2013-10-07T18:55:08.999738200Z" />
<EventRecordID>29419283</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="5460" />
<Channel>Security</Channel>
<Computer>some computer ID</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-SID_REDACTED</Data>
<Data Name="SubjectUserName">UserName</Data>
<Data Name="SubjectDomainName">DOMAIN</Data>
<Data Name="SubjectLogonId">0xBADDFOOD</Data>
<Data Name="PreviousTime">2013-10-07T18:55:08.996254000Z</Data>
<Data Name="NewTime">2013-10-07T18:55:09.000000000Z</Data>
<Data Name="ProcessId">0xPID</Data>
<Data Name="ProcessName">C:\Windows\System32\dllhost.exe</Data>
</EventData>
</Event>
Note that the process name is stored explicitly.
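As an added example (not part of the answer above), the following Python parses 4616 records in the XML layout shown, computes the size and direction of each clock change, and labels it so the SubjectUserName and ProcessName can be tied to the change. Everything below is constructed for the example: the allowlist of processes expected to set the clock is an assumption, and the only record taken from the page is the 4 ms dllhost.exe change, with a made-up PID. Two caveats a reviewer should keep in mind: 4616 is written only while the Audit Security State Change subcategory is enabled (it is by default), and the caller is named by EventData/ProcessName, not by the Execution ProcessID in the System block (PID 4 there is the System process writing the record). On Windows XP, the question's platform, the corresponding record is Security event 520 in the legacy log format rather than this XML.

```python
"""Attribute system time changes using Security event 4616.

Added example, not code from the answer above: parses 4616 records,
measures how far the clock moved, and labels the change. The records
and the allowlist below are constructed assumptions.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumed allowlist: W32Time runs inside svchost.exe. Anything else that
# moves the clock by more than jitter deserves a look.
EXPECTED_TIME_SETTERS = {r"c:\windows\system32\svchost.exe"}

_TIME_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z$")


def parse_event_time(value):
    """Parse event XML UTC timestamps (9 fractional digits) to microseconds."""
    m = _TIME_RE.match(value)
    if not m:
        raise ValueError("unexpected timestamp: %r" % value)
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    micros = int((m.group(2) or "0")[:6].ljust(6, "0"))
    return base.replace(microsecond=micros, tzinfo=timezone.utc)


def parse_4616(xml_text):
    """Return the fields of one 4616 record that identify the caller."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    if system.findtext("e:EventID", namespaces=NS) != "4616":
        raise ValueError("not an event 4616 record")
    data = {d.get("Name"): (d.text or "")
            for d in root.iterfind("e:EventData/e:Data", NS)}
    try:
        pid = int(data.get("ProcessId", ""), 16)   # logged as hex, e.g. 0x1a4
    except ValueError:
        pid = None                                 # redacted or malformed
    previous = parse_event_time(data["PreviousTime"])
    new = parse_event_time(data["NewTime"])
    return {
        "record_id": int(system.findtext("e:EventRecordID", namespaces=NS)),
        "subject": "%s\\%s" % (data.get("SubjectDomainName"), data.get("SubjectUserName")),
        # Execution/@ProcessID (4 = System) is who wrote the record;
        # EventData/ProcessName is the process that called SetSystemTime.
        "process_id": pid,
        "process_name": data.get("ProcessName", ""),
        "delta_seconds": (new - previous).total_seconds(),
    }


def classify(event, jitter_threshold=1.0):
    """Label a change: sub-threshold jitter, an expected sync, or a jump.

    A backward move, or a large jump by an unexpected process, is what
    breaks log ordering and is worth tying back to the SubjectUserName.
    """
    delta = event["delta_seconds"]
    if abs(delta) < jitter_threshold:
        return "jitter"
    if event["process_name"].lower() in EXPECTED_TIME_SETTERS:
        return "sync"
    return "backward-jump" if delta < 0 else "forward-jump"


def _record(record_id, previous, new, pid, process):
    """Constructed 4616 record in the layout quoted above (fields trimmed)."""
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            '<System><Provider Name="Microsoft-Windows-Security-Auditing" />'
            '<EventID>4616</EventID><EventRecordID>%d</EventRecordID>'
            '<Execution ProcessID="4" ThreadID="5460" /><Channel>Security</Channel></System>'
            '<EventData><Data Name="SubjectUserName">UserName</Data>'
            '<Data Name="SubjectDomainName">DOMAIN</Data>'
            '<Data Name="PreviousTime">%s</Data><Data Name="NewTime">%s</Data>'
            '<Data Name="ProcessId">%s</Data><Data Name="ProcessName">%s</Data>'
            '</EventData></Event>' % (record_id, previous, new, pid, process))


SAMPLES = [
    # the 4 ms nudge from the record quoted above (PID is constructed)
    _record(29419283, "2013-10-07T18:55:08.996254000Z", "2013-10-07T18:55:09.000000000Z",
            "0x1a4", r"C:\Windows\System32\dllhost.exe"),
    # constructed: clock set back three hours from a command prompt
    _record(29419300, "2013-10-07T19:02:11.118822500Z", "2013-10-07T16:02:11.000000000Z",
            "0xf3c", r"C:\Windows\System32\cmd.exe"),
    # constructed: a 2.25 s correction by the time service host
    _record(29419301, "2013-10-07T20:00:00.000000000Z", "2013-10-07T20:00:02.250000000Z",
            "0x3e8", r"C:\Windows\System32\svchost.exe"),
]


def triage(records):
    """(record id, label, subject, process) for each 4616 record."""
    return [(e["record_id"], classify(e), e["subject"], e["process_name"])
            for e in map(parse_4616, records)]
```

Running `triage(SAMPLES)` labels the dllhost.exe record as jitter, the cmd.exe record as a backward jump, and the svchost.exe record as a sync. The jitter threshold and the allowlist are the two knobs to tune against a baseline of normal W32Time behaviour on the host before alerting on the jumps.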
Good afternoon,
In our company, we are trying to change one of our current custom services from NSSM to a custom-made one with PS.
This code already works on W7 and W10 1607 machines, but the same code fails to start on machines with W10 1809.
This is the code (with other non-related stuff):
$params = @{
    Name           = "CertFix"
    BinaryPathName = "c:\winhttpcertcfg.exe -g -c LOCAL_MACHINE\MY -s HOSTNAME -a USER"
    DependsOn      = "NetLogon"
    DisplayName    = "certfix"
    StartupType    = "Automatic"
    Description    = "Service to give USER permission on the machine certificate"
}
New-Service @params
The error that it gives is:
Log Name: System
Source: Service Control Manager
Date: 18/01/2023 18:28:35
Event ID: 7000
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: hostname.store.domain.grp
Description:
The certfix service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
<EventID Qualifiers="49152">7000</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2023-01-18T17:28:35.711754000Z" />
<EventRecordID>31657</EventRecordID>
<Correlation />
<Execution ProcessID="124" ThreadID="1664" />
<Channel>System</Channel>
<Computer>hostname.store.domain.grp</Computer>
<Security />
</System>
<EventData>
<Data Name="param1">certfix</Data>
<Data Name="param2">%%1053</Data>
<Binary>63006500720074006600690078000000</Binary>
</EventData>
</Event>
Log Name: System
Source: Service Control Manager
Date: 18/01/2023 18:28:35
Event ID: 7009
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: hostname.store.domain.grp
Description:
A timeout was reached (30000 milliseconds) while waiting for the certfix service to connect.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
<EventID Qualifiers="49152">7009</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2023-01-18T17:28:35.711754000Z" />
<EventRecordID>31656</EventRecordID>
<Correlation />
<Execution ProcessID="124" ThreadID="1664" />
<Channel>System</Channel>
<Computer>hostname.store.domain.grp</Computer>
<Security />
</System>
<EventData>
<Data Name="param1">30000</Data>
<Data Name="param2">certfix</Data>
<Binary>63006500720074006600690078000000</Binary>
</EventData>
</Event>
The service is working on previous builds, but we are unable to make it work on 1809. Any advice would be great. Thanks in advance.
I tried changing the BinaryPathName parameter in various ways, to fit the advice on the official New-Service page, but without success.
I have major trouble with my application.
I have an Angular 2 application. I packaged this app with Cordova, and then with Visual Studio I have built a Windows application.
In my app I use WebSockets to send a message to a local WS server. This server runs locally through a Windows service.
My problem is that I can't connect my app to the WS server. In the on error event, I don't get anything.
If I build my app on my computer and install it in this same computer it works, but if I install this app in another computer or tablet it doesn't work.
All devices are on windows 10.
Here is my config.xml from my Cordova project:
<?xml version="1.0" encoding="utf-8"?>
<widget defaultlocale="fr-FR" id="toto" version="1.0.0" windows-packageVersion="1.0.0.1" xmlns="http://www.w3.org/ns/widgets" xmlns:cdv="http://cordova.apache.org/ns/1.0" xmlns:vs="http://schemas.microsoft.com/appx/2014/htmlapps">
<content src="index.html" />
<access origin="*" />
<vs:features />
<preference name="SplashScreen" value="screen" />
<preference name="windows-target-version" value="10.0" />
<preference name="windows-phone-target-version" value="10.0" />
<preference name="WindowsDefaultUriPrefix" value="ms-appx://" />
<plugin name="cordova-plugin-whitelist" version="1" />
<allow-intent href="http://*/*" />
<allow-intent href="https://*/*" />
<allow-intent href="tel:*" />
<allow-intent href="sms:*" />
<allow-intent href="mailto:*" />
<allow-intent href="geo:*" />
<platform name="wp8">
<splash height="1280" src="res/screens/wp8/SplashScreenImage.png" width="768" />
</platform>
<plugin name="cordova-windows-capability-localnetwork" src="https://github.com/dilhan2013/cordova-windows-capability-localnetwork.git" version="0.1.0" />
<vs:platformSpecificValues>
<vs:platformSpecificWidget platformName="windows">
</vs:platformSpecificWidget>
</vs:platformSpecificValues>
<preference name="DisallowOverscroll" value="true" />
<preference name="KeyboardDisplayRequiresUserAction" value="false" />
<plugin name="cordova-plugin-console" version="1.0.7" />
</widget>
Thank you for your help.
Sorry in advance for my English
The problem in this particular situation comes from the fact that the app is trying to reach the Web Socket running on localhost.
As mentioned in an answer to this post: Cannot connect to localhost in windows store application, a Windows Store app you have developed can be isolated from loopback for security reasons.
The solution consists first of finding the installed app's PackageFamilyName (this can also be done with the SID from regedit, as in the post mentioned above). For this, run this PowerShell command:
Get-AppxPackage | ? { $_.Name -like '*APP_NAME*' }
APP_NAME can be part of the name you know your app has.
Once the description of the package is displayed, add the app to the NetIsolation exemption list by entering the PackageFamilyName in the following PowerShell command:
CheckNetIsolation LoopbackExempt -a -n="PackageFamilyName"
The app should now be part of the exemption list displayed with:
CheckNetIsolation LoopbackExempt -s
And it should be allowed to access localhost.
Check your WS server, does it accept incoming requests from hosts other than localhost?
I am using Visual Studio 2015 and Team Foundation Power Tools 2015, and the explorer extension and the command line tool are not working. When I type tfpt in the Developer Command Prompt for VS2015, I get the following error.
Unhandled Exception: System.IO.FileNotFoundException: Could not load file or assembly 'Microsoft.TeamFoundation.Common, Version=12.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a' or one of its dependencies. The system cannot find the file specified.
at Microsoft.TeamFoundation.PowerTools.CommandLine.CommandLine.Main(String[] args)
I have run things in admin and that makes no difference.
Here is what I get when I run the TF command.
C:\Program Files (x86)\Microsoft Visual Studio 14.0>tf
Microsoft (R) TF - Team Foundation Version Control Tool, Version 14.0.24712.0
TFS is working fine in VS. When I had VS2013 and TFS Power Tools 2013 everything was working fine. What else do I need to do to get this working?
edit: I have resolved the command line issue, but now the shell extension isn't working. I do not see the green check boxes in Windows Explorer, and when I right-click a folder I do not get a TFS option. I am noticing multiple processes for it, which obviously does not seem good. It continues to create new processes until memory problems arise.
Additionally, I am seeing these 2 events in the Windows log.
Log Name: Application
Source: TFSShellExt
Date: 9/25/2016 7:25:40 PM
Event ID: 3
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: MyComp
Description:
TFS Shell Extension event:\n Failed to start COMProvider while updating workspaces.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="TFSShellExt" />
<EventID Qualifiers="32770">3</EventID>
<Level>2</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2016-09-25T23:25:40.000000000Z" />
<EventRecordID>156525</EventRecordID>
<Channel>Application</Channel>
<Computer>MyComp</Computer>
<Security />
</System>
<EventData>
<Data>Failed to start COMProvider while updating workspaces.</Data>
</EventData>
</Event>
and
Log Name: Application
Source: TFSShellExt
Date: 9/25/2016 7:25:40 PM
Event ID: 3
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: MyComp
Description:
TFS Shell Extension event:\n More than 5 failed calls to com provider.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="TFSShellExt" />
<EventID Qualifiers="32770">3</EventID>
<Level>3</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2016-09-25T23:25:40.000000000Z" />
<EventRecordID>156524</EventRecordID>
<Channel>Application</Channel>
<Computer>MyComp</Computer>
<Security />
</System>
<EventData>
<Data>More than 5 failed calls to com provider. </Data>
</EventData>
</Event>
I just tested with my VS2015.3 and PowerTools on my machine, but couldn't reproduce your issue.
The error complains "Could not load file or assembly 'Microsoft.TeamFoundation.Common, Version=12.0.0.0'"; you may try cleaning the cache in C:\Users\username\AppData\Local\Microsoft\Team Foundation\x.0\Cache to see whether it helps.
I am attempting to create an XPath Event Filter to execute a scheduled task upon completion of another one. My XPath looks like this:
<QueryList>
<Query Id="0" Path="Microsoft-Windows-TaskScheduler/Operational">
<Select Path="Microsoft-Windows-TaskScheduler/Operational">
*[System[Provider[@Name='Microsoft-Windows-TaskScheduler'] and Task = 102 and (EventID=102)]]
</Select>
<Select Path="Microsoft-Windows-TaskScheduler/Operational">
*[EventData[Data[@Name=’TaskName’] and (Data=’\Visual Studio Dark Theme′)]]
</Select>
<Select Path="OAlerts">
*[System[Provider[@Name='Microsoft-Windows-TaskScheduler'] and Task = 102 and (EventID=102)]]
</Select>
</Query>
</QueryList>
The Event I am trying to find is this one.
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-TaskScheduler" Guid="{DE7B24EA-73C8-4A09-985D-5BDADCFA9017}" />
<EventID>102</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>102</Task>
<Opcode>2</Opcode>
<Keywords>0x8000000000000001</Keywords>
<TimeCreated SystemTime="2016-07-20T16:14:08.280937900Z" />
<EventRecordID>13055</EventRecordID>
<Correlation ActivityID="{0A2EAFD2-B40E-4C60-A099-80C020CBA547}" />
<Execution ProcessID="1164" ThreadID="6464" />
<Channel>Microsoft-Windows-TaskScheduler/Operational</Channel>
<Computer>GXLT012660.CoyoteLogistics.local</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData Name="TaskSuccessEvent">
<Data Name="TaskName">\Visual Studio Dark Theme</Data>
<Data Name="UserContext">COYOTELOGISTICS\benjamin.drolet</Data>
<Data Name="InstanceId">{0A2EAFD2-B40E-4C60-A099-80C020CBA547}</Data>
</EventData>
</Event>
Whenever creating a custom filter in Event Viewer with the XPath query above, I get the following error.
One or more logs in the query have errors.
Log: Microsoft-Windows-TaskScheduler/Operational
Error: The specified query is invalid.
This is rather old, so I hope you have found the answer since then, but I encountered the same problem.
What I found is that I used the wrong kind of single quotes in the query, hardly distinguishable in the editor, but when I see in your question *[EventData[Data[@Name=’TaskName’] and (Data=’\Visual Studio Dark Theme′)]], I suspect the issue is the same.
Try *[EventData[Data[@Name='TaskName'] and (Data='\Visual Studio Dark Theme')]]
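The quote problem the answer describes is easy to reproduce and hard to see, so here is an added example (not code from the question or answer) that scans each `<Select>` in a QueryList for non-ASCII characters, names them, and rewrites typographic quotes to the ASCII quotes XPath expects. The sample query is constructed from the one in the question. One caveat: Event Viewer's "The specified query is invalid" also covers XPath constructs outside the subset it supports, which a character scan cannot detect.

```python
"""Find the wrong kind of quotes in an Event Viewer XPath filter.

Added example, not from the question or answer above. The curly quotes
U+2019 and U+2032 that broke the filter are hard to see in an editor, so
this reports every non-ASCII character in each <Select> and normalizes
typographic quotes to ASCII. The sample query below is constructed.
"""
import unicodedata
import xml.etree.ElementTree as ET

# Typographic characters that editors and web pages substitute for the
# two ASCII quote characters. Other non-ASCII characters are only reported.
QUOTE_FIXES = {
    "\u2018": "'", "\u2019": "'", "\u201a": "'", "\u201b": "'", "\u2032": "'",
    "\u201c": '"', "\u201d": '"', "\u201e": '"', "\u201f": '"', "\u2033": '"',
}


def find_non_ascii(text):
    """Return (offset, char, unicode name) for every non-ASCII character."""
    return [(i, ch, unicodedata.name(ch, "UNKNOWN"))
            for i, ch in enumerate(text) if ord(ch) > 0x7F]


def normalize_quotes(text):
    """Replace typographic quotes with ASCII quotes; leave other text alone."""
    return "".join(QUOTE_FIXES.get(ch, ch) for ch in text)


def check_querylist(xml_text):
    """Check each <Select> in a QueryList; returns {path: [issues]}.

    Only character problems are detected. Event Viewer also rejects XPath
    constructs outside the subset it supports, which this cannot see.
    """
    root = ET.fromstring(xml_text)
    report = {}
    for select in root.iter("Select"):
        issues = find_non_ascii(select.text or "")
        if issues:
            report.setdefault(select.get("Path"), []).extend(issues)
    return report


def fix_querylist(xml_text):
    """Return the QueryList with quotes normalized inside every <Select>."""
    root = ET.fromstring(xml_text)
    for select in root.iter("Select"):
        if select.text:
            select.text = normalize_quotes(select.text)
    return ET.tostring(root, encoding="unicode")


# Constructed from the question's filter: two U+2019 and one U+2032 stand
# where ASCII apostrophes belong (the first <Select> is already correct).
BAD_QUERY = r"""<QueryList>
<Query Id="0" Path="Microsoft-Windows-TaskScheduler/Operational">
<Select Path="Microsoft-Windows-TaskScheduler/Operational">
*[System[Provider[@Name='Microsoft-Windows-TaskScheduler'] and Task = 102 and (EventID=102)]]
</Select>
<Select Path="Microsoft-Windows-TaskScheduler/Operational">
*[EventData[Data[@Name=’TaskName’] and (Data=’\Visual Studio Dark Theme′)]]
</Select>
</Query>
</QueryList>"""
```

`check_querylist(BAD_QUERY)` reports four offending characters on the TaskScheduler/Operational path (three RIGHT SINGLE QUOTATION MARK, one PRIME), and `fix_querylist(BAD_QUERY)` returns the query with plain apostrophes, which is the form the answer suggests. Running the check before pasting a filter into Event Viewer or into a `Get-WinEvent -FilterXml` call saves the guesswork.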
I am getting this Windows event on some machines that run this service, but not all, and during periods of no activity in terms of software usage. My problem is I have no idea what in the C++ code for the service might not be correctly handled. How can I relate event 7011 back to the C++ code? Any ideas what this event actually means:
Log Name: System
Source: Service Control Manager
Date: 2/6/2018 9:54:03 AM
Event ID: 7011
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: LEGNCOA02.calegis.net
Description:
A timeout (120000 milliseconds) was reached while waiting for a transaction response from the App Server service.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager" />
<EventID Qualifiers="49152">7011</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2018-02-06T17:54:03.979566000Z" />
<EventRecordID>1654065</EventRecordID>
<Correlation />
<Execution ProcessID="660" ThreadID="186984" />
<Channel>System</Channel>
<Computer>LEGNCOA02.calegis.net</Computer>
<Security />
</System>
<EventData>
<Data Name="param1">120000</Data>
<Data Name="param2">App Server</Data>
</EventData>
</Event>
The service does start and function correctly. The timeout for these events was extended in the registry, but that just increased the time between events by the amount of the timeout increase. In short, it looks like Windows is never getting what it expects.
I worked this out...
Where the service handles SERVICE_CONTROL_STOP, also handle (from winsvc.h):
SERVICE_CONTROL_PAUSE
SERVICE_CONTROL_CONTINUE
SERVICE_CONTROL_INTERROGATE
SERVICE_CONTROL_PARAMCHANGE
SERVICE_CONTROL_NETBINDADD
SERVICE_CONTROL_NETBINDREMOVE
SERVICE_CONTROL_NETBINDENABLE
SERVICE_CONTROL_NETBINDDISABLE
SERVICE_CONTROL_DEVICEEVENT
SERVICE_CONTROL_HARDWAREPROFILECHANGE
SERVICE_CONTROL_POWEREVENT
SERVICE_CONTROL_SESSIONCHANGE
SERVICE_CONTROL_PRESHUTDOWN
SERVICE_CONTROL_INTERROGATE was the one that Windows was generating; no idea why it was doing that, but responding as RUNNING seemed to handle it.
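Both the New-Service question (events 7000 and 7009) and this 7011 question quote Service Control Manager records whose useful content is hidden in `param1`/`param2` and, for 7000/7009, in a `<Binary>` blob. As an added example (not code from either post), the following Python decodes those fields: `%%1053` is Win32 error 1053, ERROR_SERVICE_REQUEST_TIMEOUT, which is the "did not respond to the start or control request in a timely fashion" text rendered in the first question, and the `<Binary>` element is the service name as NUL-terminated UTF-16LE. The records are constructed to mirror the ones quoted above and the error-code table is deliberately partial. The readings attached to 7009 and 7011 follow from the rendered messages: 7009 means the process the SCM launched never connected back to it (the call that does that is StartServiceCtrlDispatcher), and 7011 means a control request, such as the SERVICE_CONTROL_INTERROGATE the answer above found, went unanswered.

```python
"""Decode Service Control Manager timeout events 7000, 7009 and 7011.

Added example, not code from either question above: turns the raw
param1/param2/Binary fields of SCM records into the values a triage note
needs. The records are constructed to mirror those quoted above; the
error-code table is deliberately partial.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# "%%N" in an SCM parameter is Win32 error N rendered through the message
# table. 1053 carries the "did not respond ... in a timely fashion" text.
# Partial table: only the code the records on this page use.
WIN32_ERRORS = {1053: "ERROR_SERVICE_REQUEST_TIMEOUT"}

MEANING = {
    7000: "start failed; see error_name",
    7009: "process never connected to the SCM within the timeout "
          "(StartServiceCtrlDispatcher was not reached)",
    7011: "control handler did not report status within the timeout "
          "(e.g. an unanswered SERVICE_CONTROL_INTERROGATE)",
}


def decode_binary(hex_text):
    """<Binary> holds the service name as NUL-terminated UTF-16LE."""
    return bytes.fromhex(hex_text.strip()).decode("utf-16-le").rstrip("\x00")


def decode_param(value):
    """'%%1053' -> (1053, 'ERROR_SERVICE_REQUEST_TIMEOUT'); other text passes through."""
    if value.startswith("%%") and value[2:].isdigit():
        code = int(value[2:])
        return code, WIN32_ERRORS.get(code, "unknown Win32 error %d" % code)
    return None, value


def summarize_scm_event(xml_text):
    """Return event id, service name, timeout or error code, and a reading."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    if system.find("e:Provider", NS).get("Name") != "Service Control Manager":
        raise ValueError("not a Service Control Manager record")
    event_id = int(system.findtext("e:EventID", namespaces=NS))
    data = {d.get("Name"): (d.text or "")
            for d in root.iterfind("e:EventData/e:Data", NS)}
    binary = root.findtext("e:EventData/e:Binary", namespaces=NS)
    out = {
        "event_id": event_id,
        "record_id": int(system.findtext("e:EventRecordID", namespaces=NS)),
        "service_from_binary": decode_binary(binary) if binary else None,
        "meaning": MEANING.get(event_id, "not decoded here"),
    }
    if event_id == 7000:                    # param1 = service, param2 = %%error
        out["service"] = data["param1"]
        out["error_code"], out["error_name"] = decode_param(data["param2"])
    elif event_id in (7009, 7011):          # param1 = ms waited, param2 = service
        out["service"] = data["param2"]
        out["timeout_ms"] = int(data["param1"])
    return out


def _scm_record(event_id, record_id, params, binary=None):
    """Constructed SCM record in the layout quoted above (fields trimmed)."""
    data = "".join('<Data Name="%s">%s</Data>' % kv for kv in params)
    if binary is not None:
        data += "<Binary>%s</Binary>" % binary
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            '<System><Provider Name="Service Control Manager" '
            'EventSourceName="Service Control Manager" />'
            '<EventID Qualifiers="49152">%d</EventID><EventRecordID>%d</EventRecordID>'
            '<Channel>System</Channel></System><EventData>%s</EventData></Event>'
            % (event_id, record_id, data))


# Constructed to mirror the three records quoted in the questions above.
SAMPLES = [
    _scm_record(7000, 31657, [("param1", "certfix"), ("param2", "%%1053")],
                "63006500720074006600690078000000"),
    _scm_record(7009, 31656, [("param1", "30000"), ("param2", "certfix")],
                "63006500720074006600690078000000"),
    _scm_record(7011, 1654065, [("param1", "120000"), ("param2", "App Server")]),
]
```

`[summarize_scm_event(r) for r in SAMPLES]` yields, for the first record, service `certfix` with error 1053 ERROR_SERVICE_REQUEST_TIMEOUT and the same name decoded from the Binary field; for the second, a 30000 ms connect timeout; for the third, a 120000 ms control timeout for `App Server` with no Binary field, as in the quoted event. A 7009 followed by a 7000 carrying `%%1053` is what the SCM logs when the configured binary never registers as a service; winhttpcertcfg.exe is a command-line tool, so the SCM cannot treat it as one, although the process may still run and finish its work during the 30 s the SCM waits, which would make the side effect appear even though the start is logged as failed.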