RootKitRevealer Won't Run

  • Question

  • I am logged in as administrator on a Windows 2003 SP2 workgroup server and am trying to run RootKitRevealer.  I get the error "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."  The SYSTEM account and administrator account all have full control permissions to the %TEMP% folder, as well as the Authenticated Users group.  I'm not sure what other permissions are needed to run this software.  What file, device, or path is the error alluding to? What am I missing here? 
    Thursday, January 29, 2009 1:55 PM

All replies

  • Hi Peter,

    Any chance AV / security software may be preventing RKR from running?  I am able to run it on a Server 2003 SP2 system...

    How is the error presented?
    Friday, January 30, 2009 7:58 AM
  • molotov:
     
    At the moment, there is no AV or security software installed.  The Security Configuration Wizard was run when the NOS was installed though.  The error is presented exactly as "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."  I can't figure out where the software is being blocked or denied access to system resources.  I don't know what sequence of events has to take place for RKR to run.  I do know that a temporary exe has to be created in the %TEMP% folder.
    Friday, January 30, 2009 8:05 AM
  • The error is presented exactly as
    Does it appear in a dialog box? Somewhere in the RKR UI?

    Is anything logged to the event logs?
    Friday, January 30, 2009 8:20 AM
  • The error appears in a dialog box labeled "C:\Utility\RootKitRevealer.exe".  The dialog has a circular red symbol with a white X in it.  There are no event log errors.
    Friday, January 30, 2009 8:36 AM
  • Can you interact with the RKR UI while the message is displayed?  (I'm trying to determine if the message is displayed by RKR, or by Windows; the string "appr" [from appropriate] does not appear anywhere in the RKR executable image.)
    Friday, January 30, 2009 8:43 AM
  • The error is immediate and RKR never starts.  This appears to be a Windows generated error.  No files are ever created in the %TEMP% folder.
    Friday, January 30, 2009 10:15 AM
  • The error is immediate and RKR never starts.
    Out of curiosity - can you try running rootkitrevealer.exe as SYSTEM? (psexec -sid c:\path\to\rootkitrevealer.exe)
    Friday, January 30, 2009 10:23 AM
  • No, I am logged on as Administrator and running it by double-clicking the exe from Windows Explorer.
    Friday, January 30, 2009 10:32 AM
  • Can you try an alternate way of starting it, by running rootkitrevealer.exe as SYSTEM? (psexec -sid c:\path\to\rootkitrevealer.exe)
    Friday, January 30, 2009 10:37 AM
  • Using psexec as suggested, I get the following response:
     
    C:\>C:\Utility\psexec -sid c:\Utility\rootkitrevealer.exe
    PsExec v1.72 - Execute processes remotely
    Copyright (C) 2001-2006 Mark Russinovich
    Sysinternals - www.sysinternals.com

    c:\Utility\rootkitrevealer.exe started on [server name] with process ID 304.
     
    PID 304 lists rootkitrevealer.exe using 3604 K of memory but there is no UI.  CPU stays at 00 so the process is not active.
    Friday, January 30, 2009 10:49 AM
  • For what it is worth, I get the same behavior when I run Process Explorer (I just tried it).  I suspect that PE goes through the same startup routine.
    Friday, January 30, 2009 10:53 AM
  • PID 304 lists rootkitrevealer.exe using 3604 K of memory but there is no UI.  CPU stays at 00 so the process is not active.
    I'd expect that it's awaiting EULA acceptance, but it was executed with the -i param.  Wonder if you might try killing the currently executing rootkitrevealer.exe process, setting [HKEY_USERS\.DEFAULT\Software\Sysinternals\RootkitRevealer\EulaAccepted] (REG_DWORD) to 1, and trying again.

    Friday, January 30, 2009 11:08 AM
  • For what it is worth, I get the same behavior when I run Process Explorer (I just tried it).  I suspect that PE goes through the same startup routine.
    Both PE and RKR extract and load a driver; it seems like your Administrator account may not be able to do this.

    Perhaps, try running procexp.exe with psexec -sid as well...
    Friday, January 30, 2009 11:09 AM
  • So we are not loading a driver.  Starting PE with psexec does start a new process in Task Manager but there is no UI.  Starting RKR with the Registry set as suggested starts a new process but it apparently terminates immediately.  No rootkitrevealer process shows up in Task Manager under that PID. 
    Friday, January 30, 2009 11:29 AM
  • Starting PE with psexec does start a new process in Task Manager but there is no UI.
    Try setting [HKEY_USERS\.DEFAULT\Software\Sysinternals\ProcessExplorer\EulaAccepted] (REG_DWORD) to 1, and running Procexp.exe again.  Do you get the same behavior as with rootkitrevealer.exe?

    No rootkitrevealer process shows up in Task Manager under that PID. 
    Is there an odd, random-character process name (something goofy like lxjkkvng.exe, for example) running?

    I assume you will encounter a similar behavior, if you try running Process Monitor...
    Friday, January 30, 2009 11:38 AM
    The EulaAccepted was set for PE so the results are the same when running it again.  There is no oddly named process listed in Task Manager.  I did look for such a named exe in the %TEMP% folder but there is none created.
     
    Ditto on PM.
    Friday, January 30, 2009 11:47 AM
  • Try launching RKR or PE with psexec as before, but omit the 'd' switch (psexec -si procexp.exe).  Does PsExec indicate that procexp.exe exited and if so does it give an exit code?
    Friday, January 30, 2009 11:56 AM
  • This time psexec stays in memory as psexec.exe and PSEXESVC.exe and PE is also loaded but there is no UI as last time.  I had to end the process manually.
     
    With RKR, I got this:
     
    Error:1063
    c:\Utility\rootkitrevealer.exe exited on [server name] with error code 0.
    Friday, January 30, 2009 12:13 PM
    Error 1063 would seem to be:
    ERROR_FAILED_SERVICE_CONTROLLER_CONNECT: The service process could not connect to the service controller

    That would give a bit more idea about why things are acting the way they are.  Are you able to successfully stop and start a service such as the Print Spooler (unless, of course, print services are critical, etc.)?

    Try running PE with psexec, but specify the same credentials you used to log in as an administrator (psexec -u admin -p pass c:\path\to\procexp.exe). Any PE UI by doing this?

    Friday, January 30, 2009 12:26 PM
  • I can stop and start services such as the print spooler as admin.  PE did start the UI when using the -u and -p switches.  At least I have a way of running that now.  RKR said that it did start with a PID under psexec with -u -p, but that PID did not show up in the Task Manager when I looked and no UI.  Interesting.
    Friday, January 30, 2009 12:54 PM
  • Can you verify with PE, that PE's driver is loaded (select SYSTEM process, enable DLL view in the lower pane [CTRL+L], and look for procexp113.sys)?
    Friday, January 30, 2009 1:04 PM
  • In DLL view the driver that I see is PROCEXP111.SYS.
    Friday, January 30, 2009 1:09 PM
  • Presumably, you're running an older version of PE, then.  (The current version is v11.32.)

    Can you now, from Process Explorer, run RootkitRevealer.exe (File->Run, or File->Runas)?
    Friday, January 30, 2009 1:15 PM
  • Yes, I do have to update PE, mine is 11.12.  I can't run RKR from PE though.  I get the same error as before.
    Friday, January 30, 2009 1:19 PM
  • If you exit PE, can you restart it as you normally would launch it (by double-clicking the EXE rather than using PsExec and specifying the administrator credentials)?

    Using File -> Runas in PE did not work to run RKR, specifying the administrator credentials?
    Friday, January 30, 2009 1:30 PM
  • Running RKR in PE as RunAs produced the error "Unable to execute process: Access denied".  There was no prompt for credentials.
     
    I can't restart PE by double-clicking in Windows Explorer, I have to use psexec.
    Friday, January 30, 2009 1:36 PM
  • How are you logged into the server?  RDP?  If so, are you logged into the console session (mstsc.exe /admin or mstsc.exe /console, depending on TSC version)?
    Friday, January 30, 2009 1:47 PM
  • I have logged on both through the local console as administrator and from Remote Desktop with the same credentials.  Results are the same either way.
    Monday, February 2, 2009 6:39 AM
  • If you try to run RKR, can you check with Process Explorer to see if the RKR driver (RKREVEAL150.SYS) is loaded? 
    Tuesday, February 3, 2009 8:14 PM
    I compared a system with PE that RKR runs on and the affected system.  The driver RKREVEAL150.SYS does not load on the affected system when the error is displayed.  I do see the driver for PE in the DLL list under System in PE.  It seems that the driver cannot be created in the %WINNT%\System32\Drivers folder.  Is there anything that has to take place between the RKR exe running and prior to that driver being created?
    Wednesday, February 4, 2009 10:07 AM
  • Process Monitor might be able to provide additional information, if you're able to get it to run using a technique similar to the one you used to get Process Explorer to run...
    Wednesday, February 4, 2009 10:27 AM
  • I played around with PM yesterday and this morning to see if I could learn any more.  I have not come up with anything useful.  When I start RKR, it seems to go through four iterations of the same processes, all successful according to PM.  A snippet of the processes from PM are as follows:
     
    "Time of Day","Process Name","PID","Operation","Path","Result","Detail"

    "09:14:36.8829340","Procmon.exe","1832","IRP_MJ_QUERY_INFORMATION","C:\Utility\RootkitRevealer.exe","SUCCESS","Type: QueryNameInformationFile, Name: \Utility\RootkitRevealer.exe"
    "09:14:36.9186007","Procmon.exe","1832","IRP_MJ_QUERY_INFORMATION","C:\Utility\RootkitRevealer.exe","SUCCESS","Type: QueryNameInformationFile, Name: \Utility\RootkitRevealer.exe:Zone.Identifier"
    "09:14:38.7006080","Explorer.EXE","3896","FASTIO_NETWORK_QUERY_OPEN","C:\Utility\RootkitRevealer.exe","SUCCESS","CreationTime: 11-01-2006 12:07:06, LastAccessTime: 02-05-2009 09:14:32, LastWriteTime: 11-01-2006 12:07:06, ChangeTime: 02-05-2009 09:12:52, AllocationSize: 335,872, EndOfFile: 334,720, FileAttributes: N"
    "09:14:38.7008094","Explorer.EXE","3896","IRP_MJ_CREATE","C:\Utility\RootkitRevealer.exe","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
    "09:14:38.7008659","Explorer.EXE","3896","FASTIO_ACQUIRE_FOR_SECTION_SYNCHRONIZATION","C:\Utility\RootkitRevealer.exe","SUCCESS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE"
    "09:14:38.7008818","Explorer.EXE","3896","FASTIO_QUERY_INFORMATION","C:\Utility\RootkitRevealer.exe","SUCCESS","Type: QueryStandardInformationFile, AllocationSize: 335,872, EndOfFile: 334,720, NumberOfLinks: 1, DeletePending: False, Directory: False"
    "09:14:38.7008962","Explorer.EXE","3896","FASTIO_RELEASE_FOR_SECTION_SYNCHRONIZATION","C:\Utility\RootkitRevealer.exe","SUCCESS",""
    "09:14:38.7009106","Explorer.EXE","3896","FASTIO_ACQUIRE_FOR_SECTION_SYNCHRONIZATION","C:\Utility\RootkitRevealer.exe","SUCCESS","SyncType: SyncTypeOther"
    "09:14:38.7009225","Explorer.EXE","3896","FASTIO_RELEASE_FOR_SECTION_SYNCHRONIZATION","C:\Utility\RootkitRevealer.exe","SUCCESS",""
    "09:14:38.7009912","Explorer.EXE","3896","IRP_MJ_CLEANUP","C:\Utility\RootkitRevealer.exe","SUCCESS",""
    "09:14:38.7010135","Explorer.EXE","3896","IRP_MJ_CLOSE","C:\Utility\RootkitRevealer.exe","SUCCESS",""
     
    All of this will repeat three more times from the third timestamp to the last one.  There are no failures or access denied errors that I can see that are associated with trying to start RKR.  I would have expected to see some sort of access denied or something when trying to create RKREVEAL150.SYS.  It appears that we are not even getting that far. 
     
    Does RKREVEAL150.SYS actually get created in %WINNT%\System32\Drivers\?  I ask because in running PE, a driver, PROCEXP113.sys is created with that path, as indicated in PE.  However, no such file can be found in that path.  Is this a virtual driver?
    Thursday, February 5, 2009 6:43 AM
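The Procmon export quoted above is easier to reason about when it is triaged mechanically: which process touched the executable, whether anything referenced a `:Zone.Identifier` stream on it (the "Mark of the Web" that Explorer checks before launching a downloaded file), whether services.exe ever started the randomly named service image, and whether any watched process got a hard failure such as ACCESS DENIED. The script below is an added example for this thread, not Sysinternals code; it reads Procmon's "Save as CSV" column layout, and the sample trace, PIDs and the `lxjkkvng.exe` image name are constructed for illustration.

```python
"""Triage a Process Monitor CSV export for a program that will not launch.

Added example for this thread; not Sysinternals code.  Procmon's CSV export
uses the column header quoted in the post above.  The sample events below are
constructed (hypothetical PIDs, paths and the lxjkkvng.exe service image).
"""
import csv
import io

# Results that point at a permissions or locking problem, as opposed to the
# routine probes Procmon is full of (NAME NOT FOUND, END OF FILE, ...).
NOTABLE_RESULTS = {"ACCESS DENIED", "PRIVILEGE NOT HELD",
                   "SHARING VIOLATION", "CANNOT DELETE"}

# Constructed sample in Procmon's CSV layout.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"09:14:36.9186007","Procmon.exe","1832","IRP_MJ_QUERY_INFORMATION","C:\Utility\RootkitRevealer.exe","SUCCESS","Type: QueryNameInformationFile, Name: \Utility\RootkitRevealer.exe:Zone.Identifier"
"09:14:38.7008094","Explorer.EXE","3896","IRP_MJ_CREATE","C:\Utility\RootkitRevealer.exe","SUCCESS","Desired Access: Execute/Traverse, Synchronize, Disposition: Open"
"09:14:38.7010135","Explorer.EXE","3896","IRP_MJ_CLOSE","C:\Utility\RootkitRevealer.exe","SUCCESS",""
"09:14:39.1000000","services.exe","612","Process Create","C:\WINDOWS\system32\lxjkkvng.exe","SUCCESS","PID: 2210, Command line: C:\WINDOWS\system32\lxjkkvng.exe"
"09:14:39.2000000","lxjkkvng.exe","2210","CreateFile","C:\WINDOWS\system32\drivers\RKREVEAL150.SYS","ACCESS DENIED","Desired Access: Generic Write, Disposition: OverwriteIf"
'''


def parse_procmon_csv(text):
    """Return one dict per event, keyed by Procmon's column names."""
    return list(csv.DictReader(io.StringIO(text)))


def _basename(path):
    return path.rsplit("\\", 1)[-1]


def triage(events, target_exe):
    """Summarise what the trace says about target_exe (e.g. 'RootkitRevealer.exe')."""
    target = target_exe.lower()
    report = {
        "motw": False,           # a <target>:Zone.Identifier stream was referenced
        "target_pids": set(),    # PIDs under which the target itself ran
        "service_children": [],  # (image, pid) started by services.exe
        "failures": [],          # (process, operation, path, result) worth a look
    }
    watched = {target}
    for ev in events:
        proc, op, path = ev["Process Name"], ev["Operation"], ev["Path"]
        result, detail = ev["Result"].upper(), ev["Detail"]
        haystack = (path + " " + detail).lower()
        # A path or handle name ending in :Zone.Identifier is the Mark of the
        # Web alternate data stream on the downloaded executable.
        if target + ":zone.identifier" in haystack:
            report["motw"] = True
        if proc.lower() == target:
            report["target_pids"].add(ev["PID"])
        # RKR's temporary service is started by the Service Control Manager
        # under a random image name; follow that child as well.
        if proc.lower() == "services.exe" and op == "Process Create":
            image = _basename(path)
            pid = ""
            if "PID:" in detail:
                pid = detail.split("PID:", 1)[1].split(",", 1)[0].strip()
            report["service_children"].append((image, pid))
            watched.add(image.lower())
        if result in NOTABLE_RESULTS and (
                proc.lower() in watched or _basename(path).lower() == target):
            report["failures"].append((proc, op, path, result))
    return report


if __name__ == "__main__":
    rep = triage(parse_procmon_csv(SAMPLE_CSV), "RootkitRevealer.exe")
    print("Mark of the Web referenced:", rep["motw"])
    print("Target ran as PIDs:", sorted(rep["target_pids"]) or "never started")
    print("Started by services.exe:", rep["service_children"])
    for failure in rep["failures"]:
        print("FAILURE:", failure)
```

On the trace in the post, a run of this script would report the Zone.Identifier reference and an empty PID set for RootkitRevealer.exe (the process never starts), and no services.exe child at all, which matches the observation that the failure happens before the service is ever registered. Use a real export by replacing SAMPLE_CSV with the file contents.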
  • What filter were you using in Procmon? Recall that RootkitRevealer.exe creates and starts a temporary, randomly named service, which will load the driver when started.

    Does RKREVEAL150.SYS actually get created in %WINNT%\System32\Drivers\?
    Yes.

    However, no such file can be found in that path. 
    Many Sysinternals utilities use the technique of extracting the driver file to disk, loading the driver, and deleting the driver file after the driver is loaded.
    Thursday, February 5, 2009 7:30 AM
  • I was using a filter for RKR and access denied.  I did not see any processes related to RKR in the raw PM output after the initial successful processes.  What filters would you suggest?
    Thursday, February 5, 2009 8:13 AM
  • No initial filters, but after you capture the events see what process may be started by services.exe.  Note the name of that process, and change the filter to include events for that PID.
    Thursday, February 5, 2009 8:20 AM
    I should have clarified that the PM output above is filtered from an unfiltered capture.  I did not use any precapture filters in any PM session.
     
    I tried again and I did not find any services.exe entry in PM under Process Name or under Path after RKR was started.
    Thursday, February 5, 2009 8:45 AM
  • If those are all the events attributable to rootkitrevealer.exe, it seems that rootkitrevealer.exe is not even able to create the randomly-named program file that it will launch as a service...
    You're still getting the "Windows cannot access the specified device, path, or file." message?
    Thursday, February 5, 2009 8:53 AM
  • Yes, that message is immediate after running RKR.  So it appears that the process is getting squelched after RKR runs but before services.exe gets into the picture. 
     
    BTW: Your daily affirmation is quite clever!  I had not run across that one.
    Thursday, February 5, 2009 9:04 AM
  • And the rootkitrevealer.exe process is not running, while the dialog displays?
    Thursday, February 5, 2009 9:40 AM
  • No the RKR process is not listed when the error dialog displays.  The error displays as soon as I run the exe and RKR is gone.
    Thursday, February 5, 2009 11:31 AM
  • Can you try profiling execution of rootkitrevealer.exe with Dependency Walker?  Open the executable in DW, choose Profile->Start Profiling, check all boxes, and click OK.  Then save the .DWI file, ZIP it, and upload it somewhere.  Provide the link to the ZIP file; you may wish to password-protect the ZIP file, and privately share the password with those you choose to allow to examine the contents.
    Thursday, February 5, 2009 6:39 PM
  • I had to run Depends the same way as PE through psexec.  I did get an error during profiling that "Rootkit Revealer must be run from the console".  I don't know if this is to be expected.
     
    I have a .dwi file for RKR as requested available via FTP on our server.  Please contact me through terminus@kubotekusa.com for access.
    Tuesday, February 10, 2009 12:14 PM
    I did get an error during profiling that "Rootkit Revealer must be run from the console".
    Does it only do this when profiling with DW?   Were you logged into session 0?

    I've sent you a PM...

    Tuesday, February 10, 2009 4:07 PM
    Judging by the .DWI, and your description, RKR exited because it detected it was not run in session 0.  Can you please ensure you are logged into the console session, and then re-run the profile?
    Thursday, February 12, 2009 7:31 PM
  • Sorry to take so long to reply back. I was able to get on-site today and run Depends from the server console instead of Remote Desktop.  The .dwi file is in the same place as the last one.  RKR did start and run under Depends this time.
    Tuesday, February 17, 2009 10:38 AM
  • When you profile rootkitrevealer.exe with DW, do you encounter the "Windows cannot access the specified device, path, or file." message?  Does any RKR UI display?
    Wednesday, February 18, 2009 8:34 PM
  • In the last session of Depends that the last .dwi file came from, I got no errors and the RKR interface opened.  I was able to run it.  It found nothing, thankfully.
     
    I logged into the server console today and I can run RKR, PE, PM, but not Depends.  However PE, PM, and RKR run sometimes without getting the error, sometimes fails with the error.  This is really baffling.  I can't run RKR and Depends at all from remote desktop without the error. 
     
    I tried installing McAfee VirusScan 8 logged into the console, but it would not start without the same error.  However, it will run from within Depends while profiling.  Again, baffling.
    Friday, February 20, 2009 11:01 AM
  • And there are still no messages logged to the event logs?  If you are (now??) consistently unable to run depends.exe, can you run Procmon and set the filter to include activity related to depends.exe (Process Name is depends.exe then Include)? Any events of interest?
    Monday, February 23, 2009 3:35 AM
  • I realise this thread is dated but for anyone else who comes across this the answer can be found here: http://www.mssqltips.com/sqlservertip/1262/windows-cannot-access-the-specified-device-path-or-file-error/
    If the link is dead then to fix the problem with this kind of error go to the executable, right click on it, left click on Properties, and click the button labelled Unblock. Click OK and try your application. It should now open.
    Sunday, December 4, 2011 11:45 AM
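The Unblock button removes the Zone.Identifier alternate data stream that Internet Explorer and Outlook attach to files saved from the Internet zone; Explorer reads that stream before launching an executable and refuses with exactly the "Windows cannot access the specified device, path, or file" message when the zone is Internet or Restricted sites. The script below is an added example for this thread, not Microsoft code: it reads and parses the stream, tells you whether the shell will block the file, and deletes the stream the way Unblock does. It needs NTFS to do anything useful on a real file; the stream name is treated as an ordinary missing file elsewhere.

```python
"""Read, interpret and clear the Zone.Identifier alternate data stream
(the 'Mark of the Web') on a downloaded executable.

Added example for this thread, not Microsoft or Sysinternals code.  The stream
is a small INI file with a [ZoneTransfer] section; Explorer's Unblock button
deletes it.  Reading or deleting the stream requires NTFS (Windows).
"""
import os
import sys

STREAM = ":Zone.Identifier"
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}


def parse_zone_identifier(text):
    """Return the key=value pairs of the [ZoneTransfer] section ({} if absent)."""
    fields, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[zonetransfer]"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def zone_id(fields):
    """ZoneId as an integer; a missing or malformed value counts as local (0)."""
    try:
        return int(fields.get("ZoneId", "0"))
    except ValueError:
        return 0


def is_blocked(fields):
    """The shell blocks executables marked Internet (3) or Restricted sites (4)."""
    return zone_id(fields) >= 3


def read_motw(path):
    """Parsed stream for path, or None when the file carries no stream."""
    try:
        with open(path + STREAM, "r", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


def unblock(path):
    """Delete the stream; this is what Explorer's Unblock button does."""
    os.remove(path + STREAM)


if __name__ == "__main__":
    do_unblock = "--unblock" in sys.argv
    for target in (a for a in sys.argv[1:] if a != "--unblock"):
        fields = read_motw(target)
        if fields is None:
            print(f"{target}: no Zone.Identifier stream")
            continue
        zid = zone_id(fields)
        flag = " BLOCKED" if is_blocked(fields) else ""
        print(f"{target}: ZoneId={zid} ({ZONE_NAMES.get(zid, 'unknown')}){flag}")
        if do_unblock and is_blocked(fields):
            unblock(target)
            print(f"{target}: stream removed")
```

Run it as `python motw.py C:\Utility\RootkitRevealer.exe --unblock` (script name assumed). Copying a marked file between NTFS volumes or extracting it with Explorer's compressed-folder support preserves the stream, which is why the same tool can launch on one server and be refused on another; a file copied over FAT or a non-Windows share loses it.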
    CodeIntegrity (!!?) says the driver is not SIGNED, so it is not loaded. That simple. I am convinced that most people dealing with Microsoft have NO IDEA what they are talking about but still are very enthusiastic giving replies. Here and in all other fora. I found this BIT of information quite unexpectedly among thousands of Event Log pages. I have just played with sysinternals and it was not very helpful. It was bought by MS for how much? And it was not revised and SIGNED? Now, can ANYONE UNDERSTAND that I cannot make the cursor **hide while typing**? I feel there is someone in my machines but I find no way to close the holes. And no antivirus works either. For all that matters... THESE DID NOT GROW IN TREES, THESE ARE HUMAN MADE, THERE IS NO REAL REASON NOT TO MAKE ALL THIS PERFECT. Willingly.
    Monday, September 30, 2013 9:31 PM
    Don't use RR any longer, it has been dead for so many years. Use other tools like http://www.gmer.net/
    Tuesday, October 1, 2013 9:04 PM
  • Have a look at https://serverfault.com/questions/506691/rootkit-revealer-is-failing-to-run-why

    Looks like it will not work on 64-bit systems.

    Friday, January 13, 2023 6:58 AM