开发者

CMD.exe closes immediately after calling (Win7 64)

开发者 https://www.devze.com 2023-02-18 20:02 出处:网络
Has anyone found such behavior when Command Processor (cmd.exe) closes immediately after calling it? I’ve run McAfee AV and Windows System开发者_运维技巧 File Check(sfc.exe) and nothing wrong was det

Has anyone found such behavior when Command Processor (cmd.exe) closes immediately after calling it? I’ve run McAfee AV and Windows System开发者_运维技巧 File Check (sfc.exe) and nothing wrong was detected, I’ve even copied cmd.exe file from other win 7 machine and it is still working same way. Strangest thing is – on the windows 7 64 there is also 32 bit version of that file which works perfectly normal.

SysInternals Process Monitor shows that cmd.exe process ends with exit code 0x0... o_O

Also calling commands directly from start menu, like ping, works normal…

Maybe that question is not strictly related to coding but that issue holds me from doing many things related to actual application development and environment check.


Answering all questions:

  • superuser, safe mode, run as admin, changing ownership and permissions - didn't help
  • I was calling by menu start as well as d-clicking cmd.exe with same result,
  • No virsus either malware found by today's scanning with McAfee, Anti-malware, MS Malicious removal... etc

Finally I got it SOLVED:

  • Run regedit
  • Go to HKLM\Software\Microsoft\Command Processor\ or HKEY_CURRENT_USER\Software\Microsoft\Command Processor\ or HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\

  • For some reason there was AUTORUN key with "EXIT" inside.

  • Remove the AutoRun key and everything should went back to normal.
  • CMD.exe should start to work again.

Also,

In some cases, the Command prompt is also opening on Startup, which is when the above solution is applied hangs the system on Command prompt when you logon.

This can be fixed by using Autoruns, where you need to disable command prompt startup registries on Logon/Startup tab. (there can be more than one entries)

That one also explains why exit code was 0x0.

Have no idea what kind of thing set that key up... McAfee showed some activity lat week and I've noticed it last Friday.

Hope these symptoms and my answer will help someone in future


I had this problem and found something to try that solved my problem.

Investigate registry entry HKLM\Software\Microsoft\Command Processor If there is an "Autorun" key, this key causes the batch file entry in this key to run at the beginning of the command prompt execution. You can try to skip this execution to test the solution using RUN cmd.exe /d

If the problem is user specific, check HKCU\Software\Microsoft\Command Prompt for this key. The current user entry mixes in with the local machine entry so if the key exists in the current user registry then it will try to execute the listed batch file. On my computer the key was there but empty. If there is a batch file in this key then figure out what that batch file is doing and if you want it there. I deleted the key all together and the problem went away.
On my computer the key was present in current user but not in local machine.

Somehow some virus probably put this key in the registyr but since it is a valid key, it is hard for malware detectors to find this.

I didn't find any other solutiosn to this problem on the web so please let others know if this works for you. I never post on forums but saw a bunch of questions about this and on good solutions so I thought I had to post.

I got the idea about this solution from this link.
http://software.oberberger.com/2008/09/interesting-stuff-about-cmdexe.html

Good luck.


I suspect this is a virus called vmprotected cryptocurrency miner.

I found an app in C:\Users{profilename}\AppData\Roaming\Microsoft\SoundModule\SoundModule.exe

Also: The follow values were modified Also there are two main keys you need to modify

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

The shell key should have a value of explorer.exe and it was changed to %Comspec% which causes the command prompt to execute on login.

I would highly recommend you run a full virus scan and ensure the keys and executables are removed


I've had similar problem - cmd.exe was closing immediately after starting. I was able to keep it running by executing cmd.exe /K cmd.exe, but it was closing after any invalid command. I've found out that my problem was caused by non default code page:

C:\>chcp
Active code page: 65001

To fix the problem I've removed registry entry:

[HKEY_CURRENT_USER\Console\%SystemRoot%_system32_cmd.exe]
"CodePage"=dword:0000fde9

Another solution is to change cmd.exe font from raster fonts to a true type one.


This is a shot in the dark, but I have seen problems like this in the past when incorrectly specifying a debugger via Image File Execution Options. You might check to see if there's an entry for 'cmd.exe' there.


Answering in case anyone else still runs into this problem. I have recently experienced same issue, and the reason for that was a bitcoin mining malware. I used Malwarebytes to scan the computer and remove the malware, which immediately resolved the problem.

0

精彩评论

暂无评论...
验证码 换一张
取 消