question

cybertrapped asked steviefaux answered

I Am Unable to Run The Just Downloaded procexp.exe Because The Deleted Older procexp64.exe Keeps Creeping Open

I just downloaded procexp.exe from https://live.sysinternals.com/procexp.exe (downloaded 20210915 between 9 - 9:30 PDT)

(sha256 0F2081EBD2EF0BAAFDD699DBD1B77853A35B50943418ED6207F896599F41084C)

I put the file at C:\, and from an Administrator PowerShell CLI I ran C:\procexp.exe, and procexp64.exe popped up. Using it, I explored procexp64.exe, and its properties showed the location of its image as C:\Users\SomeUser\AppData\Local\Temp\procexp64.exe and the command line as "C:\procexp.exe".

So I closed the procexp64.exe window and deleted C:\procexp64.exe (which I had downloaded a few months ago).

Again, with PowerShell as Administrator, I ran C:\procexp.exe, and the familiar window popped up. When I filtered for "procexp," I saw two processes: procexp64.exe and procexp.exe.

I tried to bring the window of procexp.exe to the front (by right-clicking the process), but I could not, because the Window menu item was greyed out.

When I tried to bring the window of procexp64.exe to the front, I was able to select the Window item from the menu that appears when I right-click this process. And well... it was the window I was working with.

Thinking that perhaps some cache was at play in this odd situation, I took the SHA256 of the two files, and I got:

C:\procexp.exe
0F2081EBD2EF0BAAFDD699DBD1B77853A35B50943418ED6207F896599F41084C

C:\Users\SomeUser\AppData\Local\Temp\procexp64.exe
77358157EFBF4572C2D7F17A1A264990843307F802D20BAD4FB2442245D65F0B

The reason I downloaded procexp.exe today is that procexp64.exe would shut down while I was troubleshooting the dirmngr process from GnuPG's gpg CLI. So I checked Event Viewer and found:

 Event Time: 9/15/2021 9:17:53 AM.223
 Record ID: 11985
 Event ID: 1001
 Level: Information
 Channel: Application
 Provider: Windows Error Reporting
 Description: Fault bucket 1609796576240296912  type 4 
    
 Event Name: APPCRASH
 Response: Not available
 Cab Id: 0
    
 Problem signature:
 P1: procexp64.exe
 P2: 16.43.0.0
 P3: 611b18e1
 P4: procexp64.exe
 P5: 16.43.0.0
 P6: 611b18e1
 P7: c000041d
 P8: 0000000000040b40
 P9: 
 P10: 
    
 Attached files:
 \\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERDAFA.tmp.mdmp
 \\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERDD0E.tmp.WERInternalMetadata.xml
 \\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERDDBB.tmp.xml
 \\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERDE19.tmp.csv
 \\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERDE78.tmp.txt
 \\?\C:\Users\SomeUser\AppData\Local\Temp\WERDF24.tmp.appcompat.txt
    
 These files may be available here:
 \\?\C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_procexp64.exe_dbab7ec7d00bc871158944e434e86f47e4bb560_c2ae7e9e_931b3ca1-8a8a-4318-97dc-02a5581527b5
    
 Analysis symbol: 
 Rechecking for solution: 0
 Report Id: c4fd20d3-4a18-43f0-8bdb-1303e64460c2
 Report Status: 268435456
 Hashed bucket: ec11c4e2f37a93ffd6572574ff7163d0

Of the event's referenced files, I only found C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_procexp64.exe_dbab7ec7d00bc871158944e434e86f47e4bb560_c2ae7e9e_931b3ca1-8a8a-4318-97dc-02a5581527b5\Report.wer. This is its content:

Version=1
EventType=APPCRASH
EventTime=132761962695246351
ReportType=2
Consent=1
UploadTime=132761962719245607
ReportStatus=268435456
ReportIdentifier=931b3ca1-8a8a-4318-97dc-02a5581527b5
IntegratorReportIdentifier=c4fd20d3-4a18-43f0-8bdb-1303e64460c2
Wow64Host=34404
NsAppName=procexp64.exe
OriginalFilename=Procexp.exe
AppSessionGuid=000073b0-0005-004d-bd93-12c64caad701
TargetAppId=W:00063b8a1b9bb575663585011ecd5b422fcb00000904!0000d3dc46078a137f17c50887ff6f17be40dab20626!procexp64.exe
TargetAppVer=2021//08//17:02:03:13!174ad2!procexp64.exe
BootId=4294967295
TargetAsId=11492
UserImpactVector=806355760
IsFatal=1
EtwNonCollectReason=4
Response.BucketId=ec11c4e2f37a93ffd6572574ff7163d0
Response.BucketTable=4
Response.LegacyBucketId=1609796576240296912
Response.type=4
Sig[0].Name=Application Name
Sig[0].Value=procexp64.exe
Sig[1].Name=Application Version
Sig[1].Value=16.43.0.0
Sig[2].Name=Application Timestamp
Sig[2].Value=611b18e1
Sig[3].Name=Fault Module Name
Sig[3].Value=procexp64.exe
Sig[4].Name=Fault Module Version
Sig[4].Value=16.43.0.0
Sig[5].Name=Fault Module Timestamp
Sig[5].Value=611b18e1
Sig[6].Name=Exception Code
Sig[6].Value=c000041d
Sig[7].Name=Exception Offset
Sig[7].Value=0000000000040b40
DynamicSig[1].Name=OS Version
DynamicSig[1].Value=10.0.19042.2.0.0.768.101
DynamicSig[2].Name=Locale ID
DynamicSig[2].Value=1033
DynamicSig[22].Name=Additional Information 1
DynamicSig[22].Value=f552
DynamicSig[23].Name=Additional Information 2
DynamicSig[23].Value=f5525a7bfe390a118fa62329258a9cf1
DynamicSig[24].Name=Additional Information 3
DynamicSig[24].Value=c2a9
DynamicSig[25].Name=Additional Information 4
DynamicSig[25].Value=c2a916903a0584c515dfe33eda93d5ae
UI[2]=C:\Users\SomeUser\AppData\Local\Temp\procexp64.exe
LoadedModule[0]=C:\Users\SomeUser\AppData\Local\Temp\procexp64.exe
LoadedModule[1]=C:\WINDOWS\SYSTEM32\ntdll.dll
LoadedModule[2]=C:\WINDOWS\System32\KERNEL32.DLL
LoadedModule[3]=C:\WINDOWS\System32\KERNELBASE.dll
LoadedModule[4]=C:\WINDOWS\System32\SHLWAPI.dll
LoadedModule[5]=C:\WINDOWS\System32\msvcrt.dll
LoadedModule[6]=C:\WINDOWS\System32\WS2_32.dll
LoadedModule[7]=C:\WINDOWS\System32\RPCRT4.dll
LoadedModule[8]=C:\WINDOWS\System32\SETUPAPI.dll
LoadedModule[9]=C:\WINDOWS\System32\cfgmgr32.dll
LoadedModule[10]=C:\WINDOWS\System32\ucrtbase.dll
LoadedModule[11]=C:\WINDOWS\System32\bcrypt.dll
LoadedModule[12]=C:\WINDOWS\System32\CRYPT32.dll
LoadedModule[13]=C:\WINDOWS\System32\GDI32.dll
LoadedModule[14]=C:\WINDOWS\System32\win32u.dll
LoadedModule[15]=C:\WINDOWS\System32\gdi32full.dll
LoadedModule[16]=C:\WINDOWS\System32\msvcp_win.dll
LoadedModule[17]=C:\WINDOWS\System32\USER32.dll
LoadedModule[18]=C:\WINDOWS\System32\COMDLG32.dll
LoadedModule[19]=C:\WINDOWS\System32\combase.dll
LoadedModule[20]=C:\WINDOWS\System32\shcore.dll
LoadedModule[21]=C:\WINDOWS\System32\SHELL32.dll
LoadedModule[22]=C:\WINDOWS\System32\ADVAPI32.dll
LoadedModule[23]=C:\WINDOWS\System32\sechost.dll
LoadedModule[24]=C:\WINDOWS\System32\ole32.dll
LoadedModule[25]=C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\COMCTL32.dll
LoadedModule[26]=C:\WINDOWS\SYSTEM32\IPHLPAPI.DLL
LoadedModule[27]=C:\WINDOWS\System32\OLEAUT32.dll
LoadedModule[28]=C:\WINDOWS\SYSTEM32\MPR.dll
LoadedModule[29]=C:\WINDOWS\SYSTEM32\VERSION.dll
LoadedModule[30]=C:\WINDOWS\SYSTEM32\credui.dll
LoadedModule[31]=C:\WINDOWS\SYSTEM32\ACLUI.dll
LoadedModule[32]=C:\WINDOWS\SYSTEM32\WTSAPI32.dll
LoadedModule[33]=C:\WINDOWS\SYSTEM32\POWRPROF.dll
LoadedModule[34]=C:\WINDOWS\SYSTEM32\UxTheme.dll
LoadedModule[35]=C:\WINDOWS\SYSTEM32\NTDSAPI.dll
LoadedModule[36]=C:\WINDOWS\SYSTEM32\WINHTTP.dll
LoadedModule[37]=C:\WINDOWS\SYSTEM32\XmlLite.dll
LoadedModule[38]=C:\WINDOWS\System32\IMM32.DLL
LoadedModule[39]=C:\WINDOWS\SYSTEM32\UMPDC.dll
LoadedModule[40]=C:\WINDOWS\SYSTEM32\winsta.dll
LoadedModule[41]=C:\WINDOWS\SYSTEM32\dbghelp.dll
LoadedModule[42]=C:\WINDOWS\SYSTEM32\dbgcore.DLL
LoadedModule[43]=C:\WINDOWS\System32\wow64cpu.DLL
LoadedModule[44]=C:\WINDOWS\System32\wow64.dll
LoadedModule[45]=C:\WINDOWS\System32\wow64win.dll
LoadedModule[46]=C:\WINDOWS\system32\mscoree.dll
LoadedModule[47]=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll
LoadedModule[48]=C:\WINDOWS\SYSTEM32\kernel.appcore.dll
LoadedModule[49]=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll
LoadedModule[50]=C:\WINDOWS\SYSTEM32\ucrtbase_clr0400.dll
LoadedModule[51]=C:\WINDOWS\SYSTEM32\VCRUNTIME140_CLR0400.dll
LoadedModule[52]=C:\WINDOWS\System32\bcryptPrimitives.dll
LoadedModule[53]=C:\WINDOWS\system32\netfxperf.dll
LoadedModule[54]=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\perfcounter.dll
LoadedModule[55]=C:\WINDOWS\SYSTEM32\pdh.dll
LoadedModule[56]=C:\WINDOWS\System32\MSCTF.dll
LoadedModule[57]=C:\WINDOWS\SYSTEM32\TextShaping.dll
LoadedModule[58]=C:\WINDOWS\System32\Wintrust.dll
LoadedModule[59]=C:\WINDOWS\SYSTEM32\MSASN1.dll
LoadedModule[60]=C:\WINDOWS\SYSTEM32\textinputframework.dll
LoadedModule[61]=C:\WINDOWS\System32\CoreUIComponents.dll
LoadedModule[62]=C:\WINDOWS\System32\CoreMessaging.dll
LoadedModule[63]=C:\WINDOWS\SYSTEM32\wintypes.dll
LoadedModule[64]=C:\WINDOWS\SYSTEM32\ntmarta.dll
LoadedModule[65]=C:\WINDOWS\system32\Oleacc.dll
LoadedModule[66]=C:\WINDOWS\SYSTEM32\DEVOBJ.dll
LoadedModule[67]=C:\WINDOWS\System32\clbcatq.dll
LoadedModule[68]=C:\Windows\System32\taskschd.dll
LoadedModule[69]=C:\Windows\System32\SspiCli.dll
LoadedModule[70]=C:\WINDOWS\SYSTEM32\sxs.dll
LoadedModule[71]=C:\WINDOWS\SYSTEM32\CRYPTSP.dll
LoadedModule[72]=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordbi.dll
LoadedModule[73]=C:\WINDOWS\system32\rsaenh.dll
LoadedModule[74]=C:\WINDOWS\SYSTEM32\CRYPTBASE.dll
LoadedModule[75]=C:\WINDOWS\SYSTEM32\windows.storage.dll
LoadedModule[76]=C:\WINDOWS\SYSTEM32\Wldp.dll
LoadedModule[77]=C:\WINDOWS\System32\imagehlp.dll
LoadedModule[78]=C:\WINDOWS\system32\propsys.dll
LoadedModule[79]=C:\WINDOWS\SYSTEM32\gpapi.dll
LoadedModule[80]=C:\WINDOWS\SYSTEM32\profapi.dll
LoadedModule[81]=C:\WINDOWS\SYSTEM32\WindowsCodecs.dll
LoadedModule[82]=C:\WINDOWS\SYSTEM32\cryptnet.dll
LoadedModule[83]=C:\WINDOWS\SYSTEM32\WINNSI.DLL
LoadedModule[84]=C:\WINDOWS\System32\NSI.dll
LoadedModule[85]=C:\WINDOWS\SYSTEM32\MrmCoreR.dll
LoadedModule[86]=C:\WINDOWS\SYSTEM32\iertutil.dll
LoadedModule[87]=C:\Windows\System32\thumbcache.dll
LoadedModule[88]=C:\WINDOWS\SYSTEM32\policymanager.dll
LoadedModule[89]=C:\WINDOWS\SYSTEM32\msvcp110_win.dll
LoadedModule[90]=C:\WINDOWS\system32\wbem\wbemprox.dll
LoadedModule[91]=C:\WINDOWS\SYSTEM32\wbemcomn.dll
LoadedModule[92]=C:\WINDOWS\system32\wbem\wbemsvc.dll
LoadedModule[93]=C:\WINDOWS\system32\wbem\fastprox.dll
LoadedModule[94]=C:\WINDOWS\SYSTEM32\amsi.dll
LoadedModule[95]=C:\WINDOWS\SYSTEM32\USERENV.dll
LoadedModule[96]=C:\WINDOWS\system32\WRusr.dll
LoadedModule[97]=C:\WINDOWS\System32\PSAPI.DLL
LoadedModule[98]=C:\WINDOWS\SYSTEM32\MSIMG32.dll
LoadedModule[99]=C:\WINDOWS\SYSTEM32\webio.dll
LoadedModule[100]=C:\WINDOWS\system32\mswsock.dll
LoadedModule[101]=C:\WINDOWS\SYSTEM32\DNSAPI.dll
LoadedModule[102]=C:\Windows\System32\rasadhlp.dll
LoadedModule[103]=C:\WINDOWS\System32\fwpuclnt.dll
LoadedModule[104]=C:\WINDOWS\system32\schannel.DLL
LoadedModule[105]=C:\WINDOWS\SYSTEM32\mskeyprotect.dll
LoadedModule[106]=C:\WINDOWS\SYSTEM32\NTASN1.dll
LoadedModule[107]=C:\WINDOWS\SYSTEM32\ncrypt.dll
LoadedModule[108]=C:\WINDOWS\system32\ncryptsslp.dll
LoadedModule[109]=C:\WINDOWS\SYSTEM32\DPAPI.DLL
LoadedModule[110]=C:\WINDOWS\System32\coml2.dll
State[0].Key=Transport.DoneStage1
State[0].Value=1
OsInfo[0].Key=vermaj
OsInfo[0].Value=10
OsInfo[1].Key=vermin
OsInfo[1].Value=0
OsInfo[2].Key=verbld
OsInfo[2].Value=19042
OsInfo[3].Key=ubr
OsInfo[3].Value=1165
OsInfo[4].Key=versp
OsInfo[4].Value=0
OsInfo[5].Key=arch
OsInfo[5].Value=9
OsInfo[6].Key=lcid
OsInfo[6].Value=1033
OsInfo[7].Key=geoid
OsInfo[7].Value=244
OsInfo[8].Key=sku
OsInfo[8].Value=101
OsInfo[9].Key=domain
OsInfo[9].Value=0
OsInfo[10].Key=prodsuite
OsInfo[10].Value=768
OsInfo[11].Key=ntprodtype
OsInfo[11].Value=1
OsInfo[12].Key=platid
OsInfo[12].Value=10
OsInfo[13].Key=sr
OsInfo[13].Value=0
OsInfo[14].Key=tmsi
OsInfo[14].Value=221267222
OsInfo[15].Key=osinsty
OsInfo[15].Value=1
OsInfo[16].Key=iever
OsInfo[16].Value=11.789.19041.0-11.0.1000
OsInfo[17].Key=portos
OsInfo[17].Value=0
OsInfo[18].Key=ram
OsInfo[18].Value=8006
OsInfo[19].Key=svolsz
OsInfo[19].Value=930
OsInfo[20].Key=wimbt
OsInfo[20].Value=0
OsInfo[21].Key=blddt
OsInfo[21].Value=191206
OsInfo[22].Key=bldtm
OsInfo[22].Value=1406
OsInfo[23].Key=bldbrch
OsInfo[23].Value=vb_release
OsInfo[24].Key=bldchk
OsInfo[24].Value=0
OsInfo[25].Key=wpvermaj
OsInfo[25].Value=0
OsInfo[26].Key=wpvermin
OsInfo[26].Value=0
OsInfo[27].Key=wpbuildmaj
OsInfo[27].Value=0
OsInfo[28].Key=wpbuildmin
OsInfo[28].Value=0
OsInfo[29].Key=osver
OsInfo[29].Value=10.0.19041.1165.amd64fre.vb_release.191206-1406
OsInfo[30].Key=buildflightid
OsInfo[30].Value=CCA699D9-19E7-4B7A-B468-168C4C3ABEE7.1
OsInfo[31].Key=edition
OsInfo[31].Value=Core
OsInfo[32].Key=ring
OsInfo[32].Value=Retail
OsInfo[33].Key=expid
OsInfo[33].Value=RS:97A7
OsInfo[34].Key=fconid
OsInfo[35].Key=containerid
OsInfo[36].Key=containertype
OsInfo[37].Key=edu
OsInfo[37].Value=0
FriendlyEventName=Stopped working
ConsentKey=APPCRASH
AppName=Sysinternals Process Explorer
AppPath=C:\Users\SomeUser\AppData\Local\Temp\procexp64.exe
NsPartner=windows
NsGroup=windows8
ApplicationIdentity=82DF231D2A89ABA7A69459F990BC7F81
MetadataHash=396090815

Could I get some feedback on this?

How can I run the recently downloaded application, and stop the deleted, older application from running (or what I call creeping open)?

Thank you






Tags: windows-sysinternals-general, windows-sysinternals-procexp
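The Report.wer quoted above is a plain Key=Value file. The following parser is an added example, not code from the original post or from Sysinternals: it turns such a report into a crash summary (problem signature, fault module, exception code, and any loaded module that lives outside the Windows directory). The $sample here-string is an excerpt of the report quoted in the question; the small NTSTATUS table and the "non-Windows module" heuristic are this example's own additions.

```powershell
# Added example: parse a WER Report.wer file into a crash summary.
# Not part of the original post; the sample below is an excerpt of the report quoted above.

function ConvertFrom-WerReport {
    param([Parameter(Mandatory)][string[]]$Lines)

    $kv      = @{}    # plain Key=Value entries (EventType, AppName, AppPath, ...)
    $sig     = @{}    # Sig[n].Name / Sig[n].Value pairs, keyed by n
    $modules = [System.Collections.Generic.List[string]]::new()

    foreach ($line in $Lines) {
        if ($line -notmatch '^(?<key>[^=]+)=(?<value>.*)$') { continue }
        $key   = $Matches['key']
        $value = $Matches['value']
        if ($key -match '^Sig\[(\d+)\]\.(Name|Value)$') {
            $i = [int]$Matches[1]
            if (-not $sig.ContainsKey($i)) { $sig[$i] = @{} }
            $sig[$i][$Matches[2]] = $value
        }
        elseif ($key -match '^LoadedModule\[\d+\]$') {
            $modules.Add($value)
        }
        else {
            $kv[$key] = $value
        }
    }

    # Rebuild the problem signature as Name -> Value in index order.
    $signature = [ordered]@{}
    foreach ($i in ($sig.Keys | Sort-Object)) {
        $signature[$sig[$i]['Name']] = $sig[$i]['Value']
    }

    # A few NTSTATUS exception codes commonly seen in APPCRASH signatures (this example's own table).
    $ntstatus = @{
        'c0000005' = 'STATUS_ACCESS_VIOLATION'
        'c00000fd' = 'STATUS_STACK_OVERFLOW'
        'c0000409' = 'STATUS_STACK_BUFFER_OVERRUN'
        'c000041d' = 'STATUS_FATAL_USER_CALLBACK_EXCEPTION'
    }
    $code = $signature['Exception Code']
    $codeName = 'unknown'
    if ($code -and $ntstatus.ContainsKey($code.ToLower())) { $codeName = $ntstatus[$code.ToLower()] }

    [pscustomobject]@{
        EventType         = $kv['EventType']
        AppName           = $kv['AppName']
        AppPath           = $kv['AppPath']
        FaultModule       = $signature['Fault Module Name']
        ExceptionCode     = $code
        ExceptionName     = $codeName
        ExceptionOffset   = $signature['Exception Offset']
        ModuleCount       = $modules.Count
        # Heuristic: modules loaded from outside the Windows directory deserve a second look.
        NonWindowsModules = @($modules | Where-Object { $_ -notlike 'C:\WINDOWS\*' })
    }
}

# Excerpt of the Report.wer quoted in the question (sample input for this example).
$sample = @'
Version=1
EventType=APPCRASH
NsAppName=procexp64.exe
Sig[0].Name=Application Name
Sig[0].Value=procexp64.exe
Sig[1].Name=Application Version
Sig[1].Value=16.43.0.0
Sig[3].Name=Fault Module Name
Sig[3].Value=procexp64.exe
Sig[6].Name=Exception Code
Sig[6].Value=c000041d
Sig[7].Name=Exception Offset
Sig[7].Value=0000000000040b40
LoadedModule[0]=C:\Users\SomeUser\AppData\Local\Temp\procexp64.exe
LoadedModule[1]=C:\WINDOWS\SYSTEM32\ntdll.dll
LoadedModule[96]=C:\WINDOWS\system32\WRusr.dll
AppName=Sysinternals Process Explorer
AppPath=C:\Users\SomeUser\AppData\Local\Temp\procexp64.exe
'@ -split '\r?\n'

$report = ConvertFrom-WerReport -Lines $sample
$report | Format-List

# For a real report: ConvertFrom-WerReport -Lines (Get-Content '<ReportArchive folder>\Report.wer')
```

Running it on the excerpt reports the fault module as procexp64.exe loaded from the user's Temp directory, with exception code c000041d (STATUS_FATAL_USER_CALLBACK_EXCEPTION); the only non-Windows module in the excerpt is that Temp copy of procexp64.exe itself.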

1 Answer

steviefaux answered

This is because you are on a 64-bit processor. Although you have downloaded and only run procexp.exe, it contains procexp64.exe built into it. When it detects you are on a 64-bit chip, it unpacks procexp64.exe and runs that. That is why you'll always see procexp64.exe as a child process of procexp.exe.

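To see the launcher/child relationship the answer describes, and to check that the procexp64.exe written to %TEMP% is a genuine, signed Sysinternals binary rather than something else, here is an added PowerShell example (not code from the original post or from Sysinternals). It assumes the launcher sits at C:\procexp.exe with the SHA256 quoted in the question, and that it is run from an elevated PowerShell.

```powershell
# Added example, not from the original post: start the Process Explorer launcher,
# list the child process it spawns, and verify the extracted image's hash and signature.
# Assumptions: C:\procexp.exe is the downloaded launcher; run as Administrator.

$launcher = 'C:\procexp.exe'
$expectedLauncherSha256 = '0F2081EBD2EF0BAAFDD699DBD1B77853A35B50943418ED6207F896599F41084C'  # from the question

# 1. Confirm the launcher on disk is the file that was downloaded.
$hash = (Get-FileHash -Path $launcher -Algorithm SHA256).Hash
if ($hash -ne $expectedLauncherSha256) { throw "Unexpected SHA256 for ${launcher}: $hash" }
$launcherSig = Get-AuthenticodeSignature -FilePath $launcher
"Launcher signature: $($launcherSig.Status) / $($launcherSig.SignerCertificate.Subject)"

# 2. Start the launcher and give it a moment to unpack and spawn procexp64.exe.
$parent = Start-Process -FilePath $launcher -PassThru
Start-Sleep -Seconds 3

# 3. Every process whose parent is the launcher we just started.
$children = Get-CimInstance Win32_Process -Filter "ParentProcessId = $($parent.Id)"
$children | Select-Object ProcessId, Name, ExecutablePath, CommandLine | Format-List

# 4. For each child, record where its image lives and whether it is validly signed.
foreach ($child in $children) {
    $sig = Get-AuthenticodeSignature -FilePath $child.ExecutablePath
    [pscustomobject]@{
        Pid    = $child.ProcessId
        Image  = $child.ExecutablePath
        Sha256 = (Get-FileHash -Path $child.ExecutablePath -Algorithm SHA256).Hash
        Status = $sig.Status                      # expect 'Valid'
        Signer = $sig.SignerCertificate.Subject   # expect a Microsoft Corporation subject
    }
}

# 5. Both images show up in the process list, as in the question.
Get-Process -Name 'procexp*' | Select-Object Id, ProcessName, Path
```

The two SHA256 values in the question differ because C:\procexp.exe (the launcher) and the %TEMP%\procexp64.exe it writes are different binaries, so a mismatch between them is expected; the check that matters for the extracted file is that its Authenticode status is Valid and the signer is Microsoft, which step 4 reports.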