Question: Significance of Unknown Owner/File Missing

By Bobbye
May 21, 2008
  1. This is a general question in that it does not pertain to any specific log. But it is something I see frequently in the HijackThis logs and have wondered if there is a particular significance:

    O23 - Service: @%SystemRoot%\system32\****1*****- ****2****Unknown owner - C:\Windows\System32\****3****(file missing)

    1 = 'exe' or 'dll' file followed by a number such as -100
    2 = Name or acronym of Service
    3 = same exe file as #1.

    All unknown/missing aren't in the SystemRoot, but I am wondering if these Services can actually load without the information. Is the "@" significant, as I sometimes see other files, preceded by the "@", that have the 'unknown owner/file missing'?

    This is a learning experience for me and I would appreciate information if there is any. I realize that each log is specific to the person who runs the program.

    And if this is an 'unanswerable' question, please let me know - politely.
  2. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    I am not going to give a full answer as I am slightly confused by the question, but sometimes when you see a bunch of (file missing) they aren't missing at all. I have seen this a lot when the user has Vista 64 bit. It seems like a compatibility issue between HJT and the OS.

    Hope this is a good start on what you are looking for. And never suggest a user fix any (File Missing) entries:

    *unless they are malicious
    *unless they are 02 or 03 entries. (These don't matter if they are malicious or not.)
  3. Bobbye

    Bobbye Helper on the Fringe Topic Starter Posts: 16,335   +36

    Thanks, Blind Dragon. Interestingly enough, what prompted me to ask about this was a particular Log I looked at from a Vista user. There were 11 of the 023 entries like the example I gave, plus some others not in the systemroot category, but still 023.

    In the 02 category, one I notice often in Vista with no name/no file is the Windows Live Call HoverToCall class for Windows Live Messenger, a legit BHO per the CLSID. This one sticks in my mind because I've looked up the CLSID so many times! According to what you say above though, I won't be telling anyone to zap these entries. It's always interesting though when it's 'out of the ordinary'.

    Appreciate your help.
  4. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    I hope that made sense. If you see a 02 or 03 with (File Missing) you can have them fix those.

    For other entries, check if they are legit or not, and if not, then have them fix the entry. You also want to have them look for the file on a malicious entry that says the file is not there, because I have seen many times where the file is there.

    So the main thing to see is if the entry is good or bad, then make your decision.
  5. Bobbye

    Bobbye Helper on the Fringe Topic Starter Posts: 16,335   +36

    Again, thanks. Learning is a good thing.
Topic Status:
Not open for further replies.
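
The triage rule discussed in this thread, as an added example that is not part of the original posts: a small parser for HijackThis entry lines that applies the "(file missing)" guidance given above. The sample log lines, file names and the all-zero CLSID are constructed placeholders, and `judged_malicious` stands for the analyst's own verdict on the entry.

```python
import re

LINE_RE = re.compile(r"^([A-Z]\d+)\s+-\s+(.*)$")          # "O23 - <rest>"
FLAG_RE = re.compile(r"\s*\(file missing\)\s*$", re.IGNORECASE)

def parse_entry(line):
    """Split one HijackThis line into section, path and flags; None if not an entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.groups()
    last_field = rest.rsplit(" - ", 1)[-1]   # the path is the final " - " field
    return {
        "section": section,
        "path": FLAG_RE.sub("", last_field),
        "file_missing": bool(FLAG_RE.search(last_field)),
        # Service display name written as a string-resource reference (@file,-id)
        "resource_name": rest.startswith("Service: @"),
    }

def triage(entry, judged_malicious=False):
    """Apply the thread's guidance to one parsed entry."""
    if not entry["file_missing"]:
        return "not flagged"
    if entry["section"] in ("O2", "O3"):
        return "fix"
    if judged_malicious:
        # The flag is not trusted: the file may still be on disk.
        return "fix and search disk for the file"
    return "do not fix; check legitimacy first"

# Constructed sample lines (placeholder names, not taken from a real log).
SAMPLE_LOG = [
    r"O23 - Service: @%SystemRoot%\system32\example.exe,-100 (ExampleSvc)"
    r" - Unknown owner - C:\Windows\System32\example.exe (file missing)",
    r"O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000}"
    r" - C:\Program Files\Example\example.dll (file missing)",
    r"O4 - HKLM\..\Run: [Example] C:\Program Files\Example\example.exe",
]

if __name__ == "__main__":
    for raw in SAMPLE_LOG:
        e = parse_entry(raw)
        print(e["section"], e["path"], "->", triage(e))
```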
