Author Topic: [9.0.2011] running bcdedit.exe at startup?  (Read 10357 times)

0 Members and 1 Guest are viewing this topic.

Online NON

  • Japanese User
  • Avast Überevangelist
  • Ultra Poster
  • *****
  • Posts: 5514
  • Whatever will be, will be.
[9.0.2011] running bcdedit.exe at startup?
« on: December 26, 2013, 12:40:32 PM »
After updating to 9.0.2011, Online Armor is repeatedly asking that AvastSvc.exe is trying to run bcdedit.exe from temporary directory.

What is this behavior?


Windows Vista SP2 32bit / avast! 2014 Free 9.0.2011 / Online Armor Free
Desktop: Win10 Pro 22H2 64bit / Core i5-7400 3.0GHz / 32GB RAM / Avast 23 Premium Beta(Icarus) / Comodo Firewall
Notebook: Win10 Pro 22H2 64bit / Core i5-3340M 2.7GHz / 12GB RAM / Avast 23 Free / Windows Firewall Control
Server: Win11 Pro 23H2 64bit / Core i3-4010U 1.7GHz / 12GB RAM / Avast One 23 Essential

Avast の設定について解説しています。よろしければご覧ください。

ank91

  • Guest
Re: [9.0.2011] running bcdedit.exe at startup?
« Reply #1 on: December 26, 2013, 12:48:04 PM »
yes, i can confirm that.
i m on win xp, and there is no reason to run Bcdedit.exe on xp.
and it avast  9.0.2011 free .
« Last Edit: December 27, 2013, 06:45:02 AM by ank91 »

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: [9.0.2011] running bcdedit.exe at startup?
« Reply #2 on: December 26, 2013, 01:38:58 PM »
http://technet.microsoft.com/en-us/library/cc709667%28v=ws.10%29.aspx
If Online Armor telling that avast wanna configure BCD, then we must assume that this action is legitimate. But such action can easily be malicious as well.

Do you wish to check that? FRST shall resolved the mystery. Or you/we can clean temp files. All files in %temp% should be safe to remove. This CMD commands shall attempt to clean files from %temp% folder:

CMD (aka command prompt) > type:
Code: [Select]
DEL %TEMP%\*.* /F /S /Q
Enter and then type ...

Code: [Select]
CMD: RD /S /Q %TEMP%
Enter ...

ank91

  • Guest
Re: [9.0.2011] running bcdedit.exe at startup?
« Reply #3 on: December 26, 2013, 03:24:15 PM »
@magna86

The file is NOT malicious, checked with online scanner.
But i m sure it comes from avast's "AvastEmUpdate.exe".

I use ccleaner frequently, and my TEMP folder seems to be clean always.

I m just curious why avast extract and running bcdedit.exe at logon.

I know about bcdedit ,it is command line to configure bcd database. It was introduced in vista and still being used in win8.1.


Offline bruce_b

  • Sr. Member
  • ****
  • Posts: 333
Re: [9.0.2011] running bcdedit.exe at startup?
« Reply #4 on: December 26, 2013, 08:23:22 PM »
I also have XP Pro with SP3 and the latest Avast Free version. Sometime last week, I also noticed BCDEDIT.EXE being created daily in C:/Windows/Temp  ... not sure why this is happening, but it does not seem to be causing any issues. It would be nice to know if this is a side affect of some update by Avast or not.

Thanks
Dell Dimension 8200 P4 1.8Ghz Windows XP PRO SP3
Avast Free Antivirus 18.8.2356
Toshiba Satellite C855-S5347 Celeron B830 1.8Ghz
Windows 10 Home 64 Bit Version 1909 Build 18363.900
Avast Free Antivirus 20.4.2410 Build 20.4.5312.578

Tetsuo

  • Guest
Re: [9.0.2011] running bcdedit.exe at startup?
« Reply #5 on: December 26, 2013, 09:56:22 PM »
I also have XP Pro with SP3 and the latest Avast Free version. Sometime last week, I also noticed BCDEDIT.EXE being created daily in C:/Windows/Temp  ... not sure why this is happening, but it does not seem to be causing any issues. It would be nice to know if this is a side affect of some update by Avast or not.

Thanks

It's Avast. It just keeps messing with your OS. I'm going back to the previous version.

Online NON

  • Japanese User
  • Avast Überevangelist
  • Ultra Poster
  • *****
  • Posts: 5514
  • Whatever will be, will be.
Re: [9.0.2011] running bcdedit.exe at startup?
« Reply #6 on: December 27, 2013, 12:39:24 AM »
Thank you for all your answers and advices.

I myself did not consider this is a malicious behavior, just wondering why this is needed.
Now I suppose this is related to GrimeFigher, as it is some kind of Linux system and might need a change of boot configuration.

http://technet.microsoft.com/en-us/library/cc709667%28v=ws.10%29.aspx
If Online Armor telling that avast wanna configure BCD, then we must assume that this action is legitimate. But such action can easily be malicious as well.

Do you wish to check that? FRST shall resolved the mystery. Or you/we can clean temp files. All files in %temp% should be safe to remove. This CMD commands shall attempt to clean files from %temp% folder:

CMD (aka command prompt) > type:
Code: [Select]
DEL %TEMP%\*.* /F /S /Q
Enter and then type ...

Code: [Select]
CMD: RD /S /Q %TEMP%
Enter ...
Thanks for the advice.
I deleted all TEMP files and rebooted the computer. Then, bcdedit.exe is created again.

Could you tell me how to use FRST tool?

But i m sure it comes from avast's "AvastEmUpdate.exe".
Strange, Online Armor says it's from AvastSvc.exe not AvastEmUpdate.exe...


I also have XP Pro with SP3 and the latest Avast Free version. Sometime last week, I also noticed BCDEDIT.EXE being created daily in C:/Windows/Temp  ... not sure why this is happening, but it does not seem to be causing any issues. It would be nice to know if this is a side affect of some update by Avast or not.
I also don't have any troubles about it.

I hope I have a clarification from avast! team about what this behavior is.
It is not my wish to make any criticism or rant towards avast!
Desktop: Win10 Pro 22H2 64bit / Core i5-7400 3.0GHz / 32GB RAM / Avast 23 Premium Beta(Icarus) / Comodo Firewall
Notebook: Win10 Pro 22H2 64bit / Core i5-3340M 2.7GHz / 12GB RAM / Avast 23 Free / Windows Firewall Control
Server: Win11 Pro 23H2 64bit / Core i3-4010U 1.7GHz / 12GB RAM / Avast One 23 Essential

Avast の設定について解説しています。よろしければご覧ください。

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: [9.0.2011] running bcdedit.exe at startup?
« Reply #7 on: December 27, 2013, 12:45:34 AM »
@ ank91
I did not say that BCDedit.exe is the malicious origin (although it could be if file isn't where is supposed to be) but changes BCD (activity itself) may be malicious and legitimate origin.

@NON


Please download Farbar Recovery Scan Tool () by Farbar and save it to your desktop.

Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.


  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Under Optional Scan ensure "List BCD" are ticked.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

Online NON

  • Japanese User
  • Avast Überevangelist
  • Ultra Poster
  • *****
  • Posts: 5514
  • Whatever will be, will be.
Re: [9.0.2011] running bcdedit.exe at startup?
« Reply #8 on: December 27, 2013, 01:08:52 AM »
Thanks magna64, much appreciated.

FRST.txt and Addition.txt are attached.
Desktop: Win10 Pro 22H2 64bit / Core i5-7400 3.0GHz / 32GB RAM / Avast 23 Premium Beta(Icarus) / Comodo Firewall
Notebook: Win10 Pro 22H2 64bit / Core i5-3340M 2.7GHz / 12GB RAM / Avast 23 Free / Windows Firewall Control
Server: Win11 Pro 23H2 64bit / Core i3-4010U 1.7GHz / 12GB RAM / Avast One 23 Essential

Avast の設定について解説しています。よろしければご覧ください。

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: [9.0.2011] running bcdedit.exe at startup?
« Reply #9 on: December 27, 2013, 01:41:40 AM »
@NON

May we please continue tomorow? I'm tired ...  :(

Online NON

  • Japanese User
  • Avast Überevangelist
  • Ultra Poster
  • *****
  • Posts: 5514
  • Whatever will be, will be.
Re: [9.0.2011] running bcdedit.exe at startup?
« Reply #10 on: December 27, 2013, 05:14:25 AM »
@NON

May we please continue tomorow? I'm tired ...  :(
Please take your time, this is not urgent :)
Desktop: Win10 Pro 22H2 64bit / Core i5-7400 3.0GHz / 32GB RAM / Avast 23 Premium Beta(Icarus) / Comodo Firewall
Notebook: Win10 Pro 22H2 64bit / Core i5-3340M 2.7GHz / 12GB RAM / Avast 23 Free / Windows Firewall Control
Server: Win11 Pro 23H2 64bit / Core i3-4010U 1.7GHz / 12GB RAM / Avast One 23 Essential

Avast の設定について解説しています。よろしければご覧ください。

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: [9.0.2011] running bcdedit.exe at startup?
« Reply #11 on: December 27, 2013, 01:51:43 PM »
Hey NON,

FRST doesn't show active malware. Yes I see changes in BCD but in my opinion you do not need to pay attention on these changes, also as edit BCD may lead system in non-boot state.

There are no loaded files in %temp%, nor BCDEdit.exe in temp and that was the question right?

Unrelated to this case, you may use TFC to clean all your temp folders.
http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/

Also, download and run CCleaner if you will to clean some leftover registry keys.

You may delete FRST.exe (drag & drop FRST icon into recycle). C:\FRST <= folder you may delete or you may keep as \Hivs folder contains healthy registry hivs backup.



I hope I at least helped a little.  :)

Online NON

  • Japanese User
  • Avast Überevangelist
  • Ultra Poster
  • *****
  • Posts: 5514
  • Whatever will be, will be.
Re: [9.0.2011] running bcdedit.exe at startup?
« Reply #12 on: December 27, 2013, 03:51:10 PM »
Thank you for checking.
I'm glad my mobile machine seems clean :)

I blocked BCDEdit.exe in temp folder when OnlineArmor asked me to decide, so it could be the reason of the file not-loading / not-existing.
Desktop: Win10 Pro 22H2 64bit / Core i5-7400 3.0GHz / 32GB RAM / Avast 23 Premium Beta(Icarus) / Comodo Firewall
Notebook: Win10 Pro 22H2 64bit / Core i5-3340M 2.7GHz / 12GB RAM / Avast 23 Free / Windows Firewall Control
Server: Win11 Pro 23H2 64bit / Core i3-4010U 1.7GHz / 12GB RAM / Avast One 23 Essential

Avast の設定について解説しています。よろしければご覧ください。

Avast0815User

  • Guest
Re: [9.0.2011] running bcdedit.exe at startup?
« Reply #13 on: January 01, 2014, 11:07:24 AM »
What is Avast doing with BCDEDIT?

How can I stop this? Avast should not mess up my boot-config.


And BCDEDIT in TEMP (6.1.7600.16385) is not the same as in WinSXS (6.1.7601.17514) - suspicious?



ank91

  • Guest
Re: [9.0.2011] running bcdedit.exe at startup?
« Reply #14 on: January 01, 2014, 04:15:35 PM »
it is not suspicious.
actualy the bcdedit in your temp is old version.
it is from win 7 sp0.


do you have grime fighter installed?