InputPersonalization.exe sandbox issue

This is a microsoft product with a microsoft folder path ( ProgramFiles/CommonFiles/MicrosoftShared/Ink/InputPersonalization.exe ), yet when I go to the folder path, this .exe does not exist. All files & folders are set to unhidden as well. I set it to safe & alerts still come frequently for this non-existent application. It is the same exact problem I am having with the non-existent ask.com updatetask.exe. I have also ran numerous reg cleaners, revo & final uninstallers.

I know this issue is a problem as I have seen other threads with similar problems, but I wanted to bring to light the issue with this application, as obviously defense+ isn’t sandboxing every program we have uninstalled over the life of our computer.

Can you please run a windows search for the filename, inc. system and hidden folders.

The path can me misleading

Mouse

PS how have you ‘unhidden’ the folders - recursive attrib -s-h or just revealed them in explorer?

Best wishes

Mouse

Well I did a search & windows found 2 InputPersonalization.exes. So I added them to safe files in defense +, then I rebooted. As I started typing this reply, I got the alert for InputPersonalization.exe. So I am not sure what I can do now. lol

Regarding your P.S.

As far as I know I have just revealed them in explorer.

Edit-

After posting I checked my safe files, & now for the first time InputPersonalization.exe is a safe file. So maybe this worked. Thanks Mouse. I will report back to let you know if it is fixed now. And BTW you were right, those .exes were hidden deep in windows.

Unfortunetly it vanished from my safe files, & began with the alerts again. I’m just not sure what could be the problem.

OK now you need to find if both are code signed. Try adding each file in My Trusted Vendors please. And tell me what happens. Also please could you tell me the date modified on both files.

Is either location a long path? Please give the paths if you don’t mind.

Can you speak for this file? Is it genuinely trustworthy?

Are any other files being sandboxed. Please check the D+ events after complete rebooting.

If other files are being sandboxed please post screen shots of events and active processes list (the latter when the sandbox alert is on the screen)

Sorry for all the info requests, but there are a number of possibilities.

Defining the 2 files as installer/updaters in D+ (or copying one of the files where D+ thinks it is) will probably work but I’d like to know the reason for the problem so it can be fixed!

Best wishes

Mouse

Best wishes

Mouse

No problem with the info requests mouse. This is the only way to figure out the problem & fix it, so I am glad to help.

Ok first, let me say that the InputPersonalization.exe & the ask/UpdateTask.exe are the only programs that I get alerts for several times a day. The frequency of the alerts ranges from once every 1-3 hours for each of these programs & seems to occur more often than not soon after a reboot. Ranging from a minute to a half hour after boot. The UpdateTask.exe problem seems to be fixed now & havn’t seen an alert for 24 hours on that one. InputPersonalization alerts are still the same.

Before I go on with the requested information, I wanted to mention the only other “errant” alert that I get once in awhile. It is for /ProgramFiles/Acer/Acer Assist.exe / I have only gotten this alert maybe 2 or 3 times in the last week & a half, with the last one occurring 4 days ago. This is another path that doesn’t exist, & a program that I have previously uninstalled. This program came with my laptop factory installation. I will be re-installing my laptop to factory soon & since this alert has been very minor in occurrence I didn’t post about it before.

Here are the two paths to the InputPersonalization.exes :

C:\Windows\winsxs\x86_microsoft-windows-t…nputpersonalization_31bf3856ad364e35_6.0.6001.18000_none_3fac12f5c6543548\InputPersonalization.exe ( date modified = 1/20/2008/10:25pm ) file size 194kb

C:\Windows\winsxs\x86_microsoft-windows-t…nputpersonalization_31bf3856ad364e35_6.0.6002.18005_none_41978c01c3760094\InputPersonalization.exe ( date modified = 1/20/2008/10:25pm ) file size 194kb

I also found this file below, I am not sure what significance it has, if any of the problem, but here it is.

C:\Windows\winsxs\x86_microsoft-windows-t…alization.resources_31bf3856ad364e35_6.0.6000.16386_en-us_ea48b2972841f72f\InputPersonalization.exe <----- this is a MUI file. ( date modified = 11/2/2006/8:41am ) file size 3kb

Now from what I have read online, InputPersonalization is a microsoft product that monitors your handwriting for different purposes. I have a drawing tablet, so I figured that it also might have some other purposes regarding tablets in generally, which is why I keep allowing it, & trying to have it stay that way.

I havn’t uninstalled InputPersonalization, nor do I think it is possible to remove it, at least from normal uninstallation methods.

I am now going to try adding the files to trusted vendors & reboot. If that doesn’t work I will let you know. I would then probably try defining them as installers/updaters.

Ok when I added both of the InputPersonalization.exes to my trusted vendors, both times it gave me a pop up that said that Microsoft is already on the list.

Well re diagnosis, there still are a number of possibilities

1. the long paths, but I think not else the sandbox alert would probably show no filename
2. punctuated paths - not yet a confirmed bug . Hope not, that would be a bit strange
3. MUI file cache. Quite likely think windows unpacks these files to run them every boot. OK to delete these file I think. So delete it but make a restore point to be impossibly cautious.
4. File that is created then deleted from the ‘Ink’ path every reboot. You could check for this using an undelete tool it will likely pick it up if deleted in last few days. Recuva.com is a good tool - please give date file last modified/created

So could you try the last two one by one in reverse order - 4 then 3 (for diagnosis purposes).

Oh there is also possibility that CIS is picking up file reference from registry in some way. But that would be too complex to determine I think.

Best wishes

Mouse

Ok Mouse this is what I did.

I first ran Recuva as you stated. I first scanned both the .exe path folder, & nothing came up. I even scanned the recycle bin & searched through results for any files that might belong to InputPersonalization to no avail.

I then went to delete the InputPersonalization.exe MUI file, but I am greeted with the “you need permission to delete this file”. Only thing is, I have full admin rights, so I am not sure why this would be, but somehow it is protected. Not sure what this means buddy.

I’d try safe mode. Possibly deletion from command line. Do you need to temporarily raise privs in your OS?

I’ll have an experiment later. Possibly got read-only or system attributes. In which case attrib -r-s-h will fix if I remember correctly. Sometimes attribs inherited from the folder (sigh) so do same to folder but replace afterwards (+ instead of -)

Best wishes

Mike

Well Mike, I changed permission rights for that MUI file via the file properties, & was able to delete it.

I will reboot & hopefully everything will be fine. I will let you know if this resolves the issue.

Ah well the simple approach…

lol Well the simple approach works, but didn’t stop another alert from showing up after boot up.

I Also checked the folder path that I deleted the MUI from, to see if a new one was created, & one was not.

I thought about the Task Scheduler mentioned by Languy in the other thread, so I opened it & sure enough in Task Scheduler (local), there is a task name of InputPersonalization & it says it keeps failing to run. I couldn’t find anywhere to be able to delete this task though, as I thought that might fix the problem. Let me know what you think.

Aha good :■■■■ for languy.

You should be able to remove it. Right click and delete? If not double click on it and disable it?

Else you may need to allow full control for your a/c under its security tab first.

Else Else disable task scheduler (after taking a system restore point) in control panel ~ services, just to see if that stops it. Then we can look up how to get permissions…

Well Mike, I decided to open Task Scheduler & have a look at it again. I never even knew it existed before, so I very noobishly wasn’t aware of the scroll bar in the main window to scroll down to tasks so you could edit them. Anyways, I disabled the InputPersonalization task. Rebooted, & no alert. One of the two triggers for that task was upon boot, which didn’t happen this time. ;D

So I think that this Task Scheduler might be a fix for some of these “phantom” files, as it seems to have worked for me here. If I wouldn’t of found the Ask.com UpdateTask update file in a search & deleted it, I think it would of probably shown in the Task Scheduler as well.

Thanks

I have told the devs!

So it will be sorted hopefully

Mouse

to delete the task try right click on task scheduler and select run as admin, now right click on the task and see if delete is there.

I’m going to move this to bug reports hope this is OK

Please post system details if you have not already, as described in the sticky posts.

Best wishes and many thanks

Mouse

I just wanted to report that after several reboots today I have not had any alerts for this issue, & that is not normal if this problem wasn’t resolved. :P0l

Thanks for telling us!

Well done languy!

Best wishes

Mike