I am building a test install of XP SP2 on a year-old dual core PC.
I installed WinXP SP2 (32bit) and then ran autopatcher.exe (to
upgrade to the latest MS fixes) from a DVD so as to not have
to access the net before updating. I then installed Comodo.
I open Control Panel, double click on “User Accounts” and then
single click on:
change the way users log on or off
I then get an orange “Defense+ Alert” that says:
mshta.exe is trying to access the service control manager
I allow that (but do not let it remember).
I then get a red “Defense+ Alert” that says:
mshta.exe is trying to access the disk directly
Which I block (but do not let it remember).
This is 100% repeatable. Just close “User Accounts” and double click
it again from Control Panel.
As I have seen messages warning me that various programs are
about to create or write normal files, this strikes me as truly
accessing the disk directly which I would assume that
nothing but the file system layer or formatting/partitioning
software should do.
I have run virus scans on the system.
I have run Sysinternals RootKit Revealer on it.
I have verified that the MD5SUM of mshta.exe is the same
as on my girlfriend’s XP SP2 system.
Everything shows clean.
I am scared to let it actually write on the disk. Is anyone
else seeing this? Is this a false alarm in that it is really just
writing a file on the disk?
I think I recall that it asked for video and keyboard direct
access too, which I must have granted permanently, but
I was willing to let that slide as a security measure to protect
the password changing dialogs.
FYI: One of the MS fixes was to add a “User Accounts 2” icon
to Control Panel, but I don’t think that is related and I am not