Procmon reveals cfp.exe repeatedly trying to create file msctf.dll [NBZ]

Opened up process monitor to check another thing and noticed lots of event spamming coming from cfp.exe.

Searched this forum and it seems like others have had problems with this in the past, but no solution seems to have been provided.

So 2 - 3 years later and still the same problem ??? Isn’t it time to do something about this once and for all >:(

Oh, throwing the rule book at me, why don’t you… :stuck_out_tongue:
With this extra time spent on this, I do hope you’ll fix this issue; wasting my time is not nice.


The bug/issue

  1. What you did:
    Open process monitor from sysinternals

  2. What actually happened or you actually saw:
    cfp.exe flooding the system with irrelevant messages

  3. What you expected to happen or see:
    comodo being a good citizen, a good boy playing nice with all other programs on the computer

  4. How you tried to fix it & what happened:
    I don’t know if I can fix this myself.

  5. If its an application compatibility problem have you tried the application fixes?:
    Not applicable

  6. Details (exact version) of any application involved with download link:
    Not applicable

  7. Whether you can make the problem happen again, and if so exact steps to make it happen:
    open process monitor and boom!

  8. Any other information (eg your guess regarding the cause, with reasons):
    (Comment removed by Moderator)

Files appended. (Please zip unless screenshots).

  1. Screenshots illustrating the bug:
    Done
  2. Screenshots of related event logs and the active processes list:
    Done
  3. A CIS config report or file.
    Done
  4. Crash or freeze dump file:
    doesn’t crash the system just floods it

Your set-up

  1. CIS version, AV database version & configuration used:
    CIS 5.0.163652.1142 (NOTE: make this version string copyable in about box in next update, please!! )
    virus sig: 6493

  2. a) Have you updated (without uninstall) from CIS 3 or 4, if so b) have you tried reinstalling?:
    Do not remember

  3. a) Have you imported a config from a previous version of CIS, if so b) have U tried a preset config?:
    I have not imported anything, manually

  4. Other major changes to the default config (eg ticked ‘block all unknown requests’, other egs here. )
    Disabled sandbox and antivirus due to malfunction, lack of settings and user control and plain annoyance.

  5. Defense+ and Sandbox OR Firewall security level:
    Defense+ : Safe Mode

  6. OS version, service pack, no of bits, UAC setting, & account type:
    Windows XP Pro SP3 32-bit
    account type: administrator
    UAC: Not applicable in windows xp

  7. Other security and utility software running:
    No other software (excluding my brain and paranoia )

  8. Virtual machine used (Please do NOT use Virtual box):
    Not applicable

If you want more info just ask ;D

[attachment deleted by admin]

We would very much appreciate it if you would edit your first post to create an issue report in line with the bug forum guidelines and format here. You can copy and paste the format from this topic.

To understand the reasons why we ask you to follow these guidelines please see below.

WHY WE ASK YOU TO FOLLOW THESE GUIDELINES
Bugs/issues can be impossible or very time consuming to fix if developers don’t have enough information to reproduce them. Since CIS is free, development time is limited. So if you want your issue fixed, please use the format below to describe it.

To avoid clutter, issues not described in the format below your post will not be moved to the ‘moderator verified’ issues topic. This means that the developers may not look at it.

Best wishes and many thanks in anticipation

Dennis

Thank you for the bug report. Much appreciated.

Moving to format verified.

Dennis

Hi, karamel. Thanks for your report. Can you attach Procmon’s report in a text format (e.g. *.PML or *.CSV)?

Here is a sample of just a few seconds (if even that)

[attachment deleted by admin]

And could you tell me, what languages you use in Windows?

It’s the Swedish version of Windows I’m using. (If that’s what you mean)

Hi,
I am experiencing exactly the same problem.

I am using a German Version of XP Professional.

Regards and thx for the great software,
HWguru

I agree. I’m experiencing the same issue.

  1. Screenshots illustrating the bug:
    My Process Monitor output is the same as shown by the OP’s screenshot.

Your set-up

  1. CIS version, AV database version & configuration used:
    CIS 5.0.163652.1142 (NOTE: make this version string copyable in about box in next update, please!! )
    Firewall and D+ only (I use Avast 5.1.864 Free AV)

Issue happens with default Firewall, Proactive, and Internet Security configurations before making any changes.
Problem persists even if D+ slider is set to Disabled. I’ve had to completely disable D+ by checking “Deactivate the Defense+ permanently” and restarting to eliminate this issue.

  1. a) Have you updated (without uninstall) from CIS 3 or 4, if so b) have you tried reinstalling?:
    I did not update. I’m a new user.

  2. OS version, service pack, no of bits, UAC setting, & account type:
    Windows XP Pro SP3 32-bit
    account type: administrator
    UAC: Not applicable in windows xp

Only thing I found that helped is to disable ctfmon.exe from running at startup…
I know it’s not a solution but for those who don’t use it it’s a workaround.

Of course this could disable a few features one might(not) use;
http://support.microsoft.com/kb/282599

Ctfmon.exe activates the Alternative User Input Text Input Processor (TIP) and the Microsoft Office Language Bar.


Ctfmon.exe monitors the active windows and provides text input service support for speech recognition, handwriting recognition, keyboard, translation, and other alternative user input technologies.

Using the Windows Control Panel > Regional and Language Options > Languages > Text Services and Input Languages > Details dialog, turning off the Language Bar eliminates the cfp.exe hammering of msctf.dll. On my system I can do that by checking “Turn off advanced text services” in the Advanced pane.

Turning off the Language Bar is not an acceptable workaround for me. I’ve had to permanently disable D+.

Thanks for the help, Ronny. I figured it out before seeing your reply. A forum search for “Language Bar” or “msctf.dll” shows this is a very old issue.

Let’s hope they can make it History then this time :wink:

Hi,

I’ve just upgraded Comodo Firewall to 5.3.176757.1236 (for Windows XP). Following this upgrade, the cpu usage of Malwarebytes on my m/c has increased dramatically and sits at about 20% permanently.

What does this have to do with Comodo, I hear you say? Well the reason that MBAM is using so much cpu is that it’s suddenly doing 25MB/s of file i/o (reading), all of it on the file c:\windows\system32\msctf.dll, and this file i/o appears to be in direct response to file i/o from Comodo’s cfp.exe on that same file. Comodo is accessing msctf.dll once per ms (operations being QueryOpen, CreateFile, and CloseFile), and this i/o from cfp.exe repeats about 800 times per second. Comodo’s cfp.exe does not do this for any other file.

So, I’m wondering what’s so special about msctf.dll, and whether or not this is likely to be a bug in cfp.

Thanks,
Jarmo

Can you please provide the stack traces for the operations?

Have attached stack traces from Process Monitor. Not sure they have everything you need but get back to me if you need more.

Sample event logs from Process Monitor are below:

"619452","8:03:06.1754986 PM","cfp.exe","5556","QueryOpen","C:\WINDOWS\system32\msctf.dll","SUCCESS","CreationTime: 8/10/2004 7:00:00 AM, LastAccessTime: 1/28/2011 8:03:06 PM, LastWriteTime: 4/14/2008 5:42:00 AM, ChangeTime: 2/18/2009 1:35:42 AM, AllocationSize: 299,008, EndOfFile: 297,984, FileAttributes: A"

"619453","8:03:06.1756851 PM","cfp.exe","5556","CreateFile","C:\WINDOWS\system32\msctf.dll","SUCCESS","Access: Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a"

"619542","8:03:06.1859069 PM","cfp.exe","5556","CloseFile","C:\WINDOWS\system32\msctf.dll","SUCCESS",""

[attachment deleted by admin]
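Added example, not part of any post in this thread: one way to quantify the "once per ms" observation from a Process Monitor CSV export is to group events by process and path and compute an event rate, so a hammered file stands out from normal activity. It assumes the column order of the sample lines quoted above (sequence, time of day, process, PID, operation, path, result, detail); the function names, thresholds and the generated sample rows are constructed for illustration.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

def parse_time(text):
    # Procmon prints 7 fractional digits; strptime's %f accepts at most 6.
    # Time of day carries no date, so a capture must not span midnight.
    clock, ampm = text.split(" ")
    head, frac = clock.split(".")
    return datetime.strptime(f"{head}.{frac[:6]} {ampm}", "%I:%M:%S.%f %p")

def hot_paths(csv_text, min_rate=100.0, min_events=50):
    """Return (process, path, events, events/sec, ops) for hammered paths."""
    times, ops = defaultdict(list), defaultdict(Counter)
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 7 or not row[0].isdigit():
            continue  # skip a header line or a malformed row
        key = (row[2].lower(), row[5].lower())
        times[key].append(parse_time(row[1]))
        ops[key][row[4]] += 1
    hits = []
    for key, ts in times.items():
        span = (max(ts) - min(ts)).total_seconds()
        if len(ts) >= min_events and span > 0:
            rate = (len(ts) - 1) / span  # intervals per second
            if rate >= min_rate:
                hits.append((key[0], key[1], len(ts), round(rate, 1),
                             dict(ops[key])))
    return sorted(hits, key=lambda h: -h[3])

def constructed_sample():
    """Constructed input: 400 cfp.exe events 1.25 ms apart, two quiet rows."""
    names = ("QueryOpen", "CreateFile", "CloseFile")
    rows = [[str(i), f"8:03:06.{i * 1250:06d}0 PM", "cfp.exe", "5556",
             names[i % 3], r"C:\WINDOWS\system32\msctf.dll", "SUCCESS", ""]
            for i in range(400)]
    for i, stamp in enumerate(("8:03:06.1000000 PM", "8:03:06.4000000 PM")):
        rows.append([str(400 + i), stamp, "explorer.exe", "1200", "CreateFile",
                     r"C:\WINDOWS\explorer.exe", "SUCCESS", ""])
    buf = io.StringIO()
    csv.writer(buf, quoting=csv.QUOTE_ALL).writerows(rows)
    return buf.getvalue()

if __name__ == "__main__":
    for proc, path, n, rate, by_op in hot_paths(constructed_sample()):
        print(f"{proc} {path}: {n} events, {rate}/s, {by_op}")
```

Running the same grouping on a capture taken with and without the Language Bar enabled gives a before/after number to attach to a bug report instead of a screenshot.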

Those stack traces don’t have any symbols at all…

Read this (taken from Sysinternals Forums):

To configure symbols in Process Explorer OR Process Monitor:

  1. Download and install the current version of the Debugging Tools for Windows.
  2. Note the location to which the Debugging Tools for Windows are installed (c:\program files\debugging tools for windows is a likely candidate).
  3. Start Process Explorer. In the Options -> Configure Symbols dialog, for the "Dbghelp.dll path", specify or browse to the dbghelp.dll that was installed by the Debugging Tools for Windows (for example, c:\program files\debugging tools for windows\dbghelp.dll). Do not specify the dbghelp.dll that is in %systemroot%\system32 - that copy of dbghelp.dll does not include the functionality required. For the Symbols path, specify the following: srv*C:\Symbols*http://msdl.microsoft.com/download/symbols

That is all that is needed to configure symbols in Process Explorer; the Paged and Non Paged pool limits should be visible (when Process Explorer is run by an administrator), and when symbols are available the stacks of threads should resolve.

Will see if I can get symbols. Looks like I have to install .Net Framework 4 and then Debugging Tools for Windows from http://www.microsoft.com/whdc/devtools/debugging/default.mspx.

OK, have attached stack traces again, this time with some symbols. Hope this is what you were hoping to see.

It’s worth noting that when CFP is not running, MBAM does no file i/o. Also, I have now re-configured MBAM so that it ignores msctf.dll and cpu usage is back to normal – CFP is still performing the same file i/o every ms even though there’s no sign of file i/o from MBAM, so I think these two points are a strong argument for the MBAM file i/o being in response to the CFP file i/o (and not vice-versa).

[attachment deleted by admin]

No, there are still heaps of unresolved addresses. Did you wait until all of them were resolved before you copied the text?