Undo authorized permission: Userinit.exe

Userinit.exe is the Windows logon application which launches if you’ve agreed to allow the “Help & Support” utility to contact Microsoft during a search. However, it also launches if you simply do a search of your hard drive and logs whatever you’re looking for to sc.window.com. This is tantamount to spying in my opinion and I’ve taken great pains to click the “Deny” button without actually checkmarking the option to do so permanently. But last night, I inadvertently checkmarked the “Always allow…” (and “Allow”) option which means that the application now phones home every time I do a search of my HD.

My question here is how can I undo the permanent aspect of this permission? Blocking the IP (shown in the image) is not an option because that’ll also block Help & Support searches. The easiest thing to do would be to delete userinit.exe from the menu, but it doesn’t appear anywhere as far as I can tell.

Since this topic has gone unanswered for three days, am I to assume that the rule can’t be undone?


hmm, since comodo backs up to registry, did you search there?

have you set alert level to high? might grab it there.

do you remember userinit.exe did grab a dll?

did you try rename userinit.exe but then your online help misses, you know what i mean, play there.

is it part of windowsupdate service only 1 time initiator, did you check IE, tools, files, objects?


if you go to FIREWALL /ADVANCED/NETWORK SECURITY POLICY/APPL RULES you should be able to find what you’re looking for. Simply delete the rule for Userinit.exe or edit it to suit your demands.
(You are using v3, aren’t you?)

Go to Security/Tasks/Scan for Known Applications. This may help the rule to show up in Application Monitor, if it’s not there already.

If that doesn’t help, go to Security/Advanced/Miscellaneous, and uncheck the 2nd box, “Do not show alerts for applications certified by Comodo.” This turns off the SafeList, so you should see alerts for the Windows processes.

While you’re there, do as Mike suggested, and move the Alert Frequency level to a higher setting.


Right-click the firewall’s systray icon, and Exit the gui. Wait a few seconds, and restart it from shortcut, etc.

Then repeat your original steps to cause the process to fire. This should pop a new alert, which you can deny w/remember.


Didn’t help unfortunately, it’s not listed.

Did both, but the only processes which produce alerts are vague ones like svchost.exe. I’m loath to deny that somehow.

I tried something else though. I did a Windows key + F, went to Connections and noted the IP address that the Search utility wanted to connect to, but in the guise of explorer.exe. I subsequently created a rule to block the outgoing connection on those two ports which were 1068 and 1069 as shown in the first image.

After rebooting, I launched the Search utility again but was disappointed to note that it still connected to Microsoft, but this time on ports 1040 and 1041 effectively bypassing my rule. So I changed the Source port to “Any”, rebooted again and repeated the same steps. But it still connects which implies that the FW is ignoring the rule not to allow any outbound connections to that IP.

And here’s another funny thing. With the rule in place to block outbound connections in this way, I can log in and preview what I’ve just written, but can’t post it on this forum. Nothing happens when I click the “Post” button. If I remove the rule, I can post again.

EDIT: I added a pix showing both the Search utility (simply launching it is sufficient to make a connection) and the ports it wants to use.

Well, I’m pleased to say that thanks to gibran, this issue has been resolved. As he pointed out to me, the reason Userinit.exe doesn’t appear in the “Applications Monitor” is because the launch vehicle is explorer.exe. So by opening that, I was able to edit the rule from “Allow” to either “Ask”, or “Deny”.

I would have included a screenshot here, but I seem to be suffering from an eternal problem of not being able to upload screenshots again. This is not related to Comodo because the same thing happens with image hosting sites like http://imageshack.us
The only way I’ve been able to resolve this latter issue is to delete the User Profile for the respective account in System Properties.

