Watch Activity (Killswitch) creates random ghosted Non-PNP services [M257]

A. THE BUG/ISSUE (Varies from issue to issue)
  • What actually happened or U actually saw: Randomly named ghosted ‘Non-plug and play’ services created every time Watch Activity (Killswitch) is activated through the interface of CIS.
  • If not obvious, what U expected to happen or see: I did not expect to see randomly named obsolete services/drivers (with no associated file found) keep multiplying every time you open the Watch Activity monitor.
  • Can U reproduce the problem & if so how reliably?: Yes, reliably.
  • If you can, precise steps to reproduce it. If not say what you did before it happened:
    1. View Watch Activity (Killswitch)
    2. Shut down all programs and reboot the system.
    3. View non-present ‘Non-plug and play’ drivers in Windows Device Manager and find an extra non-present driver/service entry for every time the Watch Activity monitor has been opened (example in screenshot).
  • If a software compatibility problem have U tried the conflict FAQ?: N/A
  • Any software except CIS/OS involved? If so - name, exact version, & download link: N/A.
  • Any other information, eg your guess at the cause, how U tried to fix it etc: I guess Killswitch requires a temporary service every time it is activated, but fails to remove it when closed.
    Workaround fix is to delete the services manually.
  • Always attach: Diagnostics file, Killswitch processes, dump (if freeze/crash). If complex: CIS logs & config, screenshots, video.

B. YOUR SETUP (Likely the same from issue to issue, users can copy forward)
  • CIS version & configuration: V6.0.264710.2708, proactive.
  • Modules enabled & level. Defense+/HIPS, Autosandbox/BBlocker, Firewall, & AV: CIS proactive defaults.
  • Have U updated (without uninstall) from a previous version of CIS: Yes, only from V6.0.260739.2674.
    – if so, have U tried a clean reinstall - if not please do?: No but I will, only if necessary.
  • Have U imported a config from a previous version of CIS: No.
    – if so, have U tried a standard config - if not please do: N/A.
  • Have U made any other major changes to the default config? (egs here.): No.
  • OS version, SP, 32/64 bit, UAC setting, account type, & virtual machine used: Win 7, No SP, 32Bit, UAC off, Admin, No VM.
  • Other security & sandbox software a) currently installed b) installed since last OS install: a) None b) Previous versions of CIS


I have variations of this issue on Vista, that are not present on Windows 7.

Comodo Autorun entry for the randomly created services (example in screenshot).

Service entries in the registry (screenshot); in Windows 7 they are under Legacy Drivers.

Windows Event Viewer system error logs for these random services on boot (example attached).

Also, sometimes these services will not delete using Windows Device Manager and the ‘sc delete servicename’ command is required to remove them, whereas in Windows 7 they can be removed every time within Windows Device Manager.


SO THAT’S WHAT WAS CREATING THEM?! Would you believe I ran a couple of thorough rootkit scans and wasted hours in trying to figure out where these 5 random lettered devices were coming from?! I suppose I must thank you for providing me an answer with your bug report.

You are welcome Searinox,
I believe it and I am sorry to hear they wasted time for you (They do look a bit scary). :slight_smile:
I was not sure until I found the ccekrnlG entries in Vista’s registry; then it clicked as to what program was creating them.
It still took some time to work out what action was causing them.
Kind regards.

Me too (Win 7 64 bit, 2708), including the Windows events. Many thanks to captainsticks for documenting this.

Mouse

Thank you very much for your report in standard format, with all information supplied. The care you have taken is much appreciated by Comodo, and will increase the likelihood that this bug can be fixed.

Developers may or may not communicate with you in the forum or by PM/IM, depending on time availability and need. Because you have supplied complete information they may be able to replicate and fix the bug without doing so.

Many thanks again

Mouse

Not fixed in _2801.

Not fixed in _2813.

Thanks, tracker updated

Hi Captainsticks,
I’m sorry for the late reply.
I cannot reproduce this problem from your report.
By design, when KillSwitch is run as Administrator, CCE will extract and load a temporary service (random name) in memory and immediately remove it from both the hard disk and the registry.
In your case, because the registry entry has not been removed for some unknown reason, please delete it manually.

Thanks for the feedback,
Best Regards

It happens on my PC too, so I guess there are circumstances where the key is not removed.

The question is what are those circumstances?

Best wishes

Mouse

Hi Captainsticks & mouse1,
Please help run a test and tell me the result.

  1. Restart Windows;
  2. Run ‘Process Hacker’ (http://processhacker.sourceforge.net) as Administrator;
  3. Run ‘KillSwitch’ as Administrator, and ‘Process Hacker’ will then prompt ‘The service xxxxxxx (xxxxxxx) has been created.’ in the system tray;
  4. Open the registry and navigate to ‘HKLM\SYSTEM\CurrentControlSet\services’, and check if the ‘xxxxxxx’ key (mentioned in step 3) still exists.

Thanks a lot.

Thanks for the reply Flykite,
Over the next day or so, I will follow the instructions above and post back the results.

Hi Flykite,
Process Hacker shows the service being created when opening KillSwitch, but it does not show in the mentioned registry location before or after closing KillSwitch.
The only location I can find the newly created service in the registry is under “Legacy Drivers”.

Process Hacker does show the service being deleted when closing KillSwitch, but it stays present under “Legacy Drivers” and also as a ghosted service in Windows Device Manager even after numerous system reboots.
I have tried this on Win7 and Vista SP2 both 32-bit with the same results.
Thank you.
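The two checks the thread arrives at, the registry test in Flykite's step 4 and captainsticks' finding that the leftover entries live only under “Legacy Drivers” (the `LEGACY_<SERVICENAME>` devnodes beneath `HKLM\SYSTEM\CurrentControlSet\Enum\Root`, which Device Manager shows once non-present devices are displayed), can be scripted so the audit does not depend on eyeballing Device Manager after each reboot. The script below is an added example and is not from the thread, from Comodo or from the CCE/KillSwitch code; it reads `HKLM\SYSTEM\CurrentControlSet` from an elevated PowerShell session and reports (a) service or driver entries whose binary no longer exists on disk and (b) legacy devnodes whose matching `Services` key is gone. The function names and the path-resolution rules are my own assumptions about how to present the check; the registry locations are standard Windows ones.

```powershell
# Added example (not from the thread or from Comodo): audit the registry for
# orphaned legacy (Non-PNP) driver entries like the ones described above.
# Run from an elevated PowerShell session. Read-only: nothing is deleted.

$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$RootEnumKey = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root'

# Step 4 of the test above: does the Services key for this name still exist?
function Test-ServiceKey {
    param([Parameter(Mandatory=$true)][string]$Name)
    return (Test-Path -LiteralPath (Join-Path $ServicesKey $Name))
}

# Turn an ImagePath value into the on-disk paths it may refer to.
# Handles \??\C:\..., \SystemRoot\..., %SystemRoot%\..., quoted paths, and
# unquoted paths followed by arguments (e.g. svchost.exe -k netsvcs).
function Get-ImagePathCandidates {
    param([string]$ImagePath)
    $p = $ImagePath.Trim()
    $p = $p -replace '^\\\?\?\\', ''                       # \??\C:\x -> C:\x
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = [Environment]::ExpandEnvironmentVariables($p)     # %SystemRoot%\x
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { return @($p.Substring(1, $end - 1)) }
        return @($p.Trim('"'))
    }
    # Unquoted: try every whitespace-delimited prefix, longest first, so that
    # "C:\Program Files\x\svc.exe -arg" is still matched to its file.
    $parts = $p -split ' '
    $candidates = @()
    for ($i = $parts.Count; $i -ge 1; $i--) {
        $c = $parts[0..($i - 1)] -join ' '
        # Relative driver paths such as system32\drivers\x.sys hang off %SystemRoot%
        if ($c -notmatch '^([A-Za-z]:\\|\\\\)') { $c = Join-Path $env:SystemRoot $c }
        $candidates += $c
    }
    return $candidates
}

# (a) Entries under Services whose binary no longer exists on disk.
function Get-OrphanedServiceEntries {
    foreach ($sub in Get-ChildItem -LiteralPath $ServicesKey) {
        $props = Get-ItemProperty -LiteralPath $sub.PSPath
        $name  = $sub.PSChildName
        if ($props.ImagePath) {
            $candidates = Get-ImagePathCandidates $props.ImagePath
        } elseif ($props.Type -eq 1 -or $props.Type -eq 2) {
            # Kernel/file-system drivers may omit ImagePath; the loader then
            # uses \SystemRoot\System32\drivers\<name>.sys.
            $candidates = @("$env:SystemRoot\System32\drivers\$name.sys")
        } else {
            continue   # not a loadable entry (e.g. a parameters-only key)
        }
        $present = $false
        foreach ($c in $candidates) {
            if (Test-Path -LiteralPath $c -PathType Leaf) { $present = $true; break }
        }
        if (-not $present) {
            New-Object PSObject -Property @{
                Name = $name; Type = $props.Type; Start = $props.Start; ImagePath = $props.ImagePath
            }
        }
    }
}

# (b) "Legacy Drivers" devnodes (Enum\Root\LEGACY_<SERVICENAME>) whose Services
# key is already gone: the ghosted entries Device Manager keeps showing.
function Get-GhostedLegacyDevnodes {
    $nodes = Get-ChildItem -LiteralPath $RootEnumKey | Where-Object { $_.PSChildName -like 'LEGACY_*' }
    foreach ($node in $nodes) {
        $svc = $node.PSChildName.Substring('LEGACY_'.Length)
        if (-not (Test-ServiceKey $svc)) {
            New-Object PSObject -Property @{ Devnode = $node.PSChildName; Service = $svc }
        }
    }
}

Get-OrphanedServiceEntries | Format-Table Name, Type, Start, ImagePath -AutoSize
Get-GhostedLegacyDevnodes  | Format-Table Devnode, Service -AutoSize
```

Run it once right after a reboot and once after opening and closing KillSwitch; any new row in either table is a leftover of the kind reported here. Removal is left to the steps already given in the thread (Device Manager, or `sc delete <name>` where Device Manager refuses), and the report is worth keeping alongside the Process Hacker service-created notification as evidence for the tracker.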

Can you please check and see if this is fixed with the newest version (6.2.282872.2847)? Please let us know whether it is fixed or you are still experiencing the problem.

Thank you.

PM sent.

Not fixed in _2847.

Thanks for checking this.

I’ve updated the tracker.

Not fixed in _2860.

Thanks for checking this. The tracker has been updated.

Can you please check and see if this is fixed with the newest version (6.3.294583.2937)? Please let us know whether it is fixed or you are still experiencing the problem.

Thank you.

PM sent.