• All Community
    • All Community
    • Forums
    • Ideas
    • Blogs
Advanced

Not what you are looking for? Ask the experts!

Kudos0

NIS History has started showing two odd entries virtually nonstop

NIS 21.5.0.19, Windows 7. I have long had a program called Hot Keyboard Pro, that allows extensive creation of customized keyboard shortcuts to perform actions of my choosing.

Last night I happened to look at NIS' Full History for an unrelated issue, and noticed that, starting about an hour before I checked, I keep getting the following firewall "information" entries repeated as a pair (i.e, same second).  This pair of entries recurs seconds to minutes apart, NON-STOP (and it's still happening):

An instance of C:\Program Files (x86)\HotkeyboardPro\HkHook64.exe" is preparing to access the internet.

An instance of C:\Windows\System32\Conhost.exe " is preparing to access the internet.

If I turn off Hot KeyBoard Pro (just to test...I NEED that program!), both entries stop appearing, but then restart when I turn Hot Keyboard Pro back on (it normally runs nonstop).

HkHook64.exe is NOT the main Hot Keyboard Pro progam file (that is hotkeyb.exe).  I wrote the program creator, Imposant, and they said:

"HKHook64.exe is Hot Keyboard 64 bit hook process. It does nothing but passes keyboard and mouse events from 64 bit processes to 32 bit Hot Keyboard executable. It does not access internet in any way, nor the HkHook64_45.dll (which is loaded by HkHook64.exe) does. HkHook64.exe is only 2560 bytes long (without digital signature), it imports KERNEL32.dll and HkHook64_44.dll only, so it technically cannot access the internet."

They also asked which firewall I'm using, and what exactly "preparing to access the internet" means.  I haven't mentioned Conhost.exe to them yet, because I didn't notice until later that a Conhost.exe entry always appears at the same time an a HkHook64 entry.

So, can anyone help me out here?  At least with the most basic question of what "preparing to access the internet" actually means? (And of course any other ideas/suggestions you have!)  I should note that I have the same program on another pc (that also has NIS), and the same exact situation is occuring there.  So I doubt it has anything to do with malware, although I ran a full system scan on both machines "just in case" and they came up clean.  I did a slew of Windows Updates about 10 hours before the issue started, but I temporarily "system restored" to before that point, but the virtually nonstop HkHook64.exe and Conhost.exe entries kept coming.  And there were no updates to HotKeyboard recently.

Thanks.

EDIT:  I just noticed that Full History has 300 of the entires about HkHook64.exe (just from the last hour alone!), and that every time a new one appears the oldest one drops off -- even though for other things Full History goes back far further in time.  I see the same pattern for the Conhost.exe entries.  This makes me wonder if maybe the problem has actually been going on a lot longer than I realize, given I check my Full history only very infrequently.  (I also clarified some points above.)

Replies

Kudos0

Re: NIS History has started showing two odd entries virtually nonstop

Fyi, support at Hot Keyboard tells me the following:

"conhost.exe is the system process that works as proxy between windows GUI and console applications. When you start any console app (e.g. cmd.exe) Windows spawns new conhost.exe. In fact, conhost.exe displays and supports window that represents a console app.

HKHook64.exe is a console app. So, when Hot Keyboard runs it (regardless of the fact that it is run hidden) Windows launches conhost.exe. "

But the question remains, why is NIS creating a huge, nonstop, rapidfire flood of "preparing to access" history entries for HKHook64.exe and conhost.exe (unless I turn off Hot Keyboard, which again I don't want to do)?

Kudos0

Re: NIS History has started showing two odd entries virtually nonstop

Any ideas?

Between just these two processes, I get 600 (!) entries per hour in Full History.  At the very least, is there some way I can tell NIS to stop logging the almost-continuous entries for what it perceives to be "preparing to access the internet" for these two processes?

Kudos1 Stats

Re: NIS History has started showing two odd entries virtually nonstop

I don't know if my 'problem' is the same as yours.  In reading about your problem, I noticed my Full History was bereft of "preparing to access the internet" entries in the entire months of August AND July.  Except ...

... when I accessed the internet three hours ago and ran LiveUpdate.  Subsequently, I have 20, and counting, such entries:

symerr.exe

palemoon and plug-in container

taskhost.exe

wmiprvse.exe

dllhost.exe

svchost.exe

"preparing to access the internet."

I have been quite active on the 'net.  For this to emerge now is baffling.  Windows Update was done Wednesday with a reboot.  NIS to 21.5 was done earlier than that.  Windows 7 x64 home premium sp1.

Kudos1 Stats

Re: NIS History has started showing two odd entries virtually nonstop

I am not familiar with the program, but I think I would begin by checking the settings for any networking or automatic updating options and disable them.  Norton is simply reporting that the program is continually attempting to go online (and I don't see that Norton is preventing it - so the repeated access requests are a mystery).  Make sure the program shows as "Auto" or "Allow" in the Norton Firewall Program rules, just to be sure that Norton is not causing the issue.

Kudos0

Re: NIS History has started showing two odd entries virtually nonstop


neigh-ho-ma wrote:

I don't know if my 'problem' is the same as yours.  In reading about your problem, I noticed my Full History was bereft of "preparing to access the internet" entries in the entire months of August AND July.  Except ...

... when I accessed the internet three hours ago and ran LiveUpdate.  Subsequently, I have 20, and counting, such entries:

symerr.exe

palemoon and plug-in container

taskhost.exe

wmiprvse.exe

dllhost.exe

svchost.exe

"preparing to access the internet."

I have been quite active on the 'net.  For this to emerge now is baffling.  Windows Update was done Wednesday with a reboot.  NIS to 21.5 was done earlier than that.  Windows 7 x64 home premium sp1.


Curious.  I *thought* I've noticed entries such as those in the past, but when I search for them in "full history" now I only see such entries for 8/14 and 8/15.  That sounds like the timing you cite.  I wonder if there is some sort of systematic problem that might also figure into NIS (very incorrectly) thinking that hkhook64.exe is preparing to "access the internet."

Kudos0

Re: NIS History has started showing two odd entries virtually nonstop

OK, it is clear now that one of those history-flooding (and FALSE) entries about hkhook64.exe and conhost.exe "attempting to access the internet" is triggered simply by my changing the focus from one window to another.  I.e., clicking on a window.  This could include anything from opening a new tab in my browser to opening the NIS dialog to opening an email to opening the hidden notification-area icons to opening a command window to...you name it.  No wonder these false "preparing to access the internet entries" are coming fast and furious, nonstop.

It's very annoying and is a bug -- very likely a new one.

As a workaround, does anyone have any idea how to stop NIS from logging entries about hkhook64.exe and conhost.exe?

I was led to this discovery by the following comments from support at Hot Keyboard Pro:

"Hot Keyboard periodically (e.g. when you switch the active window) sets and removes its keyboard and mouse hook. When it removes the hook, hkhook64.exe exits. When it sets the hook back, it runs hkkook64.exe again (Windows in turn runs conhost.exe, etc). It is possible that initialization of some library that is made when hkhook64.exe is run makes some function call that is interpreted as "is preparing to access the Internet" by NIS. "

This is further demonstrated by the fact that -- in addition to NIS logging a pair of false "preparing to access the internet" entries in history every time I change window focus, Task Manager also changes the pid for hkhook64.exe to indicate that it has been restarted.  And of course this happens extremely frequently as I use my computer (as long as Hot Keyboard [hotkeyb.exe*32] is running, which is always).

Kudos1 Stats

Re: NIS History has started showing two odd entries virtually nonstop

Hi,
To view what action the particular process or executable is doing on network, use resource monitor from performance tab of task manager. Navigate to network tab and click the process you want to observe.
Just below it, on next section named Network Activity, you can see the ips to which they are contacting...
Hope it helps....
regards, CV | There is no ONE TOUCH KEY to security . Be alert and vigilant. . | Always have a Backup Plan!
Kudos0

Re: NIS History has started showing two odd entries virtually nonstop

Thanks for the suggestion.  Doing this further confirms that there is NOT actually any network activity for HkHook64.exe (or Conhost.exe) despite all the "preparing to access the internet" entries that continually flood Full History and Firewall Activities.  The only way I can get any component of Hot Keyboard to show up in Network Activity is -- not surprisingly -- by clicking on "Check for Update" in the program's GUI, which causes the main program file (hotkeyb.exe) to show up under network actvity as it goes online to check.

Anyone else out there have Hot Keyboard Pro on a 64-bit system, running in the background?  If so, are you seeing all the HkHook64.exe and Conhost.exe "preparing to access the internet" entries in Full History?  I'm pretty sure the answer should be "yes," especially since -- as I stated earlier -- the same thing is happening on my other pc.

Kudos1 Stats

Re: NIS History has started showing two odd entries virtually nonstop

I think my 'problem' solved itself, Ardmore, and maybe in a sense yours, as well.

When you mentioned "Firewall Activities", I took a look at mine.  Surprise, surprise!  None of yesterday's "preparing to access the internet" entries were there.  Backtracking, I looked at Full History and found the same thing -- yesterday's entries were gone.  Only today's exist.  Apparently, Norton housekeeping does a good job cleaning out these entries.

That leaves the question, "Does the logging impact negatively on performance?"

Kudos0

Re: NIS History has started showing two odd entries virtually nonstop

Great observations, neigh-ho-ma.  I had noticed that the "preparing to access" entries cleared pretty quickly, but I thought that I had just reached some sort of threshold for identical entries, maybe 300, after which the oldest one dropped off after the new one entered the list.  But on further examination it does appear that -- as you found -- a "preparing to access" Info entry goes away after 24 hours.  As long as the problem has to remain, I guess those rotating deletions are a good thing.  And it makes me wonder if this has actually been going on ever since I switched to the 64-bit version of Hot Keyboard about 4 months ago, but between then and yesterday I've just had no reason to look at the Full History (or at least not at the most recent 24 hours)?

Wish Norton did a better job of documenting how these things work.  Indeed, it took me awhile to learn that "Recent History" is NOT just the most recent items in Full History.  Recent History actually omits a lot of the entries that go into Full History no matter how recently they occurred, which is certainly nonintuitive.

But none of this solves the mystery of the rapid-fire, apparently bogus, "preparing to access the internet" entries logged for HkHook64.exe and Conhost.exe.  Even the explanation I found about how "preparing to access the internet" does NOT necessarily mean "preparaing to go online" (see Reese's post in the link below) doesn't seem to explain this one.

Looks like a bug, and yes, a key question would be whether performance is adversely affected by the bogus entries.  Fortunately I don't see any evidence of that, but I don't know for sure.  In any event it sure makes it a messy proposition trying to examine Full History or Firewall Activities logs.

Reese Anschultz post referenced above: 

http://community.norton.com/t5/Norton-Internet-Security-Norton/KeePassX-is-preparing-to-access-the-internet/m-p/443072#M156638

Kudos0

Re: NIS History has started showing two odd entries virtually nonstop

Some years ago, probably during Windows Vista, I had noticed certain programs required conhost.exe running concurrently.  This was, to my limited knowledge, a bridge to the past Windows legacy.  While the programs may serve their purposes, I was reluctant to use them and was determined to forge forward towards the future without them.  Whenever I see conhost.exe running in the taskmanager, I find the culprit and then an alternative if possible.

Anyways, in the settings/network/smart firewall/program rules tab, IF there is an hkhook64.exe entry that was automatically generated, then it likely tried to access the internet and it can be blocked.  Conhost.exe can't be selected or blocked.  It won't even generate a program rule.

Kudos0

Re: NIS History has started showing two odd entries virtually nonstop



Anyways, in the settings/network/smart firewall/program rules tab, IF there is an hkhook64.exe entry that was automatically generated, then it likely tried to access the internet and it can be blocked.  Conhost.exe can't be selected or blocked.  It won't even generate a program rule.


No automatic entry was generated in the firewall for HkHook64.exe, which is not surpising because -- as explained earlier -- it does not, and cannot, access the internet.  (The main program file, hotkeyb.exe does have an automatic entry, which permits internet access.  It was probably generated the first time the program checked for an update.)

Just out of curiosity I manually added a firewall rule for HkHook64.exe. I tried setting it up as everything from full-block to full connection privilege, and not surprisingly they all had no effect, since HkHook64.exe is not actually trying to access the internet despite the flood of bogus "preparing to access" Info entries in Full History. Despite requesting rule alerts or monitoring in all cases, none appear -- again no surprise since it is not actually going, or trying to go, online. But in all cases the "preparing to acess the internet" Info-entry flood keeps coming. It's apparently an NIS bug, or maybe there is something in the Hot Keyboard program code that is misleading NIS; I'm certainly no expert on coding conventions.

Accepted Solution
Kudos0

Re: NIS History has started showing two odd entries virtually nonstop

Today I noticed that NIS is creating "preparing to access the internet" entries for ANY AND ALL exe's that execute, whether called manually (e.g., Firefox) or behind the scenes (e.g., any of numerous Windows or NIS processes...or subroutines of other programs).  These entries appear ONLY in Full History and Firewall Activities, and appear for about 24 hours, with new ones appearing all the time.  So the only reason I was seeing so many HkHook64.exe "preparing to acccess" entries is that it is something that executes every time I change focus to a new window -- i.e., *extremely* frequently.

I will mark this as the solution (even though all I did was expose a more-general issue) and start a new thread on the more-general issue.

This thread is closed from further comment. Please visit the forum to start a new thread.