News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it
Home icon Home icon Home icon Email icon RSS icon
  • Command prompt windows appear after I log in

    Posted on crimsoncricket Comment on the AskWoody Lounge

    Home Forums AskWoody support Windows Windows 10 Questions: Win10 Command prompt windows appear after I log in

    • This topic has 20 replies, 6 voices, and was last updated 3 months ago.
    Viewing 14 reply threads
    • Author
      Posts
      • #2169965 Reply
        crimsoncricket
        AskWoody Lounger

        I’m a Windows 10 Pro (1903. Build 18362.239) x64 user on a HP desktop.  I started up my computer and logged into my account a few weeks back and a few black command prompt windows quickly appeared and disappeared on my desktop. I ran Autoruns and Process Monitor to try to determine what happened, but wasn’t sure how to interpret the results.  There were some yellow and pink highlighted items in Autoruns that seemed odd to me, but also didn’t have any obvious connection to the command prompt windows.

        This happened again when I logged into my admin account and also happened again several days later when I logged into my regular account. The only changes that I made on my computer were uninstalling Avast and Adobe Flash.  Now that my schedule has finally freed up, I was hoping someone here could help me to figure out what happened.  I still have the Autoruns log if that would help.

      • #2169966 Reply
        Bluetrix
        AskWoody MVP

        It sounds like a script ran. autoexe.bat for instance, but I thought those were a Win7 thing.

        We have had a thread where someone was looking for VBscript help to stop the “blink” Cmd window from appearing when the script ran at startup. Not sure if it’s the same problem though, just a thought.

        1 user thanked author for this post.
        • #2170318 Reply
          crimsoncricket
          AskWoody Lounger

          It sounds like a script ran. autoexe.bat for instance, but I thought those were a Win7 thing.

          We have had a thread where someone was looking for VBscript help to stop the “blink” Cmd window from appearing when the script ran at startup. Not sure if it’s the same problem though, just a thought.

          I did upgrade from Windows 7, so you could be onto something here.  Especially since an error window about OnDrive.exe failing to run appeared when I logged into my admin account earlier.

      • #2169998 Reply
        Alex5723
        AskWoody Plus

        You may have a virus/malware.. running.
        Run a thorough check of your system.

        1 user thanked author for this post.
      • #2170003 Reply
        Rick Corbett
        AskWoody_MVP

        There were some yellow and pink highlighted items in Autoruns that seemed odd to me

        This is normal. Yellow just means that an expected item couldn’t be found. This can happen with badly-written uninstallers that remove files but leave the ‘run’ call. Pink indicates unsigned entries or entries missing publisher information.

        If you still have the saved .ARN file then by all means attach it for someone to have a look at. (You’ll very probably need to ZIP it… I don’t think .ARN is an approved filetype for uploading.)

        Do you have any HP bloatware installed? I’ve noticed that their scheduled tasks sometimes use DOS-type commands (like wget) to download version info to check if the bloatware is up-to-date.

        Hope this helps…

        1 user thanked author for this post.
        • #2170320 Reply
          crimsoncricket
          AskWoody Lounger

          There were some yellow and pink highlighted items in Autoruns that seemed odd to me

          This is normal. Yellow just means that an expected item couldn’t be found. This can happen with badly-written uninstallers that remove files but leave the ‘run’ call. Pink indicates unsigned entries or entries missing publisher information.

          If you still have the saved .ARN file then by all means attach it for someone to have a look at. (You’ll very probably need to ZIP it… I don’t think .ARN is an approved filetype for uploading.)

          Do you have any HP bloatware installed? I’ve noticed that their scheduled tasks sometimes use DOS-type commands (like wget) to download version info to check if the bloatware is up-to-date.

          Hope this helps…

          Thanks for clearing that up.  I’m having trouble getting the .ARN files to open, so I’m going to tackle that sometime over the next day or so.  Worst case scenario is that I’ll have to run Autoruns again and take some screenshots.

          As for your other question, I might still have some HP bloatware (but it seems to be eclipsed by all of Windows 10’s bloatware).

      • #2170086 Reply
        JohnW
        AskWoody Plus

        I run Windows Defender on my Win 10 laptop, and every time it gets signature updates I see a command prompt window flash up on the screen.

        1 user thanked author for this post.
      • #2170319 Reply
        crimsoncricket
        AskWoody Lounger

        You may have a virus/malware.. running.
        Run a thorough check of your system.

        I’ve only run Windows Security so far, but it looks like I’m clean.  I’ll update if I find anything using other tools.

      • #2173431 Reply
        crimsoncricket
        AskWoody Lounger

        For peace of mind, I would also suggest getting Malwarebytes free edition and running an on-demand malware scan. This is my first, second opinion scanner.  The download includes a 14-day premium trial, which you can turn off at any time, thus reverting early to the free edition. The premium adds real-time support. https://www.malwarebytes.com/premium/

        I also use the free Emsisoft Emergency Kit scanner as another second opinion malware scanner. It is totally portable, no installation required! https://www.emsisoft.com/en/home/emergencykit/

        Emsisoft Emergency Kit is a free portable antivirus that you can use as a secondary scanner or to disinfect PCs

        https://www.ghacks.net/2019/07/26/emsisoft-emergency-kit-free-portable-antivirus/

        Thanks for the advice!  I was all clear with Malwarebytes but Emsisoft failed to run due to a “Failed to create bin64/epp.sys” error message.  Do you have any advice on resolving that?

      • #2173434 Reply
        crimsoncricket
        AskWoody Lounger

        The command prompts appeared again.  Although they vanished too quickly for me to get a screenshot, I did notice how they mentioned “System32.”  I’m attaching two zipped Autoruns logs in the hope that someone can help me figure out what’s going on.  I can also post the results of my Rkill scan if anyone thinks it’ll help.

        Attachments:
      • #2174189 Reply
        Paul T
        AskWoody MVP

        I’d disable SuperAntiSpyware and test.

        cheers, Paul

        p.s. The reviews I’ve seen don’t rate it well.

        1 user thanked author for this post.
      • #2174512 Reply
        crimsoncricket
        AskWoody Lounger

        I’d disable SuperAntiSpyware and test.

        cheers, Paul

        p.s. The reviews I’ve seen don’t rate it well.

        I only use SuperAntiSpyware free edition, which doesn’t have any real-time protection to disable.  Do you mean I should uncheck “Run in the background (system tray)” and “Start SuperAntiSpyware with Windows” prior to running Emsisoft?

        • #2174525 Reply
          JohnW
          AskWoody Plus

          I bought the paid edition of SuperAntiSpyware more than 10+ years ago.

          Don’t even have it installed anymore, as there are apparently better products available now. So haven’t any current experience with it to comment on it.

          I Googled your error with Emsisoft Emergency Kit and apparently there is sometimes an issue with the EEK folder at: “C:\EEK”, or “C:\Program Files (x86)\EEK”, or whatever location it was directed to at run time.

          Try deleting that folder if it exists, and try again.

          Download: If you don’t have the Emsisoft Emergency Kit yet, download it here. It’s free for private use and it’s fully portable, which means no installation is required. The download package just unpacks to “C:EEK” or any other destination of your choice and place a shortcut on your Desktop.

          Note: If you don’t need the software anymore, just delete the whole folder and the shortcut at any time.

          How to find and clean malware infections with Emsisoft Emergency Kit

          https://blog.emsisoft.com/en/16796/how-to-find-and-clean-malware-infections-with-emsisoft-emergency-kit-2/#download

          Dual malware scanner engines – EMSI + Bitdefender

          https://blog.emsisoft.com/en/17657/an-in-depth-look-at-the-emsisoft-scanner-technology/

      • #2174621 Reply
        Rick Corbett
        AskWoody_MVP

        @crimsoncricket – I’ve just had a look at your autorunsfeb82020 – Copy.arn file and you have a whole bunch of programs (including services and scheduled tasks) that could be the cause of command prompt windows appearing as they carry out checks and updates.

        However you mention that the issue began after you had uninstalled Avast and Adobe Flash. If you type Avast into Autoruns’ Filter box it will show you that Avast has not removed a Scheduled Task for its SafeZone browser:

        ARN-Avast

        I wonder if one of the command prompt windows is a warning that the task has run but cannot find the launcher file? To check, remove the tick from the checkbox and restart.

        Next, before investigating other scheduled tasks and services, in Autoruns just remove the tick marks against the 8 programs that run automatically from the registry then restart the PC:

        ARN-Run

        This is just a quick check to see if the command windows continue to pop up. Once you’re restarted the PC, put the 8 ticks back into the checkboxes and report back.

        (Was this PC updated from Windows 8? The first ARN file I looked at showed stuff that I hadn’t seen before.)

        Hope this helps…

        Attachments:
      • #2175851 Reply
        crimsoncricket
        AskWoody Lounger

        If you don’t have the Emsisoft Emergency Kit yet, download it here

        Thanks, Emsisoft says I’m all clear!

      • #2176004 Reply
        crimsoncricket
        AskWoody Lounger

        @crimsoncricket – I’ve just had a look at your autorunsfeb82020 – Copy.arn file and you have a whole bunch of programs (including services and scheduled tasks) that could be the cause of command prompt windows appearing as they carry out checks and updates.

        However you mention that the issue began after you had uninstalled Avast and Adobe Flash. If you type Avast into Autoruns’ Filter box it will show you that Avast has not removed a Scheduled Task for its SafeZone browser:

        ARN-Avast

        I wonder if one of the command prompt windows is a warning that the task has run but cannot find the launcher file? To check, remove the tick from the checkbox and restart.

        Next, before investigating other scheduled tasks and services, in Autoruns just remove the tick marks against the 8 programs that run automatically from the registry then restart the PC:

        ARN-Run

        This is just a quick check to see if the command windows continue to pop up. Once you’re restarted the PC, put the 8 ticks back into the checkboxes and report back.

        (Was this PC updated from Windows 8? The first ARN file I looked at showed stuff that I hadn’t seen before.)

        Hope this helps…

        I’ve tried to post this two times without success, hopefully third time’s the charm:

        Thanks!  I didn’t see any command prompts after following your instructions.  But since the command prompts only randomly appear at startup and not every time, I’m not sure that one of those services is the culprit.  Especially since the Windows Defender entry didn’t appear in Autoruns this time when I was unchecking stuff!

        I’ve never had Windows 8.  What was the stuff you didn’t recognize?  Perhaps the Windows Defender file is a holdover from when I had the standalone tool of that name installed on Windows 7?  I think one of the .ARN files was generated in my regular account and the other was from my admin account.  I have some screenshots of another Autoruns scan in did in my admin account that had some differences from the .ARN files.  There’s also an interesting rkill scan log from my regular account that could potentially be of use due to its “Checking Windows Service Integrity” results.  Do you want me to post them?

        • #2176077 Reply
          Rick Corbett
          AskWoody_MVP

          It’s good you haven’t seen the popups since. It more or less confirms that they were caused by one of the autostarting programs that are run from the registry rather than a scheduled task or service.

          Delete the autorun entry for the Avast Safe Browser then start putting the ticks back in the checkboxes – just a couple at a time and test for a few days – to see if/when the popups return. This is to try to narrow down which of the autostarting programs cause the popups.

          If you’ve never had Windows 8 then it must have a leftover from the standalone version of Defender. I don’t think there’s much reason to see any further .ARN files but I’m happy to have a look at the rkill scan log if you want to attach it.

          Hope this helps…

      • #2176131 Reply
        crimsoncricket
        AskWoody Lounger

        It’s good you haven’t seen the popups since. It more or less confirms that they were caused by one of the autostarting programs that are run from the registry rather than a scheduled task or service.

        Delete the autorun entry for the Avast Safe Browser then start putting the ticks back in the checkboxes – just a couple at a time and test for a few days – to see if/when the popups return. This is to try to narrow down which of the autostarting programs cause the popups.

        If you’ve never had Windows 8 then it must have a leftover from the standalone version of Defender. I don’t think there’s much reason to see any further .ARN files but I’m happy to have a look at the rkill scan log if you want to attach it.

        Hope this helps…

        Great, I’ll definitely do that.  Here’s the Rkill log; you’ve been extremely helpful!

        Attachments:
        • #2176183 Reply
          Paul T
          AskWoody MVP

          Please don’t quote the whole post for a line or two answer. Highlight the relevant section of the post then click the quote button.

          cheers, Paul

          1 user thanked author for this post.
      • #2176246 Reply
        Rick Corbett
        AskWoody_MVP

        Here’s the Rkill log

        I can’t see any issues with the Rkill log.

        All the ‘[Incorrect ImagePath]’ entries are because Rkill apparently is still not fully compatible with Windows 10.

        Hope this helps…

        1 user thanked author for this post.
    Viewing 14 reply threads

    Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

    Reply To: Command prompt windows appear after I log in

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.

    Cancel