14 November 2018
Simple Cleaning Process to Make PCs Run Great Again (Part 2) - Disabling Prefetch and Getting Rid of the RegSvr32 Running Problem
Part 2 goes further in cleaning up a PC than commercial cleaning tools such as CCleaner or antivirus products typically do.
Section I: Disabling Prefetch and SuperFetch
What are they?
They are Windows features meant to make programs start faster. Prefetch dates from the XP days and is still present in Windows 10.
When a program is launched, Windows records which files (and which parts of them) the program touched during its first seconds and saves that list as a .pf file in [C:\Windows\Prefetch], named after the executable plus a hash of its path. On the next launch Windows reads those files into memory up front instead of waiting for the program to ask for them one by one. Prefetch does not start programs by itself; it only speeds up programs that something else has started.
SuperFetch (the [SysMain] service) goes one step further: it watches which programs are used most often and when, and pre-loads their code and data into free RAM before they are launched, so they open even faster.
Because Windows writes a .pf file for almost every executable that runs, the Prefetch folder is also a record of what has been executed on the PC, including programs that have since been deleted. Malware cannot use Prefetch as a "back door" to get itself started, but the .pf files are one of the first places to look when working out whether, and when, a suspicious program has run.
The Conventional Wisdom?
If Windows and the program files are installed on an SSD, Prefetch and SuperFetch give little benefit, and the conventional advice is to disable them with the following steps:
| Description | Action | Remarks |
|---|---|---|
| 1. Disabling Prefetch | 1. Start [Regedit] as Admin and navigate to [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters] (the address shown at the top of the next picture); 2. Change the value of [EnablePrefetcher] from [3] to [0] | [3] means both boot and application prefetching are on; [0] turns both off. The [EnableSuperfetch] value in the same key can be set to [0] as well. |
| 2. Disabling SuperFetch | 1. Start [Services] as Admin and open [Superfetch Properties] as shown; 2. Stop the service if it is running; 3. In the [Startup type] dropdown, select [Disabled] | The service's internal name is [SysMain], and newer Windows 10 builds list it under that name instead of "Superfetch". |
If the PC still uses an ordinary mechanical hard disk, it is better to keep Prefetch and SuperFetch enabled and instead do a monthly clean-up by deleting the files ending in [.pf] in [C:\Windows\Prefetch]. Windows re-creates them automatically as programs are launched. Bear in mind that those files are also the PC's record of what has been run, so if there is any suspicion of infection, copy or archive them somewhere safe before deleting them.
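The two steps above and the monthly clean-up, done from an elevated PowerShell prompt instead of Regedit and Services. This is an added example, not code from the original post; it assumes a standard Windows 10 install (the registry key and the [SysMain] service name are the stock ones), and the archive folder and function names are this example's own choices. The archive step is the caveat from the previous paragraph: the .pf files are execution evidence, so they are zipped before they are removed.

```powershell
# Added example (not from the original post): inspect, disable or re-enable
# Prefetch/SuperFetch, and archive the .pf files before the monthly clean-up.
# Run from an elevated PowerShell prompt. Assumes stock Windows 10 paths/names.

$PrefetchKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters'

function Get-PrefetchState {
    # Report the registry values and service state that the two steps change,
    # plus the media type of each physical disk (SSD vs HDD) to decide what to do.
    $reg = Get-ItemProperty -Path $PrefetchKey
    $svc = Get-Service -Name SysMain -ErrorAction SilentlyContinue   # shown as "Superfetch" on older builds
    [pscustomobject]@{
        EnablePrefetcher = $reg.EnablePrefetcher   # 0 = off, 1 = applications, 2 = boot, 3 = both
        EnableSuperfetch = $reg.EnableSuperfetch
        SysMainStatus    = if ($svc) { $svc.Status }    else { 'not present' }
        SysMainStartType = if ($svc) { $svc.StartType } else { 'not present' }
        Disks            = (Get-PhysicalDisk | ForEach-Object { "$($_.FriendlyName): $($_.MediaType)" }) -join '; '
    }
}

function Set-PrefetchState {
    # 'Disabled' does Section I steps 1 and 2; 'Enabled' puts everything back.
    param([Parameter(Mandatory)][ValidateSet('Enabled', 'Disabled')][string]$State)
    $value = if ($State -eq 'Disabled') { 0 } else { 3 }
    Set-ItemProperty -Path $PrefetchKey -Name EnablePrefetcher -Value $value -Type DWord
    Set-ItemProperty -Path $PrefetchKey -Name EnableSuperfetch -Value $value -Type DWord
    if ($State -eq 'Disabled') {
        Stop-Service -Name SysMain -Force -ErrorAction SilentlyContinue
        Set-Service  -Name SysMain -StartupType Disabled
    } else {
        Set-Service   -Name SysMain -StartupType Automatic
        Start-Service -Name SysMain
    }
}

function Clear-PrefetchFiles {
    # Monthly clean-up for HDD systems. The .pf files record every program that
    # has run, so they are zipped into $ArchiveDir (assumed location) first.
    param([string]$ArchiveDir = "$env:SystemRoot\Temp\PrefetchArchive")
    $pf = @(Get-ChildItem -Path "$env:SystemRoot\Prefetch" -Filter '*.pf' -ErrorAction Stop)
    if ($pf.Count -eq 0) { return 0 }
    New-Item -ItemType Directory -Path $ArchiveDir -Force | Out-Null
    $zip = Join-Path $ArchiveDir ('prefetch-{0:yyyyMMdd-HHmmss}.zip' -f (Get-Date))
    Compress-Archive -Path $pf.FullName -DestinationPath $zip
    $pf | Remove-Item -Force
    return $pf.Count            # number of .pf files archived and deleted
}

# Usage (elevated):
#   Get-PrefetchState                       # look before changing anything
#   Set-PrefetchState -State Disabled       # SSD-only system
#   Clear-PrefetchFiles                     # HDD system, once a month
```

Run `Get-PrefetchState` first: if every disk reports `SSD`, disable; if the system disk is an `HDD`, leave the features on and schedule `Clear-PrefetchFiles` instead. The zip produced by the clean-up can later be opened with WinPrefetchView if a program's execution history ever needs to be checked.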
Section II: Getting Rid of a Constantly Running RegSvr32
Those who monitor their PC with [Task Manager] might sometimes find that RegSvr32 (regsvr32.exe) keeps running non-stop and consuming a lot of CPU time, as shown in the attached screenshot.
There is no warning or notification. Some say it is caused by viruses; others say some OS files are missing. Most people solve the problem by installing an antivirus program, while others simply delete the RegSvr32 files from the PC, which is not advisable: regsvr32.exe is a legitimate Windows tool that installers rely on to register DLLs.
This Section II presents an easy way to identify and get rid of the RegSvr32 problem using Windows' own tools plus Microsoft's free Process Monitor. The same method can also be used to identify and get rid of other unwanted programs that keep running in the background and consuming CPU time.
What Happened?
The PC is most likely infected, or a program on it is broken; if a Windows DLL itself were missing, the PC would usually show a warning. regsvr32.exe does only one job: it loads the DLL named on its command line and calls that DLL's registration (or un-registration) routine. When it runs non-stop, something keeps launching it, typically a startup entry, a scheduled task or another process, and each attempt fails because the DLL it is told to register is missing, damaged or refuses to load; with the /s (silent) switch no error is ever shown. Malware likes regsvr32.exe for exactly this reason: it is a signed Windows binary, so having it load a malicious DLL (or a remote scriptlet through its /i: option) draws less attention than running the malware directly. In this case, some files were found missing, so Windows could not complete the registration and kept retrying.
How To Resolve?
Task Manager shows that RegSvr32 is taking up a lot of CPU time but cannot tell which program or virus is the "culprit". Luckily, Microsoft has a tool called Process Monitor, or [ProcMon], with which one can watch what each Windows process is doing, including which process started which. This article concentrates on how to use this tool to "catch the culprit".
Where Can I Download It?
Process Monitor is a free tool from Microsoft's Sysinternals suite.
Step by Step Example of using [ProcMon]
| Description | Action | Remarks (Click Picture to Enlarge) |
|---|---|---|
| 1. Starting [ProcMon] | One is greeted by the following screen, which shows every event from every process. The screen scrolls so fast that there is no way to follow it without setting up a [Filter]. | |
| 2. Setting up the [Filter] | In the menu, click [Filter] and then select [Filter...] from the dropdown list. | The following screen appears, showing no fewer than 20 default filter rules. As we only want to watch RegSvr32, a filter is required. |
| 3. What to Put in the [Filter] | 1. In [Display entries matching these conditions], choose [Process Name] in the first dropdown; 2. Leave the second dropdown at [is] and type [regsvr32.exe] in the third box, so that only the RegSvr32 process is shown; 3. The default rules can be left as they are (they only hide ProcMon's own activity and system noise); 4. Click [Add], then [Apply], then [OK] | Watch the event counter at the bottom of the screen; it should keep increasing, indicating ProcMon is working properly. As soon as [regsvr32.exe] is launched, ProcMon starts reporting its events. |
| 4. How to know which is the virus? | 1. Check the [Result] and [Detail] columns, and add the [Command Line] and [Parent PID] columns via [Options] > [Select Columns...]. 2. The command line shows which DLL regsvr32 was told to register and where that DLL lives; the parent PID (or [Tools] > [Process Tree]) shows which program started it and where that program is located. 3. Go to the file's location by right-clicking the event and selecting [Jump To]. Rename the file by adding [.bak] to the end of its name. If it is a registry key instead, export it first by clicking [File] in Regedit and selecting [Export], and save it with a recognisable name so that it can be restored with [Import] should anything go wrong. | In this particular case, the first event listed referred to a Prefetch file called "RegSvr32.exe-03D3FB87.pf". That file is not the virus and did not start anything: Windows writes it every time regsvr32.exe runs (the hex part is a hash of the executable's path). It is, however, a useful lead, because its file list names the DLL regsvr32 tried to load. The real suspect is the program that keeps launching regsvr32, together with the DLL on regsvr32's command line. If Windows refuses to allow the file to be renamed or the registry key to be deleted, see the Q&A section. Note: "WinPrefetchView" (a free NirSoft tool) can be used to study these prefetch files. |
| 5. Restart the computer | Check whether the problem has been resolved; if not, repeat steps 3 and 4. | Look out for processes with suspiciously long, random-looking names, especially files found under "\[username]\AppData\Local\", and for regsvr32 command lines pointing at DLLs in user-writable folders such as AppData, Temp or ProgramData. |
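The "catch the culprit" step, done with Windows' own tooling: the same parent-process and command-line check that step 4 does in ProcMon, run against the live process list so it can be repeated quickly after each restart in step 5. This is an added example and not the original post's method; it assumes Windows 10 with PowerShell 5.1, the suspicion rules in `Test-SuspiciousRegSvr32` are this example's own heuristics rather than a definitive malware test, and the process list at the bottom is constructed to stand in for real `Get-CimInstance Win32_Process` output.

```powershell
# Added example (not from the original post): find what keeps launching
# regsvr32.exe and what it asks regsvr32 to register, using only built-in
# Windows tools (CIM/WMI). Complements the ProcMon steps: ProcMon shows the
# event history, this shows the live state. Heuristics are this example's own.

function Test-SuspiciousRegSvr32 {
    param([string]$CommandLine)
    # regsvr32.exe itself is a signed Windows binary, so judge what it was told
    # to do, not the binary. Each matching rule adds one flag.
    $flags = @()
    if ($CommandLine -match '(?i)/i:\s*\S*https?:') { $flags += 'remote scriptlet via /i:http' }
    if ($CommandLine -match '(?i)scrobj\.dll')       { $flags += 'scrobj.dll (runs .sct scriptlets)' }
    if ($CommandLine -match '(?i)\\AppData\\Local\\|\\AppData\\Roaming\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\') {
        $flags += 'DLL in a user-writable folder'
    }
    if ($CommandLine -match '(?i)\s/s\b')            { $flags += 'silent (/s): errors are never shown' }
    return $flags
}

function Find-RegSvr32Launch {
    # $Processes: objects with ProcessId, ParentProcessId, Name, CommandLine
    # (exactly what Win32_Process provides). Emits one record per regsvr32.exe.
    param([Parameter(Mandatory)][object[]]$Processes)
    $byId = @{}
    foreach ($p in $Processes) { $byId[[int]$p.ProcessId] = $p }
    foreach ($p in ($Processes | Where-Object { $_.Name -ieq 'regsvr32.exe' })) {
        $parent = $byId[[int]$p.ParentProcessId]
        [pscustomobject]@{
            PID           = $p.ProcessId
            CommandLine   = $p.CommandLine
            ParentPID     = $p.ParentProcessId
            ParentName    = if ($parent) { $parent.Name } else { '(parent already exited)' }
            ParentCmdLine = if ($parent) { $parent.CommandLine } else { $null }
            Flags         = (Test-SuspiciousRegSvr32 -CommandLine $p.CommandLine) -join '; '
        }
    }
}

# Constructed sample (not real data) standing in for Get-CimInstance Win32_Process.
$sample = @(
    [pscustomobject]@{ ProcessId = 4100; ParentProcessId = 700;  Name = 'explorer.exe'; CommandLine = 'C:\Windows\explorer.exe' }
    [pscustomobject]@{ ProcessId = 5212; ParentProcessId = 4100; Name = 'updater.exe';  CommandLine = 'C:\Users\alice\AppData\Local\Temp\updater.exe' }
    [pscustomobject]@{ ProcessId = 5300; ParentProcessId = 5212; Name = 'regsvr32.exe'; CommandLine = 'regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\helper.dll' }
    [pscustomobject]@{ ProcessId = 6000; ParentProcessId = 900;  Name = 'msiexec.exe';  CommandLine = 'C:\Windows\System32\msiexec.exe /V' }
    [pscustomobject]@{ ProcessId = 6010; ParentProcessId = 6000; Name = 'regsvr32.exe'; CommandLine = 'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"' }
)
Find-RegSvr32Launch -Processes $sample | Format-List
# PID 5300 is flagged twice (user-writable folder, silent) and its parent is an
# updater.exe living in Temp; PID 6010 is the ordinary installer case.

# Live run on the PC under investigation (elevated, so other users' processes are visible):
#   Find-RegSvr32Launch -Processes (Get-CimInstance Win32_Process) | Format-List
```

Because a failing regsvr32 often exits and is re-launched within a second, run the live query a few times in a row, or keep ProcMon's [Process Tree] open alongside it. Once the parent is known, the usual launch points to check are the Run keys under HKLM and HKCU (\Software\Microsoft\Windows\CurrentVersion\Run), the Startup folder, and scheduled tasks (`Get-ScheduledTask`); the entry that names the parent program or the DLL is what to rename or export and remove.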
Q&A
| Description | Action | Remarks |
|---|---|---|
| 1. The PC refuses to let me rename the file or delete the registry keys | Two ways: 1. Traditional way: boot Windows into Safe Mode; hopefully the file or registry key will not be in use and can be deleted. 2. Complicated way: take ownership of the file or registry key and grant yourself full control (for files, the built-in [takeown] and [icacls] commands do this; for registry keys, right-click the key in Regedit and use [Permissions...]). Here is how to take control of the files: | The file or key is locked by Windows, or by the virus, while it is in use or being repeatedly opened. |
| 2. The problem is still around | Try other methods. | Viruses come in many forms; not all of them use the same tricks to protect themselves. After mastering Task Manager and ProcMon, one should be more confident in finding other ways to tackle them. |
-------------------------------------------------------------------------------------------------------------------
Other similar articles
tinyurl : https://tinyurl.com/y9nu2d77