terrypin Posted November 12, 2009 Report Share Posted November 12, 2009 Has anyone here taken a close look at the list of windows that appears under the 'Hidden' tab when you're adding a window for scoping? I can't begin to fathom many of mine. Some look like hack or phishing attempts, such as Alliance & Leicester Bank Plc. (newcc@alliance-leicester.co.uk). I'm guessing it may have been part of a spam email I received yesterday. But as I simply deleted it (together with several others in my daily intake, if they hadn't already been zapped by MailWasher), I don't understand how a 'window' can have appeared and still be hanging around. Others are repeated scores of times, like Default IME, M and many more, some of which I recognise, like Second Copy 2000 (but why 5 identical windows?). A couple are names of macros I've edited in the last day or so, like Open containing folder 2 - Variables, but which have long since been closed and haven't been used for hours. Others (the majority) are plain baffling, and seem to refer to stuff that is really old and no longer running, like MS_WebcheckMonitor (a process I closed weeks ago, when I discovered it running and research showed it to be at best wasteful and at worst intrusive). Probably the weirdest is You are using a Pirated Licence Key - worrying, as to the best of my knowledge I'm not! The list remains unchanged after terminating and restarting ME Pro. So my questions are: Anyone have any insights here please? In particular, how can I find the source of these entries and examine them more closely? And I wonder if there's a bug in ME Pro, not clearing out old 'hidden' windows? -- Terry, East Grinstead, UK Quote Link to comment Share on other sites More sharing options...
kevin Posted November 12, 2009 Report Share Posted November 12, 2009 Macro Express Pro gets the list of windows, both visible and hidden, from Windows. Do you ever turn off your computer? From your description it sounds like you leave it on for weeks at a time. Personally, I turn my computers off each night. As Macro Express Pro runs it requests memory from Windows (alloc). Then, when finished with that block of memory, it tells Windows it no longer needs that block (free). Windows frees up most of the memory but with each alloc/free cycle Windows keeps 16 bytes flagged as used. Depending on the commands used in your macros and how often they run, over time the accumulation of 16 bytes blocks adds up and starts to affect your computer's performance. When Macro Express Pro is closed, all memory is freed. We recommend that you periodically restart Macro Express Pro (if not your computer). A scheduled macro that runs at 2:00 am containing the Restart Macro Express command will do this automatically. To be on the safe side I would run this daily but you should do this a minimum of once a week. Quote Link to comment Share on other sites More sharing options...
terrypin Posted November 12, 2009 Author Report Share Posted November 12, 2009 Macro Express Pro gets the list of windows, both visible and hidden, from Windows. Do you ever turn off your computer? From your description it sounds like you leave it on for weeks at a time. Personally, I turn my computers off each night. As Macro Express Pro runs it requests memory from Windows (alloc). Then, when finished with that block of memory, it tells Windows it no longer needs that block (free). Windows frees up most of the memory but with each alloc/free cycle Windows keeps 16 bytes flagged as used. Depending on the commands used in your macros and how often they run, over time the accumulation of 16 bytes blocks adds up and starts to affect your computer's performance. When Macro Express Pro is closed, all memory is freed. We recommend that you periodically restart Macro Express Pro (if not your computer). A scheduled macro that runs at 2:00 am containing the Restart Macro Express command will do this automatically. To be on the safe side I would run this daily but you should do this a minimum of once a week. As I said: "The list remains unchanged after terminating and restarting ME Pro" I do that frequently. And my last PC reboot was earlier today, following an automatic windows update. (There are long gaps when I leave my PC running, for overnight backups, but before any critical tests like this I usually reboot.) As of my last check a minute ago, there are 211 'hidden' windows listed by ME Pro. Any other ideas on where they come from, how I can examine them, and how I can get rid of them? I've just run the only other tool I have that displays a list of all windows, Stiletto. It shows a total of 51, most of which are 'hidden'. So I still suspect ME Pro is not cleaning up in the way you describe. To the extent of 160 obsolete windows it would appear! Are these held in any file or registry key? -- Terry, East Grinstead, UK Quote Link to comment Share on other sites More sharing options...
Cory Posted November 12, 2009 Report Share Posted November 12, 2009 I think your machine is Humpty Dumpty. ...................................... A few of the windows and apps you have described sound very much like a malware infection and one of the newest breed of malware that claim to be anti-malware. I’ve had to deal with several “AntiVirus 2009” infections with in the last several months. You are seeing many things I can not explain but while fighting these bugs I have seen many oddities like this. First and foremost many of these make job 1 to cripple your antivirus software in a way that makes it look like it’s still working. Norton in particular. I’ve had 3 people bring me PC’s that they claim have no viruses because they ran a scan with the most recent DATs and they came out clean. I’ve even confirmed this by performing the scan on their machine and getting a clean bill of health from the AV software. However when I yank the drive and put it in my mule machine and scan it I find thousands of infected files. IE the AV lights were on but no one was home. BTW I have never been able to clean a machine that I booted from. IE I had to install it on another known clean machine to fix it. And in those cases I’ve tried to clean from the infected machine it was instantly evident that they are very clever and molest tens of thousands of machine settings and files to hook themselves back it. As soon as you think you’ve cleaned it you reboot and something triggers and BAM! You’re re-infected. Now the reason I say “Humpty Dumpty” is because these little bastards do so much damage that no human can undo all the crap they change. Even if you manage to eradicate it certain services like DNS may never work properly again. IMHO the only solution is an FnR (Format and Reinstall). Fortuitously Windows 7 was just release so it might be a good time for a clean install of a new OS. Quote Link to comment Share on other sites More sharing options...
kevin Posted November 12, 2009 Report Share Posted November 12, 2009 As I said: Macro Express Pro gets the list of windows, both visible and hidden, from Windows itself. Macro Express Pro does not keep a list of windows. When you ask for the list via a macro command, Macro Express Pro asks Windows for the list of windows. The list is not held in a file, a cache or registry keys. Do you have another program that enumerates the visible and hidden windows currently running? If so, tell us what it shows. Quote Link to comment Share on other sites More sharing options...
kevin Posted November 12, 2009 Report Share Posted November 12, 2009 Cory, this is interesting. I am working on a computer right now that has many funny symptoms. But it is scanning clean now. Maybe it is time to reformat it. Do you find that Vista is less susceptible to malware than XP? Quote Link to comment Share on other sites More sharing options...
terrypin Posted November 12, 2009 Author Report Share Posted November 12, 2009 I think your machine is Humpty Dumpty....................................... A few of the windows and apps you have described sound very much like a malware infection and one of the newest breed of malware that claim to be anti-malware. I've had to deal with several "AntiVirus 2009" infections with in the last several months. You are seeing many things I can not explain but while fighting these bugs I have seen many oddities like this. First and foremost many of these make job 1 to cripple your antivirus software in a way that makes it look like it's still working. Norton in particular. I've had 3 people bring me PC's that they claim have no viruses because they ran a scan with the most recent DATs and they came out clean. I've even confirmed this by performing the scan on their machine and getting a clean bill of health from the AV software. However when I yank the drive and put it in my mule machine and scan it I find thousands of infected files. IE the AV lights were on but no one was home. BTW I have never been able to clean a machine that I booted from. IE I had to install it on another known clean machine to fix it. And in those cases I've tried to clean from the infected machine it was instantly evident that they are very clever and molest tens of thousands of machine settings and files to hook themselves back it. As soon as you think you've cleaned it you reboot and something triggers and BAM! You're re-infected. Now the reason I say "Humpty Dumpty" is because these little bastards do so much damage that no human can undo all the crap they change. Even if you manage to eradicate it certain services like DNS may never work properly again. IMHO the only solution is an FnR (Format and Reinstall). Fortuitously Windows 7 was just release so it might be a good time for a clean install of a new OS. Thanks, but I don't see any evidence of viruses, trojans or malware of any sort. This PC is well-protected in several complementary ways. That's not to say it's impregnable, but your speculation is quite a reach from the description of hidden windows I supplied! How many hidden windows does ME Pro report for you? Anyone else taken a look? Any thoughts on my hard evidence of Stiletto versus ME Pro? -- Terry, East Grinstead, UK Quote Link to comment Share on other sites More sharing options...
terrypin Posted November 12, 2009 Author Report Share Posted November 12, 2009 As I said: Macro Express Pro does not keep a list of windows. When you ask for the list via a macro command, Macro Express Pro asks Windows for the list of windows. The list is not held in a file, a cache or registry keys. Do you have another program that enumerates the visible and hidden windows currently running? If so, tell us what it shows. As I mentioned, Stiletto reports a total of 51 open windows. The names are a mixture of the obvious ones I know about (open or minimised) and the rest I assume must be what ME Pro calls 'hidden'. BTW, is that an ME Pro term? Googling has so far not delivered me anything relevant on Windows' 'Hidden windows'. I've also posted a question about it in an XP Usenet newsgroup and in the SysInternals Forum. -- Terry, East Grinstead, UK Quote Link to comment Share on other sites More sharing options...
kevin Posted November 13, 2009 Report Share Posted November 13, 2009 The Windows API's have some kind of visible property. We may have chosen the term 'hidden'. The windows shown are all reported by Windows. Macro Express Pro does nothing other than request the list of windows via the Windows EnumWindows API (may not be the exact name). It may be that Stilletto is only listing visible windows. Nonetheless, the list of windows you are seeing is the list of windows reported by Windows itself. Quote Link to comment Share on other sites More sharing options...
paul Posted November 13, 2009 Report Share Posted November 13, 2009 Thanks, but I don't see any evidence of viruses, trojans or malware of any sort. This PC is well-protected in several complementary ways. That's not to say it's impregnable, but your speculation is quite a reach from the description of hidden windows I supplied! With respect, if this "well-protected" PC is the same one whose behaviour you have so often questioned, then I take your assertions with much salt! Over the last several months you have reported many problems that I and others have been unable to reproduce. I believe both Cory and I have suggested you rebuild your machine. I look forward to hearing that you've done that. Of course, if this is a different machine, then the above comments don't apply. Quote Link to comment Share on other sites More sharing options...
paul Posted November 13, 2009 Report Share Posted November 13, 2009 Thanks, but I don't see any evidence of viruses, trojans or malware of any sort. This PC is well-protected in several complementary ways. That's not to say it's impregnable, but your speculation is quite a reach from the description of hidden windows I supplied! With respect, if this "well-protected" PC is the same one whose behaviour you have so often questioned, then I take your assertions with much salt! Over the last several months you have reported many problems that I and others have been unable to reproduce. I believe both Cory and I have suggested you rebuild your machine. I look forward to hearing that you've done that. Of course, if this is a different machine, then the above comments don't apply. Quote Link to comment Share on other sites More sharing options...
terrypin Posted November 13, 2009 Author Report Share Posted November 13, 2009 With respect, if this "well-protected" PC is the same one whose behaviour you have so often questioned, then I take your assertions with much salt! Over the last several months you have reported many problems that I and others have been unable to reproduce. I believe both Cory and I have suggested you rebuild your machine. I look forward to hearing that you've done that. Of course, if this is a different machine, then the above comments don't apply. Also with respect, you really have got a thing about this, haven't you? (I don't just mean the double post. It seems you're always banging on about it! ) I'm sure there are some quirks on my system that a 'rebuild' as you call it would fix. (Not malware or viruses, which are completely different issues. I still believe that I have a clean system in that context.) But rebuild at what cost? When I changed my PC last time it took me months to get my scores of major and hundreds of minor programs running, configured and tweaked to my satisfaction. I'll repeat that when I'm ready, but it sure won't be for a long time yet. And certainly not to prove/disprove a few bugs in ME Pro, which BTW is where most of these quirks seem to arise! Also, I'd remind you that several times in the past I've raised what seem to be obscure issues, prompting superficial initial responses along the lines of 'it must be your PC'. Yet later these have turned out to be ME Pro bugs. Now, back on topic. I'm ready to believe that there's absolutely nothing wrong with ME Pro's reporting of these mysterious 'hidden' windows. But as I've raised some solid points that appear to contradict that, it would be good to get some equally solid evidence from the other side. So far I've not had any other relevant user feedback. Could you take a couple of minutes to check whether 1. Your list looks reasonable, i.e mostly recognisable. (How many, at a 'typical' stage of your work?) 2. It becomes minimal when you close most apps and restart ME Pro, ideally also after a reboot. (How many then?) Also, I'm trying to learn more about this Window entity called a 'hidden window' (or maybe 'invisible' window), so far without success. So any insights you or other technically adept users have would be much appreciated please. -- Terry, East Grinstead, UK Quote Link to comment Share on other sites More sharing options...
paul Posted November 13, 2009 Report Share Posted November 13, 2009 On a very new Windows 7 x64 system, 143 windows (repeat with ALL windows) Quote Link to comment Share on other sites More sharing options...
rberq Posted November 13, 2009 Report Share Posted November 13, 2009 Win XP and ME3, right after reboot, "nothing" running: 34 hidden windows. (repeat with hidden windows). Most of them are more or less identifiable. Quote Link to comment Share on other sites More sharing options...
Cory Posted November 13, 2009 Report Share Posted November 13, 2009 Vista is more secure. .................................................. Do you find that Vista is less susceptible to malware than XP?I have not had to disinfect any Vista machines yet. But the grain of salt is that probably only about a third of the machines whose owners would come to me for help are Vista. The world wanted a more secure OS and when MS gave them what they want the world turned their backs on it because the developers of the software and hardware didn’t want to get on board with adopting the new security measures and to the users it appeared that it was Vista’s fault. The other thing is that cheap people are the ones who skimp on security software, EG AVG Free and tend to buy crap hardware and bootleg crap. It’s hard to bootleg Vista so the folks who are proud of the fact that they have never had to pay for a Windows license opted to stay with XP. Unfairly this somehow gives them license to complain. My point is are Volvos inherently safer cars or is it because they have a reputation of being safe which only appeals to safe drivers? Quote Link to comment Share on other sites More sharing options...
Cory Posted November 13, 2009 Report Share Posted November 13, 2009 Here’s what I found. ............................................. Right now I have about 20 icons in the task bar but I also have taskbar open as well. Using the window browser MEP shows 29 visible and about 3000 hidden. Many of these hidden windows have many duplicates. Additionally there are many hidden windows appearing that were once visible windows I closed. IE many Outlook email items. Also some items for processes that are no longer running. In fact I have one here from a program I uninstalled this morning! I closed MEP and the hidden window count went down about 10. I logged off/on and I have 16 visible and 133 hidden. But I think the question here is if MEP is incorrectly displaying 3000 hidden windows or if there are indeed Windows is reporting 3000 hidden windows. I think we need to find another app that will tell us how many there are. I looked in Process Monitor but found no such facility. Quote Link to comment Share on other sites More sharing options...
Cory Posted November 13, 2009 Report Share Posted November 13, 2009 A funny. ................................... I searched myself and the first hit in Google was your post in the Sysinternals forum! Quote Link to comment Share on other sites More sharing options...
Cory Posted November 13, 2009 Report Share Posted November 13, 2009 I found a simple utility ........................................ http://software.filestube.com/download,7bf2c89d.html I ran this and found a total of about 900 windows when MEP only shows 185 in total. Here we can see the handle of each and the status. Most appear with a status of SW_HIDE and visible are SW_SHOWNORMAL. Many of the ones which appear redundant have additional text of (Disabled). I think these disabled windows might constitute the build up. Maybe MEP just needs to add the option to filter out the disabled windows. R maybe it is and that’s the difference between 900 and 185. Maybe Windows doesn't really destroy windows but keeps the handle handy for reuse or something. I'll let it run for awhile and see if it echoes what MEP is listing. Dang, I wish I could export this list for comparison. Quote Link to comment Share on other sites More sharing options...
terrypin Posted November 13, 2009 Author Report Share Posted November 13, 2009 I found a simple utility........................................ http://software.filestube.com/download,7bf2c89d.html I ran this and found a total of about 900 windows when MEP only shows 185 in total. Here we can see the handle of each and the status. Most appear with a status of SW_HIDE and visible are SW_SHOWNORMAL. Many of the ones which appear redundant have additional text of (Disabled). I think these disabled windows might constitute the build up. Maybe MEP just needs to add the option to filter out the disabled windows. R maybe it is and that's the difference between 900 and 185. Maybe Windows doesn't really destroy windows but keeps the handle handy for reuse or something. I'll let it run for awhile and see if it echoes what MEP is listing. Dang, I wish I could export this list for comparison. Thanks Cory - great find! I'd been searching for something like that without success. That reports 480 windows here - putting ME Pro's 211 into the shade No idea what most of them mean. The list includes the bizarre one I reported earlier, 'You are using a Pirated Licence Key', adding the string 'TPiratedLicenceKeyWarningForm.UnicodeClass'. Will study more closely tomorrow. BTW, I had a DrWatson intervention while running it. More precisely, it was while capturing the list with Snagit. Very odd though, can't recall ever seeing anything like that before. The capture (to clipboard) continued, which is why I can report that there are 480 names in the list. But I had to forcibly close DrWatson (two entries) in XP TM before I could contine normal working. Cue Paul... Another strand to the discussion: why does ME Pro offer these largely obscure hidden windows for Scoping? ME 3 didn't. What's the intention, the potential usefulness? -- Terry, East Grinstead, UK Quote Link to comment Share on other sites More sharing options...
terrypin Posted November 14, 2009 Author Report Share Posted November 14, 2009 FWIW, here are some random examples of the entries I had from using Wndlist.exe : No. of occurrences, Window name 59 tooltips_class32 130 TPUtilWindow 56 MozillaWindowClass 21 M' MSCTFIME UI 3 Internet Explorer_Hidden 8 GDI+ Window' GDI+ Hook Window Class 1 FancyMenuHiddenWnd 1 FirefoxMessageWindow 56 Default IME' IME 1 #32769 [Desktop] 1 Avira AntiVir Personal - Free Antivirus - SysTray' Afx:00400000:0 4 Auto-Suggest Dropdown 1 Afx:00400000:0:00010011:01100060:00000000 9 ComboLBox 1 Connections Tray' Connections Tray etc Total 497 ME Pro, using All Windows, listed only 183 (161 Hidden). So that's consistent with your test, Cory - although your number of 3,000 is in a different league! WinSpy is another tool that might be useful here, although I've so far not been able to get a consolidated list. Here's a simple macro for listing hidden windows via ME Pro in Notepad: HiddenWindows.mex So far nothing useful has emerged from all this for me! Can anyone suggest a useful application of a macro operating on hidden windows? -- Terry, East Grinstead, UK Quote Link to comment Share on other sites More sharing options...
rberq Posted November 14, 2009 Report Share Posted November 14, 2009 Can anyone suggest a useful application of a macro operating on hidden windows? Just for fun, how about using the ME command to UNHIDE a few of them? Quote Link to comment Share on other sites More sharing options...
Cory Posted November 15, 2009 Report Share Posted November 15, 2009 I think it’s a common util. ........................... I believe the window picker is a common utility used in many places. Of course you are not likely to scope to a hidden window but in the case you were using If Window Exists you might want to know about hidden windows. I know you don’t want to hear this but the fact that the good doctor is paying you a visit is another indication that your system has problems. Quote Link to comment Share on other sites More sharing options...
paul Posted November 15, 2009 Report Share Posted November 15, 2009 I know you don't want to hear this but the fact that the good doctor is paying you a visit is another indication that your system has problems. I'm not convinced about this! I've seen many Dr.Watson dumps (though not recently since I've chosen to disable the venerable quack) caused by problems in the software I'm using at the time, eg. Firefox, Microsoft Access, etc. Even my new installation of Windows 7 Professional x64 has produced a few dumps (though I'm extremely impressed by this new OS and would, without hesitation, recommend it over any of its predecessors). And, BTW, ME4 runs much faster for me. Quote Link to comment Share on other sites More sharing options...
terrypin Posted November 15, 2009 Author Report Share Posted November 15, 2009 Just for fun, how about using the ME command to UNHIDE a few of them? I sat down at my PC this morning with exactly that thought, Bob, and saw your post. My vague idea was along the lines of an interactive macro that would step through all my hidden windows, inviting me to perform various operations on each one in turn. Such as unhide, place on top, activate - even close, if I felt brave enough! But that means first getting comfortable with multiple choce commands (and maybe even 'dynamic macros' if that's the right term), areas I have little experience with. But I'll try out a few simple commands anyway. Edit: I made a start with a simple macro to unhide a window after prompting the user for a (partial) name. Unhide_a_window.mex -- Terry, East Grinstead, UK Quote Link to comment Share on other sites More sharing options...
rberq Posted November 15, 2009 Report Share Posted November 15, 2009 I sat down at my PC this morning with exactly that thought, Bob I looped through the whole hidden list, unhiding and putting on top for two seconds then hiding again. Many were simply a little piece of a title bar. Many others were a title bar with a window frame but nothing in it. Some of the empty windows were transparent, some were opaque. Nothing exciting appeared except the laptop Power Meter. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.