Aw man! So the problem was the cmd executable. I booted to my BartPE CD and immediately did Win+R to run a command line. Well apparently when you do that in Bart, it defaults to running it off the C drive. I saw some odd errors pop up and cmd.exe would not run. Running cmd.exe from the Bart CD worked fine however. So I replaced the cmd.exe on the server with the one from the CD. I had no strange problems renaming or deleting files while running Bart, and the psutils that didn't work before ran fine. Here's the "Aw Man!" part. This server uses a HostRAID. When in Bart, I see all the hard drives independently, non-RAID'd. I renamed the original cmd.exe on the C drive so I could upload it to an online virus scanning site after rebooting. I should have backed it up. When I rebooted the server the RAID must have corrected the discrepancy by deleting the cmd2.exe file that only existed on one of the two drives housing the OS. Doh.
Otherwise all the trouble I had before is now gone. It could have simply been corrupted, but I will be keeping a close eye on this server and doing some follow up tomorrow.

-- Mike Gill

From: Richard Stovall [mailto:[email protected]]
Sent: Monday, June 07, 2010 5:23 PM
To: NT System Admin Issues
Subject: Re: Strange CMD, and permissions troubles, Can-o-worms

This sounds awfully suspicious. Do you have a good backup of the volume in question? Without knowing any more, and assuming I had a good backup, I'd try a simple reboot first. If that failed to correct the problem(s) I'd look to begin some serious malware / rootkit detection from multiple vendors. Just for giggles, what happens if you download the newest versions of the pstools to a brand new location? Can you run them from there?

On Mon, Jun 7, 2010 at 7:56 PM, Mike Gill <[email protected]> wrote:

Wow, I opened a can of worms. In looking into an issue on my Win2K3 file server, I found that I can't run a certain application from the command line that I can from Explorer. It exists in the Program Files folder and I'm logged in as Administrator. The error message on the command line simply says Access Denied. Procmon shows the event, and declares the following results on the exe: Name Invalid, Invalid Parameter, Fast IO Disallowed, Buffer Overflow. This runs from the GUI just fine, so I don't think the problem is with the exe.

The next part (no idea if it's related) is I tried running some other commands in diagnosing the above dilemma that also don't work. A few, but not all, of the Sysinternals PS utils don't work. What's more, when I right click and choose properties of one of the psutils that doesn't work, the security tab is non-existent. I can't delete/move/rename the file either. I've tried takeown, icacls, nothing lets me do anything with it. One thing that's different from the first issue is I can't run them from the GUI. Says I don't have permission either way. Chkdsk shows no errors. AV scans show no problems. The security tab is visible on other items, just not the ones I've discovered so far with this problem. The PS utils that don't work do work when run from another folder. CMD.exe appears identical to the same file on another server. In a few minutes I will be able to take the server down as people go home. Then I can try an offline delete. Any thoughts? Never seen this before.

-- Mike Gill
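An added example, not part of the thread above: a PowerShell check a defender would run on a suspect system binary such as the cmd.exe discussed here, comparing its SHA-256 against a known-good copy (from install media or a clean server) and recording owner, version and timestamp before anything is rebooted or rewritten by the array. Both file paths are assumptions.

```powershell
# Added example, not from the thread. Compares a suspect system binary against a
# known-good copy and records the metadata an admin would want before a reboot.
# Both paths are assumptions; adjust them to the server being checked.
$Suspect   = 'C:\WINDOWS\system32\cmd.exe'
$KnownGood = 'D:\cleancopy\cmd.exe'   # assumed: copied from install media or a clean server

function Get-Sha256Hex([string]$Path) {
    # Uses .NET directly so it also works on PowerShell 2.0 (no Get-FileHash there).
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

function Get-BinaryReport([string]$Path) {
    # Hash plus the attributes that change when a file is swapped or its ACL is damaged.
    $item = Get-Item -LiteralPath $Path
    New-Object PSObject -Property @{
        Path     = $Path
        Sha256   = Get-Sha256Hex $Path
        Size     = $item.Length
        Version  = $item.VersionInfo.FileVersion
        Owner    = (Get-Acl -LiteralPath $Path).Owner
        Modified = $item.LastWriteTimeUtc
    }
}

$s = Get-BinaryReport $Suspect
$g = Get-BinaryReport $KnownGood
$s | Format-List

if ($s.Sha256 -ne $g.Sha256) {
    # Keep the evidence somewhere the RAID cannot reconcile it away (the mistake described in the thread).
    Write-Warning "SHA-256 of $Suspect differs from known-good copy $KnownGood; copy it off-box before rebooting"
} else {
    "Hash of $Suspect matches the known-good copy"
}
```

A matching hash rules out a swapped binary but not a damaged ACL or filter driver, so the owner and timestamp fields are worth keeping alongside the hash.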
