STISVC.EXE in triggering Event Logs

    Question

  • Dear All,

    I am a Security Analyst for a firm, and I need to figure out an event log message:

    19:47:45 Local3.Emerg <ServerIP> 5:30:00 [0] Category:(0); User:; The message '0' for application '' could not be formatted using library(ies): 'C:\WINDOWS\system32\stisvc.exe'. The log entry contains the following replacement strings:

    Note: <ServerIP> is just an IP address of mine.

    This is received on a central SYSLOG server of mine, and the server logging this alert is configured to function as a File Server (MS 2003 Enterprise). I did some web search and found that STISVC is not a harmful executable and also not required for the operating system (correct me if I am wrong). And even I cannot remove it, because then it needs removal of the OS itself.

    Please help me understand this message. I could also not trace it back in the Server's Event Logs (maybe I am not able to).

    Thanks in advance.

    Regards


    Nutan Vishwakarma (IT Security Consultant)
    Tuesday, April 26, 2011 6:31 PM

All replies

  • Hi Nutan,

    Stisvc.exe is a Windows file created by Microsoft. The file is usually found in the C:\Windows\system32\stisvc.exe folder. If you find it anywhere else, please note that stisvc.exe could be a virus, trojan, worm, or spyware. Scan your computer with antivirus software to make sure it is not infected.


    Thanks and Regards
    Scorpio_Milo
    MCTS: Windows Vista | Exchange Server 2007
    MCITP: Enterprise Support Technician
    MCITP: Server & Enterprise Administrator
    Microsoft Infrastructure Consultant
    Enterprise Service: Solution Architect
    Microsoft Storage Team - File Cabinet Blog
    My Blog
    Wednesday, April 27, 2011 3:42 AM
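As an added example (not code from this thread), here is a small Python triage helper for the forwarded line format quoted in the question: it splits the line into its fields, pulls out the library path(s) named in the "could not be formatted" message, and applies the location check from the reply above (the file is expected under system32). The line layout and the 192.0.2.10 host address are assumed or constructed for the sample.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: the syslog line from the question, with a placeholder host IP.
SAMPLE_LINE = ("19:47:45 Local3.Emerg 192.0.2.10 5:30:00 [0] Category:(0); User:; "
               "The message '0' for application '' could not be formatted using "
               "library(ies): 'C:\\WINDOWS\\system32\\stisvc.exe'. "
               "The log entry contains the following replacement strings:")

# Assumed layout of the agent's line: time, facility.severity, host, agent time,
# [event id], Category:(n); User:<name>; free-text message.
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) (?P<facsev>\w+\.\w+) (?P<host>\S+) "
    r"(?P<agent_time>\S+) \[(?P<event_id>\d+)\] Category:\((?P<category>\d+)\); "
    r"User:(?P<user>[^;]*); (?P<message>.*)$"
)
# The message names the library file(s) the agent tried; capture every quoted path.
LIB_RE = re.compile(r"library\(ies\): (?P<libs>(?:'[^']*'(?:, )?)+)")


def parse_event_line(line):
    """Split one forwarded Windows event line into its fields, or return None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["event_id"] = int(fields["event_id"])
    fields["category"] = int(fields["category"])
    libs = LIB_RE.search(fields["message"])
    fields["libraries"] = re.findall(r"'([^']*)'", libs.group("libs")) if libs else []
    return fields


def library_location_findings(libraries, system_dir="C:\\Windows\\system32"):
    """Flag any named library that is not inside the expected system directory.
    A copy of this file outside system32 is what the reply says to treat as suspect."""
    expected = [part.lower() for part in PureWindowsPath(system_dir).parts]
    findings = []
    for lib in libraries:
        parent = [part.lower() for part in PureWindowsPath(lib).parent.parts]
        # Windows paths are case-insensitive, so compare lowercased components.
        verdict = "expected location" if parent == expected else "OUTSIDE system directory: verify file"
        findings.append((lib, verdict))
    return findings


if __name__ == "__main__":
    parsed = parse_event_line(SAMPLE_LINE)
    print(parsed["event_id"], parsed["user"], library_location_findings(parsed["libraries"]))
```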
  • Hi Scorpio_Milo

    Thanks for the input. In my case it seems legitimate; it is at C:\Windows\system32\stisvc.exe. I have pasted the Event-log message exactly the same as it appears in my syslog server.

    Please revert if more information is required for elaboration. Please help me understand this message.

    Warm Regards,


    Nutan Vishwakarma (IT Security Consultant)
    Wednesday, April 27, 2011 6:48 PM
  • Hi,

    Be careful with this one. It could be a virus.

    stisvc is a Windows service; however, it may not even be installed on your computer. I am having a similar problem with WinXP. DCOM is attempting to run stisvc, but it does not even exist on these computers. And additionally, the image service is disabled.

    I suspect that trying to run stisvc, when no image work such as scanners or cameras is being done, is a virus symptom. It appears that some of the viruses are inserting keys that would cause attempts to run stisvc. Like this:

    • [HKEY_LOCAL_MACHINE\SOFTWARE\FuckYou\DComLaunch]
      • CoInitializeSecurityParam = 0x00000001
      • DefaultRpcStackSize = 0x00000008
    • [HKEY_LOCAL_MACHINE\SOFTWARE\FuckYou]
      • HTTPFilter = "HTTPFilter"
      • LocalService = "Alerter WebClient LmHosts RemoteRegistry upnphost SSDPSRV"
      • NetworkService = "DnsCache"
      • netsvcs = "6to4 AppMgmt AudioSrv Browser CryptSvc DMServer DHCP ERSvc EventSystem FastUserSwitchingCompatibility HidServ Ias Iprip Irmon LanmanServer LanmanWorkstation Messenger Netman Nla Ntmssvc NWCWorkstation Nwsapagent Rasauto Rasman Remoteaccess Schedule
      • DcomLaunch = "DcomLaunch TermService"
      • rpcss = "RpcSs"
      • imgsvc = "StiSvc"
      • termsvcs = "TermService"


    To summarize, I think stisvc is not a virus, and probably not infected.  HOWEVER, it appears to be a symptom of a virus if your computer is trying to run this service when it should not be.


    Monday, May 23, 2011 2:47 PM