Perfmon

September 6, 2005 10:11:13 AM

Archived from groups: microsoft.public.windowsxp.perform_maintain (More info?)

Is perfmon.exe a critical system file?
Or would the computer still be able to boot properly if the file has been
removed from the system (including the registry entries - all of them
regarding perfmon)

Situation:
Windows Server 2003, had a virus attack, junior administrator deleted the
virus "perfhmon.exe" from the system and all registry entries, but in doing
so also deleted the legitimate "perfmon.exe" and its registry entries.
I would like to know how I may be able to re-install the files and their
corresponding registry entries.

Any help would be greatly appreciated.
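
The mix-up described in this post, a malicious "perfhmon.exe" sitting next to the legitimate "perfmon.exe", can be triaged by name and location before anything is deleted. The following is an added example, not part of the original thread; the C:\WINDOWS install path, the allow-list and the sample listing are assumptions constructed for illustration.

```python
import ntpath

# Assumption for this example: Windows is installed in C:\WINDOWS and these
# are the only folders where the listed names are expected to live.
SYSTEM32 = r"c:\windows\system32"
EXPECTED = {
    "perfmon.exe": {SYSTEM32, SYSTEM32 + r"\dllcache"},
    "perfmon.msc": {SYSTEM32, SYSTEM32 + r"\dllcache"},
}

def edit_distance(a, b):
    """Levenshtein distance using two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def triage(path, max_distance=2):
    """Classify one full path: expected, misplaced, lookalike or unrelated."""
    folder, name = ntpath.split(path.lower())
    if name in EXPECTED:
        # Exact system name: only the folder decides whether it is suspicious.
        return ("expected" if folder in EXPECTED[name] else "misplaced"), name
    for known in sorted(EXPECTED):
        # A near-miss name is a reason to inspect the file, not proof of malice.
        if edit_distance(name, known) <= max_distance:
            return "lookalike", known
    return "unrelated", None

def review_queue(paths):
    """Paths that need inspection; expected system files are never included."""
    flagged = []
    for p in paths:
        verdict, known = triage(p)
        if verdict in ("lookalike", "misplaced"):
            flagged.append((p, verdict, known))
    return flagged

# Constructed sample listing (not taken from the server in the thread).
SAMPLE = [
    r"C:\WINDOWS\system32\perfmon.exe",
    r"C:\WINDOWS\system32\perfhmon.exe",
    r"C:\WINDOWS\system32\dllcache\perfmon.exe",
    r"C:\Documents and Settings\user\perfmon.exe",
    r"C:\WINDOWS\system32\perfnet.dll",
]

if __name__ == "__main__":
    for path, verdict, known in review_queue(SAMPLE):
        print(f"{verdict:10} {path}  (resembles {known})")
```

Only the flagged paths go on to hash or signature checks and removal; the files classified as expected stay out of the clean-up list.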


Anonymous
September 6, 2005 4:03:31 PM

Machine should boot fine.

Windows File Protection should replace a perfmon.exe deleted from
%windir%\system32 with a copy from %windir%\system32\dllcache.

However if perfmon.exe is deleted from %windir%\system32\dllcache first,
that won't happen.

On XP Pro CD perfmon.exe is PERFMON.EX_ in the I386 folder.

I would assume that it is similar in 2003.

Expand PERFMON.EX_ from I386 folder to %windir%\system32

Expand PERFMON.EX_ from I386 folder to %windir%\system32\dllcache
or copy perfmon.exe from %windir%\system32 and paste in
%windir%\system32\dllcache

There is also a perfmon.msc, perfmon.ms_ on CD. Same deal

Expand PERFMON.EX_ from I386 folder to %windir%\system32

perfmon.exe should be in %windir%\system32 and %windir%\system32\dllcache


--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

September 12, 2005 11:05:20 AM

Thanks Wesley.

That is a huge relief, but I still have a huge concern about the registry
files that were removed (all "perfmon" entries were removed from the
registry). Is there any way to restore them from the Windows CD? (No backup
available.)

Anonymous
September 12, 2005 1:38:20 PM

Beats me. Does the Event Viewer work? Does the Performance (perfmon.msc)
snap-in work?

{72967903-68EC-11D0-B729-00AA0062CBB7} = WBEM PerfMon Property Provider
{F00B4404-F8F1-11CE-A5B6-00AA00680C3F} = WBEM PerfMon Instance Provider
Search of my registry for perfmon.
HKEY_CLASSES_ROOT\Applications\perfmon.exe
HKEY_CLASSES_ROOT\CLSID\{72967903-68EC-11D0-B729-00AA0062CBB7}
HKEY_CLASSES_ROOT\CLSID\{F00B4404-F8F1-11CE-A5B6-00AA00680C3F}
HKEY_CLASSES_ROOT\PerfFile\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\perfmon.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72967903-68EC-11D0-B729-00AA0062CBB7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F00B4404-F8F1-11CE-A5B6-00AA00680C3F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PerfFile\shell\open\command
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application
Sources
REG_MULTI_SZ
WSH
WMIAdapter
WmdmPmSN
WinMgmt
Winlogon
Windows Product Activation
Windows 3.1 Migration
WebClient
VSS
VBRuntime
Userinit
Userenv
UploadM
UPHClean
Tlntsvr
SysmonLog
SpoolerCtrs
Software Installation
SclgNtfy
SceSrv
SceCli
safrslv
SAFrdms
PerfProc
PerfOS
PerfNet
Perfmon
Perflib
PerfDisk
Perfctrs
Offline Files
Oakley
Ntbackup.ini
ntbackup
NeroCheck
MsiInstaller
MSDTC Client
MSDTC
mnmsrvc
Microsoft Office 10
Microsoft H.323 Telephony Service Provider
LoadPerf
HelpSvc
Folder Redirection
File Deployment
EventSystem
ESENT
EAPOL
DrWatson
DiskQuota
DataDynamics ActiveBar 1.0
crypt32
COM+
Ci
Chkdsk
Avg7UpdSvc
Avg7Alrt
AVG7
AutoEnrollment
Autochk
Application Management
Application Hang
Application Error
Application
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\Perfmon
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\Application
same as ControlSet001\Services\Eventlog\Application
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\Application\Perfmon
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application
same as ControlSet001\Services\Eventlog\Application
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\Perfmon


--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

September 13, 2005 4:54:02 AM

Thanks for your timely response. I will try adding those entries to my
registry and see if it works.

Are the IDs similar to this "72967903-68EC-11D0-B729-00AA0062CBB7" SIDs?
Or are they the same on every installation?

Event Viewer seems to be working fine, and everything else (including
perfmon.msc). The problem I am having is with the "Performance Logs and
Alerts" service. I get the following error when trying to run the service:
"Configuration Manager: A required entry in the registry is missing or an
attempt to write to the registry failed" and "The system cannot find the
file specified".

I ran a search on the system for "perf"; these are what I found:
perfc009.dat
perfci.h
perfci.ini
perfcounter.dll
perfctrs.dll
perfd009.dat
perfdisk.dll
perffilt.h
perffilt.ini
perfh009.dat
perfi009.dat
perfmon.exe
perfmon.msc
perfnet.dll
perfnw.dll
perfos.dll
perproc.dll
perfstingbackup.ini
perfts.dll
perfwci.ini

all located in the system32 folder.

Anonymous
September 13, 2005 9:51:25 PM

They are CLSIDs and they need to be inside the accolades {inside here}.
Short for Class ID. CLSIDs can identify a lot of things, such as special
folders or processes.

{20D04FE0-3AEA-1069-A2D8-08002B30309D} is My Computer
{85BBD920-42A0-1069-A2E4-08002B30309D} is Briefcase

All kinds of things have a CLSID. They are a Globally Unique IDentifier.

For your Configuration Manager problem...

You need to have the Event ID & the Event Source.

To view Windows XP Events and Errors, type the Source (for example, Print)
and/or the Event code (for example, 20) into the ID field, then click the Go
button. Source and Event codes may be found in the Event Viewer logs.

Windows XP Home/Professional Events and Errors
http://www.microsoft.com/technet/support/ee/search.aspx...


--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

September 16, 2005 11:31:09 AM

Solved:
Well, luck had it that we had a power outage for a substantial time.
When the systems came back online the perfmon issues were resolved.
Note that prior to the power outage, the following CLSIDs were re-created
manually (from a separate Windows 2003 Server installation):

HKEY_CLASSES_ROOT\Applications\perfmon.exe
HKEY_CLASSES_ROOT\CLSID\{72967903-68EC-11D0-B729-00AA0062CBB7}
HKEY_CLASSES_ROOT\CLSID\{F00B4404-F8F1-11CE-A5B6-00AA00680C3F}
HKEY_CLASSES_ROOT\PerfFile\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\perfmon.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72967903-68EC-11D0-B729-00AA0062CBB7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F00B4404-F8F1-11CE-A5B6-00AA00680C3F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PerfFile\shell\open\command
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application

The following files were also re-created manually (also from a very old
backup, and again another Windows 2003 Server installation):

perfc009.dat
perfci.h
perfci.ini
perfcounter.dll
perfctrs.dll
perfd009.dat
perfdisk.dll
perffilt.h
perffilt.ini
perfh009.dat
perfi009.dat
perfmon.exe
perfmon.msc
perfnet.dll
perfnw.dll
perfos.dll
perproc.dll
perfstingbackup.ini
perfts.dll
perfwci.ini

The system obviously re-established the connection to the files, and
automatically re-created certain entries for the service.
Whether or not any of my "tampering" solved the problem is unclear; it could
be that Windows will re-create the missing entries as part of the Windows
protected files system (similar to what happens when the WMI entries are
removed).

Thanks Wesley Vogel for all your assistance!!
