7

I am trying to find out why this process appeared during 2 boot occasions. Autoruns does not show it anywhere. It appeared when I uninstalled google chrome and malwarebytes.

The prefetch file for makecab.exe (makecab is an official Microsoft process) showed it was created yesterday and modified today (it ran once today and yesterday very briefly, no more than 10 seconds at boot). I've uninstalled the 2 programs before at the same time in the past multiple times, and have never seen this process.

However, usually I delete EVERY file associated with those programs, including registry, when I uninstall them. Is there any reason why makecab.exe would run? I've used Process Explorer, but the process starts and ends too quickly for me to see what starts it. However, it's only twice I've seen it appear, and that's after uninstalling Chrome and MBAM; both times I did not have Process Explorer ready.

Should I be worried about this? Or has it a legit reason for running? It doesn't seem to run unless I've uninstalled anything (however, it doesn't happen all the time when I do).

I haven't made any changes to my PC other than downloading Malwarebytes, which I have done before fine without a problem.

Other areas I posted this say it's something that cleans up the MSI install package.

I've noticed it begins around the same time as the Windows Modules Installer (comparing prefetch file to Event Viewer).

I haven't added any programs, only saw this after uninstalling these programs, but as I said I usually delete the files manually. I've uploaded the versions of makecab onto VirusTotal and they're all clean.

I couldn't find anything in the registry other than a value which listed various system processes, however exporting it as a text file shows it hasn't been edited for years.

How can I find out what is starting it? I've rebooted various times with Process Explorer and nothing happened. I installed Malwarebytes to scan, did a full scan and found nothing, and installed Chrome again. After the scan, I uninstalled the 2, and then while NOT using Process Explorer, but the normal Task Manager, I saw it again after I rebooted.

Is there a way I can make Process Explorer extend the time it shows killed processes? Is it likely the given explanation above is true?

7
  • If this isn't something you configured to happen, then you should be worried, provided this is a personal machine that nobody has physical access to. I would just remove the entry in the registry that is starting the process if this isn't something you want run when your user profile is logged into. I can tell you with 100% accuracy that Chrome and Malwarebytes DID NOT add this entry to the registry.
    – Ramhound
    Commented Jul 23, 2014 at 11:52
  • Other areas I posted this say it's something that cleans up the MSI install package. (Full comment on post)
    – Keyes
    Commented Jul 23, 2014 at 14:00
  • What full comment? You just quote a statement. I have no idea who made that statement and in what context. You asked if you should be worried and I provided an answer to your question. Due to quality problems it's not worthy of being published as an answer.
    – Ramhound
    Commented Jul 23, 2014 at 14:05
  • Sorry, what I meant to say is that someone on the Security Stack Exchange said it could be that. My "full" comment was just a small edit of info from me.
    – Keyes
    Commented Jul 23, 2014 at 14:29
  • I have done more reboots and it is not beginning. Is it possible that the process is made to remove the installer from the Windows\Installer folder?
    – Keyes
    Commented Jul 23, 2014 at 15:07

2 Answers

13

Windows runs makecab.exe to reduce the size of the old CBS log file. You can find compressed CBS.cab files under C:\Windows\logs\CBS. Windows scans for updates at start, so it detects logs that are too large and compresses them.

https://i.sstatic.net/oyI3S.png

So nothing is wrong.

6
  • Okay, but how come this is the first time I've seen it? Do prefetch files last forever? I noticed a prefetch file had been created for makecab 30 minutes after the boot, so why did it run on that 3rd occasion so late? Checking Event Viewer again, I found the Windows Modules Installer service had begun as well. Edit: I had a read through the CBS log, cbs.txt and deepclean.txt; all the logged times are when I recalled the process running. Now I know what was happening. Thank you, however how come this is the first time I've noticed this?
    – Keyes
    Commented Jul 23, 2014 at 20:56
  • Would you have any comment to make on my comment above towards the topic?
    – Keyes
    Commented Jul 23, 2014 at 23:07
  • I have no idea why you have never seen this before.
    Commented Jul 24, 2014 at 4:12
  • Do prefetch files last forever? And is it okay for it to run after boot sometimes? I found the prefetch was modified 20-30 mins after boot, but I may be wrong (I'm not sure if Task Manager records time before and after restarts or just after).
    – Keyes
    Commented Jul 24, 2014 at 12:25
  • 1
    I just deleted all files from C:\Windows\logs\CBS, because the makecab.exe process never ends and soon temp files take all free space on the system drive. Windows 7 SP1 x64.
    – Zam
    Commented Oct 31, 2016 at 19:35
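
An added example, not part of the original answer or comments: one way to check the explanation above on your own machine is to line up the makecab.exe prefetch timestamps with the `.cab` archives in the CBS log folder and with Windows Modules Installer service starts. The 10-minute tolerance, the `CbsPersist` naming mentioned in the comment, and the English service display name used for filtering are assumptions.

```powershell
# Added example: correlate makecab.exe runs with CBS log compression.
# Run from an elevated prompt; requires PowerShell 3.0 or later.
# Paths assume a default Windows install.
$cbsDir      = Join-Path $env:windir 'Logs\CBS'
$prefetchDir = Join-Path $env:windir 'Prefetch'
$windowMin   = 10    # assumed tolerance in minutes between events

# Compressed CBS archives (typically named CbsPersist_<timestamp>.cab)
$cabs = Get-ChildItem -Path $cbsDir -Filter '*.cab' -ErrorAction SilentlyContinue

# Prefetch entries for makecab: CreationTime = first run, LastWriteTime = latest run
$pf = Get-ChildItem -Path $prefetchDir -Filter 'MAKECAB.EXE-*.pf' -ErrorAction SilentlyContinue
if (-not $pf) { Write-Warning 'No makecab prefetch file found (prefetch disabled or cleared).' }

# Service state changes (System log, event ID 7036); the message text is
# locale dependent, so the filter below assumes an English system.
$tiStarts = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7036
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*Windows Modules Installer*running*' }

foreach ($p in $pf) {
    $stamps = @($p.CreationTime, $p.LastWriteTime) | Sort-Object -Unique
    foreach ($stamp in $stamps) {
        $nearCab = $cabs | Where-Object {
            [math]::Abs(($_.LastWriteTime - $stamp).TotalMinutes) -le $windowMin
        }
        $nearSvc = $tiStarts | Where-Object {
            [math]::Abs(($_.TimeCreated - $stamp).TotalMinutes) -le $windowMin
        }
        [pscustomobject]@{
            Prefetch      = $p.Name
            MakecabRun    = $stamp
            CabWritten    = if ($nearCab) { ($nearCab | ForEach-Object { $_.Name }) -join ', ' } else { '(none)' }
            InstallerSvc  = if ($nearSvc) { ($nearSvc | ForEach-Object { $_.TimeCreated }) -join ', ' } else { '(none)' }
        }
    }
}
```

A makecab run with a matching `.cab` and a matching service start is consistent with CBS log compression; a run with neither is the one worth investigating further, for example with boot logging in a process monitor.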
0

I just noticed the same thing and think I know why I got such a high CPU, memory, and disk i/o for about 5 minutes after doing a few uninstalls. After I uninstalled I rebooted and then ran CCleaner. I had the setting set to delete the windows logs also. After the next reboot I noticed the makecab.exe with all this activity. I believe it was the logs rewriting themselves and setting up new pathways to write logs. You may or may not have done something similar when doing the uninstall and manual removal of files.
