# Windows Update does it again: Disappearing Desktop Icons



## RoutedScripter (Jul 31, 2012)

Hello

After I installed a ton of security updates, taking care to only install certain critical ones and nothing else, the hardcoded icons disappeared during reboot: those icons that you drag out of the Start menu so that it automatically creates them, and the network icon that you right-click in the Start menu and select "show on desktop".

But there was also a freeze during the update process. When rebooted, it redid the stuff that it does at boot, so I think it was fine, but the icon thing happened. It always has to be something.

I so hate Windows Update. I haven't updated for half a year, and now I did a manual, careful update, and I think I will never do it again for Win7 EVER on this PC.

Icons keep disappearing after a certain period of days while several sessions passed. Let's say every 5 days or a week, 3 times now. I want to have my system stuff out like Control panel, add remove programs, all the sys stuff.


EDIT: Exact icons are "network" "sound" and "programs and features"

Found something: it can be certain settings for icon cleanup.

http://social.technet.microsoft.com.../thread/ada5d392-2af7-43c3-9191-08baf63f0098/

Stupid updates messing with my settings


----------



## GSquadron (Jul 31, 2012)

Do you have a program called "infrarecorder" installed?


----------



## RoutedScripter (Jul 31, 2012)

No


----------



## qubit (Jul 31, 2012)

Couple of things:

Disappearing icons during normal use is not something that Windows tends to do, so there's a problem somewhere on your system.

Leaving Windows Update for so long is asking for problems. Set the updater to download critical updates, but install only when you say so. This way, Windows will be kept up to date and the updates will be a lot smaller, reducing the chance of something going wrong.

So, what's infrarecorder?


----------



## RoutedScripter (Jul 31, 2012)

Icons disappeared after the update. I know it was one of the 80+ updates.

The link I found on MSDN is about auditing the events that accounts do, and I will hunt down which process does it. But they say this issue happens on Monday. YES, today is Thursday, and I was only logged in yesterday morning for a short time and not again until today.

Damn you, Microsoft.

EDIT: I've set up the auditing for deleting and when it happens again it will trace what did it, need to wait a week or so.


----------



## RoutedScripter (Aug 14, 2012)

AHA Found it



> ```
> A handle to an object was requested.
> 
> Subject:
> ...
> ```



WmiPrvSe.exe ... definitely from a Windows update! What the heck are they messing with my stuff!

I haven't found anything about removing shortcuts, but I found some stuff about CPU spikes, which is quite a popular mainstream problem.



> A quick google search confirmed my assumption that this was the Windows Management Instrumentation (WMI) host process. In short, WMI can be used to query for system information, like processor usage, running processes, who is logged on, and all sorts of other information. The WMI host process runs WMI queries for any other process making them, so WmiPrvSE.exe was not itself the culprit, it was simply an intermediary.



Seems like some stuff can run through this program. Still, why on earth would Windows allow someone else to delete stuff like that?

The site suggests taking a look at Process Explorer from Sysinternals to find what's behind wmiprvse.exe.

Upd:
Well, actually this is the Windows Management Instrumentation service (winmgmt), and it has one vital service it depends upon that I use for my HDDs not showing as removable drives, by using the "Intel Rapid Storage Technology" application just to run in the background. I will disable the Intel service from running and will keep an eye on this for another week to see if it happens. All other services you see in the picture, such as IpHelper and Security Center, are disabled.







If there's someone doing it, it's WmiPrvSe itself, and it makes sense because of the update. Fuck you, Microsoft.

I would simply disable this whole service, but I don't know what it is, and I see it has some stuff for other apps that rely on it, but that's Microsoft's wording. I can find out if I really need this.

UPD:
Aha something about it - looks useless to me but we'll see, hopefully nothing critical will stop working.
http://msdn.microsoft.com/en-us/library/aa394582(v=vs.85).aspx

Also, the process that issued this delete was PID: 0x137c (I've tried to convert from hex to dec in Regedit, but it threw out an unknown 4988).


----------



## NdMk2o1o (Aug 14, 2012)

RuskiSnajper said:


> AHA Found it
> 
> 
> 
> ...



This may well be some sort of malware that makes it look like it is the WmiPrvSe.exe file. There doesn't seem to be any documented evidence that this process behaves in the way you have stated (from a quick Google, anyway).

Also trojans/viruses and malware can take on the name of Windows services/process/.exe's etc.


----------



## GSquadron (Aug 14, 2012)

~~Try reformatting the PC~~


----------



## RoutedScripter (Aug 14, 2012)

NdMk2o1o said:


> This may well be some sort of malware that makes it look like it is the WmiPrvSe.exe file. There doesn't seem to be any documented evidence that this process behaves in the way you have stated (from a quick Google, anyway).
> 
> Also trojans/viruses and malware can take on the name of Windows services/process/.exe's etc.



I will do a scan right now if you want. Malwarebytes and NOD32.

But I can tell you that I am right on this one. I've found the MSDN thread where the MS guy talks about removing shortcuts on a particular weekday, and that seems to be somewhere on Tuesday; 20:24 PM is the time it happened now.

The MSDN guy said on Monday or the start of the week, so this fits. And it's the MSDN guy who said how to track the access, so I've had the audit running in the event log for quite some time now. There are seriously tons of these audits, but that's not an issue; I'll delete the log after I'm done.

The other thing is, it doesn't appear to be a virus from my observation: it's at the path location it's supposed to be, and the processes are double as they should be, one SYSTEM and one NETWORK SERVICE, though the PID I have is in hex, so I don't know. There was no 4988 at all just 30 mins after this happened, but that's my quick try that probably isn't right; it's probably one of those. I was playing SC2 while it did, alt-tabbing in and out many times for a few hrs.


----------
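Added example, not written by any poster in this thread: a Python pass over Security event 4656 records ("A handle to an object was requested") exported as XML, covering the two checks discussed above. It decodes the hex `ProcessId` (0x137c is 4988) and flags a `WmiPrvSE.exe` image outside the default `wbem` directories; the sample events, the `example` user and all paths are constructed, and the expected directories assume a default `C:\Windows` install.

```python
import ntpath
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
DELETE = 0x10000  # DELETE standard access right bit in AccessMask
# Assumption: default install locations of the WMI provider host.
EXPECTED = {ntpath.normcase(p) for p in (
    r"C:\Windows\System32\wbem\WmiPrvSE.exe",
    r"C:\Windows\SysWOW64\wbem\WmiPrvSE.exe")}

def _event(obj, mask, pid, image):
    """Build one constructed 4656 record in the Security log's XML layout."""
    fields = {"ObjectName": obj, "AccessMask": mask, "ProcessId": pid, "ProcessName": image}
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4656</EventID></System>'
            f"<EventData>{data}</EventData></Event>")

# Constructed sample input, not the log from the thread (only the PID 0x137c is).
SAMPLE = "<Events>" + "".join([
    _event(r"C:\Users\example\Desktop\Network.lnk", "0x10080", "0x137c",
           r"C:\Windows\System32\wbem\WmiPrvSE.exe"),
    _event(r"C:\Users\example\Desktop\Sound.lnk", "0x80", "0x5d4",
           r"C:\Windows\explorer.exe"),
    _event(r"C:\Users\example\Desktop\Sound.lnk", "0x10000", "0x9c4",
           r"C:\Users\example\AppData\Roaming\WmiPrvSE.exe"),
]) + "</Events>"

def shortcut_deletes(xml_text):
    """Return DELETE handle requests on desktop .lnk files with decoded PIDs."""
    hits = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4656":
            continue
        d = {x.get("Name"): x.text or "" for x in ev.findall("e:EventData/e:Data", NS)}
        obj = ntpath.normcase(d.get("ObjectName", ""))
        if not int(d.get("AccessMask", "0"), 16) & DELETE:
            continue  # handle request did not ask for delete access
        if "\\desktop\\" not in obj or not obj.endswith(".lnk"):
            continue
        image = d.get("ProcessName", "")
        hits.append({
            "object": d["ObjectName"],
            "pid": int(d["ProcessId"], 16),  # the event stores the PID as hex
            "image": image,
            # Right name, wrong directory: the masquerading case raised in the thread.
            "suspicious": ntpath.basename(image).lower() == "wmiprvse.exe"
                          and ntpath.normcase(image) not in EXPECTED,
        })
    return hits
```

A PID only identifies a process while it is running, so a PID taken from an older event may no longer appear in a later process list.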

