What is "custom:45000001"?

Status
Not open for further replies.
#1
While I have searched around for a while, for some reason I cannot find any explanation for the custom:45000001 entry.

Can anyone offer an answer?

My theory... There is an entry being hidden from me either in the BCD or MBR possibly referring to a virtual device or drive.
I have reason to believe a rootkit is hiding on the machine - a targeted hack. When I installed XPUD, (just to gently touch the settings), on the next boot an entry appeared for Windows XP. That Windows XP entry has disappeared after only appearing that one time.

I am including plenty of data below. Detailed entries from EasyBCD and the output from 'BCDEDIT /enum all /v'

Usually just a normal Vista laptop.

EASYBCD Data
====================
Windows Boot Manager
--------------------
identifier {9dea862c-5cdd-4e70-acc1-f32b344d4795}
device partition=C:
description Windows Boot Manager
locale en-US
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
default {dfda5002-671b-11de-99f0-00235adea060}
resumeobject {dfda5003-671b-11de-99f0-00235adea060}
displayorder {dfda5002-671b-11de-99f0-00235adea060}
{9866d120-b87e-11e0-a4c1-b7d5bc228d71}
toolsdisplayorder {b2721d73-1db4-4c62-bf78-c548a880142d}
timeout 10
resume No
custom:45000001 1

Windows Boot Loader
-------------------
identifier {dfda5002-671b-11de-99f0-00235adea060}
device partition=C:
path \Windows\system32\winload.exe
description Microsoft Windows Vista
locale en-US
inherit {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
recoverysequence {572bcd55-ffa7-11d9-aae0-0007e994107d}
recoveryenabled Yes
osdevice partition=C:
systemroot \Windows
resumeobject {dfda5003-671b-11de-99f0-00235adea060}
nx OptOut

Real-mode Boot Sector
---------------------
identifier {9866d120-b87e-11e0-a4c1-b7d5bc228d71}
device partition=C:
path \grldr.mbr
description xPUD


====================
Output from BCDEDIT /enum all /v
====================

Windows Boot Manager
--------------------
identifier {9dea862c-5cdd-4e70-acc1-f32b344d4795}
device partition=C:
description Windows Boot Manager
locale en-US
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
default {dfda5002-671b-11de-99f0-00235adea060}
resumeobject {dfda5003-671b-11de-99f0-00235adea060}
displayorder {dfda5002-671b-11de-99f0-00235adea060}
{9866d120-b87e-11e0-a4c1-b7d5bc228d71}
toolsdisplayorder {b2721d73-1db4-4c62-bf78-c548a880142d}
timeout 10
resume No

Windows Boot Loader
-------------------
identifier {572bcd55-ffa7-11d9-aae0-0007e994107d}
device partition=\Device\HarddiskVolume1
path \windows\system32\boot\winload.exe
description Windows Recovery Environment
osdevice partition=\Device\HarddiskVolume1
systemroot \windows
nx OptIn
detecthal Yes
winpe Yes

Windows Boot Loader
-------------------
identifier {dfda5002-671b-11de-99f0-00235adea060}
device partition=C:
path \Windows\system32\winload.exe
description Microsoft Windows Vista
locale en-US
inherit {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
recoverysequence {572bcd55-ffa7-11d9-aae0-0007e994107d}
recoveryenabled Yes
osdevice partition=C:
systemroot \Windows
resumeobject {dfda5003-671b-11de-99f0-00235adea060}
nx OptOut

Resume from Hibernate
---------------------
identifier {dfda5003-671b-11de-99f0-00235adea060}
device partition=C:
path \Windows\system32\winresume.exe
description Windows Resume Application
locale en-US
inherit {1afa9c49-16ab-4a5c-901b-212802da9460}
filedevice partition=C:
filepath \hiberfil.sys
pae Yes
debugoptionenabled No

Windows Memory Tester
---------------------
identifier {b2721d73-1db4-4c62-bf78-c548a880142d}
device partition=C:
path \boot\memtest.exe
description Windows Memory Diagnostic
locale en-US
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
badmemoryaccess Yes

Windows Legacy OS Loader
------------------------
identifier {466f5a88-0af2-4f76-9038-095b170dc21c}
device unknown
path \ntldr
description Earlier Version of Windows

Real-mode Boot Sector
---------------------
identifier {9866d120-b87e-11e0-a4c1-b7d5bc228d71}
device partition=C:
path \grldr.mbr
description xPUD

EMS Settings
------------
identifier {0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
bootems Yes

Debugger Settings
-----------------
identifier {4636856e-540f-4170-a130-a84776f4c654}
debugtype Serial
debugport 1
baudrate 115200

RAM Defects
-----------
identifier {5189b25c-5558-4bf2-bca4-289b11bd29e2}

Global Settings
---------------
identifier {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
inherit {4636856e-540f-4170-a130-a84776f4c654}
{0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
{5189b25c-5558-4bf2-bca4-289b11bd29e2}

Boot Loader Settings
--------------------
identifier {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}

Resume Loader Settings
----------------------
identifier {1afa9c49-16ab-4a5c-901b-212802da9460}
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
 

mqudsi

Mostly Harmless
Staff member
#2
This is nothing to worry about. Different versions of bcdedit and other boot utilities had different tags for some of the properties of boot entries. If there's a mismatch between the creation version and the viewing version, you'll see this discrepancy.

Rootkits can't hide in the bcd.
 
#3
You did not answer the question.

Instead you tell me not to worry about it? Really? If you do not know the answer, just say so.
EasyBCD did not include every entry... The one in question only showed up in BCDEDIT. Is there a way to have BCDEDIT gather everything for a comparison?
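
Added example, not part of any post in this thread and not EasyBCD or bcdedit code: one way to do the comparison asked about here is to parse two text dumps into per-identifier element maps, list the elements that differ, and split any `custom:XXXXXXXX` name into the class, value format and subtype bit fields of a BCD element type. The function names are hypothetical, the sample is excerpted from the two Windows Boot Manager listings in post #1, and the label for class 4 is an assumption.

```python
import re

# BCD element type: bits 28-31 class, 24-27 value format, 0-23 subtype.
CLASSES = {1: "library", 2: "application", 3: "device", 4: "setup"}  # 4: assumed label
FORMATS = {1: "device", 2: "string", 3: "object", 4: "object list",
           5: "integer", 6: "boolean", 7: "integer list"}

def decode_element(name):
    """Split a 'custom:XXXXXXXX' element name into (class, format, subtype)."""
    m = re.fullmatch(r"custom:([0-9a-fA-F]{8})", name)
    if not m:
        return None  # a friendly name the tool already resolved
    v = int(m.group(1), 16)
    return CLASSES.get(v >> 28, "?"), FORMATS.get((v >> 24) & 0xF, "?"), v & 0xFFFFFF

def parse_dump(text):
    """Map each object's identifier GUID to its {element: [values]} dict."""
    objects, cur, last = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            cur = None                      # blank line ends the current object
        elif line.startswith("identifier"):
            cur, last = objects.setdefault(line.split()[1], {}), None
        elif cur is None or set(line) <= set("-="):
            continue                        # section title or ruler line
        elif line.startswith("{") and last:
            cur[last].append(line)          # continuation of a GUID list
        else:
            last, _, val = line.partition(" ")
            cur[last] = [val.strip()]
    return objects

def diff_dumps(a, b):
    """List (guid, element, value_in_a, value_in_b) where the dumps disagree."""
    return [(g, k, a.get(g, {}).get(k), b.get(g, {}).get(k))
            for g in sorted(set(a) | set(b))
            for k in sorted(set(a.get(g, {})) | set(b.get(g, {})))
            if a.get(g, {}).get(k) != b.get(g, {}).get(k)]

# Sample input: excerpt of the Windows Boot Manager object from post #1.
EASYBCD = """Windows Boot Manager
--------------------
identifier {9dea862c-5cdd-4e70-acc1-f32b344d4795}
displayorder {dfda5002-671b-11de-99f0-00235adea060}
{9866d120-b87e-11e0-a4c1-b7d5bc228d71}
custom:45000001 1
"""
BCDEDIT = EASYBCD.replace("custom:45000001 1\n", "")  # second listing lacks that line
```

Running `diff_dumps(parse_dump(EASYBCD), parse_dump(BCDEDIT))` on full dumps saved from each tool shows every element present in one listing but not the other, keyed by object GUID.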
 

Terry60

Knows where his towel is.
Staff member
#4
I'd suggest you read CG's answer more carefully, and moderate the snarky tone if you expect anyone to bother talking to you.
 

mqudsi

Mostly Harmless
Staff member
#5
Thanks, Terry.

Terance, if you think I didn't answer your question before, do you really think you've motivated me to do so now? Good luck with that, buddy.
 
#6
A simple question, eh?

So let's see if I got this right. I asked a simple question. I did not get an answer. I re-ask the question to the forum, indicating the non-answer. Then the insults begin.

Laughable. Just laughable.

There is no shame in not knowing something. Very curious at the determination not to respond to the simple question.
 

Mak 2.0

Mod...WAFFLES!?!?
Staff member
#7
If it is such a simple question, then why can't you find the answer anywhere upon your searching? Instead you insult the creator of the application you are using saying he doesn't know what he is talking about and then laugh at him for not responding to your insults? Apparently he knows a bit more than expected since he coded this application that you are using, and you are asking here for assistance.

That is something I don't quite understand. Guru answered it by telling you different programs use different terms. It is not unheard of. Just look at word processor applications. Word calls them a .doc or .docx depending on the version you use. Notepad creates a .txt file, Wordpad creates a .rtf file. But they are all still just a document. 4 different terms, 1 same item. That doesn't even include what open source projects call them or other such things like .pdf files. All can be for the same exact thing, just expressed a different way.

You were the one who threw out the insults first. You get treated how you treat others. You show no respect to us, you are not going to get any in return. It is a 2 way approach. Treat others how you wish to be treated. You showed us how you wanted to be treated by how you treated us. Simple as that.

Topic Closed.
 