polaris

Distinguished
Apr 29, 2001
63
0
18,630
Archived from groups: microsoft.public.windowsxp.security_admin,microsoft.public.security,microsoft.public.security.virus,microsoft.public.win2000.security,microsoft.public.windows.server.security (More info?)

Hi Experts:

I wrote a small program on XP to get a list of running processes. I used
GetModuleFileNameEx and EnumProcessModules to go through each process and get
the process path. Most of the returned paths are OK, but I noticed a strange one
below:

\??\C:\WINDOWS\system32\csrss.exe (0x4A680000)

Does anyone know why there is \??\ at the front of the path? Does that mean the
csrss.exe is a virus? In Task Manager, csrss.exe is running and cannot
be stopped.

Any thoughts are appreciated.

Thanks In Advance!

Polaris
 
Guest

I don't know offhand the reason but I would download Process Explorer from
SysInternals to see what it shows in the process properties as the path.
Also on my computer XP SP2 Process Explorer shows in the image page of the
process properties that csrss.exe is "verified" from Microsoft Corp. which
means that it is digitally signed and authentic though not all MS files
related to processes are verified/signed. It certainly would not hurt to run
an antivirus program being sure to have the latest virus definitions before
scanning and maybe try the RootkitRevealer from SysInternals. --- Steve

http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml
http://www.liutilities.com/products/wintaskspro/processlibrary/csrss/ ---
info about csrss.exe

 

polaris

I appreciate your help.

Polaris

 
Guest

"Polaris" <etpolaris@hotmail.com> wrote in message news:
OFvC238RFHA.3496@TK2MSFTNGP12.phx.gbl...
>> \??\C:\WINDOWS\system32\csrss.exe (0x4A680000)
>
> Anyone knows why there is \??\ at the front of the path?

It's the full path, as used by the NT kernel. Win32 objects "live" under the
\?? directory in the object manager namespace.

The reason why you're getting an NT path for this particular process is that
csrss.exe is started directly using NtCreateProcess, before the Win32 API
could be used.

> Does that mean the csrss.exe is a virus?

No. Actually, csrss.exe is the Win32 subsystem server, and is a vital part
of an NT system. It's used to implement several parts of the Win32 API,
including console windows and part of the windowing system.

However, several malicious programs try (very hard) to look like csrss.exe,
so you're right to be wary.

> In task manager, the csrss.exe is running and cannot be stopped.

That's normal. If you could stop csrss.exe, your system would become
unusable (no Win32 API...). So, Windows prevents you from shooting yourself
in the foot. (Actually, it goes farther than that. The NT kernel is keeping
a watch on the csrss process, and will go immediately into a blue screen if
csrss.exe stops).
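As an added example (not code from the original thread or from any of the posters), here is a portable C routine that does what the last reply describes in prose: it strips the object-manager prefix \??\ (and the \\?\ and \\.\ Win32 spellings of the same thing, plus the \SystemRoot\ symbolic link) from an image path such as the one GetModuleFileNameEx returned for csrss.exe, and then applies the check the thread converges on: the genuine csrss.exe is loaded only from %SystemRoot%\system32, so a process of that name whose normalised path lies anywhere else deserves a closer look. The system root is a parameter (assumed to be C:\WINDOWS in main; on a live machine it would come from the SystemRoot environment variable), the sample image paths are constructed, and only standard C is used so it compiles on any platform; on Windows you would feed it the strings your enumeration loop already produces.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Length of prefix p if s starts with it, compared case-insensitively
 * (Windows paths and object-manager names are not case-sensitive); 0 if not. */
static size_t ci_prefix_len(const char *s, const char *p)
{
    size_t i;
    for (i = 0; p[i] != '\0'; i++) {
        if (s[i] == '\0' ||
            tolower((unsigned char)s[i]) != tolower((unsigned char)p[i]))
            return 0;
    }
    return i;
}

/* Case-insensitive equality of two path strings. */
static bool ci_equal(const char *a, const char *b)
{
    size_t lb = strlen(b);
    return strlen(a) == lb && ci_prefix_len(a, b) == lb;
}

/* Turn the image path reported for an early-boot process into a plain
 * drive-letter path.  Recognised spellings:
 *   \??\C:\...       object-manager namespace prefix (the poster's case)
 *   \\?\C:\...       Win32 long-path form of the same prefix
 *   \\.\C:\...       Win32 device-namespace form
 *   \SystemRoot\...  object-manager symbolic link to the Windows directory,
 *                    expanded here with the caller-supplied system_root
 * Any other path is copied through unchanged.  Returns false on truncation. */
bool nt_to_win32_path(const char *in, const char *system_root,
                      char *out, size_t outsz)
{
    const char *head = "";
    const char *tail = in;
    size_t n;

    if ((n = ci_prefix_len(in, "\\??\\")) != 0 ||
        (n = ci_prefix_len(in, "\\\\?\\")) != 0 ||
        (n = ci_prefix_len(in, "\\\\.\\")) != 0) {
        tail = in + n;
    } else if ((n = ci_prefix_len(in, "\\SystemRoot\\")) != 0) {
        head = system_root;   /* e.g. "C:\WINDOWS" (assumed value) */
        tail = in + n - 1;    /* keep the backslash after SystemRoot */
    }

    if (strlen(head) + strlen(tail) + 1 > outsz)
        return false;
    strcpy(out, head);
    strcat(out, tail);
    return true;
}

/* Does `in` normalise to exactly `want`?  (Handy for checks and tests.) */
bool normalises_to(const char *in, const char *system_root, const char *want)
{
    char buf[512];
    return nt_to_win32_path(in, system_root, buf, sizeof buf) &&
           strcmp(buf, want) == 0;
}

/* The location check: the real csrss.exe lives only in %SystemRoot%\system32.
 * A csrss.exe whose normalised image path is elsewhere is a look-alike until
 * proven otherwise.  system_root is an input, not discovered by this code. */
bool csrss_path_is_expected(const char *reported_path, const char *system_root)
{
    char normalised[512];
    char expected[512];

    if (!nt_to_win32_path(reported_path, system_root,
                          normalised, sizeof normalised))
        return false;
    if (snprintf(expected, sizeof expected, "%s\\system32\\csrss.exe",
                 system_root) >= (int)sizeof expected)
        return false;
    return ci_equal(normalised, expected);
}

int main(void)
{
    /* Constructed samples: the first is the path from the post, the rest are
     * other spellings of the genuine path and two look-alike locations. */
    const char *samples[] = {
        "\\??\\C:\\WINDOWS\\system32\\csrss.exe",
        "C:\\WINDOWS\\System32\\CSRSS.EXE",
        "\\SystemRoot\\system32\\csrss.exe",
        "C:\\WINDOWS\\csrss.exe",
        "C:\\Documents and Settings\\user\\csrss.exe",
    };
    const char *system_root = "C:\\WINDOWS";   /* assumed %SystemRoot% */
    char normalised[512];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (!nt_to_win32_path(samples[i], system_root,
                              normalised, sizeof normalised))
            continue;
        printf("%-42s -> %-34s %s\n", samples[i], normalised,
               csrss_path_is_expected(samples[i], system_root)
                   ? "expected location" : "NOT the system32 copy");
    }
    return 0;
}
```

This is a location check only: a file in the right place can still have been replaced, so pair it with the signature check Steve describes (Process Explorer's "verified" column, or WinVerifyTrust from your own code), which is Windows-only and therefore not in this portable block. Note also that other APIs (GetProcessImageFileName, for example) report paths in \Device\HarddiskVolumeN\... form; mapping those back to drive letters needs QueryDosDevice and is not handled here.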