Running logonsessions creates "剐䍏

ashutoshmehra
Newbie
Posted: 24 September 2009 at 5:17pm

Hello everyone,

I discovered that running the logonsessions utility (as Administrator) results in creation of the file:

C:\Windows\SysWow64\Drivers\剐䍏塅ㅐ〰匮卙

When the logonsessions program has finished running, the file still persists. I've been able to replicate this behavior repeatably. The file consists of CJK-looking characters, which is why I think it is possibly a bug in the logonsessions utility.

More details:

The awkward-named file is apparently signed -- seeing the file-properties in Explorer via shows that signer is Sysinternals. The filesize is 16,384 bytes.

I discovered the file while going through the system log, which had an entry:

"\??\C:\Windows\SysWow64\Drivers\剐䍏塅ㅐ〰匮卙 has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver."

The above entry gets regenerated every time I run logonsessions.

I'm on Windows Vista Ultimate SP2 (x64). The version of logonsessions is v1.1 (Copyright 2004).

molotov
Moderator Group
Posted: 23 October 2009 at 3:15am

Hi Ashutosh,
I didn't realize it, but logonsessions.exe seems to include as a resource a copy of an older version of the 32-bit Process Explorer driver that gets written to disk. I've seen the behavior you report on XP SP3, Vista SP2 x86, and Win7 x64. Obviously, a 32-bit driver can't be loaded on a 64-bit system, so the driver certainly doesn't seem to be required. However, the driver does get loaded on a 32-bit system...

Daily affirmation:
net helpmsg 4006

ashutoshmehra
Newbie
Posted: 23 October 2009 at 6:17am

Thanks for your response, molotov. I get it now. But still, the filename for that driver, with all the Chinese characters "剐䍏塅ㅐ〰匮卙", does seem somewhat odd.

molotov
Moderator Group
Posted: 23 October 2009 at 10:57am

Yes, I'm not sure why that filename is used, or really even why it is necessary. The driver remains loaded after logonsessions runs (like Process Explorer's driver does)...

Daily affirmation:
net helpmsg 4006
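
The file name reported in this thread decodes cleanly when its UTF-16LE bytes are read back as ASCII. The following is an added example, not code from the thread or from Sysinternals; the function names and the sample listing are constructed for illustration, and it recovers the hidden name and flags similar names in a directory listing.

```python
import string

# Characters accepted in a recovered name (printable ASCII, no control bytes).
_PRINTABLE = set(string.ascii_letters + string.digits + string.punctuation + " ")

# File name exactly as quoted in the first post of this thread.
REPORTED = "剐䍏塅ㅐ〰匮卙"

def misread_as_utf16(ansi_name: str) -> str:
    """Forward direction: ASCII bytes reinterpreted as UTF-16LE code units."""
    raw = ansi_name.encode("ascii")
    if len(raw) % 2:
        raise ValueError("odd byte count cannot be paired into UTF-16 code units")
    return raw.decode("utf-16-le")

def recover_ascii(name: str):
    """Return the ASCII string hidden in `name`, or None if there is none."""
    if not name or all(ord(c) < 0x80 for c in name):
        return None                     # ordinary ASCII name, nothing to recover
    try:
        text = name.encode("utf-16-le").decode("ascii")  # fails on any byte >= 0x80
    except UnicodeError:
        return None                     # genuine non-ASCII name or lone surrogate
    # Mixed names yield NUL bytes here and are rejected by the printable check.
    return text if all(ch in _PRINTABLE for ch in text) else None

def scan(names):
    """Map each suspicious name in a listing to the ASCII text it hides."""
    found = {}
    for n in names:
        hidden = recover_ascii(n)
        if hidden is not None:
            found[n] = hidden
    return found

# Constructed listing: one normal driver, the reported name, one real CJK name.
SAMPLE_LISTING = ["ntfs.sys", REPORTED, "日本語.txt"]

if __name__ == "__main__":
    for odd, hidden in scan(SAMPLE_LISTING).items():
        print(f"{odd!r} -> {hidden!r}")
```

The same check can be pointed at the output of `os.listdir()` on a drivers directory to find other files created with a narrow string where a wide one was expected.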