Some Questions About Operations and Results & etc

Message Topic Search Topic Options Post Reply Create New Topic Printable Version Translate Topic

   Information: I am currently running Win7, but please answer questions as if this was winxp if applicable or both if you can! Thanks :D

1. What is 
C:\$Directory

2. When a process does the operation "Create File" does this mean it opens a handle with that file name?

3. Is "Reg Query Value" the same as reading a key; and how does it differ from "Reg Open Key" - Desired Operation: Query Value -  Is it that RegQueryValue already targets a specific value to read while RegOpenKey first reads the entire key to detect the right value?

4. Why does a process continue to make operations after the "Exit Process" operation? If remnants of processes are left over even after exiting the process, where do this pieces end up in RAM and how are they managed by Windows?

5. Does csrss.exe manage mapping and information on all running processes?

6. What's the difference between READ and GENERIC READ?

7. "ReadFile" seems to be that the process only checks the size and location of the file on the hard drive, furthermore processes can only read file contents if they know how to convert the binary .. right? How would this kind of read be showed in procmon?

8. Can processes detect that procmon is running without reading any of its files threads dlls or running processes? Also, does procmon work by using a driver or does it connect to a windows file monitoring server managed by a process such as csrss.exe or smss.exe?

Thanks so much for reading this and helping me out! This really means a lot to me!!!
:D

-Alex

Author	Message Topic Search Topic Options Post Reply Create New Topic Printable Version Translate Topic
Alex_Tech Members Profile Send Private Message Find Members Posts Add to Buddy List Newbie Joined: 19 January 2013 Location: Canada Status: Offline Points: 2	Post Options Post Reply Quote Alex_Tech Report Post Thanks(0) Quote Reply Topic: Some Questions About Operations and Results & etc Posted: 19 January 2013 at 2:31am
	Information: I am currently running Win7, but please answer questions as if this was winxp if applicable or both if you can! Thanks :D 1. What is C:\$Directory 2. When a process does the operation "Create File" does this mean it opens a handle with that file name? 3. Is "Reg Query Value" the same as reading a key; and how does it differ from "Reg Open Key" - Desired Operation: Query Value - Is it that RegQueryValue already targets a specific value to read while RegOpenKey first reads the entire key to detect the right value? 4. Why does a process continue to make operations after the "Exit Process" operation? If remnants of processes are left over even after exiting the process, where do this pieces end up in RAM and how are they managed by Windows? 5. Does csrss.exe manage mapping and information on all running processes? 6. What's the difference between READ and GENERIC READ? 7. "ReadFile" seems to be that the process only checks the size and location of the file on the hard drive, furthermore processes can only read file contents if they know how to convert the binary .. right? How would this kind of read be showed in procmon? 8. Can processes detect that procmon is running without reading any of its files threads dlls or running processes? Also, does procmon work by using a driver or does it connect to a windows file monitoring server managed by a process such as csrss.exe or smss.exe? Thanks so much for reading this and helping me out! This really means a lot to me!!! :D -Alex