Discussion in 'ProcessGuard' started by EGD, Dec 7, 2005.

Thread Status:
Not open for further replies.
  1. EGD

    EGD Guest

    this is in Process Guard but when I click for on line information the result is
    'this item is not in our data base'. It came to my attention following alarms - Thu 08 - 01:17:44 [MODIFY] c:\windows\system32\csrss.exe [468] was blocked from modifying c:\windows\explorer.exe [1244]

    Did a Google search and found: "Note: The Explorer.exe file is located in the c:\windows\System32 folder. In other cases, Explorer.exe is a virus, spyware, trojan or worm"

    put Explorer.exe in find and got several items, only one in system32 dllcache
    two related I think to SPack update the others are 'explorer' with no exe.

    Earlier I added csrss.exe for protection having read a post that sounded sensible on the topic (it was not in Process Guard before this) and now it seems to be at war with explorer.exe. I guess I need to know which one to take out of Process Guard...the new csrss entry or the explorer.exe that loaded with the programme.
    I have several 'alarms' and it's related also in some way to the 'find' system as a new one comes up with each search entry.

    Hope that makes sense, not good at this stuff at all and as it's way past my bedtime at nearly two a.m., I'll go to bed and hope that some kind person can help me overnight.

    Thanks in advance.
  2. beetlejuice69

    beetlejuice69 Registered Member

    Mar 16, 2005
    As long as it`s the original system file then let it have access to do what it needs.

    Mine is authorized to terminate-Modify-Read.
  3. EGD

    EGD Guest

    Thanks for responding beetlejuice69 much appreciated. I'll pop over to the Geeks and see if one of those wise owls will tell me how to verify authenticity.


  4. Mele20

    Mele20 Former Poster

    Apr 29, 2002
    Hilo, Hawaii
    I had to give it access to physical memory also.
  5. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Feb 10, 2002
    Perth, Western Australia
    PhysicalMemory would be due to explorer.exe acting as iexplore.exe.. sometimes it does - you run Internet Explorer and check Task Manager and there's NO iexplore.exe running ! strange ? nope.. its running under explorer.exe :)

    ALLOW modify for CSRSS.EXE as long as it is the one in SYSTEM32 folder. It should have already had allow modify ! Do NOT remove or change the default privileges for programs like SMSS, CSRSS, WINLOGON, SERVICES, SVCHOST. It will result in major problems - you have been warned ;)
Thread Status:
Not open for further replies.