Should this have this 2 ?'s in /??/C:/Windows/System32/csrss.exe

Discussion in 'other security issues & news' started by Blinko555, Jul 6, 2005.

Thread Status:
Not open for further replies.
  1. Blinko555

    Blinko555 Registered Member

    Joined:
    Mar 29, 2005
    Posts:
    7
    Hi,
    I don't know why these two files running on my computer have the question marks. Can anyone help with identification?

    /??/C:/Windows/System32/csrss.exe
    /??/C:Windows/system32/winlogon.exe

    Is there a virus or something?
    Thanks,
    Blinko o_O
     
  2. tom772

    tom772 Guest

    Did you see these in Task Manager or in Spybot S&D? There is a difference: winlogon.exe (Task Manager), ??/C:Windows/system32/winlogon.exe (Spybot).
     
  3. Blinko555

    Blinko555 Registered Member

    Joined:
    Mar 29, 2005
    Posts:
    7
    I just installed Ad-Aware SE Plus and it lists all running processes; these are two of the 30 running processes, and I never saw any files like this before. Could it be part of Ad-Aware SE Plus?
    Thanks,
    blinko
     
  4. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    I absolutely have a clean system with no malware or virus infections, and these are in running tasks.
     
  5. Blinko555

    Blinko555 Registered Member

    Joined:
    Mar 29, 2005
    Posts:
    7
    O.k., that seems to settle this, but it does look funny and caught my eye. Thanks for your help,
    Blinko :D
     
  6. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    It does look funny ;) if I didn't know for sure that my system was clean it would make me wonder also. Just out of curiosity which av do you run?
     
  7. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    I also have the same 2 entries (with the question marks) when checking running processes in Ad-Watch. I have no doubt that my system is clean, but I am curious as to why the double ??. :doubt:

    Searched around a little but couldn't come up with anything tangible.



    snowbound
     
  8. Blinko555

    Blinko555 Registered Member

    Joined:
    Mar 29, 2005
    Posts:
    7
    Hi,
    I use Computer Associates EZ Antivirus; I am on a one-year free service with no complaints, and it updates every day. I ran it too and it didn't pick up on the 2 strange files.
    I also ran Spybot S&D, and I am on trial with Trojan Hunter, and they didn't find anything wrong.
    I also always run Spyguard and Spyblaster in the background, and finally rely on Windows Firewall. When I used other firewalls I would always shut down Windows Explorer manually because I read that it allows a lot of unwanted traffic to my computer. I don't know how to do it with Windows Firewall, but obviously they would want it left alone. What do you think?
    Also, how do I find out if my computer is running FTP? I also read it is good to shut that down too.
    I don't know a whole lot about computers, but I manage in the wild west :) internet world thanks to good websites and boards like yours at WSF.
    Thanks,
    Blinko
     
  9. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    The reason I asked about the av was I was wondering if a mail proxy or network recognition in the av might be the culprit but it doesn't seem so.
     
  10. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    As to your firewall question, u might want to post your concerns over here,

    https://www.wilderssecurity.com/forumdisplay.php?f=31

    I'm sure you'll get lots of opinions and help. ;) :D


    snowbound
     
  11. Matt_Smi

    Matt_Smi Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    359
  12. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Microsoft seems to be an expert in giving names, that look like malware names.

    I had the same problem with the file "DW15.EXE", which is in fact a legitimate file.
    It's kind of reporting tool, when something goes wrong with MSIE.

    During my search of DW15.EXE, I noticed that I wasn't the only one, who had doubts about this file :)
     
  13. Alec

    Alec Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    355
    Location:
    Dallas, TX
    The processes csrss.exe and winlogon.exe are definitely both legit processes that will exist on all Windows NT/2000/XP systems. The formal name for CSRSS is the Client Server Runtime SubSystem, but really it is the Win32 SubSystem... it is a core piece of what makes the Win32 API work. The original design of Windows NT envisioned multiple subsystems, or at least replaceable subsystems, in case Windows didn't take off and another user interface API did take off. However, Microsoft really only wrote the Win32 one, the POSIX one, and a very basic OS/2 one. Winlogon, of course, is fairly self-explanatory, or at least somewhat descriptive of its role. I suppose it might be possible for malware to somehow compromise those two files, but it would probably be unlikely since those two processes start very early in the initialization of Windows since they are so essential and therefore they probably lock access to the files on disk.

    The reason for the two '??' is sort of a longer story. Basically, there is a whole set of specialized code that runs in ring 0, or "kernel mode", that is collectively referred to as "Executive Services". These executive services range from things like memory management to I/O management to something called the "Object Manager". The object manager is the kernel's method of unifying and organizing the various low-level resources and objects that the kernel needs in order to do its job (i.e., things like processes, threads, files, devices, mutexes aka mutants, etc.). Anyway, the object manager can be sort of thought of as imposing some structure on these objects, kind of like the filesystem on a drive. There is a "directory" in the object manager called "DosDevices" that enumerates devices as they were known in DOS (e.g., LPT:, COM1:, C:, D:). That is, the "C:" reference to the first hard drive that we are all familiar with comes from DOS convention, but isn't necessarily how NT/2000/XP has to refer to the first hard drive. Anyway, the "C:" reference is defined in the object manager under the DosDevices "directory". It turns out that the DosDevices directory is used so much internally that Microsoft eventually just cryptically renamed it "??" so that it would be first in the search path, apparently. It saved a few microseconds per access, I guess.

    The reason those two executables in particular show up with the "??" reference in front of them is likely because they are both what's called "Native" API applications. CSRSS and Winlogon aren't written based upon the Win32 API, since they are in fact each partly responsible for, and run prior to, that API. Rather they are written to a lower-level core Windows NT API. Because of this, they probably somehow make reference to the actual "??" DosDevices object manager entity that causes them to show up in process listings with that on there. You can learn much more on all of this by reading Mark Russinovich (of Sysinternals' fame) & David Solomon's "Windows Internals" book. I'm just sort of reciting what I recall. ;)
     
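    The path forms Alec describes (the object manager's \??\ and \DosDevices\ prefixes in front of a DOS drive letter) can be normalised back to a plain C:\... path and then checked against where csrss.exe and winlogon.exe are supposed to live. The following is an added example, not code from anyone in this thread; it assumes the system root is C:\Windows and treats \Device\HarddiskVolumeN\ paths as unresolvable without the live DosDevices symlink table.

```python
import ntpath
from typing import Optional

# Prefixes the object manager (\??\, \GLOBAL??\, \DosDevices\) and the Win32
# layer (\\?\, \\.\) put in front of a DOS drive letter. \??\ is the renamed
# DosDevices directory described in the post above.
NT_PREFIXES = ("\\??\\", "\\GLOBAL??\\", "\\DosDevices\\", "\\\\?\\", "\\\\.\\")

# Assumption: system root is C:\Windows. On a real host read %SystemRoot%.
SYSTEM32 = "C:\\WINDOWS\\SYSTEM32"
CORE_PROCESSES = ("csrss.exe", "winlogon.exe")


def normalize_nt_path(path: str) -> Optional[str]:
    """Reduce \\??\\C:\\... (or /??/C:/..., as Ad-Aware printed it) to C:\\...

    Returns None when no drive letter is present, e.g. for the
    \\Device\\HarddiskVolumeN\\... form, which needs the live symlink table.
    """
    p = path.strip().replace("/", "\\")   # some tools print forward slashes
    for prefix in NT_PREFIXES:
        if p.upper().startswith(prefix.upper()):
            p = p[len(prefix):]
            break
    if len(p) < 3 or not p[0].isalpha() or p[1:3] != ":\\":
        return None
    return p


def check_core_process(path: str) -> str:
    """Classify an image path taken from a process listing or firewall alert."""
    p = normalize_nt_path(path)
    if p is None:
        return "unresolved"
    directory, name = ntpath.split(p)
    if name.lower() not in CORE_PROCESSES:
        return "not-core"
    return "expected" if directory.upper() == SYSTEM32 else "unexpected-location"


if __name__ == "__main__":
    samples = [
        "/??/C:/Windows/System32/csrss.exe",              # from the first post
        "\\??\\C:\\WINDOWS\\system32\\winlogon.exe",      # from the Kerio alert
        "\\Device\\HarddiskVolume1\\Windows\\System32\\csrss.exe",  # constructed
        "\\??\\C:\\Users\\Public\\csrss.exe",             # constructed lookalike
    ]
    for s in samples:
        print(f"{check_core_process(s):20} {s}")
```

A core process name reported as "unexpected-location" is worth a closer look; an "unresolved" device path just needs a real drive-letter mapping before it can be judged.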
  14. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    That certainly explains what i was curious about.

    Thanks. :)


    snowbound
     
  15. CardieB

    CardieB Registered Member

    Joined:
    May 13, 2006
    Posts:
    1
    Location:
    Orlando
    Just wanted to say thanks to Alec for that awesome explanation. I found the same 2 questionable entries in Spybot running processes and googling them led me here. Thanks for the peace of mind.:thumb:
     
  16. bpickett50

    bpickett50 Registered Member

    Joined:
    Apr 7, 2007
    Posts:
    1
    Thank you for helping explain the reason for the question marks. I was wondering if you knew anything about Kerio firewall; I am getting an error that I cannot get to go away. This is what I am getting:


    Technical details about the intrusion attempt:
    Injector application: <unknown>
    Description: <unknown>
    File version:
    Product name:
    Product version:
    Created: N/A
    Modified: N/A
    Accessed: N/A

    Target application: \??\C:\WINDOWS\system32\winlogon.exe
    Description: winlogon
    File version:
    Product name:
    Product version:
    Created: N/A
    Modified: N/A
    Accessed: N/A

    Address of injection: 0x7C801D77

    I am hoping that you might be able to help.
     
  17. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Hello,

    I would advise u to post your firewall question(start a new thread) over here for better attention,

    https://www.wilderssecurity.com/forumdisplay.php?f=31



    snowbound
     