Should this have this 2 ?'s in /??/C:/Windows/System32/csrss.exe

Hi,
I dont no why these two files running on my computer have the question marks. Can any one help with identification?

/??/C:/Windows/System32/csrss.exe
/??/C:Windows/system32/winlogon.exe

Is there a virus or something?
Thanks,
Blinko

 

Did you see these in task manager or in Spybot S&D,there is a different? The winlogon.exe(task manager), ??/C:Windows/system32/winlogon.exe (Spybot)

 

I just installed adware se PLUS and it list all running processes, which these are two of the 30 running processes and I never saw any files like this before. Could it be part of Adware se plus?
Thanks,
blinko

 

I absolutley have a clean system with no malware or virus infections and these are in running task's

 

O. k. that seems to settle this, but it does look funny and caught my eye. Thanks for your help,
Blinko

 

It does look funny if I didn't know for sure that my system was clean it would make me wonder also. Just out of curiosity which av do you run?

 

I also have the same 2 entries(with the question marks) when checking running processes in Ad-Watch. I have no doubt that my system is clean but iam curious as to why the double ??.

Searched around a little but couldn't come up with anything tangible.



snowbound

 

Hi,
I use Computer Associates, EZ Antivirus, I am on a one year free service with no complaints, it updates every day. I ran it to and it didnt pick up on the 2 strange files.
I also ran Spybot S&D, and on trial with Trojan Hunter and they didnt find anything wrong.
I also always run Spyguard and Spyblaster in the background. And finally rely on Windows Firewall. When I used other firewalls I would always shut down windows explorer manually because I read that it allows alot of unwanted traffic to my computer. I dont no how to do it with windows firewall, but obviouslly they would want it left alone. What do you think?
Also, How do I found out if my computer is running FTP? I also read it is good to shut that down also.
I dont no a whole lot about computers but I manage in the wide west internet world thanks to good websites and boards like yours at WSF.
Thanks,
Blinko

 

The reason I asked about the av was I was wondering if a mail proxy or network recognition in the av might be the culprit but it doesn't seem so.

 

As to your firewall question, u might want to post your concerns over here,

https://www.wilderssecurity.com/forumdisplay.php?f=31

I'm sure you'll get lots of opinions and help.


snowbound

 

csrss.exe and winlogon.exe are both legit windows system files, look them up here to see what they do http://www.answersthatwork.com/Tasklist_pages/tasklist.htm nothing to worry about

 

Microsoft seems to be an expert in giving names, that look like malware names.

I had the same problem with the file "DW15.EXE", which is in fact a legitimate file.
It's kind of reporting tool, when something goes wrong with MSIE.

During my search of DW15.EXE, I noticed that I wasn't the only one, who had doubts about this file

 

The processes csrss.exe and winlogon.exe are definitely both legit processes that will exist on all Windows NT/2000/XP systems. The formal name for CSRSS is the Client Server Runtime SubSystem, but really it is the Win32 SubSystem... it is a core piece of what makes the Win32 API work. The original design of Windows NT envisioned multiple subsystems, or at least replaceable subsystems, in case Windows didn't take off and another user interface API did take off. However, Microsoft really only wrote the Win32 one, the POSIX one, and a very basic OS/2 one. Winlogon, of course, is fairly self-explanatory, or at least somewhat descriptive of its role. I suppose it might be possible for malware to somehow compromise those two files, but it would probably be unlikely since those two processes start very early in the initialization of Windows since they are so essential and therefore they probably lock access to the files on disk.

The reason for the two '??' is sort of a longer story. Basically, there is a whole set of specialized code that runs in ring 0, or "kernel mode" that is collectively referred to as "Executive Services". These executive services range from things like memory management to I/O management to something called the "Object Manager". The object manager is the kernel's method of unifying and organizing the various low-level resources and objects that the kernel needs in order to do its job (ie, things like processes, threads, files, devices, mutexes aka mutants, etc.) Anyway, the object manager can be sort of thought of as imposing some structure on these objects kind of like the filesystem on a drive. There is a "directory" in the object manager called "DosDevices" that ennumerates devices as they were known in DOS (eg, LPT:, COM1:, C:, D: ). That is, the "C:" referrence to the first harddrive that we are all familiar with comes from DOS convention, but isn't necessarily how NT/2000/XP has to refer to the first harddrive. Anyway, the "C:" reference is defined in the object manager under the DosDevices "directory". It turns out that the DosDevices directory is used so much internally, that Microsoft eventually just cryptically renamed it "??" so that it would be first in the search path apparently. It saved a few microseconds per access, I guess.

The reason those two executables in particular show up with the "??" reference in front of them is likely because they are both what's called "Native" API applications. CSRSS and Winlogon aren't written based upon the Win32 API, since they are in fact each partly responsible for, and run prior to, that API. Rather they are written to a lower-level core Windows NT API. Because of this, they probably somehow make reference to the actual "??" DosDevices object manager entity that causes them to show up in process listings with that on there. You can learn much more on all of this by reading Mark Russinovich (of Sysinternals' fame) & David Solomon's "Windows Internals" book. I'm just sort of reciting what I recall.

 

That certainly explains what i was curious about.

Thanks.


snowbound

 

Just wanted to say thanks to Alec for that awesome explanation. I found the same 2 questionable entries in Spybot running processes and googling them led me here. Thanks for the peace of mind.

 

Thank you for helping explain the reason why the question marks . I was wondering if you kewn anything about kerio firewall i am getting an error that i can not get to go away, this is what i am getting:


Technical details about the intrusion attempt:
Injector application: <unknown>
Description: <unknown>
File version:
Product name:
Product version:
Created: N/A
Modified: N/A
Accessed: N/A

Target application: \??\C:\WINDOWS\system32\winlogon.exe
Description: winlogon
File version:
Product name:
Product version:
Created: N/A
Modified: N/A
Accessed: N/A

Address of injection: 0x7C801D77

I am hoping that you might be able to help.

 

Hello,

I would advise u to post your firewall question(start a new thread) over here for better attention,

https://www.wilderssecurity.com/forumdisplay.php?f=31



snowbound