svchost.exe wants "Unknown Flag" access

Discussion in 'ProcessGuard' started by Disciple, Mar 10, 2004.

Thread Status:
Not open for further replies.
  1. Disciple

    Disciple Registered Member

    This is what the log entry says:

    10 Mar 12:48:38 - [P] c:\windows\system32\svchost.exe [956] tried to gain Unknown Flag [01020450][00020450] access on c:\windows\system32\zonelabs\vsmon.exe [1796]

    I welcome any thoughts, ideas, and comments. But I think this is one for DCS.
     
  2. Pilli

    Pilli Registered Member

    Hi Disciple, svchost is your system and probably needs to see what ZA's vsmon is doing.
    Is vsmon listed in PG?
    Svchost should be listed & have all the allows enabled by default.

    HTH Pilli
     
  3. Disciple

    Disciple Registered Member

    Hi Pilli, thanks for the reply. Yep, vsmon is listed in PG and svchost has all of the allows enabled, but none of the Options are enabled or have appeared as blocked in a log entry.

    My reason for posting is to gain insight on what "Unknown Flag" might be about. I don't recall seeing a question/post about it prior to mine.

    After posting this I did a search on "Unknown Flag" that only returned this thread.
     
  4. Pilli

    Pilli Registered Member

    Ah, the unknown flag :) Hopefully Jason will shed some light on it.
     
  5. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Yes, these unknown flags help me pinpoint undocumented Windows flags. They are unknown because there is no documentation describing them.

    Thanks for posting the log, it will be helpful.

    -Jason-
     