Douglas Brown wrote Wednesday, March 12, 2003 11:55 > 220 winlogon -> 109 TCP \??\C:\WINNT\system32\winlogon.exe This output does not indicate confusion about the path. It just means c:\WINNT\system32\winlogon.exe, and it is the normal path reported for Winlogon by fport and other utilities. As to why it is reported like that, here's a quote from http://msdn.microsoft.com/msdnmag/issues/02/06/debug/default.aspx " For some reason, the path names returned by GetModuleFilenameEx or the TOOLHELP32 module functions are very strange; they don't follow the Win32 standard. For example, smss is retrieved as "\SystemRoot\System32\smss.exe"; "\SystemRoot must be replaced by the actual name of the Windows folder. For winlogon, you get "\??\C:\WINNT\system32\winlogon.exe," which should be translated into "C:\WINNT\system32\winlogon.exe." The \??\ prefix might be a leftover from the Windows NT namespace root, essential in kernel mode, even though it is rarely used at the Win32 programming level. " So don't worry about the path reported by fport. The TCP 109 looks rather odd, though. I don't know the answer to that. ---------------------------------------------------------------------------- <Pre>Lose another weekend managing your IDS? Take back your personal time. 15-day free trial of StillSecure Border Guard.</Pre> <A href="http://www.securityfocus.com/stillsecure"> http://www.securityfocus.com/stillsecure </A>
This archive was generated by hypermail 2b30 : Thu Mar 13 2003 - 07:53:30 PST