Full Disclosure mailing list archives
Re: Window's O/S
From: Brian Dessent <brian () dessent net>
Date: Thu, 24 Nov 2005 04:19:27 -0800
Greg wrote:
> In C:\windows\ the file "nnotepad.exe" remained as I had changed it and a brand new (from the same date as the renamed exe) "notepad.exe" appeared and same under c:\windows\system32 and c:\windows\dllcache as well.
http://www.microsoft.com/whdc/winlogo/drvsign/wfp.mspx
> So my question next is "If I have renamed the whole lot that I could find, where did this replacement notepad.exe come from?" and I can't really answer
The WFP thread watches for file changes and replaces files deemed "system" files whenever they are modified or replaced. This is not unique to notepad. I don't know how this daemon works but I'd assume it keeps a private cached copy of all files so that it can replace them when changed. I think this is what "dllcache" is. This means there are always two copies of the file at any given time, and since it's impossible to atomically delete two files simultaneously, the WFP thread can always use one copy of the file to replace the other. If not it could probably grab it from the .cab file that's usually tucked away in %WINDIR% somewhere.
> that one excepting to say that because notepad is the default html editor in IE6, perhaps IE6 has notepad somehow protected? BTW, my changed default
No, it has nothing to do with IE or the original subject of this thread. Notepad.exe just happens to be one of a large number of files that WFP has on its list.

Brian

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
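The check discussed in this message, as an added example that is not part of the original post: a PowerShell function that asks Windows whether a file is on the protected list and compares the live copy with the dllcache copy. `Test-ProtectedFile` and `Get-Sha1` are hypothetical helper names, and the `System32\dllcache` location is assumed from the paths quoted in the thread; `SfcIsFileProtected` is the documented export of sfc.dll.

```powershell
# Added example (not from the original post). Uses only PowerShell 2.0 features.
# P/Invoke declaration for the documented sfc.dll export SfcIsFileProtected.
$sig = @'
[DllImport("sfc.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool SfcIsFileProtected(IntPtr RpcHandle, string ProtFileName);
'@
Add-Type -MemberDefinition $sig -Name Sfc -Namespace Win32

# Hypothetical helper: SHA-1 of a file as a hex string, via .NET.
function Get-Sha1 {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA1]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { [BitConverter]::ToString($sha.ComputeHash($fs)) }
    finally { $fs.Close() }
}

# Hypothetical helper: report protection status and cache consistency for one file.
function Test-ProtectedFile {
    param([string]$Path)
    $full  = [System.IO.Path]::GetFullPath($Path)
    # Assumption: cached copies live under %WINDIR%\System32\dllcache, as in the thread.
    $cache = Join-Path $env:WINDIR ('System32\dllcache\' + (Split-Path $full -Leaf))
    $hasLive  = Test-Path -LiteralPath $full  -PathType Leaf
    $hasCache = Test-Path -LiteralPath $cache -PathType Leaf
    $matches  = $null            # stays $null when either copy is missing
    if ($hasLive -and $hasCache) {
        $matches = (Get-Sha1 $full) -eq (Get-Sha1 $cache)
    }
    New-Object PSObject -Property @{
        Path         = $full
        Protected    = [Win32.Sfc]::SfcIsFileProtected([IntPtr]::Zero, $full)  # RpcHandle must be NULL
        CacheCopy    = $hasCache
        CacheMatches = $matches
    } | Select-Object Path, Protected, CacheCopy, CacheMatches
}

# The two live locations named in the thread.
'notepad.exe', 'System32\notepad.exe' |
    ForEach-Object { Test-ProtectedFile (Join-Path $env:WINDIR $_) } |
    Format-Table -AutoSize
```

A `CacheMatches` value of `False` on a protected file means the live and cached copies differ, which is worth investigating before trusting either one.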