• Some users have recently had their accounts hijacked. It seems that the now defunct EVGA forums might have compromised your password there and seems many are using the same PW here. We would suggest you UPDATE YOUR PASSWORD and TURN ON 2FA for your account here to further secure it. None of the compromised accounts had 2FA turned on.
    Once you have enabled 2FA, your account will be updated soon to show a badge, letting other members know that you use 2FA to protect your account. This should be beneficial for everyone that uses FSFT.

Procmon CreateFile C: What File?

Sayth

Gawd
Joined
Oct 7, 2001
Messages
618
So I posted this under networking and security by accident. Asked mod to move it but they didn't so yes this is a repost. I'm sorry.

I'm running procmon to validate some software and am trying to figure out why I have thousands of:

Code:
CreateFile C:
and
Code:
CreateFile C:\
and
Code:
CreateFile C:\ProgramFiles

The disposition is "Open" so I know it has something to do with opening a file but what file? It shouldn't be looking at the root of the C: drive at all.

Most end in "Success"

I've tried looking in the properties and the stack. I can't see any indication of what file.
 
CreateFile creates a file handle, not necessarily a file. You'll see this traversal in ProcMon as a file is opened in a deeper directory, or as files are enumerated with APIs like FindFirstFile.
 
Okay thats what I was wondering. In a sense it's following the steps to the file such as:

Open C: > Open C:\ > Open C:\Program Files > Open C:\Program Files\CoolSoftware > Open C:\Program Files\CoolSoftware\ConfigurationFile.cfg ?

Now i just need to figure out why it's opening and reading the C:\Autoexec.bat file. It's empty, but why does it need to look in there... hmmmmm

Thank for your reply!
 
Back
Top