• About That “inetpub” Folder ...

    From Lawrence D'Oliveiro@21:1/5 to All on Mon Jun 9 23:58:35 2025
    XPost: alt.comp.os.windows-11

    Lately, a mysterious empty folder called “inetpub” has been appearing
    on Windows machines after recent Microsoft security updates. Some were
    old enough to remember that this folder was part of the installation
    of Internet Information Server, which was Microsoft’s attempt to
    compete with the open-source heavyweights in the web server world. It
    was a product that was infamous for its security vulnerabilities, so
    when people saw this familiar name reappear out of the dead past, it
    was no surprise that some went “Aieeee! Security hole! Delete!
    Delete!”.

    But it turns out that this is no bug, it’s a feature! It is somehow a required part of Microsoft’s current security mechanisms for Windows.
    (How? Why? Nobody seems able to explain ...) And not only that, if you
    delete it (accidentally or otherwise), you cannot simply fix things by recreating a folder in the same location with the same name.

    Instead, you have to go through the rigmarole of downloading and
    running some PowerShell script that Microsoft helpfully provides <https://www.tomshardware.com/software/windows/if-you-deleted-that-mysterious-windows-file-microsoft-told-you-not-to-theres-a-new-script-to-restore-it>.

    Even running the script is not a straightforward process: it requires
    the entry of several cumbersome and error-prone shell commands.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Paul@21:1/5 to Lawrence D'Oliveiro on Tue Jun 10 01:14:27 2025
    XPost: alt.comp.os.windows-11

    On Mon, 6/9/2025 7:58 PM, Lawrence D'Oliveiro wrote:
    Lately, a mysterious empty folder called “inetpub” has been appearing
    on Windows machines after recent Microsoft security updates. Some were
    old enough to remember that this folder was part of the installation
    of Internet Information Server, which was Microsoft’s attempt to
    compete with the open-source heavyweights in the web server world. It
    was a product that was infamous for its security vulnerabilities, so
    when people saw this familiar name reappear out of the dead past, it
    was no surprise that some went “Aieeee! Security hole! Delete!
    Delete!”.

    But it turns out that this is no bug, it’s a feature! It is somehow a required part of Microsoft’s current security mechanisms for Windows.
    (How? Why? Nobody seems able to explain ...) And not only that, if you
    delete it (accidentally or otherwise), you cannot simply fix things by recreating a folder in the same location with the same name.

    Instead, you have to go through the rigmarole of downloading and
    running some PowerShell script that Microsoft helpfully provides <https://www.tomshardware.com/software/windows/if-you-deleted-that-mysterious-windows-file-microsoft-told-you-not-to-theres-a-new-script-to-restore-it>.

    Even running the script is not a straightforward process: it requires
    the entry of several cumbersome and error-prone shell commands.


    dir
    Volume in drive C is W11HOME
    Volume Serial Number is

    Directory of C:\

    Mon, 06/12/2023 03:19 AM <DIR> AMD
    Thu, 11/24/2022 06:13 PM <DIR> boot
    Sun, 07/17/2022 12:33 PM <DIR> cygwin
    Mon, 05/23/2022 10:49 PM 12,288 DumpStack.log
    Thu, 12/19/2024 07:57 PM <DIR> ESD
    Wed, 04/09/2025 02:05 AM <DIR> inetpub <=== very pretty, I saw that...
    Sat, 04/23/2022 11:17 PM <DIR> MinGW
    Sat, 05/07/2022 01:24 AM <DIR> PerfLogs
    Mon, 06/09/2025 11:07 PM <DIR> Program Files
    Sat, 05/10/2025 06:40 PM <DIR> Program Files (x86)
    Wed, 02/16/2022 11:06 AM 357,548 Reflect_Install.log
    Wed, 05/28/2025 09:05 AM 94 rescuepe.log
    Wed, 05/28/2025 08:00 AM <DIR> Temp
    Thu, 09/22/2022 06:16 AM <DIR> Users
    Wed, 05/14/2025 12:40 AM <DIR> Windows

    I didn't spend more than about five seconds thinking about that when
    I saw it. I just... moved on.

    *******

    I don't see anyone taking credit for this cheese&cracker spree.

    https://www.powershellgallery.com/packages/Set-InetpubFolderAcl/1.0/Content/Set-InetpubFolderAcl.ps1

    $sddlInetpub = "O:SYG:SYD:P(A;CIOI;GA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;BA)(A;CIOI;GRGX;;;BU)(A;CIOI;GA;;;CO)"

    It's better to print them out stacked. Now, compare to the Security tab on the thing.

    $sddlInetpub = "O:SYG:SYD:P
    (A;CIOI;GA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)
    (A;CIOI;GA;;;SY)
    (A;CIOI;GA;;;BA)
    (A;CIOI;GRGX;;;BU)
    (A;CIOI;GA;;;CO)"

    And roughly translated, that means:

    "Don't fuck with me, I have the death sentence on twelve planets."

    Apparently, that SID is well known (written on the bathroom wall at the pub).

    S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464 = Trusted Installer's SID

    If they would only bring back FAT32, we wouldn't have to do this.

    Paul

  • From vallor@21:1/5 to Paul on Tue Jun 10 06:08:52 2025
    XPost: alt.comp.os.windows-11

    On Tue, 10 Jun 2025 01:14:27 -0400, Paul <[email protected]d> wrote in <1028evl$129fb$[email protected]>:

    On Mon, 6/9/2025 7:58 PM, Lawrence D'Oliveiro wrote:
    Lately, a mysterious empty folder called “inetpub” has been appearing
    on Windows machines after recent Microsoft security updates. Some were
    old enough to remember that this folder was part of the installation
    of Internet Information Server, which was Microsoft’s attempt to
    compete with the open-source heavyweights in the web server world. It
    was a product that was infamous for its security vulnerabilities, so
    when people saw this familiar name reappear out of the dead past, it
    was no surprise that some went “Aieeee! Security hole! Delete!
    Delete!”.

    But it turns out that this is no bug, it’s a feature! It is somehow a
    required part of Microsoft’s current security mechanisms for Windows.
    (How? Why? Nobody seems able to explain ...) And not only that, if you
    delete it (accidentally or otherwise), you cannot simply fix things by
    recreating a folder in the same location with the same name.

    Instead, you have to go through the rigmarole of downloading and
    running some PowerShell script that Microsoft helpfully provides
    <https://www.tomshardware.com/software/windows/if-you-deleted-that-mysterious-windows-file-microsoft-told-you-not-to-theres-a-new-script-to-restore-it>.

    Even running the script is not a straightforward process: it requires
    the entry of several cumbersome and error-prone shell commands.


    dir
    Volume in drive C is W11HOME
    Volume Serial Number is

    Directory of C:\

    Mon, 06/12/2023 03:19 AM <DIR> AMD
    Thu, 11/24/2022 06:13 PM <DIR> boot
    Sun, 07/17/2022 12:33 PM <DIR> cygwin
    Mon, 05/23/2022 10:49 PM 12,288 DumpStack.log
    Thu, 12/19/2024 07:57 PM <DIR> ESD
    Wed, 04/09/2025 02:05 AM <DIR> inetpub <=== very pretty, I saw that...
    Sat, 04/23/2022 11:17 PM <DIR> MinGW
    Sat, 05/07/2022 01:24 AM <DIR> PerfLogs
    Mon, 06/09/2025 11:07 PM <DIR> Program Files
    Sat, 05/10/2025 06:40 PM <DIR> Program Files (x86)
    Wed, 02/16/2022 11:06 AM 357,548 Reflect_Install.log
    Wed, 05/28/2025 09:05 AM 94 rescuepe.log
    Wed, 05/28/2025 08:00 AM <DIR> Temp
    Thu, 09/22/2022 06:16 AM <DIR> Users
    Wed, 05/14/2025 12:40 AM <DIR> Windows

    I didn't spend more than about five seconds thinking about that when
    I saw it. I just... moved on.

    *******

    I don't see anyone taking credit for this cheese&cracker spree.

    https://www.powershellgallery.com/packages/Set-InetpubFolderAcl/1.0/Content/Set-InetpubFolderAcl.ps1

    $sddlInetpub = "O:SYG:SYD:P(A;CIOI;GA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;BA)(A;CIOI;GRGX;;;BU)(A;CIOI;GA;;;CO)"

    It's better to print them out stacked. Now, compare to the Security tab on the thing.

    $sddlInetpub = "O:SYG:SYD:P
    (A;CIOI;GA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)
    (A;CIOI;GA;;;SY)
    (A;CIOI;GA;;;BA)
    (A;CIOI;GRGX;;;BU)
    (A;CIOI;GA;;;CO)"

    And roughly translated, that means:

    "Don't fuck with me, I have the death sentence on twelve planets."

    Could you translate that into something more technical? (That guy ended up with his buddy's arm on the barroom floor, and I'd like to avoid any
    Imperial entanglements.)

    Can I remove the ACL for the trusted installer, for example? Hey, wait a second...

    Okay, just had a conversation with ChatGPT, which says I can completely remove the ACL and I won't have to worry about anything trying to use the funny directory.

    What do you think? Will that prevent scurrilous ruffians from haxoring my Windows virtual machine?


    Apparently, that SID is well known (written on the bathroom wall at the pub).

    S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464 = Trusted Installer's SID

    If they would only bring back FAT32, we wouldn't have to do this.

    Paul

    --
    -v System76 Thelio Mega v1.1 x86_64 NVIDIA RTX 3090Ti 24G
    OS: Linux 6.14.10 D: Mint 22.1 DE: Xfce 4.18 Mem: 258G
    "If you're not confused, you're not paying attention."

  • From Paul@21:1/5 to vallor on Tue Jun 10 04:47:10 2025
    XPost: alt.comp.os.windows-11

    On Tue, 6/10/2025 2:08 AM, vallor wrote:
    On Tue, 10 Jun 2025 01:14:27 -0400, Paul <[email protected]d> wrote in <1028evl$129fb$[email protected]>:

    On Mon, 6/9/2025 7:58 PM, Lawrence D'Oliveiro wrote:
    Lately, a mysterious empty folder called “inetpub” has been appearing
    on Windows machines after recent Microsoft security updates. Some were
    old enough to remember that this folder was part of the installation
    of Internet Information Server, which was Microsoft’s attempt to
    compete with the open-source heavyweights in the web server world. It
    was a product that was infamous for its security vulnerabilities, so
    when people saw this familiar name reappear out of the dead past, it
    was no surprise that some went “Aieeee! Security hole! Delete!
    Delete!”.

    But it turns out that this is no bug, it’s a feature! It is somehow a
    required part of Microsoft’s current security mechanisms for Windows.
    (How? Why? Nobody seems able to explain ...) And not only that, if you
    delete it (accidentally or otherwise), you cannot simply fix things by
    recreating a folder in the same location with the same name.

    Instead, you have to go through the rigmarole of downloading and
    running some PowerShell script that Microsoft helpfully provides
    <https://www.tomshardware.com/software/windows/if-you-deleted-that-mysterious-windows-file-microsoft-told-you-not-to-theres-a-new-script-to-restore-it>.

    Even running the script is not a straightforward process: it requires
    the entry of several cumbersome and error-prone shell commands.


    dir
    Volume in drive C is W11HOME
    Volume Serial Number is

    Directory of C:\

    Mon, 06/12/2023 03:19 AM <DIR> AMD
    Thu, 11/24/2022 06:13 PM <DIR> boot
    Sun, 07/17/2022 12:33 PM <DIR> cygwin
    Mon, 05/23/2022 10:49 PM 12,288 DumpStack.log
    Thu, 12/19/2024 07:57 PM <DIR> ESD
    Wed, 04/09/2025 02:05 AM <DIR> inetpub <=== very pretty, I saw that...
    Sat, 04/23/2022 11:17 PM <DIR> MinGW
    Sat, 05/07/2022 01:24 AM <DIR> PerfLogs
    Mon, 06/09/2025 11:07 PM <DIR> Program Files
    Sat, 05/10/2025 06:40 PM <DIR> Program Files (x86)
    Wed, 02/16/2022 11:06 AM 357,548 Reflect_Install.log
    Wed, 05/28/2025 09:05 AM 94 rescuepe.log
    Wed, 05/28/2025 08:00 AM <DIR> Temp
    Thu, 09/22/2022 06:16 AM <DIR> Users
    Wed, 05/14/2025 12:40 AM <DIR> Windows

    I didn't spend more than about five seconds thinking about that when
    I saw it. I just... moved on.

    *******

    I don't see anyone taking credit for this cheese&cracker spree.

    https://www.powershellgallery.com/packages/Set-InetpubFolderAcl/1.0/Content/Set-InetpubFolderAcl.ps1

    $sddlInetpub = "O:SYG:SYD:P(A;CIOI;GA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;CIOI;GA;;;SY)(A;CIOI;GA;;;BA)(A;CIOI;GRGX;;;BU)(A;CIOI;GA;;;CO)"

    It's better to print them out stacked. Now, compare to the Security tab on the thing.

    $sddlInetpub = "O:SYG:SYD:P
    (A;CIOI;GA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)
    (A;CIOI;GA;;;SY)
    (A;CIOI;GA;;;BA)
    (A;CIOI;GRGX;;;BU)
    (A;CIOI;GA;;;CO)"

    And roughly translated, that means:

    "Don't fuck with me, I have the death sentence on twelve planets."

    Could you translate that into something more technical?

    If every time this topic comes up (an ICACLS representation of a security tab), and you see a new pattern and a new feature, exactly how good of an explanation can you give for these things? I'm no good at parsing these.

    I know one of them is for SYSTEM, one for Administrator, one for User,
    but the CIOI, I'd have to go look that up.

    Ordinary folders are not owned by TrustedInstaller. Typically, only materials to be installed have that ownership ("Program Files"). The TrustedInstaller seems to have
    the same permissions in the example, as Administrator and SYSTEM.

    What you could do, is plug that into CoPilot and ask for an English description of the permissions :-)

    I'm going to run this now, and see what my untarnished folder looks like.

    icacls c:\inetpub /save D:\perms.txt /t /c > D:\Err.txt 2>&1

    The contents of perms.txt (which can be played back with a /restore) are [two lines]:

    inetpub D:PAI(A;;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;OICIIO;GA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;FA;;;SY)(A;OICIIO;GA;;;SY)(A;;FA;;;BA)(A;OICIIO;GA;;;BA)(A;;0x1200a9;;;BU)(A;OICIIO;GXGR;;;BU)(A;OICIIO;GA;;;CO)S:AINO_ACCESS_CONTROL

    Which if stacked so a human could parse them...

    inetpub D:PAI(A;;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)
    (A;OICIIO;GA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)
    (A;;FA;;;SY)
    (A;OICIIO;GA;;;SY)
    (A;;FA;;;BA)
    (A;OICIIO;GA;;;BA)
    (A;;0x1200a9;;;BU)
    (A;OICIIO;GXGR;;;BU)
    (A;OICIIO;GA;;;CO)S:AINO_ACCESS_CONTROL <=== immutable Creator-Owner ???

    The script then, may not be doing the same thing as what is present
    at the current time.

    In any case, if we use the Security tab, it looks like some sort of
    attempt to keep the "Creator Owner" from modifying the folder itself,
    while more or less letting other security principals continue to have
    the normal level of control. TrustedInstaller, SYSTEM, and Administrator
    still have Full Control, the Users (BU) don't have full control, and
    the Creator-Owner, the folder looks unmoveable for them. You can't download over top of it or something. But why anything would even be using that
    folder, I haven't a clue. I thought IIS was limited to only certain OS
    SKUs and the CVE doesn't suggest that is the exposure.

    (That guy ended up
    with his buddy's arm on the barroom floor, and I'd like to avoid any
    Imperial entanglements.)

    Can I remove the ACL for the trusted installer, for example? Hey, wait a second...

    Okay, just had a conversation with ChatGPT, which says I can completely remove
    the ACL and I won't have to worry about anything trying to use the funny directory.

    What do you think? Will that prevent scurrilous ruffians from haxoring my Windows virtual machine?

    If you are going to remove the security properties, then you might as well
    just delete the folder. Then, the Creator-Owner will have control of it,
    which is not supposed to be good.

    I would think, just the Creator-Owner line could do the job, but if other accounts are not granted permissions, then somehow "normal business" in
    the folder could not be carried out. And at this point, we don't know
    what this normal business would be. Unless the idea is, to get IIS to try
    to read the folder and some contents.

    There is an "iissetup.exe" on my machine, implying it can be installed.
    I thought the last time I tried that, it didn't work.

    Paul

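Paul's two posts above ask what the stacked SDDL actually says (SYSTEM, Administrators, Users, but "CIOI, I'd have to go look that up") and whether the Set-InetpubFolderAcl script is "doing the same thing as what is present at the current time" in the icacls /save output. The following decoder is an added example, not code from this thread, from Microsoft, or from the gallery script: it parses SDDL into its O:/G:/D:/S: components and ACEs, prints each ACE the way the Security tab would, and compares two DACLs by effect rather than by spelling. The two SDDL strings are copied from the posts; the two-line path-then-SDDL layout of the icacls /save file follows Paul's "[two lines]" description; the principal abbreviations, rights codes and the TrustedInstaller SID are the documented SDDL values (the SID is also named in the thread). All function names (parse_sddl, describe_ace, effective_rights, compare_dacls and the rest) are this example's own.

```python
# Added example (not code from the thread, from Microsoft, or from the gallery script):
# decode the SDDL strings quoted above, then compare the DACL Set-InetpubFolderAcl.ps1
# applies with the DACL that icacls /save reported for a live C:\inetpub.
import re
from collections import namedtuple

# Inputs copied from the posts; icacls /save writes the path, then its SDDL, two lines per entry.
SCRIPT_SDDL = ("O:SYG:SYD:P"
               "(A;CIOI;GA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)"
               "(A;CIOI;GA;;;SY)(A;CIOI;GA;;;BA)(A;CIOI;GRGX;;;BU)(A;CIOI;GA;;;CO)")
ICACLS_SAVE_TEXT = """inetpub
D:PAI(A;;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;OICIIO;GA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;FA;;;SY)(A;OICIIO;GA;;;SY)(A;;FA;;;BA)(A;OICIIO;GA;;;BA)(A;;0x1200a9;;;BU)(A;OICIIO;GXGR;;;BU)(A;OICIIO;GA;;;CO)S:AINO_ACCESS_CONTROL
"""
WELL_KNOWN = {  # SDDL principal abbreviations, plus the raw SID the thread identifies
    "SY": "NT AUTHORITY\\SYSTEM", "BA": "BUILTIN\\Administrators", "BU": "BUILTIN\\Users",
    "CO": "CREATOR OWNER",
    "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464": "NT SERVICE\\TrustedInstaller"}
RIGHTS = {  # two-letter SDDL rights codes -> access mask
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0}
GENERIC_TO_FILE = {  # what a file-system object maps the generic rights to at access-check time
    0x10000000: 0x001F01FF, 0x80000000: 0x00120089, 0x40000000: 0x00120116, 0x20000000: 0x001200A0}
MASK_NAMES = {0x001F01FF: "Full control (FILE_ALL_ACCESS)", 0x00120089: "Read (FILE_GENERIC_READ)",
              0x001200A9: "Read & execute (FILE_GENERIC_READ | FILE_GENERIC_EXECUTE)"}
# ace_type: A = allow, D = deny.  flags: CI = subfolders, OI = files, IO = inherit-only, ID = inherited
Ace = namedtuple("Ace", "ace_type flags mask sid")
Sddl = namedtuple("Sddl", "owner group dacl_flags dacl sacl_flags sacl")

def _pairs(s):  # 'CIOI' -> ['CI', 'OI']: SDDL flag and rights codes are two letters each
    return [s[i:i + 2] for i in range(0, len(s), 2)]

def parse_mask(rights):  # hex mask such as 0x1200a9, or concatenated codes such as GRGX
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    if not all(code in RIGHTS for code in _pairs(rights)):
        raise ValueError(f"unknown rights code in {rights!r}")
    mask = 0
    for code in _pairs(rights):
        mask |= RIGHTS[code]
    return mask

def to_file_mask(mask):  # swap generic bits for file-system bits, so GA compares equal to FA
    for generic, specific in GENERIC_TO_FILE.items():
        if mask & generic:
            mask = (mask & ~generic) | specific
    return mask

def parse_acl_flags(head):  # control flags before the first '(': P (protected), AI, AR, ...
    if not re.fullmatch(r"(?:NO_ACCESS_CONTROL|AR|AI|P)*", head):
        raise ValueError(f"unknown ACL flag in {head!r}")
    return re.findall(r"NO_ACCESS_CONTROL|AR|AI|P", head)

def parse_acl(body):  # "PAI(A;;FA;;;SY)(...)" -> (control flags, [Ace, ...])
    aces = []
    for inner in re.findall(r"\(([^)]*)\)", body):
        f = inner.split(";")  # type;flags;rights;object_guid;inherit_object_guid;sid
        if len(f) != 6:
            raise ValueError(f"malformed ACE {inner!r}")
        aces.append(Ace(f[0], _pairs(f[1]), parse_mask(f[2]), f[5]))
    return parse_acl_flags(body.split("(", 1)[0]), aces

def parse_sddl(sddl):
    parts = re.split(r"([OGDS]):", sddl.strip())  # split into the O:, G:, D:, S: components
    if parts[0]:
        raise ValueError(f"text before first component: {parts[0]!r}")
    comp = dict(zip(parts[1::2], parts[2::2]))
    dflags, dacl = parse_acl(comp.get("D", ""))
    sflags, sacl = parse_acl(comp.get("S", ""))
    return Sddl(comp.get("O"), comp.get("G"), dflags, dacl, sflags, sacl)

def parse_icacls_save(text):  # {path: Sddl} from the two-lines-per-entry /save format
    lines = [ln for ln in text.splitlines() if ln.strip()]
    return {p.strip(): parse_sddl(s) for p, s in zip(lines[::2], lines[1::2])}

def describe_ace(ace):  # one ACE in Security-tab terms
    who = WELL_KNOWN.get(ace.sid, ace.sid)
    m = to_file_mask(ace.mask)
    targets = [t for t, on in (("this folder", "IO" not in ace.flags), ("subfolders", "CI" in ace.flags),
                               ("files", "OI" in ace.flags)) if on]
    kind = {"A": "Allow", "D": "Deny"}.get(ace.ace_type, ace.ace_type)
    return f"{kind} {who}: {MASK_NAMES.get(m, f'0x{m:08x}')} on {', '.join(targets)}"

def effective_rights(sd):  # {sid: (rights on the folder itself, rights handed down to children)}
    table = {}  # CREATOR OWNER is a placeholder filled in when a child is created, so it
    for ace in sd.dacl:  # grants nothing on the folder itself. Deny ACEs are not modelled here.
        if ace.ace_type != "A":
            raise ValueError("only allow ACEs are modelled here")
        own, child = table.get(ace.sid, (0, 0))
        m = to_file_mask(ace.mask)
        if "IO" not in ace.flags and ace.sid != "CO":
            own |= m
        if "CI" in ace.flags or "OI" in ace.flags:
            child |= m
        table[ace.sid] = (own, child)
    return table

def compare_dacls(a, b):  # differences in effect between two SDDL DACLs, ignoring spelling
    sa, sb = parse_sddl(a), parse_sddl(b)
    diffs = []
    if ("P" in sa.dacl_flags) != ("P" in sb.dacl_flags):
        diffs.append("only one of the two DACLs blocks inheritance from the parent (P)")
    ea, eb = effective_rights(sa), effective_rights(sb)
    for sid in sorted(set(ea) | set(eb)):
        if ea.get(sid, (0, 0)) != eb.get(sid, (0, 0)):
            diffs.append(f"{WELL_KNOWN.get(sid, sid)}: {ea.get(sid)} vs {eb.get(sid)}")
    return diffs
```

Calling describe_ace on each entry of parse_sddl(SCRIPT_SDDL).dacl gives the Security-tab reading Paul was after: the (A;CIOI;GA;;;SY) line is "Allow NT AUTHORITY\SYSTEM: Full control on this folder, subfolders, files", and GRGX for BU decodes to the same 0x1200a9 ("Read & execute") that the icacls output spells out in hex. compare_dacls(SCRIPT_SDDL, <the saved SDDL line>) returns an empty list for the two strings in the thread: once generic rights are mapped to their file-system equivalents, the script's single CIOI ACE per principal and the saved pair of one explicit ACE plus one inherit-only (OICIIO) ACE grant the same thing, and both DACLs carry P. The AI flag in the saved copy only records that the ACL has been through auto-inheritance and grants nothing by itself, and the trailing S:AINO_ACCESS_CONTROL is the (empty) audit ACL, not anything to do with Creator Owner. Two limits are visible from the page itself: the saved line has no O: component, so the ownership the script sets (O:SY) cannot be checked from an icacls /save file, and the CREATOR OWNER handling is a simplification that covers the allow-only ACLs shown here.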
  • From Oscar@21:1/5 to [email protected] on Tue Jun 10 12:11:56 2025
    XPost: alt.comp.os.windows-11

    On Mon, 9 Jun 2025 23:58:35 -0000 (UTC), Lawrence D'Oliveiro
    <[email protected]d> wrote

    Lately, a mysterious empty folder called inetpub has been appearing
    on Windows machines after recent Microsoft security updates.

    I have it, where the folder has a date of 3/6/2025 but I have no idea what
    it is used for. Mine isn't empty though.

    dir /s/a/l/on/b inetpub
    c:\inetpub\custerr
    c:\inetpub\temp
    c:\inetpub\custerr\en-us
    c:\inetpub\custerr\en-us\500-100.asp
    c:\inetpub\temp\apppools
    c:\inetpub\temp\iis temporary compressed files
    c:\inetpub\temp\apppools\apc1690.tmp
    c:\inetpub\temp\apppools\apc17c9.tmp
    c:\inetpub\temp\apppools\apc1846.tmp
    c:\inetpub\temp\apppools\apc1855.tmp
    c:\inetpub\temp\apppools\apc7cb.tmp
    c:\inetpub\temp\apppools\apcc4f.tmp
    c:\inetpub\temp\apppools\apcef03.tmp
    c:\inetpub\temp\apppools\apcf898.tmp
    c:\inetpub\temp\apppools\apcfaea.tmp
    c:\inetpub\temp\apppools\apcfe26.tmp
    c:\inetpub\temp\apppools\bindinginfo.tmp

    Can someone just give me the best way to get rid of it safely?

  • From rsutton@21:1/5 to Lawrence D'Oliveiro on Tue Jun 10 15:00:22 2025
    XPost: alt.comp.os.windows-11

    If you google 'inetpub file on win11' you'll see that it was created by
    the April patch update:

    "The inetpub folder in Windows 11 is a security measure created by the
    April 2025 Patch Tuesday update to address the CVE-2025-21204
    vulnerability. This folder is tied to Internet Information Services
    (IIS), Microsoft's web server, but it's created regardless of whether
    IIS is enabled. Microsoft strongly advises users not to delete this
    folder as it's crucial for system security."

    Richard

    On 6/9/2025 7:58 PM, Lawrence D'Oliveiro wrote:
    Lately, a mysterious empty folder called “inetpub” has been appearing
    on Windows machines after recent Microsoft security updates. Some were
    old enough to remember that this folder was part of the installation
    of Internet Information Server, which was Microsoft’s attempt to
    compete with the open-source heavyweights in the web server world. It
    was a product that was infamous for its security vulnerabilities, so
    when people saw this familiar name reappear out of the dead past, it
    was no surprise that some went “Aieeee! Security hole! Delete!
    Delete!”.

    But it turns out that this is no bug, it’s a feature! It is somehow a required part of Microsoft’s current security mechanisms for Windows.
    (How? Why? Nobody seems able to explain ...) And not only that, if you
    delete it (accidentally or otherwise), you cannot simply fix things by recreating a folder in the same location with the same name.

    Instead, you have to go through the rigmarole of downloading and
    running some PowerShell script that Microsoft helpfully provides <https://www.tomshardware.com/software/windows/if-you-deleted-that-mysterious-windows-file-microsoft-told-you-not-to-theres-a-new-script-to-restore-it>.

    Even running the script is not a straightforward process: it requires
    the entry of several cumbersome and error-prone shell commands.

  • From Paul@21:1/5 to Oscar on Tue Jun 10 16:04:44 2025
    XPost: alt.comp.os.windows-11

    On Tue, 6/10/2025 12:11 PM, Oscar wrote:
    On Mon, 9 Jun 2025 23:58:35 -0000 (UTC), Lawrence D'Oliveiro
    <[email protected]d> wrote

    Lately, a mysterious empty folder called inetpub has been appearing
    on Windows machines after recent Microsoft security updates.

    I have it, where the folder has a date of 3/6/2025 but I have no idea what
    it is used for. Mine isn't empty though.

    dir /s/a/l/on/b inetpub
    c:\inetpub\custerr
    c:\inetpub\temp
    c:\inetpub\custerr\en-us
    c:\inetpub\custerr\en-us\500-100.asp
    c:\inetpub\temp\apppools
    c:\inetpub\temp\iis temporary compressed files
    c:\inetpub\temp\apppools\apc1690.tmp
    c:\inetpub\temp\apppools\apc17c9.tmp
    c:\inetpub\temp\apppools\apc1846.tmp
    c:\inetpub\temp\apppools\apc1855.tmp
    c:\inetpub\temp\apppools\apc7cb.tmp
    c:\inetpub\temp\apppools\apcc4f.tmp
    c:\inetpub\temp\apppools\apcef03.tmp
    c:\inetpub\temp\apppools\apcf898.tmp
    c:\inetpub\temp\apppools\apcfaea.tmp
    c:\inetpub\temp\apppools\apcfe26.tmp
    c:\inetpub\temp\apppools\bindinginfo.tmp

    Can someone just give me the best way to get rid of it safely?


    Is IIS running on your machine ?

    Run "control.exe", select "Programs and Features", look for "Windows Features". Look in there for the IIS entry, examine whether tick boxes have been
    asserted at some time, to install it.

    Turn Windows features on or off

    Internet information Services
    FTP Server
    Web management Tools
    World Wide Web Services
    Internet information Services Hostable Web Core

    You can check in Task Manager, and see if "IIS" process is running.

    My machine has an iisSetup but no iis.exe .

    *******
    # In a deletion attempt of any size, you can scan for junctions first.
    # There shouldn't really be any junctions in here.
    # We will use the resident "robocopy.exe" program for content deletion.
    # We can do this, because the outer permission looks to be "not protecting"
    # any inner content, and not attempting to interfere with an actual IIS running.

    c:
    cd \ # Now at top level C: , will be making a folder.
    md oscartemp # Make an empty folder.

    robocopy.exe C:\oscartemp\ C:\inetpub /MIR /v # Normally, we'd save the output in a log file, but this run is short.
    # Mirroring an empty directory, deletes the contents of the second directory.
    rd oscartemp # Remove the empty folder.

    For the next part, we can try my first attempt at deleting
    an entire OS partition. I cloned a C: partition to make
    a K: partition, which would have all the same permissions.
    The first part of the recipe in this post, uses Junction from Sysinternals,
    to deal with the junctions first. Junctions cause indigestion for
    a number of Windows tools. Some of the tools "step over" junctions
    and emit a warning for each one avoided.

    https://al.howardknight.net/?STYPE=msgid&MSGI=%3C100mia4%243bjrp%241%40dont-email.me%3E

    Using what we learned, we can now attack the empty folder C:\inetpub .
    We're still cd'ed to the top of C: via "cd \" in an Administrator command Prompt.

    rd C:\inetpub\ # First try removing it, without using a mallet
    # If the folder is really empty, and perms OK, this should remove the dir.
    # Do next steps, if it resists.

    takeown /F C:\inetpub\ /r /d y
    icacls C:\inetpub\ /grant Administrators:F /t
    rd C:\inetpub\ /S /Q # Recursive descent, just in case

    That should be enough.

    Summary: You shouldn't be removing this at the moment, and hopefully, it should
    have some perms at the top level to make the top level folder immutable.

    You can easily remove that folder using Linux, but that's not accepted
    here as an answer, if you offered it as an answer. We use the mallets at hand.

    The "takeown" and "icacls" are part of the "itsmine.cmd" two line script.
    I didn't invent this, only copied it.

    Removing a C: partition entirely, is normally difficult. That's why I was
    surprised an Office path or similar, did not throw a wrench in the works.
    Some OS versions have had fairly interesting namespace paths injected,
    and those can't even be copied into Thunderbird (which handles UTF-8),
    let alone be deleted.

    Microsoft has a test philosophy, where they "throw wrenches into everything",
    then stand back and observe the user population for "blowback". That's one
    of the reasons these things are so tough. When they did the C:\inetpub ,
    they weren't half trying. They can apply their extreme difficulty mantra
    if they want. When I make a reference to immutable, it isn't really immutable,
    merely... inconvenient for end users to do. It takes fifty web pages to
    describe the permissions model of Windows. Only the person who invented it,
    really understands it, and he may have written a book.

    Paul

  • From Lawrence D'Oliveiro@21:1/5 to Oscar on Tue Jun 10 23:35:01 2025
    XPost: alt.comp.os.windows-11

    On Tue, 10 Jun 2025 12:11:56 -0400, Oscar wrote:

    Can someone just give me the best way to get rid of it safely?

    You can’t. It’s needed for the Windows security mechanism to work.

  • From Farley Flud@21:1/5 to Oscar on Wed Jun 11 11:36:24 2025
    XPost: alt.comp.os.windows-11

    On Tue, 10 Jun 2025 12:11:56 -0400, Oscar wrote:


    Can someone just give me the best way to get rid of it safely?


    It's easy!

    Just install GNU/Linux and that ridiculous problem, as well
    as all the other ridiculous problems that are associated with
    that joke OS, will disappear.



    --
    Systemd: solving all the problems that you never knew you had.

  • From candycanearter07@21:1/5 to Lawrence D'Oliveiro on Thu Jun 12 15:10:04 2025
    XPost: alt.comp.os.windows-11

    Lawrence D'Oliveiro <[email protected]d> wrote at 23:35 this Tuesday (GMT):
    On Tue, 10 Jun 2025 12:11:56 -0400, Oscar wrote:

    Can someone just give me the best way to get rid of it safely?

    You can’t. It’s needed for the Windows security mechanism to work.


    That seems like a really dumb and insecure bandaid fix.
    --
    user <candycane> is generated from /dev/urandom

  • From Paul@21:1/5 to All on Thu Jun 12 20:27:25 2025
    XPost: alt.comp.os.windows-11

    On Thu, 6/12/2025 11:10 AM, candycanearter07 wrote:
    Lawrence D'Oliveiro <[email protected]d> wrote at 23:35 this Tuesday (GMT):
    On Tue, 10 Jun 2025 12:11:56 -0400, Oscar wrote:

    Can someone just give me the best way to get rid of it safely?

    You can’t. It’s needed for the Windows security mechanism to work.


    That seems like a really dumb and insecure bandaid fix.


    I'm surprised they didn't set the Hidden attribute on it.

    Paul

  • From Paul@21:1/5 to Joel on Fri Jun 13 01:03:17 2025
    XPost: alt.comp.os.windows-11

    On Thu, 6/12/2025 10:03 PM, Joel wrote:
    Joel <[email protected]> wrote:

    Is it easy for people who *don't* listen to your bullshit about using
    Gentoo and LFS, nimrod?


    That should be, "Is it easy for people who listen to [...]"


    I actually recommend Gentoo to people too. Just
    for the Gentoo Handbook. It's an easy recipe to follow
    up to a point.

    When I've run Gentoo, it works best if you use it every
    day. The fun happens if you don't boot it for six months,
    then you attempt to catch up on "changes" over the six months.

    The first time I got stuck in a "cant-go-forward",
    "cant-go-back" package management issue, there were
    comments about using biases to get out of it. I actually
    managed to escape, and it was all working again.

    But the package manager just kept getting thicker and
    thicker. The next time I got caught in one of those
    situations, I couldn't figure out how to escape and
    keep the package management working.

    I even set up a DISTCC server on my second PC that had
    more cores (possibly the six core Test Machine), to help
    my weaker daily driver do a make world. You need the same
    distro state on both, for that to work.

    It's fun as a technical challenge, but when something
    breaks, it can be past my pay scale to fix. It's still
    educational, and will make you more familiar with the
    file tree.

    I've been hacking things like that for a long time. My group,
    working on UNIX boxes, we had sweet fuck all for software to
    use at work. We didn't even have a web browser, when web
    browsers first came out. Imagine trying to use Lynx to
    collect engineering data from electronics sites. But we used
    to build our own novelty softwares in the X11R4/X11R5 era.
    One department had their own X11R5 tree. I could have set one
    up, but I didn't want too many questions about it. When they
    caught me building a browser from source, they made me delete it.
    That may have been NCSA Mosaic.

    [Picture]

    https://i.postimg.cc/s2sSnJS9/xeyes-are-watching.gif

    Paul

  • From Paul@21:1/5 to Joel on Fri Jun 13 01:57:34 2025
    XPost: alt.comp.os.windows-11

    On Fri, 6/13/2025 1:23 AM, Joel wrote:
    Paul <[email protected]d> wrote:

    Is it easy for people who *don't* listen to your bullshit about using
    Gentoo and LFS, nimrod?

    That should be, "Is it easy for people who listen to [...]"

    I actually recommend Gentoo to people too. Just
    for the Gentoo Handbook. It's an easy recipe to follow
    up to a point.

    When I've run Gentoo, it works best if you use it every
    day. The fun happens if you don't boot it for six months,
    then you attempt to catch up on "changes" over the six months.

    The first time I got stuck in a "cant-go-forward",
    "cant-go-back" package management issue, there were
    comments about using biases to get out of it. I actually
    managed to escape, and it was all working again.

    But the package manager just kept getting thicker and
    thicker. The next time I got caught in one of those
    situations, I couldn't figure out how to escape and
    keep the package management working.

    I even set up a DISTCC server on my second PC that had
    more cores (possibly the six core Test Machine), to help
    my weaker daily driver do a make world. You need the same
    distro state on both, for that to work.

    It's fun as a technical challenge, but when something
    breaks, it can be past my pay scale to fix. It's still
    educational, and will make you more familiar with the
    file tree.

    I've been hacking things like that for a long time. My group,
    working on UNIX boxes, we had sweet fuck all for software to
    use at work. We didn't even have a web browser, when web
    browsers first came out. Imagine trying to use Lynx to
    collect engineering data from electronics sites. But we used
    to build our own novelty softwares in the X11R4/X11R5 era.
    One department had their own X11R5 tree. I could have set one
    up, but I didn't want too many questions about it. When they
    caught me building a browser from source, they made me delete it.
    That may have been NCSA Mosaic.


    I just think it's absurd to try to manually set up the OS, if the idea
    is to have a modern OS. Larry's system is so rudimentary. It's
    impossible to understand why he treasures it, the obsession with
    compiling relative to his exact hardware, etc. Debian with Cinnamon
    gives one a Windows-like environment in Linux. It's just not
    customizable to the Nth degree. He's stupid, retarded, obsessive. He
    just needs to get a life.


    I prefer people to know something about what they're using.

    One thing that really irritates me, is someone may mention a
    hard drive is sick, and the damn thing is 30 seconds from death,
    and they really think they're getting to keep their files.
    These people are oblivious to what's going on under the hood,
    and anything you can post to make them more aware about
    what they're using, means fewer silly threads about
    "so how can I get my files back?" later.

    You can be naive, up to a point, but there are some things
    you should not ignore. I feel the same way when I spot a car
    with under-inflated tires, and any sort of hint to the person
    about the dangers of driving that way, it's worth a mention.

    One twit in a grocery store parking lot, in the middle of
    winter, the entire inside of the car was frosted up.
    I told them about the vents in the trunk getting stuck,
    and the need to make sure that air is flowing through the
    heater. It was a waste of time.

    I actually witnessed a crash, on a car in similar shape. Someone
    was driving on a four lane main road near me, I was walking up
    to the grocery store, they were driving and scraping a completely
    frosted windshield with a credit card. They ran into a car
    merging into the road from the right. When the parties got out
    of their cars (unhurt), I pointed out to the person that was
    merging, that the other driver couldn't see a thing. That's
    when he called police on his cell. And as I faded into the
    distance, the police car was there :-/

    Paul

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Daniel70@21:1/5 to Paul on Fri Jun 13 20:29:06 2025
    XPost: alt.comp.os.windows-11

    On 13/06/2025 3:03 pm, Paul wrote:

    <Snip>

    I even set up a DISTCC server on my second PC that had
    more cores (possibly the six core Test Machine), to help
    my weaker daily driver do a make world. You need the same
    distro state on both, for that to work.

    WHY?? Why do you have your 'Power' machine (possibly the six core Test
    Machine) sitting in the Backroom twiddling its thumbs whilst you use
    your weaker daily driver to do a make world??

    Paul wouldn't it be better to have all the power at your finger-tips and
    let the 'lesser' machine do all the non-time critical stuff??
    --
    Daniel70

  • From Paul@21:1/5 to All on Fri Jun 13 08:33:40 2025
    XPost: alt.comp.os.windows-11

    On Fri, 6/13/2025 6:29 AM, Daniel70 wrote:
    On 13/06/2025 3:03 pm, Paul wrote:

    <Snip>

    I even set up a DISTCC server on my second PC that had
    more cores (possibly the six core Test Machine), to help
    my weaker daily driver do a make world. You need the same
    distro state on both, for that to work.

    WHY?? Why do you have your 'Power' machine (possibly the six core Test Machine) sitting in the Backroom twiddling its thumbs whilst you use your weaker daily driver to do a make world??

    Paul wouldn't it be better to have all the power at your finger-tips and let the 'lesser' machine do all the non-time critical stuff??

    You worry too much about details :-)

    Small machines are quieter. The really powerful machine
    here, has loud fans, and so it doesn't stay on for long
    periods of time. The computer I'm typing on, you could
    almost run it with the fan unplugged.

    The previous small machine, it died. Another has taken its place.
    65W processor. My PC currently draws 32W from mains. The Test Machine
    (used for the DISTCC application), it draws 100W at idle. It has
    the poorest idle performance, of anything in the room. It's off right
    now.

    My first PC, drew 150W at idle (wot a pig!). Back in those
    days, the video cards didn't have any power saving modes.

    I didn't plan it that way. It wasn't a conscious effort.
    But when I look at what has happened, the machines are
    neatly sorted by power/noise, without me being aware I was
    doing that. It's just how it worked out. "The more noise
    you make, the less often you're ON".

    Paul

  • From candycanearter07@21:1/5 to Paul on Fri Jun 13 20:50:15 2025
    XPost: alt.comp.os.windows-11

    Paul <[email protected]d> wrote at 00:27 this Friday (GMT):
    On Thu, 6/12/2025 11:10 AM, candycanearter07 wrote:
    Lawrence D'Oliveiro <[email protected]d> wrote at 23:35 this Tuesday (GMT):
    On Tue, 10 Jun 2025 12:11:56 -0400, Oscar wrote:

    Can someone just give me the best way to get rid of it safely?

    You can’t. It’s needed for the Windows security mechanism to work.


    That seems like a really dumb and insecure bandaid fix.


    I'm surprised they didn't set the Hidden attribute on it.

    Paul


    They DIDN'T?? That seems like a disaster waiting to happen.
    --
    user <candycane> is generated from /dev/urandom

  • From Paul@21:1/5 to All on Fri Jun 13 18:50:22 2025
    XPost: alt.comp.os.windows-11

    On Fri, 6/13/2025 4:50 PM, candycanearter07 wrote:
    Paul <[email protected]d> wrote at 00:27 this Friday (GMT):
    On Thu, 6/12/2025 11:10 AM, candycanearter07 wrote:
    Lawrence D'Oliveiro <[email protected]d> wrote at 23:35 this Tuesday (GMT):
    On Tue, 10 Jun 2025 12:11:56 -0400, Oscar wrote:

    Can someone just give me the best way to get rid of it safely?

    You can’t. It’s needed for the Windows security mechanism to work.


    That seems like a really dumb and insecure bandaid fix.


    I'm surprised they didn't set the Hidden attribute on it.

    Paul


    They DIDN'T?? That seems like a disaster waiting to happen.


    The purpose of hiding it, is so the ordinary users do not remove it.

    It has nothing to do with protecting a thing from an exploit.

    This is why I like the protections on WinRE.wim file (emergency
    boot OS container). It's got all sorts of Hidden and System
    attributes set on it. All this does, is annoy the fuck out
    of people like me, working on fixing it. And it does nothing
    at all to stop a Black Hat.

    But still, the Hidden is to hide cosmetic issues, such
    as if you are using this trick (temporarily) as a fix.

    As an example, the Process Monitor you can download from
    Microsoft, it has a boot trace option, where you can trace
    execution (ETW events) from T=0. What people don't know
    (because they can't see it), is a "procmon23.sys" or similar,
    is added to System32, and that module is loaded at boot time.
    Since the Hidden bit is set on it, people can't see it, and
    the program does not clean up after itself and remove the
    file again. When the API changes, the version is bumped
    to "procmon24.sys".

    How can I spot those? Using nfi.exe, for NTFS listing.
    That parses the $MFT (Master File Table) and avoids a lot of issues.

    Let's see if I have a procmon passenger on board.

    .\nfi.exe C: > D:\nfi-c-out.txt

    File 8170
    \Windows\System32\drivers\PROCMON24.SYS <=== passenger!
    $STANDARD_INFORMATION (resident)
    $FILE_NAME (resident)
    $FILE_NAME (resident)
    $DATA (nonresident)
    logical sectors 287064-287223 (0x46158-0x461f7)
    logical sectors 292472-292479 (0x47678-0x4767f)

    *******
    Command Prompt:

    cd /d C:\Windows\System32\drivers\

    dir /ah PROCMON2*
    Volume in drive C is W11HOME
    Volume Serial Number is FA6E-E123

    Directory of C:\Windows\System32\drivers

    Sat, 05/31/2025 1:23 PM 82,344 PROCMON24.SYS

    Paul

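    The point Paul makes above is that the Hidden attribute only keeps a file
    out of a casual directory listing; it says nothing about whether the file
    is signed or whether anything actually loads it. The following PowerShell
    is an added example written for this page, not code from Paul, Sysinternals
    or Microsoft. It lists the Hidden/System files in System32\drivers (the ones
    a plain `dir` skips and `dir /ah` shows), checks each one's Authenticode
    signature, and reports whether any kernel driver service is registered to
    load it. It assumes an elevated Windows PowerShell 5.1 or later session,
    and it matches files to driver services by file name only, which is an
    approximation: the PathName recorded for a service is not always an
    absolute path.

    ```powershell
    # Added example, not from the thread. Lists Hidden/System files in the
    # drivers directory, checks their Authenticode signatures, and shows
    # whether a kernel driver service (Win32_SystemDriver) points at each one.
    # Assumptions: elevated Windows PowerShell 5.1+; service-to-file matching
    # is by file name, which is an approximation.

    function Get-HiddenDriverReport {
        [CmdletBinding()]
        param(
            # Directory to scan; the thread's example lives in System32\drivers.
            [string]$Path = (Join-Path $env:SystemRoot 'System32\drivers')
        )

        # Win32_SystemDriver enumerates kernel-mode driver services; PathName is
        # the image each one loads. Used below to see whether a file is wired in.
        $services = Get-CimInstance -ClassName Win32_SystemDriver |
            Where-Object { $_.PathName }

        # -Force is what makes Get-ChildItem return Hidden and System entries;
        # without it the listing looks as clean as a plain 'dir'.
        $mask = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
        Get-ChildItem -Path $Path -File -Force |
            Where-Object { ($_.Attributes -band $mask) -ne 0 } |
            ForEach-Object {
                $file = $_
                # Status is Valid, NotSigned, HashMismatch, UnknownError, etc.
                $sig = Get-AuthenticodeSignature -FilePath $file.FullName
                # Match by leaf name (assumption noted above).
                $svc = $services | Where-Object {
                    [IO.Path]::GetFileName($_.PathName) -ieq $file.Name
                }
                [PSCustomObject]@{
                    Name       = $file.Name
                    Size       = $file.Length
                    Modified   = $file.LastWriteTime
                    Attributes = $file.Attributes
                    SigStatus  = $sig.Status
                    Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
                    Service    = if ($svc) { ($svc.Name -join ',') } else { '(not registered)' }
                    State      = if ($svc) { ($svc.State -join ',') } else { '' }
                }
            }
    }

    # Usage: hidden files that are unsigned, or that no driver service refers
    # to, are the ones worth a second look. A Sysinternals-signed, unregistered
    # PROCMON2x.SYS would be the harmless leftover Paul describes.
    Get-HiddenDriverReport | Sort-Object SigStatus, Name | Format-Table -AutoSize
    ```

    Nothing here depends on the Hidden bit being honest: `-Force` ignores it,
    and the signature and service checks are what separate a leftover tracing
    driver from something that was placed there to be overlooked. An attacker
    who can write to System32\drivers can set or clear attributes at will, so
    treat the attribute as a UI hint, as Paul says, and the signature check as
    the actual control.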
  • From Lawrence D'Oliveiro@21:1/5 to Paul on Fri Jun 13 23:36:54 2025
    XPost: alt.comp.os.windows-11

    On Fri, 13 Jun 2025 18:50:22 -0400, Paul wrote:

    What people don't know (because they can't see it), is a
    "procmon23.sys" or similar, is added to System32, and that module is
    loaded at boot time. Since the Hidden bit is set on it, people can't
    see it, and the program does not clean up after itself and remove
    the file again. When the API changes, the version is bumped to "procmon24.sys".

    What a clunky way of versioning shared libraries.

    The Linux way is twofold: add a versioning suffix to the name of the
    library, and also versioning the individual symbols themselves. This way
    the name of the library in the SDK doesn’t need to change.

  • From Paul@21:1/5 to Lawrence D'Oliveiro on Fri Jun 13 22:53:33 2025
    XPost: alt.comp.os.windows-11

    On Fri, 6/13/2025 7:36 PM, Lawrence D'Oliveiro wrote:
    On Fri, 13 Jun 2025 18:50:22 -0400, Paul wrote:

    What people don't know (because they can't see it), is a
    "procmon23.sys" or similar, is added to System32, and that module is
    loaded at boot time. Since the Hidden bit is set on it, people can't
    see it, and the program does not clean up after itself and remove
    the file again. When the API changes, the version is bumped to
    "procmon24.sys".

    What a clunky way of versioning shared libraries.

    The Linux way is twofold: add a versioning suffix to the name of the
    library, and also versioning the individual symbols themselves. This way
    the name of the library in the SDK doesn’t need to change.


    The file was named that way by Russinovich, the developer.
    And he does his own file injection. If he finds the procmon23.sys
    he removes it and installs the procmon24.sys. It's a private
    file just for him, not shared in the conventional sense. It's
    not tracked and updated by Windows Side By Side (WinSXS). Windows
    is not supposed to know it is there, it's not loaded on boot,
    but it is used privately for doing a trace.

    If it was a system file, then the version would be managed
    with the version string, and various versions could be in WinSXS.
    Just as Linux keeps some kernels, and if the latest kernel won't
    boot, you can use the menu to select a slightly older one.

    ntoskrnl.exe
    File Version 6.2.22621.5471
    Product Version 10.0.22621.5471 (and it's on Windows 11)
    Date June10,2025

    There is no ad hoc versioning there.

    At one time, Microsoft used to version files, via their byte count.
    "Remove the old file with 12346 bytes, replace with the 12345 byte file."
    They have traveled some distance, on the versioning topic,
    but they still do things that do not impress.

    Paul

  • From Lawrence D'Oliveiro@21:1/5 to Paul on Sat Jun 14 07:10:13 2025
    XPost: alt.comp.os.windows-11

    On Fri, 13 Jun 2025 22:53:33 -0400, Paul wrote:

    The file was named that way by Russinovich, the developer.
    And he does his own file injection. If he finds the procmon23.sys he
    removes it and installs the procmon24.sys. It's a private file just for
    him, not shared in the conventional sense. It's not tracked and updated
    by Windows Side By Side (WinSXS). Windows is not supposed to know it is there, it's not loaded on boot, but it is used privately for doing a
    trace.

    It’s pretty scary to think one lone developer can inject such code into Windows that Windows itself does not know about.

    Just as Linux keeps some kernels,and if the latest kernel won't boot,
    you can use the menu to select a slightly older one.

    The Linux kernel itself knows which version it is, though. Nothing is
    being hidden from it.

  • From Paul@21:1/5 to Lawrence D'Oliveiro on Sat Jun 14 05:02:11 2025
    XPost: alt.comp.os.windows-11

    On Sat, 6/14/2025 3:10 AM, Lawrence D'Oliveiro wrote:
    On Fri, 13 Jun 2025 22:53:33 -0400, Paul wrote:

    The file was named that way by Russinovich, the developer.
    And he does his own file injection. If he finds the procmon23.sys he
    removes it and installs the procmon24.sys. It's a private file just for
    him, not shared in the conventional sense. It's not tracked and updated
    by Windows Side By Side (WinSXS). Windows is not supposed to know it is
    there, it's not loaded on boot, but it is used privately for doing a
    trace.

    It’s pretty scary to think one lone developer can inject such code into Windows that Windows itself does not know about.

    Just as Linux keeps some kernels,and if the latest kernel won't boot,
    you can use the menu to select a slightly older one.

    The Linux kernel itself knows which version it is, though. Nothing is
    being hidden from it.


    Ring 3 is awash in good stuff. Relying on Ring0 as a potential
    way to maintain law and order.

    Back in the cooperative multitasking days, this is why systems
    were crashing all the time. Any time some strange pork like this
    loaded, the OS would tip over. It required that everyone
    have the highest quality of code (think of all your applications,
    being coded with driver techniques).

    Preemptive multitasking allows a lot more rubbish to load.
    Why, the OS even runs the programs I write :-/ You know,
    some commercial AV tools, they would gun down my EXE files
    and not allow them to run ("reputation" detection, never
    seen the hash before).

    And Microsoft is aware of these issues, as they are writing
    out third party drivers (Ring0). They are working on improving
    the walls of their cardboard fortress in Ring0.

    30% of crashes, used to be caused by the NVidia driver. Now, the
    NVidia driver on Windows, it is claimed, runs in some kind of
    container. It also has some watchdog capability (can be restarted
    after the screen "blinks black"). They may not be able
    to remove that driver, but the cardboard walls are going up.

    Paul

  • From Daniel70@21:1/5 to Paul on Sat Jun 14 21:16:39 2025
    XPost: alt.comp.os.windows-11

    On 14/06/2025 7:02 pm, Paul wrote:

    <Snip>

    Preemptive multitasking allows a lot more rubbish to load.
    Why, the OS even runs the programs I write :-/ You know,
    some commercial AV tools, they would gun down my EXE files
    and not allow them to run ("reputation" detection, never
    seen the hash before).

    And Microsoft is aware of these issues, as they are writing
    out third party drivers (Ring0). They are working on improving
    the walls of their cardboard fortress in Ring0.

    So would this put them in the same boat as Apple?? Nothing would get
    onto a Win System without MS approving it??
    --
    Daniel70

  • From Paul@21:1/5 to All on Sat Jun 14 12:03:49 2025
    XPost: alt.comp.os.windows-11

    On Sat, 6/14/2025 7:16 AM, Daniel70 wrote:
    On 14/06/2025 7:02 pm, Paul wrote:

    <Snip>

    Preemptive multitasking allows a lot more rubbish to load.
    Why, the OS even runs the programs I write :-/ You know,
    some commercial AV tools, they would gun down my EXE files
    and not allow them to run ("reputation" detection, never
    seen the hash before).

    And Microsoft is aware of these issues, as they are writing
    out third party drivers (Ring0). They are working on improving
    the walls of their cardboard fortress in Ring0.

    So would this put them in the same boat as Apple?? Nothing would get onto a Win System without MS approving it??

    You can see some kind of "intent", in the usage of smartphone apps.

    They have a strategic direction to "copy Apple's success". But that
    does not mean slavishly copying tiny details. Microsoft does
    not have a "reality distortion field" and are not likely to get
    one any time soon.

    It's a bit like trying to bake a pie, when you have no pie filling.
    It sorta looks like a pie, but... not quite.

    You can see the attempt to escape who they are, in the
    shipping of Windows-S. You won't find too many people who voluntarily
    run computing equipment that way. Only in Enterprise, might you
    attempt that (locked-down environment).

    While the Microsoft Store is better than it used to be, I don't look
    forward to entering search terms in the interface, because I'll be
    shoveling through things I don't want to see. The store used to be
    "200,000 copies of Flappy Birds", but they've stopped trying
    to overload the eyeballs with 29 color presentations with
    no way to distinguish between them. As a user, you know that
    underneath that less-cluttered facade, those Birds are
    hiding in there... somewhere :-)

    If they ever dump Win32, *then* they're in deep trouble. That's why
    I have a dual-boot computer.

    Paul

  • From Lawrence D'Oliveiro@21:1/5 to Paul on Sat Jun 14 23:22:15 2025
    XPost: alt.comp.os.windows-11

    On Sat, 14 Jun 2025 05:02:11 -0400, Paul wrote:

    And Microsoft is aware of these issues, as they are writing
    out third party drivers (Ring0). They are working on improving
    the walls of their cardboard fortress in Ring0.

    The Linux world solves the problem by submitting the drivers to open-
    source peer review.

  • From Paul@21:1/5 to Lawrence D'Oliveiro on Sat Jun 14 23:15:21 2025
    XPost: alt.comp.os.windows-11

    On Sat, 6/14/2025 7:22 PM, Lawrence D'Oliveiro wrote:
    On Sat, 14 Jun 2025 05:02:11 -0400, Paul wrote:

    And Microsoft is aware of these issues, as they are writing
    out third party drivers (Ring0). They are working on improving
    the walls of their cardboard fortress in Ring0.

    The Linux world solves the problem by submitting the drivers to open-
    source peer review.


    Yes, the NVidia binary blob :-) <snicker>

    That means, roughly speaking, the NVidia binary blob got
    just as much review on Linux as it did on Windows.

    Paul

  • From Lawrence D'Oliveiro@21:1/5 to Paul on Sun Jun 15 03:42:54 2025
    XPost: alt.comp.os.windows-11

    On Sat, 14 Jun 2025 23:15:21 -0400, Paul wrote:

    On Sat, 6/14/2025 7:22 PM, Lawrence D'Oliveiro wrote:

    On Sat, 14 Jun 2025 05:02:11 -0400, Paul wrote:

    And Microsoft is aware of these issues, as they are writing
    out third party drivers (Ring0). They are working on improving
    the walls of their cardboard fortress in Ring0.

    The Linux world solves the problem by submitting the drivers to open-
    source peer review.

    Yes, the NVidia binary blob :-) <snicker>

    That means, roughly speaking, the NVidia binary blob got
    just as much review on Linux as it did on Windows.

    Just as well most of us don’t use Nvidia ...

  • From vallor@21:1/5 to Paul on Mon Jun 16 05:30:47 2025
    XPost: alt.comp.os.windows-11

    On Sat, 14 Jun 2025 23:15:21 -0400, Paul <[email protected]d> wrote in <102ldsb$m8mk$[email protected]>:

    On Sat, 6/14/2025 7:22 PM, Lawrence D'Oliveiro wrote:
    On Sat, 14 Jun 2025 05:02:11 -0400, Paul wrote:

    And Microsoft is aware of these issues, as they are writing out third
    party drivers (Ring0). They are working on improving the walls of
    their cardboard fortress in Ring0.

    The Linux world solves the problem by submitting the drivers to open-
    source peer review.


    Yes, the NVidia binary blob :-) <snicker>

    Old news -- the newer branch of NVIDIA drivers is MIT/GPL
    licensed.

    That means, roughly speaking, the NVidia binary blob got just as much
    review on Linux as it did on Windows.

    Used to be that way. Not any more.

    https://github.com/NVIDIA/open-gpu-kernel-modules

    In fact, with some of their newer GPU cards, you _must_
    use the MIT/GPL branch.

    --
    -v ASUS TUF DASH F15 x86_64 NVIDIA RTX 3060 Mobile 6G
    OS: Linux 6.8.0-60-generic D: Mint 22.1 DE: Xfce 4.18 Mem: 258G
    "Always remember you're unique - just like everyone else."

  • From Paul@21:1/5 to vallor on Mon Jun 16 08:27:20 2025
    XPost: alt.comp.os.windows-11

    On Mon, 6/16/2025 1:30 AM, vallor wrote:
    On Sat, 14 Jun 2025 23:15:21 -0400, Paul <[email protected]d> wrote in <102ldsb$m8mk$[email protected]>:

    On Sat, 6/14/2025 7:22 PM, Lawrence D'Oliveiro wrote:
    On Sat, 14 Jun 2025 05:02:11 -0400, Paul wrote:

    And Microsoft is aware of these issues, as they are writing out third
    party drivers (Ring0). They are working on improving the walls of
    their cardboard fortress in Ring0.

    The Linux world solves the problem by submitting the drivers to open-
    source peer review.


    Yes, the NVidia binary blob :-) <snicker>

    Old news -- the newer branch of NVIDIA drivers is MIT/GPL
    licensed.

    That means, roughly speaking, the NVidia binary blob got just as much
    review on Linux as it did on Windows.

    Used to be that way. Not any more.

    https://github.com/NVIDIA/open-gpu-kernel-modules

    In fact, with some of their newer GPU cards, you _must_
    use the MIT/GPL branch.


    "When packaged in the NVIDIA .run installation package, the
    OS-agnostic component is provided as a binary: it is large
    and time-consuming to compile, so pre-built versions are
    provided so that the user does not have to compile it during
    every driver installation. For the nvidia.ko kernel module,
    this component is named "nv-kernel.o_binary". For the
    nvidia-modeset.ko kernel module, this component is named
    "nv-modeset-kernel.o_binary". Neither nvidia-drm.ko nor
    nvidia-uvm.ko have OS-agnostic components."

    It's NVidia, and the ball isn't under any of the three cups?

    That's the first thing I check for, is whether it is even remotely
    a "driver" as such.

    Paul

  • From candycanearter07@21:1/5 to Paul on Mon Jun 16 19:20:06 2025
    XPost: alt.comp.os.windows-11

    Paul <[email protected]d> wrote at 22:50 this Friday (GMT):
    On Fri, 6/13/2025 4:50 PM, candycanearter07 wrote:
    Paul <[email protected]d> wrote at 00:27 this Friday (GMT):
    On Thu, 6/12/2025 11:10 AM, candycanearter07 wrote:
    Lawrence D'Oliveiro <[email protected]d> wrote at 23:35 this Tuesday (GMT):
    On Tue, 10 Jun 2025 12:11:56 -0400, Oscar wrote:

    Can someone just give me the best way to get rid of it safely?

    You can’t. It’s needed for the Windows security mechanism to work.

    That seems like a really dumb and insecure bandaid fix.


    I'm surprised they didn't set the Hidden attribute on it.

    Paul


    They DIDN'T?? That seems like a disaster waiting to happen.


    The purpose of hiding it, is so the ordinary users do not remove it.

    It has nothing to do with protecting a thing from an exploit.

    This is why I like the protections on WinRE.wim file (emergency
    boot OS container). It's got all sorts of Hidden and System
    attributes set on it. All this does, is annoy the fuck out
    of people like me, working on fixing it. And it does nothing
    at all to stop a Black Hat.

    But still, the Hidden is to hide cosmetic issues, such
    as if you are using this trick (temporarily) as a fix.

    As an example, the Process Monitor you can download from
    Microsoft, it has a boot trace option, where you can trace
    execution (ETW events) from T=0. What people don't know
    (because they can't see it), is a "procmon23.sys" or similar,
    is added to System32, and that module is loaded at boot time.
    Since the Hidden bit is set on it, people can't see it, and
    the program does not clean up after itself and remove the
    file again. When the API changes, the version is bumped
    to "procmon24.sys".

    How can I spot those? Using nfi.exe, for NTFS listing.
    That parses the $MFT (Master File Table) and avoids a lot of issues.

    Let's see if I have a procmon passenger on board.

    .\nfi.exe C: > D:\nfi-c-out.txt

    File 8170
    \Windows\System32\drivers\PROCMON24.SYS <=== passenger!
    $STANDARD_INFORMATION (resident)
    $FILE_NAME (resident)
    $FILE_NAME (resident)
    $DATA (nonresident)
    logical sectors 287064-287223 (0x46158-0x461f7)
    logical sectors 292472-292479 (0x47678-0x4767f)

    *******
    Command Prompt:

    cd /d C:\Windows\System32\drivers\

    dir /ah PROCMON2*
    Volume in drive C is W11HOME
    Volume Serial Number is FA6E-E123

    Directory of C:\Windows\System32\drivers

    Sat, 05/31/2025 1:23 PM 82,344 PROCMON24.SYS

    Paul


    Yeah, so if it was hidden, then people wouldn't have been freaking out.
    Maybe they could also provide a script to unhide it for the people who
    actually use it.
    --
    user <candycane> is generated from /dev/urandom
