Saturday 24 February 2018

Strange files on samba4 share drive created by Windows 7 (svchost.exe)

On our samba4 share drive Windows 7 seems to create some strange files. They have the following structure and vary in size from a few megabytes to over 100 MB:


/path-to-share/t4vc
/path-to-share/t4vc.1
/path-to-share/t4vc.2
/path-to-share/t4f0
/path-to-share/t4f0.1
/path-to-share/t4f0.2

So far I have tracked down the Windows 7 user who creates the files and searched with Process Monitor. A closer look at the share path shows me some CreateFile operations by svchost.exe.


How can I figure out what those files are for and what the svchost process does?


The Event Properties show me the following command:


C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

Does the F-Secure module (fshook64.dll), which is hooked into the process, have anything to do with it?


EDIT: Here is the stack:


0 fltmgr.sys FltAcquirePushLockShared + 0x907 0xfffff88001072067 C:\Windows\system32\drivers\fltmgr.sys
1 fltmgr.sys FltIsCallbackDataDirty + 0x20ba 0xfffff880010749aa C:\Windows\system32\drivers\fltmgr.sys
2 fltmgr.sys FltReadFile + 0x10363 0xfffff880010922a3 C:\Windows\system32\drivers\fltmgr.sys
3 ntoskrnl.exe MmCreateSection + 0x2d2b 0xfffff800035d2afb C:\Windows\system32\ntoskrnl.exe
4 ntoskrnl.exe SeQueryInformationToken + 0xe3e 0xfffff800035ce61e C:\Windows\system32\ntoskrnl.exe
5 ntoskrnl.exe ObOpenObjectByName + 0x306 0xfffff800035cf106 C:\Windows\system32\ntoskrnl.exe
6 ntoskrnl.exe MmCreateSection + 0x112c 0xfffff800035d0efc C:\Windows\system32\ntoskrnl.exe
7 ntoskrnl.exe NtCreateFile + 0x78 0xfffff800035dc574 C:\Windows\system32\ntoskrnl.exe
8 ntoskrnl.exe KeSynchronizeExecution + 0x3a23 0xfffff800032cf693 C:\Windows\system32\ntoskrnl.exe
9 ntdll.dll NtCreateFile + 0xa 0x777ac08a C:\Windows\SYSTEM32\ntdll.dll
10 cscsvc.dll cscsvc.dll + 0x1c53 0x7fefb611c53 c:\windows\system32\cscsvc.dll
11 cscsvc.dll CscServiceMain + 0x17d21 0x7fefb637999 c:\windows\system32\cscsvc.dll
12 cscsvc.dll CscServiceMain + 0x2ecc9 0x7fefb64e941 c:\windows\system32\cscsvc.dll
13 RPCRT4.dll RpcBindingSetAuthInfoW + 0xe5 0x7fefdbce9d5 C:\Windows\system32\RPCRT4.dll
14 RPCRT4.dll Ndr64AsyncServerCallAll + 0x10ce 0x7fefdc7b54e C:\Windows\system32\RPCRT4.dll
15 RPCRT4.dll NdrStubCall3 + 0xc6 0x7fefdbd0e76 C:\Windows\system32\RPCRT4.dll
16 ole32.dll CoGetInstanceFromFile + 0x4f77 0x7fefda10857 C:\Windows\system32\ole32.dll
17 ole32.dll CoGetInstanceFromFile + 0x596d 0x7fefda1124d C:\Windows\system32\ole32.dll
18 ole32.dll CoGetInstanceFromFile + 0x58e3 0x7fefda111c3 C:\Windows\system32\ole32.dll
19 ole32.dll CoSetState + 0x1450 0x7fefd8c9d70 C:\Windows\system32\ole32.dll
20 ole32.dll CoGetInstanceFromFile + 0x5ac6 0x7fefda113a6 C:\Windows\system32\ole32.dll
21 ole32.dll CoGetInstanceFromFile + 0x59b6 0x7fefda11296 C:\Windows\system32\ole32.dll
22 ole32.dll CoGetInstanceFromFile + 0x446d 0x7fefda0fd4d C:\Windows\system32\ole32.dll
23 RPCRT4.dll NdrServerCall2 + 0x1d74 0x7fefdbc25c4 C:\Windows\system32\RPCRT4.dll
24 RPCRT4.dll NdrServerCall2 + 0x1bd6 0x7fefdbc2426 C:\Windows\system32\RPCRT4.dll
25 RPCRT4.dll I_RpcBindingInqTransportType + 0x330 0x7fefdbc4c10 C:\Windows\system32\RPCRT4.dll
26 RPCRT4.dll I_RpcBindingInqTransportType + 0x26b 0x7fefdbc4b4b C:\Windows\system32\RPCRT4.dll
27 RPCRT4.dll I_RpcBindingInqTransportType + 0x202 0x7fefdbc4ae2 C:\Windows\system32\RPCRT4.dll
28 RPCRT4.dll NdrServerCall2 + 0x1fcd 0x7fefdbc281d C:\Windows\system32\RPCRT4.dll
29 RPCRT4.dll I_RpcInitNdrImports + 0x14766 0x7fefdc02dc6 C:\Windows\system32\RPCRT4.dll
30 RPCRT4.dll I_RpcInitNdrImports + 0x14b60 0x7fefdc031c0 C:\Windows\system32\RPCRT4.dll
31 RPCRT4.dll NdrServerCall2 + 0x1dab 0x7fefdbc25fb C:\Windows\system32\RPCRT4.dll
32 RPCRT4.dll RpcBindingCopy + 0x195 0x7fefdbdef85 C:\Windows\system32\RPCRT4.dll
33 ntdll.dll TpAlpcRegisterCompletionList + 0x94a 0x777c290a C:\Windows\SYSTEM32\ntdll.dll
34 ntdll.dll TpIsTimerSet + 0x455 0x77779d85 C:\Windows\SYSTEM32\ntdll.dll
35 kernel32.dll BaseThreadInitThunk + 0xd 0x775559bd C:\Windows\system32\kernel32.dll
36 ntdll.dll RtlUserThreadStart + 0x21 0x7778a2e1 C:\Windows\SYSTEM32\ntdll.dll
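To attribute an svchost.exe operation to the code that actually issued it, the useful part of a Process Monitor event is the stack: frames are listed innermost first, so after the kernel frames (fltmgr.sys, ntoskrnl.exe) and the ntdll.dll system-call stub, the first remaining frame is the module that called NtCreateFile. In the stack above that is cscsvc.dll, the Offline Files (Client Side Caching) service DLL, reached through an RPC dispatch (RPCRT4.dll, ole32.dll); fshook64.dll does not appear in the stack at all. The following Python script is an added example, not part of the original post: it parses a subset of the stack lines above (frame numbers kept as on the page) and reports the originating module. The module lists and the "originating module" rule are this example's own assumptions.

```python
"""Attribute a Process Monitor file operation seen under svchost.exe to the
module that actually issued it, by walking the captured call stack.

Added example, not from the original post. The sample frames are a subset
of the stack in the post; the classification rules are assumptions.
"""
import re
from typing import List, NamedTuple, Optional

# Constructed sample: a subset of the post's stack, innermost frame first.
SAMPLE_STACK = r"""
0 fltmgr.sys FltAcquirePushLockShared + 0x907 0xfffff88001072067 C:\Windows\system32\drivers\fltmgr.sys
2 fltmgr.sys FltReadFile + 0x10363 0xfffff880010922a3 C:\Windows\system32\drivers\fltmgr.sys
7 ntoskrnl.exe NtCreateFile + 0x78 0xfffff800035dc574 C:\Windows\system32\ntoskrnl.exe
9 ntdll.dll NtCreateFile + 0xa 0x777ac08a C:\Windows\SYSTEM32\ntdll.dll
10 cscsvc.dll cscsvc.dll + 0x1c53 0x7fefb611c53 c:\windows\system32\cscsvc.dll
11 cscsvc.dll CscServiceMain + 0x17d21 0x7fefb637999 c:\windows\system32\cscsvc.dll
13 RPCRT4.dll RpcBindingSetAuthInfoW + 0xe5 0x7fefdbce9d5 C:\Windows\system32\RPCRT4.dll
16 ole32.dll CoGetInstanceFromFile + 0x4f77 0x7fefda10857 C:\Windows\system32\ole32.dll
23 RPCRT4.dll NdrServerCall2 + 0x1d74 0x7fefdbc25c4 C:\Windows\system32\RPCRT4.dll
33 ntdll.dll TpAlpcRegisterCompletionList + 0x94a 0x777c290a C:\Windows\SYSTEM32\ntdll.dll
35 kernel32.dll BaseThreadInitThunk + 0xd 0x775559bd C:\Windows\system32\kernel32.dll
36 ntdll.dll RtlUserThreadStart + 0x21 0x7778a2e1 C:\Windows\SYSTEM32\ntdll.dll
"""

# One Process Monitor stack line: index, module, symbol (may contain spaces
# and "+ offset"), absolute address, module path. Tabs or spaces separate.
FRAME_RE = re.compile(
    r"^\s*(?P<idx>\d+)\s+(?P<module>\S+)\s+(?P<symbol>.+?)\s+"
    r"(?P<address>0x[0-9a-fA-F]+)\s+(?P<path>\S+)\s*$"
)

# Assumed classification: kernel image names and the user-mode modules that
# only forward a request (syscall stub, thread start thunks) never "own" it.
KERNEL_MODULES = {"ntoskrnl.exe", "hal.dll"}
INFRASTRUCTURE_MODULES = {"ntdll.dll", "kernel32.dll", "kernelbase.dll"}


class Frame(NamedTuple):
    index: int
    module: str
    symbol: str
    address: int
    path: str

    @property
    def is_kernel(self) -> bool:
        # Drivers end in .sys; the kernel itself is matched by name.
        return (self.path.lower().endswith(".sys")
                or self.module.lower() in KERNEL_MODULES)


def parse_stack(text: str) -> List[Frame]:
    """Parse Process Monitor stack lines into Frame records, skipping any
    header or blank lines that do not match the frame layout."""
    frames: List[Frame] = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if not m:
            continue
        frames.append(Frame(int(m["idx"]), m["module"], m["symbol"].strip(),
                            int(m["address"], 16), m["path"]))
    return frames


def originating_module(frames: List[Frame]) -> Optional[Frame]:
    """Return the first frame that is neither kernel code nor a pass-through
    system DLL: the module that asked for this NtCreateFile."""
    for f in frames:
        if f.is_kernel or f.module.lower() in INFRASTRUCTURE_MODULES:
            continue
        return f
    return None


def user_mode_modules(frames: List[Frame]) -> List[str]:
    """Distinct user-mode modules in call order (innermost first), which shows
    how the request reached the originator, e.g. through an RPC dispatch."""
    seen: List[str] = []
    for f in frames:
        if not f.is_kernel and f.module not in seen:
            seen.append(f.module)
    return seen


if __name__ == "__main__":
    stack = parse_stack(SAMPLE_STACK)
    origin = originating_module(stack)
    print("originating module:", origin.module if origin else "unknown",
          "at frame", origin.index if origin else "-")
    print("user-mode call chain:", " <- ".join(user_mode_modules(stack)))
```

Which service DLLs a given `svchost.exe -k LocalSystemNetworkRestricted` instance hosts is listed in the `LocalSystemNetworkRestricted` value under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost`, and each listed service's `Parameters\ServiceDll` value names its DLL, so the module the stack points at can be matched to one specific service rather than to svchost.exe as a whole. A hooked antivirus DLL such as fshook64.dll would show up as a frame in the stack if it had issued the operation; its absence is itself evidence.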
