weird output caused by FileMon!?

Hello

I downloaded the latest Filemon 6.11 and ran it on XP (no SP and SP2).

1. Set a filter to include only: "c:\temp\*".
2. Then go to "My Computer"->"C:"
3. Using the keyboard, keep pressing Down until you reach/highlight the "temp"
folder. You will notice that Filemon outputs a weird garbage display of the
file name, such as:

12:49:17 PM explorer.exe:2004 OPEN
C:\temp\:Docf_CpdjxwbhN2qzewcmQpca1lvyXc:$DATA FILE NOT FOUND Options: Open
Access: All
12:49:17 PM explorer.exe:2004 OPEN
C:\temp\:CpdjxwbhN2qzewcmQpca1lvyXc:$DATA FILE NOT FOUND Options: Open
Access: All
12:49:17 PM explorer.exe:2004 OPEN
C:\temp\:Docf_CpdjxwbhN2qzewcmQpca1lvyXc:$DATA FILE NOT FOUND Options: Open
Access: All
12:49:17 PM explorer.exe:2004 OPEN
C:\temp\:CpdjxwbhN2qzewcmQpca1lvyXc:$DATA FILE NOT FOUND Options: Open
Access: All
12:49:17 PM explorer.exe:2004 OPEN
C:\temp\:Docf_CpdjxwbhN2qzewcmQpca1lvyXc:$DATA FILE NOT FOUND Options: Open
Access: All
12:49:17 PM explorer.exe:2004 OPEN C:\temp\:SummaryInformation:$DATA FILE
NOT FOUND Options: Open Access: All
12:49:17 PM explorer.exe:2004 OPEN C:\temp\:Docf_SummaryInformation:$DATA
FILE NOT FOUND Options: Open Access: All
12:49:17 PM explorer.exe:2004 OPEN C:\temp\:SummaryInformation:$DATA FILE
NOT FOUND Options: Open Access: All
12:49:17 PM explorer.exe:2004 OPEN C:\temp\:Docf_SummaryInformation:$DATA
FILE NOT FOUND Options: Open Access: All
12:49:17 PM explorer.exe:2004 OPEN
C:\temp\:QebiesnrMkudrfcoIaamtykdDa:$DATA FILE NOT FOUND Options: Open
Access: All
12:49:17 PM explorer.exe:2004 OPEN
C:\temp\:Docf_QebiesnrMkudrfcoIaamtykdDa:$DATA FILE NOT FOUND Options: Open
Access: All
12:49:17 PM explorer.exe:2004 OPEN
C:\temp\:QebiesnrMkudrfcoIaamtykdDa:$DATA FILE NOT FOUND Options: Open
Access: All
12:49:17 PM explorer.exe:2004 OPEN
C:\temp\:Docf_QebiesnrMkudrfcoIaamtykdDa:$DATA FILE NOT FOUND Options: Open
Access: All
12:49:17 PM explorer.exe:2004 OPEN
C:\temp\:QebiesnrMkudrfcoIaamtykdDa:$DATA FILE NOT FOUND Options: Open
Access: All
12:49:17 PM explorer.exe:2004 OPEN
C:\temp\:Docf_QebiesnrMkudrfcoIaamtykdDa:$DATA FILE NOT FOUND Options: Open
Access: All
12:49:17 PM explorer.exe:2004 OPEN
C:\temp\:QebiesnrMkudrfcoIaamtykdDa:$DATA FILE NOT FOUND Options: Open
Access: All
12:49:17 PM explorer.exe:2004 OPEN
C:\temp\:Docf_QebiesnrMkudrfcoIaamtykdDa:$DATA FILE NOT FOUND Options: Open
Access: All
12:49:17 PM explorer.exe:2004 OPEN
C:\temp\:QebiesnrMkudrfcoIaamtykdDa:$DATA FILE NOT FOUND Options: Open
Access: All

About forty of these names!

What is wrong? Explorer.exe or Filemon?

--
Elias

Comments

  • Hi,

    Nothing is wrong; that "weird" data is Windows trying to open NTFS
    streams.

    Regards

    Ben Curley
    DESlock+ Lead Developer
    Data Encryption Systems Ltd.
    Silver Street House
    Taunton, Somerset
    UK

    Web: www.deslock.com
    Email: xxxxx@des.co.uk

    -----Original Message-----
    From: xxxxx@lists.osr.com
    [mailto:xxxxx@lists.osr.com] On Behalf Of lallous
    Sent: 09 September 2004 11:27
    To: Windows File Systems Devs Interest List
    Subject: [ntfsd] weird output caused by FileMon!?

    ---
    Questions? First check the IFS FAQ at
    https://www.osronline.com/article.cfm?id=17

    You are currently subscribed to ntfsd as: xxxxx@des.co.uk To unsubscribe
    send a blank email to xxxxx@lists.osr.com
  • You say this because you say the ":" ?

    But are file names or stream names w/ "\x5" in their name accepted?

    (notice below that there exist some invalid path characters)

    --
    Elias
  • For NTFS, file names can have any of the 32k possible characters within
    them, with the exception of the separator character ('\'). File names
    can, for example, contain embedded null values (L'\0'). Provided that
    the name meets the restrictions of the file system, it is fine. A name
    with L'\0x5' within it might seem strange but it should be allowed.

    Regards,

    Tony

    Tony Mason
    Consulting Partner
    OSR Open Systems Resources, Inc.
    http://www.osr.com


    -----Original Message-----
    From: xxxxx@lists.osr.com
    [mailto:xxxxx@lists.osr.com] On Behalf Of lallous
    Sent: Thursday, September 09, 2004 7:58 AM
    To: ntfsd redirect
    Subject: Re:[ntfsd] weird output caused by FileMon!?

  • This is something that the Windows shell (Explorer) does to avoid
    conflicts with streams created by other applications.

    The reason they did this is because there was no "enumerate streams" API
    in Win32. This has since been added so hopefully we will stop seeing
    all of these opens in the future.

    Neal Christiansen
    Microsoft File System Filter Group Lead
    This posting is provided "AS IS" with no warranties, and confers no
    rights

    -----Original Message-----
    From: xxxxx@lists.osr.com
    [mailto:xxxxx@lists.osr.com] On Behalf Of Tony Mason
    Sent: Thursday, September 09, 2004 5:53 AM
    To: Windows File Systems Devs Interest List
    Subject: RE: [ntfsd] weird output caused by FileMon!?

  • Neal

    Sorry, stoopid question I think, but what is the Win32 "enumerate streams"
    API? Would prefer to use that over other tricks (e.g. native API) for sure!

    Thanks
    Lyndon
  • FindFirstStreamW/FindNextStreamW were added in Server 2003 and are
    documented in the platform SDK.

    Thanks,
    Molly Brown
    Microsoft Corporation

    This posting is provided "AS IS" with no warranties and confers no
    rights.


    -----Original Message-----
    From: xxxxx@lists.osr.com
    [mailto:xxxxx@lists.osr.com] On Behalf Of Lyndon J Clarke
    Sent: Thursday, September 23, 2004 9:50 AM
    To: Windows File Systems Devs Interest List
    Subject: Re:[ntfsd] weird output caused by FileMon!?

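As an added example (not code from any poster in this thread), the FindFirstStreamW/FindNextStreamW enumeration named in the last reply can replace guessing stream names one open at a time. The names `split_stream` and `list_streams` and the output format are chosen here for illustration, and the Windows-only part assumes SDK headers that declare the stream APIs.

```c
#ifdef _WIN32
#ifndef _WIN32_WINNT
#define _WIN32_WINNT 0x0600 /* new enough for the headers to declare the stream APIs */
#endif
#include <windows.h>
#endif
#include <stdio.h>
#include <wchar.h>

/* Split a stream name in the form the API reports it, ":name:$TYPE".
   Returns -1 if malformed, 1 if the name begins with a control character
   (such as the \x05 asked about in the thread), otherwise 0. */
int split_stream(const wchar_t *full, wchar_t *name, size_t n, const wchar_t **type)
{
    const wchar_t *end;
    size_t len;
    if (full == NULL || full[0] != L':') return -1;
    end = wcschr(full + 1, L':');
    if (end == NULL) return -1;
    len = (size_t)(end - (full + 1));
    if (len >= n) return -1;
    wmemcpy(name, full + 1, len);
    name[len] = L'\0';
    *type = end + 1;
    return (len > 0 && name[0] < 0x20) ? 1 : 0;
}

#ifdef _WIN32
/* Returns the number of streams found, or -1 if the call fails (for example
   on a directory with no streams, or a volume without stream support). */
int list_streams(const wchar_t *path)
{
    WIN32_FIND_STREAM_DATA fsd;
    wchar_t name[MAX_PATH + 36];
    const wchar_t *type;
    int rc, count = 0;
    HANDLE h = FindFirstStreamW(path, FindStreamInfoStandard, &fsd, 0);
    if (h == INVALID_HANDLE_VALUE) return -1;
    do {
        rc = split_stream(fsd.cStreamName, name, MAX_PATH + 36, &type);
        if (rc < 0) continue;
        wprintf(L"[%ls] type=%ls size=%lld%ls\n", rc ? name + 1 : name, type,
                (long long)fsd.StreamSize.QuadPart, rc ? L" (control-char prefix)" : L"");
        count++;
    } while (FindNextStreamW(h, &fsd));
    FindClose(h);
    return count;
}

int main(void)
{
    /* C:\temp is the folder from the thread; any NTFS path works. */
    return list_streams(L"C:\\temp") < 0;
}
#endif
```

The unnamed default data stream of a file is reported as `::$DATA`, so it appears with an empty name.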