weird output caused by FileMon!?

lallous-2 · September 9, 2004, 6:30am

Hello

I downloaded latest filemon 6.11 and ran it on XP (no SP and SP2).

Set a filter to include only: “c:\temp*”.
Then go to “My Computer”->“C:”
Using the keyboard keep on pressing down till you reach/highlight “temp”
folder. You notice how Filemon will output weird garbage display of the file
name, as:

12:49:17 PM explorer.exe:2004 OPEN
C:\temp:Docf_CpdjxwbhN2qzewcmQpca1lvyXc:$DATA FILE NOT FOUND Options: Open
Access: All
12:49:17 PM explorer.exe:2004 OPEN
C:\temp:CpdjxwbhN2qzewcmQpca1lvyXc:$DATA FILE NOT FOUND Options: Open
Access: All
12:49:17 PM explorer.exe:2004 OPEN
C:\temp:Docf_CpdjxwbhN2qzewcmQpca1lvyXc:$DATA FILE NOT FOUND Options: Open
Access: All
12:49:17 PM explorer.exe:2004 OPEN
C:\temp:CpdjxwbhN2qzewcmQpca1lvyXc:$DATA FILE NOT FOUND Options: Open
Access: All
12:49:17 PM explorer.exe:2004 OPEN
C:\temp:Docf_CpdjxwbhN2qzewcmQpca1lvyXc:$DATA FILE NOT FOUND Options: Open
Access: All
12:49:17 PM explorer.exe:2004 OPEN C:\temp:SummaryInformation:$DATA FILE
NOT FOUND Options: Open Access: All
12:49:17 PM explorer.exe:2004 OPEN C:\temp:Docf_SummaryInformation:$DATA
FILE NOT FOUND Options: Open Access: All
12:49:17 PM explorer.exe:2004 OPEN C:\temp:SummaryInformation:$DATA FILE
NOT FOUND Options: Open Access: All
12:49:17 PM explorer.exe:2004 OPEN C:\temp:Docf_SummaryInformation:$DATA
FILE NOT FOUND Options: Open Access: All
12:49:17 PM explorer.exe:2004 OPEN
C:\temp:QebiesnrMkudrfcoIaamtykdDa:$DATA FILE NOT FOUND Options: Open
Access: All
12:49:17 PM explorer.exe:2004 OPEN
C:\temp:Docf_QebiesnrMkudrfcoIaamtykdDa:$DATA FILE NOT FOUND Options: Open
Access: All
12:49:17 PM explorer.exe:2004 OPEN
C:\temp:QebiesnrMkudrfcoIaamtykdDa:$DATA FILE NOT FOUND Options: Open
Access: All
12:49:17 PM explorer.exe:2004 OPEN
C:\temp:Docf_QebiesnrMkudrfcoIaamtykdDa:$DATA FILE NOT FOUND Options: Open
Access: All
12:49:17 PM explorer.exe:2004 OPEN
C:\temp:QebiesnrMkudrfcoIaamtykdDa:$DATA FILE NOT FOUND Options: Open
Access: All
12:49:17 PM explorer.exe:2004 OPEN
C:\temp:Docf_QebiesnrMkudrfcoIaamtykdDa:$DATA FILE NOT FOUND Options: Open
Access: All
12:49:17 PM explorer.exe:2004 OPEN
C:\temp:QebiesnrMkudrfcoIaamtykdDa:$DATA FILE NOT FOUND Options: Open
Access: All
12:49:17 PM explorer.exe:2004 OPEN
C:\temp:Docf_QebiesnrMkudrfcoIaamtykdDa:$DATA FILE NOT FOUND Options: Open
Access: All
12:49:17 PM explorer.exe:2004 OPEN
C:\temp:QebiesnrMkudrfcoIaamtykdDa:$DATA FILE NOT FOUND Options: Open
Access: All

About forty of these names!

What is wrong? Explorer.exe or Filemon?

–
Elias

OSR_Community_User · September 9, 2004, 7:06am

Hi,

Nothing is wrong that “weird” data is windows trying to open NTFS
streams.

Regards

Ben Curley
DESlock+ Lead Developer
Data Encryption Systems Ltd.
Silver Street House
Taunton, Somerset
UK

Web: www.deslock.com
Email: xxxxx@des.co.uk

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of lallous
Sent: 09 September 2004 11:27
To: Windows File Systems Devs Interest List
Subject: [ntfsd] weird output caused by FileMon!?

Hello

I downloaded latest filemon 6.11 and ran it on XP (no SP and SP2).

Set a filter to include only: “c:\temp*”.
Then go to “My Computer”->“C:”
Using the keyboard keep on pressing down till you reach/highlight
“temp”
folder. You notice how Filemon will output weird garbage display of the
file name, as:

12:49:17 PM explorer.exe:2004 OPEN
C:\temp:Docf_CpdjxwbhN2qzewcmQpca1lvyXc:$DATA FILE NOT FOUND Options:
Open
Access: All
12:49:17 PM explorer.exe:2004 OPEN
C:\temp:CpdjxwbhN2qzewcmQpca1lvyXc:$DATA FILE NOT FOUND Options: Open
Access: All
12:49:17 PM explorer.exe:2004 OPEN
C:\temp:Docf_CpdjxwbhN2qzewcmQpca1lvyXc:$DATA FILE NOT FOUND Options:
Open
Access: All
12:49:17 PM explorer.exe:2004 OPEN
C:\temp:CpdjxwbhN2qzewcmQpca1lvyXc:$DATA FILE NOT FOUND Options: Open
Access: All
12:49:17 PM explorer.exe:2004 OPEN
C:\temp:Docf_CpdjxwbhN2qzewcmQpca1lvyXc:$DATA FILE NOT FOUND Options:
Open
Access: All
12:49:17 PM explorer.exe:2004 OPEN C:\temp:SummaryInformation:$DATA
FILE NOT FOUND Options: Open Access: All
12:49:17 PM explorer.exe:2004 OPEN
C:\temp:Docf_SummaryInformation:$DATA
FILE NOT FOUND Options: Open Access: All
12:49:17 PM explorer.exe:2004 OPEN C:\temp:SummaryInformation:$DATA
FILE NOT FOUND Options: Open Access: All
12:49:17 PM explorer.exe:2004 OPEN
C:\temp:Docf_SummaryInformation:$DATA
FILE NOT FOUND Options: Open Access: All
12:49:17 PM explorer.exe:2004 OPEN
C:\temp:QebiesnrMkudrfcoIaamtykdDa:$DATA FILE NOT FOUND Options: Open
Access: All
12:49:17 PM explorer.exe:2004 OPEN
C:\temp:Docf_QebiesnrMkudrfcoIaamtykdDa:$DATA FILE NOT FOUND Options:
Open
Access: All
12:49:17 PM explorer.exe:2004 OPEN
C:\temp:QebiesnrMkudrfcoIaamtykdDa:$DATA FILE NOT FOUND Options: Open
Access: All
12:49:17 PM explorer.exe:2004 OPEN
C:\temp:Docf_QebiesnrMkudrfcoIaamtykdDa:$DATA FILE NOT FOUND Options:
Open
Access: All
12:49:17 PM explorer.exe:2004 OPEN
C:\temp:QebiesnrMkudrfcoIaamtykdDa:$DATA FILE NOT FOUND Options: Open
Access: All
12:49:17 PM explorer.exe:2004 OPEN
C:\temp:Docf_QebiesnrMkudrfcoIaamtykdDa:$DATA FILE NOT FOUND Options:
Open
Access: All
12:49:17 PM explorer.exe:2004 OPEN
C:\temp:QebiesnrMkudrfcoIaamtykdDa:$DATA FILE NOT FOUND Options: Open
Access: All
12:49:17 PM explorer.exe:2004 OPEN
C:\temp:Docf_QebiesnrMkudrfcoIaamtykdDa:$DATA FILE NOT FOUND Options:
Open
Access: All
12:49:17 PM explorer.exe:2004 OPEN
C:\temp:QebiesnrMkudrfcoIaamtykdDa:$DATA FILE NOT FOUND Options: Open
Access: All

About forty of these names!

What is wrong? Explorer.exe or Filemon?

–
Elias

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@des.co.uk To unsubscribe
send a blank email to xxxxx@lists.osr.com

lallous-2 · September 9, 2004, 8:00am

You say this because you say the “:” ?

But are file names or stream names w/ “\x5” in their name accepted?

(notice below that there exist some invalid path characters)

–
Elias
“Ben Curley” wrote in message news:xxxxx@ntfsd…

Hi,

Nothing is wrong that “weird” data is windows trying to open NTFS
streams.

Regards

Ben Curley
DESlock+ Lead Developer
Data Encryption Systems Ltd.
Silver Street House
Taunton, Somerset
UK

Web: www.deslock.com
Email: xxxxx@des.co.uk

OSR_Community_User · September 9, 2004, 8:54am

For NTFS, file names can have any of the 32k possible characters within
them, with the exception of the separator character (‘'). File names
can, for example, contain embedded null values (L’\0’). Provided that
the name meets the restrictions of the file system, it is fine. A name
with L’\0x5’ within it might seem strange but it should be allowed.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of lallous
Sent: Thursday, September 09, 2004 7:58 AM
To: ntfsd redirect
Subject: Re:[ntfsd] weird output caused by FileMon!?

You say this because you say the “:” ?

But are file names or stream names w/ “\x5” in their name accepted?

(notice below that there exist some invalid path characters)

–
Elias
“Ben Curley” wrote in message news:xxxxx@ntfsd…

Hi,

Nothing is wrong that “weird” data is windows trying to open NTFS
streams.

Regards

Ben Curley
DESlock+ Lead Developer
Data Encryption Systems Ltd.
Silver Street House
Taunton, Somerset
UK

Web: www.deslock.com
Email: xxxxx@des.co.uk

—
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@osr.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

OSR_Community_User · September 16, 2004, 11:41pm

This is something that the windows shell (explorer) does to avoid
conflicts with streams created by other applications.

The reason they did this is because there was no “enumerate streams” api
in win32. This has since been added so hopefully we will stop seeing
all of these opens in the future.

Neal Christiansen
Microsoft File System Filter Group Lead
This posting is provided “AS IS” with no warranties, and confers no
rights

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Tony Mason
Sent: Thursday, September 09, 2004 5:53 AM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] weird output caused by FileMon!?

For NTFS, file names can have any of the 32k possible characters within
them, with the exception of the separator character (‘'). File names
can, for example, contain embedded null values (L’\0’). Provided that
the name meets the restrictions of the file system, it is fine. A name
with L’\0x5’ within it might seem strange but it should be allowed.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of lallous
Sent: Thursday, September 09, 2004 7:58 AM
To: ntfsd redirect
Subject: Re:[ntfsd] weird output caused by FileMon!?

You say this because you say the “:” ?

But are file names or stream names w/ “\x5” in their name accepted?

(notice below that there exist some invalid path characters)

–
Elias
“Ben Curley” wrote in message news:xxxxx@ntfsd…

Hi,

Nothing is wrong that “weird” data is windows trying to open NTFS
streams.

Regards

Ben Curley
DESlock+ Lead Developer
Data Encryption Systems Ltd.
Silver Street House
Taunton, Somerset
UK

Web: www.deslock.com
Email: xxxxx@des.co.uk

—
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@osr.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

—
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: unknown lmsubst tag argument:
‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com

Lyndon_J_Clarke-2 · September 23, 2004, 12:51pm

Neal

Sorry, stoopid question I think, but what is the win32 “enumreate streams”
api? Would prefer to use that over other tricks (eg native api) for sure!

Thanks
Lyndon

“Neal Christiansen” wrote in message
news:xxxxx@ntfsd…
This is something that the windows shell (explorer) does to avoid
conflicts with streams created by other applications.

The reason they did this is because there was no “enumerate streams” api
in win32. This has since been added so hopefully we will stop seeing
all of these opens in the future.

Neal Christiansen
Microsoft File System Filter Group Lead
This posting is provided “AS IS” with no warranties, and confers no
rights

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Tony Mason
Sent: Thursday, September 09, 2004 5:53 AM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] weird output caused by FileMon!?

For NTFS, file names can have any of the 32k possible characters within
them, with the exception of the separator character (‘'). File names
can, for example, contain embedded null values (L’\0’). Provided that
the name meets the restrictions of the file system, it is fine. A name
with L’\0x5’ within it might seem strange but it should be allowed.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of lallous
Sent: Thursday, September 09, 2004 7:58 AM
To: ntfsd redirect
Subject: Re:[ntfsd] weird output caused by FileMon!?

You say this because you say the “:” ?

But are file names or stream names w/ “\x5” in their name accepted?

(notice below that there exist some invalid path characters)

–
Elias
“Ben Curley” wrote in message news:xxxxx@ntfsd…

Hi,

Nothing is wrong that “weird” data is windows trying to open NTFS
streams.

Regards

Ben Curley
DESlock+ Lead Developer
Data Encryption Systems Ltd.
Silver Street House
Taunton, Somerset
UK

Web: www.deslock.com
Email: xxxxx@des.co.uk

—
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@osr.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

—
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: unknown lmsubst tag argument:
‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com

OSR_Community_User · September 23, 2004, 1:31pm

FindFirstStreamW/FindNextStreamW were added in Server 2003 and are
documented in the platform SDK.

Thanks,
Molly Brown
Microsoft Corporation

This posting is provided “AS IS” with no warranties and confers no
rights.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Lyndon J Clarke
Sent: Thursday, September 23, 2004 9:50 AM
To: Windows File Systems Devs Interest List
Subject: Re:[ntfsd] weird output caused by FileMon!?

Neal

Sorry, stoopid question I think, but what is the win32 “enumreate
streams”
api? Would prefer to use that over other tricks (eg native api) for
sure!

Thanks
Lyndon

“Neal Christiansen” wrote in message
news:xxxxx@ntfsd…
This is something that the windows shell (explorer) does to avoid
conflicts with streams created by other applications.

The reason they did this is because there was no “enumerate streams” api
in win32. This has since been added so hopefully we will stop seeing
all of these opens in the future.

Neal Christiansen
Microsoft File System Filter Group Lead
This posting is provided “AS IS” with no warranties, and confers no
rights

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Tony Mason
Sent: Thursday, September 09, 2004 5:53 AM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] weird output caused by FileMon!?

For NTFS, file names can have any of the 32k possible characters within
them, with the exception of the separator character (‘'). File names
can, for example, contain embedded null values (L’\0’). Provided that
the name meets the restrictions of the file system, it is fine. A name
with L’\0x5’ within it might seem strange but it should be allowed.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of lallous
Sent: Thursday, September 09, 2004 7:58 AM
To: ntfsd redirect
Subject: Re:[ntfsd] weird output caused by FileMon!?

You say this because you say the “:” ?

But are file names or stream names w/ “\x5” in their name accepted?

(notice below that there exist some invalid path characters)

–
Elias
“Ben Curley” wrote in message news:xxxxx@ntfsd…

Hi,

Nothing is wrong that “weird” data is windows trying to open NTFS
streams.

Regards

Ben Curley
DESlock+ Lead Developer
Data Encryption Systems Ltd.
Silver Street House
Taunton, Somerset
UK

Web: www.deslock.com
Email: xxxxx@des.co.uk

—
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@osr.com To unsubscribe
send a blank email to xxxxx@lists.osr.com

—
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: unknown lmsubst tag argument:
‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com

—
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@windows.microsoft.com
To unsubscribe send a blank email to xxxxx@lists.osr.com