Vista update: strange action

Hi all,
Recently I have been puzzled by the Vista update patch. I analyzed the KB920296 patch and found that it replaces 'c:\windows\system32\COMDLG32.dll' without any Write or Create IRPs. I observed that the modified date of 'COMDLG32.dll' has changed and its hash value (SHA-1) has also changed, so I am sure that the file has been updated. But my filter driver and FileMon only intercept some SET_INFORMATION, QUERY_INFORMATION and READ operations. There is a new process, 'TrustedInstaller', responsible for creating the file (C:\Windows\WinSxS\Temp\2023b153b1c0c6010f00000040056c0e\2023b153b1c0c6011000000040056c0e_comdlg32.dll). I have no idea. Could you give me any tips? Any idea how it updates 'COMDLG32.dll'?

Thanks

Best Regards
Ken



Isn't it updated using PendingRenameOperations in the registry?
Try to update Vista, then check this variable out:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
PendingRenameOperations

OR

Maybe the existing COMDLG32.dll is just renamed (you wrote about
IRP_MJ_SET_INFORMATION, right?)

L.

Hi Ladislav,
Thank you for your reply. I checked the value PendingRenameOperations; it does not exist. But I found that a new string value has been created, 'SetExecute'. Its value is 'poqexec.exe \systemroot\winsxs\pending.xml'. It will be emptied after reboot. By the way, you're right: the SET_INFORMATION operation is a FileRenameInformation operation. FileMon shows: '42056 14:25:27 TrustedInstalle:1344 SET INFORMATION C:\Windows\WinSxS\Temp\2023b153b1c0c6010f00000040056c0e\2023b153b1c0c6011000000040056c0e_comdlg32.dll SUCCESS FileRenameInformation'

Thanks in advance

Ken



Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: unknown lmsubst tag argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com


Hi all,
According to my observation, my driver could not record when the file (system32\comdlg32.dll) was replaced with \WinSxS\x86_microsoft-windows-comdlg32_31bf3856ad364e35_6.0.5384.23_none_b60986af6acc6dd8\comdlg32.dll. First of all, I am sure that my filter driver works fine and exactly. So I don't know why my driver can't capture the RENAME or MOVE operation. Maybe Vista Update is different from previous versions of Windows, e.g. Windows XP, isn't it?
Hey Peter, could you give me some advice? Thanks for any idea.

Thanks
Ken
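The following script is an added example for this thread, not code posted by Ken or Ladislav. It collects, on a Vista box after an update and before the reboot, the three things the thread is circling around: the Session Manager values (the real value names are PendingFileRenameOperations and SetupExecute; the thread's spellings are approximations), the hard links and SHA-1 of the installed comdlg32.dll, and the entries in the pending.xml queue that poqexec.exe runs at boot. It assumes an elevated prompt, the x86 layout and the WinSxS component path quoted in the thread; the XPath filter on pending.xml only assumes that file operations name their targets in attributes, which is an assumption about the file, not something the thread states.

```powershell
# Added example, not code from the thread. Assumptions: elevated prompt,
# x86 Vista layout, component path as quoted in the thread.
$sessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$target  = 'C:\Windows\System32\comdlg32.dll'
$sxsCopy = 'C:\Windows\WinSxS\x86_microsoft-windows-comdlg32_31bf3856ad364e35_6.0.5384.23_none_b60986af6acc6dd8\comdlg32.dll'
$pending = 'C:\Windows\WinSxS\pending.xml'

# 1. Boot-time work queued in the registry. Read these before rebooting;
#    the thread already reports that the value is cleared afterwards.
$props = Get-ItemProperty -Path $sessionManager
foreach ($name in 'PendingFileRenameOperations', 'SetupExecute') {
    $value = $props.$name
    if ($null -eq $value) { "$name : <not present>" }
    else                  { "$name : $($value -join ' | ')" }
}

# 2. SHA-1 via .NET so this also runs on PowerShell versions without Get-FileHash.
function Get-Sha1Hex([string] $Path) {
    $sha1   = New-Object System.Security.Cryptography.SHA1CryptoServiceProvider
    $stream = [System.IO.File]::OpenRead($Path)
    try     { ([System.BitConverter]::ToString($sha1.ComputeHash($stream))) -replace '-', '' }
    finally { $stream.Close() }
}

# Every name that shares the System32 file's NTFS record. If the WinSxS
# component path shows up here, System32\comdlg32.dll is a hard link into
# the store, so the "replacement" was a link operation rather than a copy.
"Hard links of $target :"
fsutil hardlink list $target

foreach ($file in $target, $sxsCopy) {
    if (Test-Path $file) {
        $item = Get-Item $file
        '{0}  {1}  {2}' -f (Get-Sha1Hex $file), $item.LastWriteTime.ToString('s'), $file
    }
}

# 3. pending.xml operations that mention comdlg32: print element name and
#    attributes so the operation kind (link, move, delete, ...) is visible.
if (Test-Path $pending) {
    [xml] $queue = Get-Content -Path $pending
    $hits = $queue.SelectNodes('//*[@*[contains(., "comdlg32")]]')
    foreach ($node in $hits) {
        $attrs = ($node.Attributes | ForEach-Object { '{0}="{1}"' -f $_.Name, $_.Value }) -join ' '
        '<{0} {1}>' -f $node.Name, $attrs
    }
} else {
    "$pending not present (already consumed by poqexec, or no reboot pending)"
}
```

Two things this output usually makes plain. First, poqexec.exe is launched through SetupExecute by smss.exe early in boot, so a file system filter that is not loaded as a boot-start driver attaches only after the queued operations have already been applied and never sees them. Second, files under System32 on Vista are hard links into the WinSxS component store, and creating a hard link reaches a filter as IRP_MJ_SET_INFORMATION with FileLinkInformation, not FileRenameInformation; a filter that logs only renames and moves will report nothing for that step even when it is loaded in time.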

