Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Csrss.exe And Winlogon.exe With "\?\" At Beginning Of Path


  • Please log in to reply
4 replies to this topic

#1 brillo

brillo

  • Members
  • 80 posts
  • OFFLINE
  •  
  • Location:Terrebonne, Oregon
  • Local time:06:36 PM

Posted 22 May 2006 - 03:45 PM

SpybotS&D Process List (see below, referenced issues in red) shows csrss.exe and winlogon.exe with "\??\" (without quotes) at beginning of path.

A program I use to shutdown programs and services before playing a game, shows csrss.exe as a program with a folder icon, without a file path, and in the i386 folder. SS&D (shown) and Runalyzer give same results. Csrss.exe is a file, not a folder. Csrss.exe is a service , not a program. Looking in windows\system 32, csrss.exe is there, where it is supposed to be and it is not supposed to be anywhere else (according to Google search). Looking in i386, csrss.exe is, in fact, also there, where it is not supposed to be. Same description for both, Microsoft Corp., blah-blah, same size.

When I start up the program (to shut down programs and services before playing the game), that program gives red warning that csrss.exe has no file path and then computer completely stops responding. I have to shutdown and reboot. Not even task manager works nor does start-> Turn off computer. Google says csrss.exe can be a cloaked virus. I have scanned csrss.exe (both of them) 3-4 different ways. No malware found. I believe this is not malware.

I think the problem is the missing file path (caused by duplicate files?). How do I fix that? I know just enough about this stuff to make a big mistake if I go about it on my own. You all know a lot here and I'm assuming this is a fairly easy fix, if I just knew how to do it without messing up more.

BTW, this problem apparently occurs fairly commonly with the program (for shutting down programs and services before playing the game). I posted on several of the game's forums and the forum of the program (for shutting down programs and services before playing the game), even had the program writer respond, "Don't understand, shouldn't happen", and had a number of responses telling of similar problems, but no solutions, except to run the game without using the program (for shutting down programs and services before playing the game), but that dramatically reduces frame rate -> get stutters or worse.

The program (for shutting down programs and services before playing the game) is freeware used by many thousands of gamers, almost all are adults who like to fly airplanes; I think that fixing this problem could help a lot of people.

The problem I'm having started about a week ago. Before that, the program (for shutting down programs and services before playing the game) and the game itself ran flawlessly. Some game forum respondents reported having this problem > year.

Thanks for any assistance you provide.

Regards,
Rob

SS&D Process List:

PID: 0 ( 0) [System]
PID: 2640 ( 872) C:\WINDOWS\System32\alg.exe
size: 44544
MD5: F1958FBF86D5C004CF19A5951A9514B7
PID: 520 ( 460) \??\C:\WINDOWS\system32\csrss.exe
PID: 3496 (3744) C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 24232996A38C0B0CF151C2140AE29FC8
PID: 2336 ( 872) C:\WINDOWS\system32\dllhost.exe
size: 5120
MD5: DD87DB7387B9EB441C5674888A0D840C
PID: 2084 ( 872) C:\WINDOWS\System32\dmadmin.exe
size: 224768
MD5: 554C7CB178FE3BD12450B81AD63ADBC3
PID: 3584 (1052) C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
size: 397381
MD5: 27B4B481074F625EDC26219DCC6FFE52
PID: 3484 (3744) C:\Program Files\Dell Support\DSAgnt.exe
size: 332800
MD5: A40D952C0355C85867517AA529A06741
PID: 124 (1052) C:\WINDOWS\eHome\ehmsas.exe
size: 46592
MD5: 03A905FBA1D62317087DB5C21C0F8F62
PID: 1928 ( 872) C:\WINDOWS\eHome\ehRecvr.exe
size: 237568
MD5: D039A0C347632622934906BD59A4E1EA
PID: 1948 ( 872) C:\WINDOWS\eHome\ehSched.exe
size: 102912
MD5: A53243709439AC2A4C216B817F8D7411
PID: 4076 (3744) C:\WINDOWS\ehome\ehtray.exe
size: 67584
MD5: 7E48B4958C131E9643DDCD2E7CA3FE9F
PID: 1340 ( 872) C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
size: 114753
MD5: 96A55CC44A967A5F9761E25B1F03BB02
PID: 3744 (3664) C:\WINDOWS\Explorer.EXE
size: 1032192
MD5: A0732187050030AE399B241436565E64
PID: 232 (3744) C:\WINDOWS\system32\hkcmd.exe
size: 77824
MD5: 82ADC58B63E069AC4641A33EA9841E54
PID: 3292 (3744) C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
size: 602182
MD5: B2C7424892DDC8A53B3F13AECA268BD2
PID: 328 (3744) C:\WINDOWS\system32\igfxpers.exe
size: 114688
MD5: A0E2FFB7B0FCE82AA3BCC3105306C45C
PID: 168 ( 872) C:\WINDOWS\system32\inetsrv\inetinfo.exe
size: 15872
MD5: 74B9FA2AFAF60B7F4E2A952E77B9DC6C
PID: 372 (3744) C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
size: 36975
MD5: 61A3A9D5D98BF0331DF5B716144A8100
PID: 196 ( 872) C:\WINDOWS\system32\drivers\KodakCCS.exe
size: 322104
MD5: 4E1060D2F3B745931CF83B3649BE8A57
PID: 1308 ( 872) C:\WINDOWS\system32\locator.exe
size: 75264
MD5: 793F04A09B15E7C6C11DBDFFAF06C0AB
PID: 884 ( 828) C:\WINDOWS\system32\lsass.exe
size: 13312
MD5: 84885F9B82F4D55C6146EBF6065D75D2
PID: 576 (3744) C:\PROGRA~1\mcafee.com\agent\mcagent.exe
size: 303104
MD5: E8D2DCECE015F4558AA3853514664F15
PID: 224 ( 872) c:\program files\mcafee.com\agent\mcdetect.exe
size: 126976
MD5: F73B0F3EBD90B1C87A3B93BE94E831C7
PID: 388 ( 872) c:\PROGRA~1\mcafee.com\vso\mcshield.exe
size: 221184
MD5: FAE84A2F9C11B7C532950BF0AE1EC26A
PID: 492 ( 872) c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
size: 122368
MD5: A214E217784D1002411DCA8E9793D4A4
PID: 2492 (1624) c:\progra~1\mcafee.com\vso\mcvsescn.exe
size: 483328
MD5: 3B1A1BAA8D7444DEFCE4093611212ED6
PID: 1624 (3744) C:\Program Files\McAfee.com\VSO\mcvsshld.exe
size: 163840
MD5: B154AC6DBD82F96476003E58E1625BD8
PID: 3300 (1052) C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
size: 524288
MD5: EFFC4B0F270FC1A6EDF49A274BF5CDF8
PID: 556 ( 872) C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
size: 548864
MD5: 316535E69181703D4CE4623DEA29FECB
PID: 2548 (3744) C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
size: 1005096
MD5: D76DCBA1BCE72093E00A4EFA114A4E98
PID: 1212 (3744) C:\Program Files\Windows Defender\MSASCui.exe
size: 1420560
MD5: 81AA8BA06A824E637E2BA290D4FA9E3E
PID: 2740 (3744) C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
size: 296488
MD5: 98BA8F513CB0DDA119C99D33F758A416
PID: 2584 (3744) C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
size: 110592
MD5: CB760ADD3CA741DFD499E289DC682F02
PID: 596 ( 872) C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
size: 963072
MD5: 4DB8F824F17B8D9CC5826FBDF0205870
PID: 1224 ( 872) C:\Program Files\Windows Defender\MsMpEng.exe
size: 45840
MD5: 948D315495195662BA2A683A7A156BEA
PID: 1332 ( 872) C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
size: 356352
MD5: 23EEB337BF684589D261F2359E19C72C
PID: 1860 (3744) C:\Program Files\McAfee.com\VSO\oasclnt.exe
size: 53248
MD5: 76E033F33912BFACA4A05BE8D1F3A740
PID: 1096 (3744) C:\Program Files\Microsoft IntelliPoint\point32.exe
size: 217088
MD5: 5D11CA6AF7A30878C58AA1DB12BCA082
PID: 2376 (3744) C:\PROGRA~1\Dell\QuickSet\quickset.exe
size: 684032
MD5: 918BC1E0D5C85CA3E3FF85A428AE3844
PID: 3416 (3744) C:\PROGRA~1\REGIST~1\rbcs.exe
size: 299520
MD5: 6225588594711A0FBF275BC828061FD0
PID: 1004 ( 872) C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
size: 217164
MD5: 5E9847165E4FE202ADA891DD6EE2FA24
PID: 1388 ( 872) C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
size: 540745
MD5: FEBC1C664C0F99CDCB0BC122F69E4A92
PID: 872 ( 828) C:\WINDOWS\system32\services.exe
size: 108032
MD5: C6CE6EEC82F187615D1002BB3BB50ED4
PID: 460 ( 4) \SystemRoot\System32\smss.exe
PID: 1800 ( 872) C:\WINDOWS\system32\spoolsv.exe
size: 57856
MD5: DA81EC57ACD4CDC3D4C51CF3D409AF9F
PID: 2396 (3580) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 4393096
MD5: 09CA174A605B480318731E691DC98539
PID: 2928 (3744) C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
size: 3407360
MD5: 882B3BDDE5A00AA327609B64B66BE6F5
PID: 1052 ( 872) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1156 ( 872) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 2060 ( 872) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 2976 ( 872) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1688 ( 872) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1496 ( 872) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1264 ( 872) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 4 ( 0) System
PID: 3580 (3744) C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 1415824
MD5: 8F1862AFC3C79C0EA37621E87CC2FE6E
PID: 2032 ( 872) C:\Program Files\UPHClean\uphclean.exe
size: 241725
MD5: 3F9A3232E5F942874488981F3242C989
PID: 828 ( 460) \??\C:\WINDOWS\system32\winlogon.exe
PID: 2952 (3744) C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
size: 222784
MD5: 29154F28BBCE76CD20D0E00113C1CB85
PID: 1152 (3744) C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
size: 50688
MD5: 9B7137623E5DD682D5E4A5F9BC326584
PID: 1436 ( 872) C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
size: 262217
MD5: 611489CE9672E2C602B7D798418E86F3
PID: 2616 (1052) C:\WINDOWS\system32\wbem\wmiprvse.exe
size: 218112
MD5: 075EA6C849AB0FE416A3D6DD65C3CF41
PID: 1716 ( 872) C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
size: 2161152
MD5: 5DB41BF6535AB2B6462042189D488441
PID: 3156 (3744) C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
size: 667718
MD5: 8F396853BB7BD7FE341AF40C01DFEDFE
PID: 3780 (3744) C:\Program Files\MSN\MSNCoreFiles\msn.exe
size: 93696
MD5: 7D24308EA278202B1FB92541DBF3EC84
PID: 3632 (1052) C:\Program Files\MSN\MSNIA\msniasvc.exe
size: 2339328
MD5: EDB9F124B3096A5881688FBBF4B1F5DF
PID: 724 (3632) C:\Program Files\MSN\MSNIA\WA\ClientSideProxy.exe
size: 1015808
MD5: 503F03381EEE391739C72EDF8FF78CDE
PID: 2140 (1052) C:\Program Files\MSN Messenger\msnmsgr.exe
size: 7086080
MD5: 55406C4B910C174CDF36F66AFCA1A18C
PID: 968 (1052) c:\progra~1\mcafee.com\vso\mcvsftsn.exe
size: 299008
MD5: FBB63395BDE6DBE39D4D469A046D5311
PID: 4316 (1052) C:\Program Files\Internet Explorer\iexplore.exe
size: 93184
MD5: E7484514C0464642BE7B4DC2689354C8

Edited by brillo, 22 May 2006 - 03:48 PM.


BC AdBot (Login to Remove)

 


#2 IMM

IMM

  • Members
  • 134 posts
  • OFFLINE
  •  
  • Local time:08:36 PM

Posted 22 May 2006 - 04:17 PM

The prepend of \??\ is normal for those 2 (new form of DosDevices)
Is the i386 folder you refer to something like the following ?
\WINDOWS\system32\ReinstallBackups\000#\DriverFiles\i386

Which version of the operating system are you using ? For most situations the only other place you should have csrss.exe is in \Windows\System32\dllcache

I think perhaps you should post a HijackThis log in another section of this board.

Edited by IMM, 22 May 2006 - 04:23 PM.


#3 brillo

brillo
  • Topic Starter

  • Members
  • 80 posts
  • OFFLINE
  •  
  • Location:Terrebonne, Oregon
  • Local time:06:36 PM

Posted 22 May 2006 - 04:31 PM

Thanks for responding, IMM. OS is XP MCE 05 sp2. The i386 folder path is C:\i386.

You said, "The prepend of \??\ is normal for those 2 (new form of DosDevices)." Never seen the \??\ before a week ago, and I do look at that stuff, although may have missed it.

Why is csrss.exe in two places at once\??\ Same question for winlogon.exe. (I didn't mention it before, but it also has an identical twin in i386.

Thanks

#4 IMM

IMM

  • Members
  • 134 posts
  • OFFLINE
  •  
  • Local time:08:36 PM

Posted 22 May 2006 - 05:01 PM

Thanks for responding, IMM. OS is XP MCE 05 sp2. The i386 folder path is C:\i386.
Why is csrss.exe in two places at once\??\ Same question for winlogon.exe. (I didn't mention it before, but it also has an identical twin in i386.

With regard to why 2 places - in the case of a normal xp and the dllcache folder it represents a backup for rolling back system changes (file protection).
In your case - I'm not familiar with MCE - perhaps that folder has the same function? Does the folder content look like it consists of files that are important to windows or does it look like the source for the install of the OS?

#5 Enthusiast

Enthusiast

  • Members
  • 5,898 posts
  • OFFLINE
  •  
  • Location:Florida, USA
  • Local time:08:36 PM

Posted 22 May 2006 - 08:14 PM

If you know when the problem began ("The problem I'm having started about a week ago"), use Windows System Restore to restore your system state to a date before the problem began.

start>programs>accessories>system tools>system restore




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users