On our samba4 share, Windows 7 seems to create some strange files. They have the following structure and range from a few megabytes to over 100 MB:
/path-to-share/t4vc
/path-to-share/t4vc.1
/path-to-share/t4vc.2
/path-to-share/t4f0
/path-to-share/t4f0.1
/path-to-share/t4f0.2
So far I have managed to trace the Windows 7 user who creates the files and looked into it with Process Monitor. A closer look at the share path shows some CreateFile operations by svchost.exe.
How can I find out what the files are for and what the svchost process is doing?
The event properties are showing me the following command:
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
Do you have the F-Secure module (fshook64.dll) hooked into the process in relation to this?
EDIT: here is the stack:
0 fltmgr.sys FltAcquirePushLockShared + 0x907 0xfffff88001072067 C:\Windows\system32\drivers\fltmgr.sys
1 fltmgr.sys FltIsCallbackDataDirty + 0x20ba 0xfffff880010749aa C:\Windows\system32\drivers\fltmgr.sys
2 fltmgr.sys FltReadFile + 0x10363 0xfffff880010922a3 C:\Windows\system32\drivers\fltmgr.sys
3 ntoskrnl.exe MmCreateSection + 0x2d2b 0xfffff800035d2afb C:\Windows\system32\ntoskrnl.exe
4 ntoskrnl.exe SeQueryInformationToken + 0xe3e 0xfffff800035ce61e C:\Windows\system32\ntoskrnl.exe
5 ntoskrnl.exe ObOpenObjectByName + 0x306 0xfffff800035cf106 C:\Windows\system32\ntoskrnl.exe
6 ntoskrnl.exe MmCreateSection + 0x112c 0xfffff800035d0efc C:\Windows\system32\ntoskrnl.exe
7 ntoskrnl.exe NtCreateFile + 0x78 0xfffff800035dc574 C:\Windows\system32\ntoskrnl.exe
8 ntoskrnl.exe KeSynchronizeExecution + 0x3a23 0xfffff800032cf693 C:\Windows\system32\ntoskrnl.exe
9 ntdll.dll NtCreateFile + 0xa 0x777ac08a C:\Windows\SYSTEM32\ntdll.dll
10 cscsvc.dll cscsvc.dll + 0x1c53 0x7fefb611c53 c:\windows\system32\cscsvc.dll
11 cscsvc.dll CscServiceMain + 0x17d21 0x7fefb637999 c:\windows\system32\cscsvc.dll
12 cscsvc.dll CscServiceMain + 0x2ecc9 0x7fefb64e941 c:\windows\system32\cscsvc.dll
13 RPCRT4.dll RpcBindingSetAuthInfoW + 0xe5 0x7fefdbce9d5 C:\Windows\system32\RPCRT4.dll
14 RPCRT4.dll Ndr64AsyncServerCallAll + 0x10ce 0x7fefdc7b54e C:\Windows\system32\RPCRT4.dll
15 RPCRT4.dll NdrStubCall3 + 0xc6 0x7fefdbd0e76 C:\Windows\system32\RPCRT4.dll
16 ole32.dll CoGetInstanceFromFile + 0x4f77 0x7fefda10857 C:\Windows\system32\ole32.dll
17 ole32.dll CoGetInstanceFromFile + 0x596d 0x7fefda1124d C:\Windows\system32\ole32.dll
18 ole32.dll CoGetInstanceFromFile + 0x58e3 0x7fefda111c3 C:\Windows\system32\ole32.dll
19 ole32.dll CoSetState + 0x1450 0x7fefd8c9d70 C:\Windows\system32\ole32.dll
20 ole32.dll CoGetInstanceFromFile + 0x5ac6 0x7fefda113a6 C:\Windows\system32\ole32.dll
21 ole32.dll CoGetInstanceFromFile + 0x59b6 0x7fefda11296 C:\Windows\system32\ole32.dll
22 ole32.dll CoGetInstanceFromFile + 0x446d 0x7fefda0fd4d C:\Windows\system32\ole32.dll
23 RPCRT4.dll NdrServerCall2 + 0x1d74 0x7fefdbc25c4 C:\Windows\system32\RPCRT4.dll
24 RPCRT4.dll NdrServerCall2 + 0x1bd6 0x7fefdbc2426 C:\Windows\system32\RPCRT4.dll
25 RPCRT4.dll I_RpcBindingInqTransportType + 0x330 0x7fefdbc4c10 C:\Windows\system32\RPCRT4.dll
26 RPCRT4.dll I_RpcBindingInqTransportType + 0x26b 0x7fefdbc4b4b C:\Windows\system32\RPCRT4.dll
27 RPCRT4.dll I_RpcBindingInqTransportType + 0x202 0x7fefdbc4ae2 C:\Windows\system32\RPCRT4.dll
28 RPCRT4.dll NdrServerCall2 + 0x1fcd 0x7fefdbc281d C:\Windows\system32\RPCRT4.dll
29 RPCRT4.dll I_RpcInitNdrImports + 0x14766 0x7fefdc02dc6 C:\Windows\system32\RPCRT4.dll
30 RPCRT4.dll I_RpcInitNdrImports + 0x14b60 0x7fefdc031c0 C:\Windows\system32\RPCRT4.dll
31 RPCRT4.dll NdrServerCall2 + 0x1dab 0x7fefdbc25fb C:\Windows\system32\RPCRT4.dll
32 RPCRT4.dll RpcBindingCopy + 0x195 0x7fefdbdef85 C:\Windows\system32\RPCRT4.dll
33 ntdll.dll TpAlpcRegisterCompletionList + 0x94a 0x777c290a C:\Windows\SYSTEM32\ntdll.dll
34 ntdll.dll TpIsTimerSet + 0x455 0x77779d85 C:\Windows\SYSTEM32\ntdll.dll
35 kernel32.dll BaseThreadInitThunk + 0xd 0x775559bd C:\Windows\system32\kernel32.dll
36 ntdll.dll RtlUserThreadStart + 0x21 0x7778a2e1 C:\Windows\SYSTEM32\ntdll.dll
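To answer the "what is that svchost instance doing" part of the question, here is an added PowerShell example (not from the original post or its commenters) that resolves an svchost.exe "-k" group name to the services it hosts and the DLL each service loads, then flags the service whose ServiceDll matches a module seen in the user-mode frames of the Process Monitor stack. It assumes the standard Svchost registry layout (group names under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost, ServiceDll under each service's Parameters key) and PowerShell 3.0 or later for Get-CimInstance and [pscustomobject]; the function name Resolve-SvchostGroup and its parameters are my own, and the usage call at the end plugs in the group and module names visible above.

```powershell
# Added example, not from the original post: resolve an svchost.exe "-k <group>"
# to the services it hosts and the DLL each service loads, and flag the service
# whose ServiceDll matches a module seen in the Process Monitor stack.
# Assumes the standard Svchost registry layout and PowerShell 3.0 or later.
function Resolve-SvchostGroup {
    param(
        [Parameter(Mandatory)] [string]$Group,   # value after "-k" on the svchost command line
        [string]$ModuleOfInterest                 # DLL name seen in a user-mode stack frame
    )

    # Group name -> member service names (REG_MULTI_SZ value under the Svchost key)
    $svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
    $members = (Get-ItemProperty -Path $svchostKey).$Group
    if (-not $members) {
        throw "No svchost group named '$Group' under $svchostKey"
    }

    foreach ($svc in $members) {
        # Each hosted service records the DLL it runs from in Parameters\ServiceDll
        $paramKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc\Parameters"
        $dll = $null
        if (Test-Path $paramKey) {
            $dll = (Get-ItemProperty -Path $paramKey).ServiceDll
        }

        # Live state and hosting PID, to compare with the PID Process Monitor shows
        $cim = Get-CimInstance -ClassName Win32_Service -Filter "Name='$svc'"

        [pscustomobject]@{
            Service      = $svc
            DisplayName  = $cim.DisplayName
            State        = $cim.State
            ProcessId    = $cim.ProcessId
            ServiceDll   = $dll
            MatchesStack = [bool]($ModuleOfInterest -and $dll -and
                                  $dll -like "*\$ModuleOfInterest")
        }
    }
}

# Usage with the values from the question: the "-k" group from the event
# properties and the module name from the stack's user-mode frames.
Resolve-SvchostGroup -Group 'LocalSystemNetworkRestricted' -ModuleOfInterest 'cscsvc.dll' |
    Format-Table -AutoSize
```

The row with MatchesStack set to True is the service behind the CreateFile calls, and its DisplayName is what to look up when deciding whether the files on the share are expected. Cross-check the ProcessId column against the PID in the Process Monitor event; `tasklist /svc` gives the same PID-to-service mapping from a plain command prompt if PowerShell is not available on the client.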