Windows 7 Forums


Windows 7: Two System32 Folder


04 Jan 2013   #1
svc

Windows 7 ultimate 32bit
 
 
Two System32 Folder

Hello all, a newbie here

I just downloaded and ran Svchost Analyzer from Neuber, and saw that some of the processes come from 2 kinds of System32: the first is C:\Windows\System32 and the other is C:\Windows\system32 (notice the capital "S" on the first one).

Is this normal?

On the "Display Name" Svchost Analyzer puts a check sign and says whether a certain process is from Windows or not. Is it possible for malware files to disguise themselves as Windows (Microsoft) files?

Thanks in advance

Oh, just in case it doesn't show, I am using Windows 7 Ultimate.



04 Jan 2013   #2

Windows 7 Pro. 64/SP-1
 
 

I have checked my computer, and when using Windows Explorer Search, using upper case or lower case doesn't matter. I end up in the same place.
To answer your question: yes, an infection can get into your C:\Windows\System32 and C:\Windows\system32, and many do like to hide there.
Is there anything that is not working correctly?
04 Jan 2013   #3
svc

Windows 7 ultimate 32bit
 
 

Hello, thanks for your answer. I'm not sure... but all of my applications and Windows features work normally. I just downloaded the new Gmer (used it before when it was not compatible with Windows 7 - I know :P) and 1-2 minutes after scanning I got a blue screen and restarted. A scan after that did not reveal anything suspicious though (I am not an expert but no warning whatsoever). Probably just me being paranoid.


04 Jan 2013   #4

Windows 7 Pro. 64/SP-1
 
 

Being paranoid is just another layer of security protection.
Other scans that I know work with Windows 7.
Windows Defender Offline


Free Online Virus Scanner | ESET
05 Jan 2013   #5

W7 Pro SP1 64bit
 
 

I do not think that you have anything to worry about. The program is doing just what I suspected it would do. It queries the registry for the info being displayed and that info varies depending on who typed the code for the service that Svchost launched.

Here is the output of the software tool that you mentioned when run on a clean Windows 7 Pro SP1 64bit virtual machine.
Two System32 Folder-details.png

Here is Process Monitor watching what that software is doing during a scan:
Two System32 Folder-process-mon.png

Even Windows' own Task Manager gets different info for stuff like this:
taskmanager.png


05 Jan 2013   #6

Windows 7 Professional x64 Linux Mint 16
 
 

I agree, as long as you only have 1 system32 in C:\windows, you have nothing to worry about.
05 Jan 2013   #7

W7 Pro SP1 64bit
 
 

...and to be more specific:

Here is the path to Svchost as typed by some programmer
Two System32 Folder-reg1.png

The scanner looks for the DLL or EXE for a service associated with Svchost...
Two System32 Folder-reg2.png

...and then looks to see where the Svchost path image is
Two System32 Folder-details2.png

Edit: actually, the scanner does not just look at the image path info to determine where Svchost is running from for a given set of services... it looks elsewhere (I'm not sure where) but I think that the premise is sound: the upper and lowercase is just differences in a human's typing/coding somewhere. I was able to test this by changing the path in 3 places in the registry for the service shown/highlighted in the lower pane of the 1st screenshot in this post of the scanner. Then I restarted the computer (VM) and repeated the scan. The path to the appinfo DLL was still correct. And I could not find any logic that held true for the upper/lower case S in the path to the Svchost.exe. I thought maybe the scanner just used the path as identified by the first or last service scanned for a given group of services - but that did not pan out. Oh well, maybe the folks at Neuber can stop by and tell us :-)

If I knew more about how Svchost launches services, I might be able to tell you if that "security scanner" is doing anything worthwhile. Just reading what is written in the registry might not be all that smart... I wonder if a black hat could just write any path image that they wished.

Hmmm, I have a frozen virtual machine...
...time to mess up a few path images in the registry.
Do not try this at home. :-)


05 Jan 2013   #8

Windows 7 Professional x64 Linux Mint 16
 
 

Type C:/Windows/System32 in search and you will see, only 1 result will come up. And notice it does have a capital S, just like it should.
05 Jan 2013   #9

W7 Pro SP1 64bit
 
 

@AddRAM - I'm just digging into how that scanner works to see what value it is. I understand that the file system uses an uppercase S. The scanner does not seem to provide much more info than Task Manager (if you turn on certain columns).

@OP, My apologies for filling your thread with so much stuff as I think out loud (so to speak). Task Manager shows the same upper and lowercase S in the Command Line column. Sort the Processes tab by the Command Line column and then sort the scan results upper pane by the Group column and the info should match.

Two System32 Folder-taskmanager2.png

I was able to change some entries in the registry to get them all to show an uppercase S... however, the scanner uses a slightly different spot in the registry than Task Manager does. In other words, I was able to get all uppercase Ss in Task Manager and I still had some lowercase Ss in the scanner. Eventually, I found all of the places to change stuff. Again, do not mess with the registry on a live system. I did this in a virtual machine.

Two System32 Folder-taskmanager3.png


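Added example, not posted by any participant in this thread: a Python sketch of the distinction discussed above, run over constructed ImagePath strings of the kind stored under each service's registry key. It treats spellings that differ only in case as one folder and reports any svchost.exe that resolves outside %SystemRoot%\System32; the service names, sample values and the C:\Windows root are assumptions.

```python
import ntpath
import re

# Constructed sample values shaped like a service's ImagePath registry value
# (HKLM\SYSTEM\CurrentControlSet\Services\<name>); not taken from the thread.
SAMPLE_IMAGE_PATHS = {
    "Appinfo":  r"%SystemRoot%\system32\svchost.exe -k netsvcs",
    "Dhcp":     r"%SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted",
    "EventLog": r"C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted",
    "Themes":   r"%systemroot%\SYSTEM32\svchost.exe -k netsvcs",
    "FakeSvc":  r"C:\Windows\svchost.exe -k netsvcs",            # hypothetical look-alike
    "FakeSvc2": r'"C:\Users\Public\System32\svchost.exe" -k x',  # hypothetical look-alike
}
ENV = {"systemroot": r"C:\Windows"}  # assumption: default Windows directory

def expand(value, env=ENV):
    """Expand %VAR% references; variable names are case-insensitive on Windows."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).lower(), m.group(0)), value)

def executable(image_path, env=ENV):
    """Return the program part of an ImagePath, dropping its arguments."""
    expanded = expand(image_path, env).strip()
    if expanded.startswith('"'):
        return expanded[1:].split('"', 1)[0]
    return expanded.split(" ", 1)[0]  # simplification: unquoted paths with spaces

def canonical(path):
    """Fold case and separators, matching case-insensitive file lookups."""
    return ntpath.normcase(ntpath.normpath(path))

def audit(image_paths, env=ENV):
    """Split svchost entries into cosmetic spellings and other locations."""
    # 64-bit Windows also has a copy in SysWOW64; allow it there as well.
    expected = canonical(ntpath.join(env["systemroot"], "System32", "svchost.exe"))
    spellings, elsewhere = set(), []
    for service, value in sorted(image_paths.items()):
        exe = executable(value, env)
        if ntpath.basename(exe).lower() != "svchost.exe":
            continue
        if canonical(exe) == expected:
            spellings.add(ntpath.dirname(exe))  # same folder, different typing
        else:
            elsewhere.append((service, exe))    # location differs: worth a look
    return sorted(spellings), elsewhere

if __name__ == "__main__":
    variants, flagged = audit(SAMPLE_IMAGE_PATHS)
    print("Spellings of one folder:", variants)
    print("svchost.exe outside System32:", flagged)
```

A path that resolves to System32 only shows where the entry points; it says nothing about whether the file there is the original one.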
05 Jan 2013   #10

Windows 7 Pro. 64/SP-1
 
 

If the scans you did, and the scans I recommended if you did them, come back clean, I would not worry about upper and lower case. That being said, you could do this to make sure Windows System Files are okay.
SFC /SCANNOW Command - System File Checker