Two System32 Folder


  1. svc
    Posts : 3
    Windows 7 ultimate 32bit
       #1

    Two System32 Folder


    Hello all, a newbie here :)

    I just downloaded and ran Svchost Analyzer from Neuber, and saw that some of the processes come from 2 kinds of System32: the first is C:\Windows\System32 and the other is C:\Windows\system32 (notice the capital "S" on the first one).

    Is this normal?

    In the "Display Name" column, Svchost Analyzer puts a check sign and says whether a certain process is from Windows or not. Is it possible for malware files to disguise themselves as Windows (Microsoft) files?

    Thanks in advance :)

    Oh, just in case it doesn't show, I am using Windows 7 Ultimate.


  2. Posts : 25,847
    Windows 10 Pro. 64/ version 1709 Windows 7 Pro/64
       #2

    I have checked my computer, and when using Windows Explorer Search, using upper case or lower case doesn't matter. I end up in the same place.
    To answer your question: yes, an infection can get into your C:\Windows\System32 and C:\Windows\system 32, and many do like to hide there.
    Is there anything that is not working correctly?
    Last edited by Layback Bear; 05 Jan 2013 at 10:46. Reason: added info.


  3. svc
    Posts : 3
    Windows 7 ultimate 32bit
    Thread Starter
       #3

    Hello, thanks for your answer. I'm not sure.. but all of my applications and Windows features work normally. I just downloaded the new Gmer (used it before when it was not compatible with Windows 7 - I know :P) and 1-2 minutes after scanning I got a blue screen and restarted. A scan after that did not reveal anything suspicious though (I am not an expert but no warning whatsoever). Probably just me being paranoid.


  4. Posts : 25,847
    Windows 10 Pro. 64/ version 1709 Windows 7 Pro/64
       #4

    Being paranoid is just another layer of security protection.
    Other scans that I know work with Windows 7.
    Windows Defender Offline


    Free Online Virus Scanner | ESET


  5. Posts : 10,485
    W7 Pro SP1 64bit
       #5

    I do not think that you have anything to worry about. The program is doing just what I suspected it would do. It queries the registry for the info being displayed and that info varies depending on who typed the code for the service that Svchost launched.

    Here is the output of the software tool that you mentioned when run on a clean W7 Pro SP1 64bit virtual machine.
    Two System32 Folder-details.png

    Here is Process Monitor watching what that software is doing during a scan:
    Two System32 Folder-process-mon.png

    Even Windows' own Task Manager gets different info for stuff like this:
    Two System32 Folder-taskmanager.png


  6. Posts : 13,576
    Windows 10 Pro x64
       #6

    I agree, as long as you only have 1 system32 in C:windows, you have nothing to worry about.


  7. Posts : 10,485
    W7 Pro SP1 64bit
       #7

    ...and to be more specific:

    Here is the path to Svchost as typed by some programmer
    Two System32 Folder-reg1.png

    The scanner looks for the DLL or EXE for a service associated with Svchost...
    Two System32 Folder-reg2.png

    ...and then looks to see where the Svchost path image is
    Two System32 Folder-details2.png

    Edit: actually, the scanner does not just look at the image path info to determine where Svchost is running from for a given set of services... it looks elsewhere (I'm not sure where) but I think that the premise is sound: the upper and lowercase is just differences in a human's typing/coding somewhere. I was able to test this by changing the path in 3 places in the registry for the service shown/highlighted in the lower pane of the 1st screenshot in this post of the scanner. Then I restarted the computer (VM) and repeated the scan. The path to the appinfo DLL was still correct. And I could not find any logic that held true for the upper/lower case S in the path to the Svchost.exe. I thought maybe the scanner just used the path as identified by the first or last service scanned for a given group of services - but that did not pan out. Oh well, maybe the folks at Neuber can stop by and tell us.

    If I knew more about how Svchost launches services, I might be able to tell you if that "security scanner" is doing anything worthwhile. Just reading what is written in the registry might not be all that smart... I wonder if a black hat could just write any path image that they wished.

    Hmmm, I have a frozen virtual machine...
    ...time to mess up a few path images in the registry.
    Do not try this at home.
    Last edited by UsernameIssues; 05 Jan 2013 at 07:10.


  8. Posts : 13,576
    Windows 10 Pro x64
       #8

    Type C:/Windows/System32 in search and you will see, only 1 result will come up. And notice it does have a capital S, just like it should.


  9. Posts : 10,485
    W7 Pro SP1 64bit
       #9

    @AddRAM - I'm just digging into how that scanner works to see what value it is. I understand that the file system uses an uppercase S. The scanner does not seem to provide much more info than Task Manager (if you turn on certain columns).

    @OP, My apologies for filling your thread with so much stuff as I think out loud (so to speak). Task Manager shows the same upper and lowercase S in the Command Line column. Sort the Processes tab by the Command Line column and then sort the scan results upper pane by the Group column and the info should match.

    Two System32 Folder-taskmanager2.png

    I was able to change some entries in the registry to get them all to show an uppercase S... however, the scanner uses a slightly different spot in the registry than Task Manager does. In other words, I was able to get all uppercase Ss in Task Manager and I still had some lowercase Ss in the scanner. Eventually, I found all of the places to change stuff. Again, do not mess with the registry on a live system. I did this in a virtual machine.

    Two System32 Folder-taskmanager3.png
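An added example (not written by any poster in this thread, and not Neuber's or Microsoft's code): the path comparison discussed in posts #7 and #9, done case-insensitively, so that differently typed spellings of the System32 path collapse to one location and only a svchost.exe registered from somewhere else stands out. The service names and ImagePath strings are constructed samples, and C:\Windows as the system root is an assumption.

```python
import ntpath
import re

SYSTEM_ROOT = r"C:\Windows"  # assumption: default Windows install location

# Constructed sample data in the style of a service's ImagePath registry value.
SAMPLE_IMAGE_PATHS = {
    "ExampleSvc1": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
    "ExampleSvc2": r"%systemroot%\System32\svchost.exe -k DcomLaunch",
    "ExampleSvc3": r'"C:\WINDOWS\system32\svchost.exe" -k LocalService',
    "ExampleSvc4": r"C:\Windows\System32\spoolsv.exe",
    "ExampleSvc5": r"C:\Windows\Temp\svchost.exe -k netsvcs",
}

def exe_from_image_path(image_path, system_root=SYSTEM_ROOT):
    """Return the executable part of an ImagePath, with %SystemRoot% expanded."""
    s = image_path.strip()
    if s.startswith('"'):
        exe = s[1:].split('"', 1)[0]          # quoted: take what is inside the quotes
    else:
        idx = s.lower().find(".exe")          # unquoted: cut after the first ".exe"
        exe = s[: idx + 4] if idx != -1 else s.split(" ", 1)[0]
    # A function is used as the replacement so backslashes are taken literally.
    return re.sub(r"%systemroot%", lambda m: system_root, exe, flags=re.I)

def canonical(path):
    """Windows resolves these paths without regard to case; compare the same way."""
    return ntpath.normcase(ntpath.normpath(path))

def classify(image_paths, system_root=SYSTEM_ROOT):
    """Split svchost.exe entries into harmless spellings and real outliers."""
    expected = canonical(ntpath.join(system_root, "System32", "svchost.exe"))
    spellings, outliers = set(), {}
    for service, raw in image_paths.items():
        exe = exe_from_image_path(raw, system_root)
        if ntpath.basename(exe).lower() != "svchost.exe":
            continue                          # not hosted by svchost.exe
        if canonical(exe) == expected:
            spellings.add(ntpath.dirname(exe))  # same folder, typed differently
        else:
            outliers[service] = exe           # a different folder: worth a look
    return spellings, outliers

if __name__ == "__main__":
    spellings, outliers = classify(SAMPLE_IMAGE_PATHS)
    print("Spellings of the one real folder:", sorted(spellings))
    print("svchost.exe registered elsewhere:", outliers)
```
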


  10. Posts : 25,847
    Windows 10 Pro. 64/ version 1709 Windows 7 Pro/64
       #10

    If the scans you did and if you did the scans I recommended come clean I would not worry about upper and lower case. That being said you could do this to make sure Windows System Files are okay.
    SFC /SCANNOW Command - System File Checker


 
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.
All times are GMT -5.