Two System32 Folder

svc

New member
Messages
3
Hello all, a newbie here :)

I just downloaded and ran Svchost Analyzer from Neuber, and saw that some of the processes come from 2 kinds of System32: the first is C:\Windows\System32 and the other is C:\Windows\system32 (notice the capital "S" in the first one).

Is this normal?

In the "Display Name" column Svchost Analyzer puts a check mark and says whether a certain process is from Windows or not. Is it possible for malware files to disguise themselves as Windows (Microsoft) files?

Thanks in advance :)

Oh, just in case it doesn't show, I am using Windows 7 Ultimate.
 

My Computer

At a glance

OS
Windows 7 ultimate 32bit
I have checked my computer, and when using Windows Explorer search, upper case or lower case doesn't matter. I end up in the same place.
To answer your question: yes, an infection can get into your C:\Windows\System32 and C:\Windows\system32, and many do like to hide there.
Is there anything that is not working correctly?
 
Last edited:

My Computer

At a glance

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Home made Desktop
OS
Windows 10 Pro. 64/ version 1709 Windows 7 Pro/64
CPU
Intel i7-6800K @ 4.3
Motherboard
ASUS X-99 Deluxe II
Memory
Corsair Platinum 16 gig @2400
Graphics Card(s)
EVGA GTX 1070 OC
Monitor(s) Displays
Asus 27" LED LCD/VE278Q
Screen Resolution
1920-1080 or 1280-720 HDMI
Hard Drives
INTEL SSD 730-240 Gb Sata 3.0/
PSU
EVGA Platium 1200W
Case
Phanteks Luxe Tempered Glass 8 fans/ one radiator
Cooling
XSPC/ Water Cooled CPU
Keyboard
Das 4 Professional
Mouse
Logitech M705/MX Anywhere 2-S
Internet Speed
100 mbits
Antivirus
Microsoft Security Essentials/ Malwarebytes Premium 3.0/ SAS
Browser
I.E. 11 default/Firefox/ ISP Time Warner Cable/Spectrum
Other Info
LG BluRay Burner/
Sound system-KLipsch-THX/
Icy Dock ssd Hot Swap bays.
Hello, thanks for your answer. I'm not sure.. but all of my applications and Windows features work normally. I just downloaded the new Gmer (used it before when it was not compatible with Windows 7 - I know :P) and 1-2 minutes after scanning I got a blue screen and restarted. A scan after that did not reveal anything suspicious though (I am not an expert, but no warning whatsoever). Probably just me being paranoid.
 


I do not think that you have anything to worry about. The program is doing just what I suspected it would do. It queries the registry for the info being displayed and that info varies depending on who typed the code for the service that Svchost launched.

Here is the output of the software tool that you mentioned when run on a clean W7 Pro SP1 64bit virtual machine.
details.png

Here is Process Monitor watching what that software is doing during a scan:
process-mon.png

Even Windows' own Task Manager gets different info for stuff like this:
taskmanager.png
 

My Computer

At a glance

Computer type
Laptop
Computer Manufacturer/Model Number
Employer provided Dell Latitude
OS
W7 Pro SP1 64bit
CPU
i7
Memory
8GB
Graphics Card(s)
Intel HD Graphics
Hard Drives
crappy SSD
Antivirus
Employer mandated Symantec Endpoint Protection
Browser
Pale Moon 64bit, IE11 64bit & Chrome 64bit
I agree, as long as you only have 1 system32 in C:\Windows, you have nothing to worry about.
 

My Computer

At a glance

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Skylake Special #666
OS
Windows 10 Pro x64
CPU
Intel Core i7 6700K
Motherboard
Asus Sabertooth Z170 Mark 1
Memory
GSkill TridentZ RGB 16GB 3600 16-16-16-36
Graphics Card(s)
EVGA GTX 980 Ti SC x2
Sound Card
Realtek High Definition
Monitor(s) Displays
AOC G2460PG
Screen Resolution
1920 x 1080 144Hz
Hard Drives
Samsung 860 Pro 256GB, Seagate Barracuda 4TB x2
PSU
EVGA 1000 P2, EVGA White Custom Braided Cables
Case
Corsair Vengeance C70 Gunmetal Black
Cooling
Corsair H100i v2, Corsair ML120 x2, Thermal Grizzly Kryonaut
Keyboard
Logitech G910 Orion Spectrum
Mouse
Logitech G700s
Internet Speed
Verizon Fios Quantum Gateway 75/75
Antivirus
Windows Defender, Malwarebytes Free 3.8.3
Browser
Chrome
Other Info
Corsair SP120 x4, LG Blu-ray Drive, Durabrand HT-395 100 Watt Dolby Digital Amp, Corsair H2100 Wireless 7.1 Headset
...and to be more specific:

Here is the path to Svchost as typed by some programmer
reg1.png

The scanner looks for the DLL or EXE for a service associated with Svchost...
reg2.png

...and then looks to see where the Svchost path image is
details2.png

Edit: actually, the scanner does not just look at the image path info to determine where Svchost is running from for a given set of services... it looks elsewhere (I'm not sure where), but I think that the premise is sound: the upper and lower case are just differences in a human's typing/coding somewhere. I was able to test this by changing the path in 3 places in the registry for the service shown/highlighted in the lower pane of the 1st screenshot of the scanner in this post. Then I restarted the computer (VM) and repeated the scan. The path to the appinfo DLL was still correct. And I could not find any logic that held true for the upper/lower case S in the path to Svchost.exe. I thought maybe the scanner just used the path as identified by the first or last service scanned for a given group of services - but that did not pan out. Oh well, maybe the folks at Neuber can stop by and tell us :-)

If I knew more about how Svchost launches services, I might be able to tell you if that "security scanner" is doing anything worthwhile. Just reading what is written in the registry might not be all that smart... I wonder if a black hat could just write any path image that they wished.

Hmmm, I have a frozen virtual machine...
...time to mess up a few path images in the registry.
Do not try this at home. :-)
 
Last edited:

Type C:/Windows/System32 in search and you will see, only 1 result will come up. And notice it does have a capital S, just like it should.
 

@AddRAM - I'm just digging into how that scanner works to see what value it is. I understand that the file system uses an uppercase S. The scanner does not seem to provide much more info than Task Manager (if you turn on certain columns).

@OP, My apologies for filling your thread with so much stuff as I think out loud (so to speak). Task Manager shows the same upper and lowercase S in the Command Line column. Sort the Processes tab by the Command Line column and then sort the scan results upper pane by the Group column and the info should match.

taskmanager2.png

I was able to change some entries in the registry to get them all to show an uppercase S... however, the scanner uses a slightly different spot in the registry than Task Manager does. In other words, I was able to get all uppercase Ss in Task Manager and I still had some lowercase Ss in the scanner. Eventually, I found all of the places to change stuff. Again, do not mess with the registry on a live system. I did this in a virtual machine.

taskmanager3.png
 

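The registry walk described in the two posts above (ImagePath for the svchost host process, ServiceDll under the service's Parameters subkey, and the Command Line column in Task Manager), as an added PowerShell example that is not code from this thread or from Neuber's scanner. It resolves each raw string the way the service control manager would (environment variables, quotes, the "-k group" argument, the \SystemRoot\ prefix), compares the result case-insensitively against %SystemRoot%\System32, which is why the capital S is cosmetic, and then does the two things a "just read the registry" scanner skips: it checks that the DLL actually exists and that it carries a valid signature. The function names and output columns are my own; the registry locations are the standard ones for svchost-hosted services.

```powershell
# Added example; not code from this thread or from Neuber's Svchost Analyzer.
# Audits svchost-hosted services the way a defender would: resolve the registry
# strings, compare them case-insensitively with the real System32, then check the
# file on disk and its signature. Needs an elevated Windows PowerShell 3.0+ prompt.

$System32    = Join-Path $env:SystemRoot 'System32'
$SvchostPath = Join-Path $System32 'svchost.exe'

function Resolve-ImagePath {
    # Turn a raw ImagePath / ServiceDll / command line into an absolute file path.
    param([string]$Raw)
    if ([string]::IsNullOrWhiteSpace($Raw)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($Raw).Trim()
    if ($p.StartsWith('"')) {
        # Quoted path: keep what is inside the quotes, drop the arguments after them.
        $end = $p.IndexOf('"', 1)
        $p = if ($end -gt 1) { $p.Substring(1, $end - 1) } else { $p.Trim('"') }
    } else {
        # Unquoted: drop the service-group arguments ("-k netsvcs -p ...").
        $p = ($p -split '\s+-k\s+', 2)[0]
    }
    # The kernel-style \SystemRoot\ prefix and a bare "system32\x.dll" are both
    # relative to the Windows directory.
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    if (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    # GetFullPath collapses "..\" segments. NTFS lookups ignore case, so the case
    # is left as written and all comparisons below ignore it too.
    return [IO.Path]::GetFullPath($p)
}

function Test-UnderSystem32 {
    # Prefix check that ignores case: C:\Windows\System32\ and C:\Windows\system32\
    # are the same folder, which is the whole point of the thread.
    param([string]$Path)
    return (-not [string]::IsNullOrEmpty($Path)) -and
           $Path.StartsWith($System32 + '\', [StringComparison]::OrdinalIgnoreCase)
}

function Get-SvchostServiceAudit {
    # One record per service whose ImagePath names svchost.exe.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $svc = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $svc -or -not $svc.ImagePath -or $svc.ImagePath -notmatch 'svchost\.exe') { continue }
        # The code that actually runs is the DLL named under Parameters\ServiceDll;
        # a few services keep ServiceDll on the service key itself.
        $prm    = Get-ItemProperty -Path (Join-Path $key.PSPath 'Parameters') -ErrorAction SilentlyContinue
        $rawDll = if ($prm -and $prm.ServiceDll) { $prm.ServiceDll } else { $svc.ServiceDll }
        $exe    = Resolve-ImagePath $svc.ImagePath
        $dll    = Resolve-ImagePath $rawDll
        $exists = [bool]$dll -and (Test-Path -LiteralPath $dll -PathType Leaf)
        $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $dll } else { $null }
        $status = if ($sig) { $sig.Status.ToString() } else { 'missing' }
        $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        [PSCustomObject]@{
            Service    = $key.PSChildName
            RawDll     = $rawDll
            Dll        = $dll
            HostOk     = ($exe -ieq $SvchostPath)      # -ieq: case-insensitive compare
            DllInSys32 = (Test-UnderSystem32 $dll)
            DllExists  = $exists
            SigStatus  = $status
            Signer     = $signer
        }
    }
}

function Get-SvchostProcessAudit {
    # The same string Task Manager shows in its Command Line column, resolved the same way.
    Get-CimInstance -ClassName Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
        $exe = Resolve-ImagePath $_.CommandLine
        [PSCustomObject]@{
            ProcessId   = $_.ProcessId
            CommandLine = $_.CommandLine
            HostOk      = ($exe -ieq $SvchostPath)
        }
    }
}

# Anything that fails a check deserves a second look: a service whose DLL sits
# outside System32, is missing, or is unsigned is exactly what the scanner cannot see.
$audit = Get-SvchostServiceAudit
$audit | Where-Object { -not ($_.HostOk -and $_.DllInSys32 -and $_.DllExists -and $_.SigStatus -eq 'Valid') } |
    Format-Table Service, HostOk, DllInSys32, DllExists, SigStatus, Dll -AutoSize
Get-SvchostProcessAudit | Format-Table ProcessId, HostOk, CommandLine -AutoSize
```

Two things to know before reading the output. Windows 7 ships with PowerShell 2.0, so the [PSCustomObject] and Get-CimInstance calls need the Windows Management Framework 3.0 or later update, and Get-AuthenticodeSignature only learned to see catalog signatures in PowerShell 5.1, which means on an older build most genuine Windows DLLs will show NotSigned here and the signature column is only meaningful on Windows 10 or a machine with 5.1. The process list needs an elevated prompt, because the command line of protected processes is hidden from a standard user and would come back empty. A row that fails a check is a lead, not a verdict: confirm it by hand before touching anything.
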

Hi guys, wow.. thank you all for your replies and information, I appreciate your time and effort! I'm probably a little confused about who said what, so.. my apologies if I did.

@Layback Bear: I agree, being paranoid is another layer of security protection. While I think I am OK from a random attack / virus, after reading / hearing a lot about security.. well, there is always something to be afraid of. Every time we hear about new malware, zero-day vulnerabilities, new ways to exploit etc etc. Can't help but think (and agree) that (online) security is just an illusion. Thanks for the scanners, just spent a lot of time with Eset's.

@UserNameIssues: No need to apologize, I'm glad you did and I like your methodologies. I am not trying them (definitely beyond my capability), but I think there is something we (I) can learn from them. I know a little programming and I'm a little surprised that it is not case sensitive.

@AddRam: Yes, I only have 1 System32 folder in C ("Show hidden file and folder" option is checked)

Well, glad that it was nothing to worry about.
 
