1. #1


    Looking for input on Dynamic Driver listings in the DRT

    Recently there have been instances of a temporary driver showing up in some memory dumps. The temp driver is most likely from either a program using the WinRing libraries (most often it's seen with RealTemp) or it's a driver used with the LoL game.

    It's labelled tmp????.tmp - with the ?'s being either lower case or upper case letters or numbers. Both of the tmp's are lower case.

    My question here is how should we address this driver in the DRT?
    I don't want to add all possible combinations of letters/numbers to the DRT, but would like to achieve consistency in the way that we list dynamic drivers.

    For those that have been around for a while, they've seen the problems with the dynamic drivers used by Daemon Tools/Alcohol % software (both the a???????.SYS drivers and the sp??.sys drivers) along with the Microsoft Security Essentials drivers (MpKsl????????.sys).

    I suggest that we use ?'s to take the place of the variable characters, and that the pattern be noted in the Information column.

    This brings up another question - should we then trim out all the other random drivers that have been listed?

    This would leave us with 4 entries:
    - tmp????.tmp
    - a???????.SYS
    - sp??.sys
    - MpKsl????????.sys



  2. #2
    jcgriff2's Avatar

    Re: Looking for input on Dynamic Driver listings in the DRT

    I agree with not adding all dynamically allocated drivers. We sure had a time [fun...? :)] when adding Daemon Tools a*.SYS drivers for a while only to end up stopping after we realized what was happening.

    I like the use of question marks as they signify 1 character each (in DOS, anyway; not sure if those of today use the same or even know about it).

    But what about drivers like - Driver Reference Table - a2util32.sys -- an A² driver?

    I guess my point is simply that a???????.SYS would cover that one but I'm not sure it really matters because the A² driver and other exceptions would be listed.

    I think we should go ahead and implement the use of ???? to cover dynamic drivers and delete those we can ID as same in the current DRT.
    Last edited by jcgriff2; 10-22-2014 at 04:30 PM. Reason: typo

  3. #3
    blueelvis's Avatar

    Re: Looking for input on Dynamic Driver listings in the DRT

    I would also suggest using the ???? for the dynamic entries. It just signifies one character like jcgriff mentioned and furthermore it generates curiosity (at least in me) as to what these drivers are.

    But, my point would be that it would be causing extra trouble? Usasma, do you just have to select and then delete the entries or is it something different? Though you must add the TMP driver along with a proper description, which means to list all the facts that we know about it. You would need to like underline the fact that the WinRing service is only visible in the Event Log and not anywhere in the loaded modules list (except for these temporary drivers) or the MSINFO32 report as well.

    We were just plain lucky that the Event Log contained the program which is being associated with this as in almost every other Event Log which was scanned, there was only this service and no information as to what is executing this one.

    @jcgriff2 - If you look at the Emsisoft Drivers (All of them in the DRT), you would notice the thing that the last 2 digits before ".sys" are 32,86 / 64 which depict the Product Version which is installed. Like either it is 64bit or 32bit which is installed on the system. This is not valid in the case of Alcohol/Daemon Tools. But, your point is 120% valid as well. This might confuse us as well in some cases. But, a note in the description as in which conditions this is valid can be done in bold or some other colors to highlight such kind of tmp????.tmp driver.

    @usasma - There is a driver over here - Driver Reference Table - mchInjDrv.sys which is considered likely to be a part of Emsisoft A Squared. But, I think it is part of other software as well. You can check the driver's name in the strings which are extracted from a different software over here -
    Malware scan of Modviewer.exe e99c3c08c5ca999656edb465a58b41d8d0bc4073 - herdProtect
    &
    https://forums.comodo.com/virusmalwa...67465#msg67465

    As far as I can see in the DRT, there are loads of errors which are now coming up because of the fact that links change.
    Ever wanted to learn to debug BSODs? PM me now!

    Feel free to PM me in case I haven't replied within 48 Hours ^_^. Anything else? Still feel free to PM me :thumbsup2:

  4. #4
    jcgriff2's Avatar

    Re: Looking for input on Dynamic Driver listings in the DRT

    Quote, originally posted by blueelvis:
    "As far as I can see in the DRT, there are loads of errors which are now coming up because of the fact that links change."
    If you come upon any of these (invalid URLs), please post them in this thread - http://www.sysnative.com/forums/carr...corrected.html

  5. #5
    jcgriff2's Avatar

    Re: Looking for input on Dynamic Driver listings in the DRT

    The posts related to the TMP* drivers (& dumps attached) + WinRing Services + Corsair have been moved to BSOD Tutorial/Information forum.

    New thread - TMP????.sys Drivers
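
The lookup rule the thread converges on, shown as an added example that is not part of the original posts or the DRT's own code: exact rows such as a2util32.sys are checked first, then the four wildcard rows, with each ? standing for exactly one letter or digit. The table layout, the descriptions, the case-insensitive comparison and the sample module names are assumptions constructed for illustration.

```python
import re

# Exact DRT rows win over wildcard rows, so listed exceptions keep their own entry.
EXACT = {"a2util32.sys": "Emsisoft driver (own DRT entry)"}

# The four wildcard rows proposed in the thread; each ? is one variable character.
WILDCARDS = {
    "tmp????.tmp": "temporary driver (WinRing libraries such as RealTemp, or LoL)",
    "a???????.SYS": "Daemon Tools/Alcohol dynamic driver",
    "sp??.sys": "Daemon Tools/Alcohol dynamic driver",
    "MpKsl????????.sys": "Microsoft Security Essentials dynamic driver",
}


def compile_row(pattern):
    """Turn a DRT wildcard row into a regex: ? -> exactly one letter or digit."""
    body = "".join("[A-Za-z0-9]" if ch == "?" else re.escape(ch) for ch in pattern)
    # Assumption: literal parts compare case-insensitively, as Windows file names do.
    return re.compile(body, re.IGNORECASE)


COMPILED = [(row, compile_row(row), info) for row, info in WILDCARDS.items()]


def lookup(driver_name):
    """Return (matched DRT row, information), or None if the driver is unlisted."""
    key = driver_name.lower()
    if key in EXACT:
        return key, EXACT[key]
    for row, regex, info in COMPILED:
        # fullmatch: the whole name must fit, so the ? count is enforced exactly.
        if regex.fullmatch(driver_name):
            return row, info
    return None


# Constructed module names, as they might appear in a dump's loaded-module list.
SAMPLE = ["tmpA3f9.tmp", "a2util32.sys", "aq1w2e3r.SYS", "spxy.sys",
          "MpKsl1a2b3c4d.sys", "tmpfiles.tmp", "spldr.sys", "ntfs.sys"]

if __name__ == "__main__":
    for name in SAMPLE:
        print(f"{name:20} -> {lookup(name)}")
```

Without the exact-row check, a2util32.sys would be reported under a???????.SYS, which is the overlap raised in post #2.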
