Recently there have been instances of a temporary driver showing up in some memory dumps. The temp driver is most likely from either a program using the WinRing libraries (most often it's seen with RealTemp) or it's a driver used with the LoL game.
It's labelled tmp????.tmp - with the ?'s being either lower case or upper case letters or numbers. Both of the tmp's are lower case.
My question here is how should we address this driver in the DRT?
I don't want to add all possible combinations of letters/numbers to the DRT, but would like to achieve consistency in the way that we list dynamic drivers.
For those that have been around for a while, they've seen the problems with the dynamic drivers used by Daemon Tools/Alcohol % software (both the a???????.SYS drivers and the sp??.sys drivers) along with the Microsoft Security Essentials drivers (MpKsl????????.sys).
I suggest that we use ?'s to take the place of the variable characters, and that the pattern be noted in the Information column.
This brings up another question - should we then trim out all the other random drivers that have been listed?
This would leave us with 4 entries:
- tmp????.tmp
- a???????.SYS
- sp??.sys
- MpKsl????????.sys
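
As an added example (not part of the original post), here is one way a lookup against the four wildcard entries could work when triaging driver names from a dump. It assumes each ? is exactly one ASCII letter or digit, as the post describes for tmp????.tmp, and that literal parts compare case-insensitively; the function names and sample driver names are constructed.

```python
import re

# The four wildcard entries proposed in the post; '?' marks one variable character.
DRT_PATTERNS = ["tmp????.tmp", "a???????.SYS", "sp??.sys", "MpKsl????????.sys"]


def compile_pattern(pattern):
    """Turn a DRT-style entry into a regex for whole-name matching.

    Assumption: each '?' is exactly one ASCII letter or digit (the post states
    this for tmp????.tmp only) and literal parts compare case-insensitively.
    """
    parts = []
    for ch in pattern:
        parts.append("[A-Za-z0-9]" if ch == "?" else re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)


COMPILED = [(p, compile_pattern(p)) for p in DRT_PATTERNS]


def classify(driver_name):
    """Return the DRT pattern a driver name falls under, or None."""
    for pattern, rx in COMPILED:
        if rx.fullmatch(driver_name):
            return pattern
    return None


def group_drivers(names):
    """Group driver names by matching pattern; unmatched names go under None."""
    groups = {}
    for name in names:
        groups.setdefault(classify(name), []).append(name)
    return groups


# Constructed sample names, not taken from a real memory dump.
SAMPLE = ["tmpA3f9.tmp", "MpKsl1a2b3c4d.sys", "sptd.sys", "aq5x8k2m.SYS",
          "tmp12345.tmp", "ntfs.sys", "sp_1.sys"]

if __name__ == "__main__":
    for pattern, names in group_drivers(SAMPLE).items():
        print(pattern, names)
```

A short pattern such as a???????.SYS also matches any ordinary eight-character driver name that starts with "a", so a hit is a prompt to check the driver's details rather than an identification.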