Total Commander tries to read file C:\xyz$$$.exe

AndrewCreator
Member
Posts: 122
Joined: 2011-10-10, 23:25 UTC

Post by *AndrewCreator »

Here is a procmon log for a fresh TC 9.0a without any plugins on a clean virtual machine.

3:19:10,9624026	TOTALCMD.EXE	544	CreateFile	C:\xyz$$$.exe	NAME NOT FOUND	Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
3:19:10,9629081	TOTALCMD.EXE	544	CreateFile	C:\xyz.exe	NAME NOT FOUND	Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
3:19:10,9678420	TOTALCMD.EXE	544	CreateFile	C:\xyz$$$.exe	NAME NOT FOUND	Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
3:19:11,4815047	TOTALCMD.EXE	544	CreateFile	C:\xyz$$$.exe	NAME NOT FOUND	Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
3:19:11,4817691	TOTALCMD.EXE	544	CreateFile	C:\xyz.exe	NAME NOT FOUND	Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
3:19:11,4823261	TOTALCMD.EXE	544	CreateFile	C:\xyz$$$.exe	NAME NOT FOUND	Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
3:19:16,8326515	TOTALCMD64.EXE	788	CreateFile	C:\xyz$$$.exe	NAME NOT FOUND	Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
3:19:16,8329606	TOTALCMD64.EXE	788	CreateFile	C:\xyz.exe	NAME NOT FOUND	Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
3:19:16,8362530	TOTALCMD64.EXE	788	CreateFile	C:\xyz$$$.exe	NAME NOT FOUND	Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
3:19:17,3456412	TOTALCMD64.EXE	788	CreateFile	C:\xyz$$$.exe	NAME NOT FOUND	Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
3:19:17,3459016	TOTALCMD64.EXE	788	CreateFile	C:\xyz.exe	NAME NOT FOUND	Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
3:19:17,3462500	TOTALCMD64.EXE	788	CreateFile	C:\xyz$$$.exe	NAME NOT FOUND	Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a
Dalai
Power Member
Posts: 9383
Joined: 2005-01-28, 22:17 UTC
Location: Meiningen (Südthüringen)

Post by *Dalai »

Huh. These strings can indeed be found in totalcmd.exe and totalcmd64.exe. They go back to version 7.0x.

I don't know why they're there, but I'm sure there's a reason. Maybe it's some test code Ghisler included in the compilation by accident, but maybe it's there on purpose.

Regards
Dalai
#101164 Personal licence
Ryzen 5 2600, 16 GiB RAM, ASUS Prime X370-A, Win7 x64

Plugins: Services2, Startups, CertificateInfo, SignatureInfo, LineBreakInfo - Download-Mirror
Hacker
Moderator
Posts: 13061
Joined: 2003-02-06, 14:56 UTC
Location: Bratislava, Slovakia

Post by *Hacker »

really well Google translated TiR wrote:
Total Commander uses the file name c:\xyz$$$.exe and the folder name C:\xyz to get information about system icons for *.exe files without icons and for folders. The information is obtained with the SHGetFileInfo function, which is also passed the SHGFI_USEFILEATTRIBUTES flag, which means that the system should not crawl into the c:\xyz$$.exe file itself or c:\xyz folder, but should think that such a file and folder exists and return icons for them by default. Therefore, this file and folder may not actually exist. And if they exist, they are not used. The function is called 4 times - 2 times for a file and folder for large and small icons.
http://forum.ru-board.com/topic.cgi?forum=5&topic=28837&start=878
Google Translate

HTH
Roman
Suppose you press Ctrl+F, select the FTP connection (with saved password), but instead of clicking Connect, you drop dead.
AndrewCreator
Member
Posts: 122
Joined: 2011-10-10, 23:25 UTC

Post by *AndrewCreator »

2Hacker
Yep, I found this post a bit later. It would be nice if Christian confirms that.
ghisler(Author)
Site Admin
Posts: 48070
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by *ghisler(Author) »

Yes, this is correct! This is done to get default icons, e.g. for exe files in archives or on ftp servers where the true file icon isn't available. I'm using the SHGFI_USEFILEATTRIBUTES flag to get the default icon. The names are used because it's unlikely that they exist.
c:\xyz is used for the default folder icon
c:\xyz.exe and c:\xyz$$$.exe are used for the default EXE icon
c:\xyz.tcnoicon is used for the default icon for files with no extension
Author of Total Commander
https://www.ghisler.com
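
A triage sketch for the Procmon events discussed in this thread, as an added example that is not part of the original posts: it parses both export shapes shown here and separates attribute-only opens of missing paths from opens that request data access. The verdict labels and the last sample line (`EXAMPLE.EXE`) are constructed for illustration.

```python
import csv
import re
from collections import Counter

DETAIL = ("Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, "
          "Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a")
SPEEDFAN = r"C:\Program Files\speedfan\speedfan.exe"
SAMPLE = [
    # Tab-separated shape from the first post (time column first).
    "\t".join(["3:19:10,9624026", "TOTALCMD.EXE", "544", "CreateFile", r"C:\xyz$$$.exe", "NAME NOT FOUND", DETAIL]),
    "\t".join(["3:19:10,9629081", "TOTALCMD.EXE", "544", "CreateFile", r"C:\xyz.exe", "NAME NOT FOUND", DETAIL]),
    "\t".join(["3:19:10,9678420", "TOTALCMD.EXE", "544", "CreateFile", r"C:\xyz$$$.exe", "NAME NOT FOUND", DETAIL]),
    # Quoted CSV shape from the speedfan posts (no time column).
    f'"TOTALCMD64.EXE","4932","QueryOpen","{SPEEDFAN}","FAST IO DISALLOWED",""',
    f'"TOTALCMD64.EXE","4932","CreateFile","{SPEEDFAN}","PATH NOT FOUND","{DETAIL}"',
    # Constructed contrast line (not from the thread): an open that asks for file data.
    '"EXAMPLE.EXE","1000","CreateFile","C:\\example\\data.bin","SUCCESS",'
    '"Desired Access: Generic Read, Disposition: Open, Attributes: n/a, ShareMode: Read, AllocationSize: n/a"',
]
OPENS = {"CreateFile", "IRP_MJ_CREATE"}
MISSING = {"NAME NOT FOUND", "PATH NOT FOUND"}
# "Key: value" pairs; a value may itself contain commas (ShareMode: Read, Write, Delete).
FIELD = re.compile(r"([A-Z][A-Za-z ]*): (.*?)(?=, [A-Z][A-Za-z ]*: |$)")

def parse_line(line):
    """Return (process, operation, path, result, detail) for either export shape."""
    if line.startswith('"'):
        proc, _pid, op, path, result, detail = next(csv.reader([line]))
    else:
        _time, proc, _pid, op, path, result, detail = line.split("\t")
    return proc, op, path, result, detail

def parse_detail(detail):
    return dict(FIELD.findall(detail))

def classify(line):
    """Return (process, path, verdict) for one event."""
    proc, op, path, result, detail = parse_line(line)
    fields = parse_detail(detail)
    if op not in OPENS:
        return proc, path, "other"
    if fields.get("Desired Access") == "Read Attributes" and fields.get("Disposition") == "Open":
        # Metadata-only open: no file content is requested.
        return proc, path, "probe-missing" if result in MISSING else "probe-exists"
    return proc, path, "review"

def summarize(lines):
    return Counter(classify(line) for line in lines)

if __name__ == "__main__":
    for key, count in summarize(SAMPLE).items():
        print(count, *key)
```
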
Lefteous
Power Member
Posts: 9535
Joined: 2003-02-09, 01:18 UTC
Location: Germany

Post by *Lefteous »

On Vista and newer there is also SHGetStockIconInfo
AndrewCreator
Member
Posts: 122
Joined: 2011-10-10, 23:25 UTC

Post by *AndrewCreator »

2ghisler(Author), thanks.

Maybe change the names to

C:\TC_FolderIcon
C:\TC_ExeIcon.exe
C:\TC_NoIcon.tcnoicon

This will not look like malware in Process Monitor =)
ghisler(Author)
Site Admin
Posts: 48070
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by *ghisler(Author) »

I will consider it, thanks!
Author of Total Commander
https://www.ghisler.com
TCNewUser
Junior Member
Posts: 3
Joined: 2018-02-13, 13:24 UTC

Post by *TCNewUser »

2ghisler(Author)

On the same note: why does TC try to open "speedfan.exe"?

Here is a capture from Procmon for TC 9.0a (clean tc install, no plugins, no speedfan):

"TOTALCMD64.EXE","4932","QueryOpen","C:\Program Files\speedfan\speedfan.exe","FAST IO DISALLOWED",""
"TOTALCMD64.EXE","4932","CreateFile","C:\Program Files\speedfan\speedfan.exe","PATH NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
Thanks
ghisler(Author)
Site Admin
Posts: 48070
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Post by *ghisler(Author) »

It doesn't, at least not out of the box. You may have a button in the button bar, or a file association with speedfan which causes TC to look for the program.
Author of Total Commander
https://www.ghisler.com
TCNewUser
Junior Member
Posts: 3
Joined: 2018-02-13, 13:24 UTC

Post by *TCNewUser »

No custom button bar, no file association, never had speedfan installed.
But, indeed, it doesn't seem to be caused by TC.
The same event is also fired by Windows Explorer, on a fresh system without TC installed on it.

"Explorer.EXE","2252","FASTIO_NETWORK_QUERY_OPEN","C:\Program Files\speedfan\speedfan.exe","FAST IO DISALLOWED",""
"Explorer.EXE","2252","IRP_MJ_CREATE","C:\Program Files\speedfan\speedfan.exe","PATH NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
Strange, but it seems that the event is fired every time a file system operation (like list dirs, create new file, etc ...) is performed in the folder where Procmon.exe resides, but only if the Autologon.exe (from the Sysinternals Suite) resides in the same folder.
Behavior is the same with older as well as with the latest Sysinternals Suite.
Dalai
Power Member
Posts: 9383
Joined: 2005-01-28, 22:17 UTC
Location: Meiningen (Südthüringen)

Post by *Dalai »

2TCNewUser
This is caused by the Application Compatibility Database of the system. See this picture.

If a file "Au*.exe" is executed the system checks whether or not there's a file "%ProgramFiles%\speedfan\speedfan.exe" present. Why does it do this? Because "Au*.exe" is part of the SpeedFan installer (or rather uninstaller) and the system tries to apply some compatibility settings to this particular file (likely because the executable has known compatibility issues).

How do I know this? Years ago I wrote a tool called Automatisierung.exe, which determines the current Windows version to do automated stuff. Some day I wondered why my tool detects Windows Vista on a Windows 7 system. After some digging I found that as soon as SpeedFan is present on the system my tool detected Vista. If I renamed my tool to MyAutomatisierung.exe it detected Win7. So I did quite a lot of digging, and - with the help of the Compatibility Administrator (part of the Application Compatibility Toolkit, ACT) - found out that it was caused by the system's compatibility database. This took me some weeks to figure out, IIRC.

What did I do about it? I recompiled my tool with a newer compiler/linker because the system's AppCompat database also limits its settings to "Au*.exe" with an old linker date, as you can also see in the picture linked above.

Quite possible that you could see similar things happening, because as you can guess from the picture there are a lot of entries in that database...

Regards
Dalai
#101164 Personal licence
Ryzen 5 2600, 16 GiB RAM, ASUS Prime X370-A, Win7 x64

Plugins: Services2, Startups, CertificateInfo, SignatureInfo, LineBreakInfo - Download-Mirror
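
A simplified model of the match described in the post above (file name pattern "Au*.exe", an old linker date, SpeedFan present), as an added example that is not part of the original posts and not the actual AppCompat engine. It reads the linker date from the PE header; the cutoff date, the `fake_pe` helper and the sample dates are constructed assumptions, since the thread only says "old linker date".

```python
import fnmatch
import struct
from datetime import datetime, timezone

UTC = timezone.utc
COMPANION = r"%ProgramFiles%\speedfan\speedfan.exe"   # path named in the post
RULE = {
    "name": "Au*.exe",                                # pattern named in the post
    "linked_before": datetime(2008, 1, 1, tzinfo=UTC) # hypothetical cutoff
}

def linker_timestamp(pe_bytes):
    """Read the COFF TimeDateStamp (the 'linker date') from a PE image."""
    if pe_bytes[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe_bytes, 0x3C)
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # After the 4-byte signature: Machine (2), NumberOfSections (2), TimeDateStamp (4).
    (stamp,) = struct.unpack_from("<I", pe_bytes, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=UTC)

def fake_pe(linked_at):
    """Constructed minimal header: DOS stub up to e_lfanew, then the COFF start."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHI", 0x14C, 1, int(linked_at.timestamp()))
    return dos + coff

def evaluate(filename, pe_bytes, present_paths, rule=RULE):
    """Return each condition of the modelled match and whether all of them hold."""
    checks = {
        "name_match": fnmatch.fnmatchcase(filename.lower(), rule["name"].lower()),
        "old_link_date": linker_timestamp(pe_bytes) < rule["linked_before"],
        "companion_present": COMPANION in present_paths,
    }
    checks["applies"] = all(checks.values())
    return checks

if __name__ == "__main__":
    old = fake_pe(datetime(2005, 6, 1, tzinfo=UTC))   # constructed dates
    new = fake_pe(datetime(2018, 2, 1, tzinfo=UTC))
    for name, image in [("Automatisierung.exe", old), ("MyAutomatisierung.exe", old),
                        ("Automatisierung.exe", new)]:
        print(name, evaluate(name, image, {COMPANION}))
```
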
TCNewUser
Junior Member
Posts: 3
Joined: 2018-02-13, 13:24 UTC

Post by *TCNewUser »

2Dalai

Great. Thank you for the explanation :D