Procmon Bug: Garbage after \Device\HarddiskVolume path
For "\Device\HarddiskVolume" paths, the string length recorded in the PML data is sometimes too long, so the decoded path ends in one or more garbage characters, which Procmon displays as-is. Here is an example shown in Procmon 3.89:
In viewer9 a workaround was implemented that suppresses any trailing characters other than 0-9 in such paths, but the binary data at the end of the path is still available so you can draw your own conclusion (see PML Binary Data and Results Offsets). Here is the same event in viewer9; hovering over the character after the 5 shows the same character that Procmon displays.
This problem has been observed in many operations, including CreateFileMapping, FASTIO_RELEASE_FOR_SECTION_SYNCHRONIZATION, IRP_MJ_CLOSE, QueryOpen, and QueryStandardInformationFile, and so does not seem to be linked to any particular operation.
In the PML format, Path can be stored either as wide-character UTF-16 or as single-byte ASCII. Every \Device path observed with a wide-char Path had the bug, and none of the ASCII ones did. While many variations of \Device paths were seen, such as \Device\Mup, \Device\Harddisk0\DR0, and \Device\HarddiskVolume5\Windows\Registration\R000000000001.clb, the only ones stored as wide char ended with HarddiskVolumeN.
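The following is an added example, not viewer9 code, showing how the workaround described above can be applied when reading a Path field: decode the stored bytes according to the wide/ASCII flag, and for a wide-character \Device\HarddiskVolumeN path whose stored length overshoots, drop the characters after the volume number from the display string while keeping the raw trailing bytes for inspection. The PathField structure and the sample byte strings are constructed for the example; the real PML record layout is not modelled, and the rule is deliberately narrowed to the case observed on this page (wide char, no further path components after HarddiskVolumeN) so that ASCII paths such as \Device\HarddiskVolume5\Windows\... are never truncated.

```python
import re
from typing import NamedTuple, Tuple


class PathField(NamedTuple):
    """Stand-in for the Path field of a PML event (assumed shape, not the real
    record layout): the encoding flag and the raw bytes as stored in the file."""
    is_wide: bool   # True = UTF-16LE wide char, False = single-byte ASCII
    raw: bytes


def decode_path(field: PathField) -> str:
    """Decode the stored bytes exactly as given, garbage characters included."""
    if field.is_wide:
        return field.raw.decode("utf-16-le", errors="replace")
    return field.raw.decode("ascii", errors="replace")


# Only paths of the form \Device\HarddiskVolumeN have shown the bug. Group 1 is
# the legitimate path, group 2 is anything after the digits that does not start
# a further path component (a real sub-path would contain a backslash).
_VOLUME_TAIL = re.compile(r"^(\\Device\\HarddiskVolume\d+)([^\\]*)$")


def clean_path(field: PathField) -> Tuple[str, bytes]:
    """Apply the workaround: return (display_path, trailing_junk_bytes).

    For a wide-char \\Device\\HarddiskVolumeN path followed by non-digit
    characters, the display path is cut after the volume number and the raw
    bytes that were cut off are returned so they can still be examined.
    ASCII paths and paths with further components are returned unchanged
    with empty junk bytes.
    """
    text = decode_path(field)
    if not field.is_wide:
        return text, b""
    m = _VOLUME_TAIL.match(text)
    if m is None or not m.group(2):
        return text, b""
    # group(1) is pure ASCII, so each of its characters occupies exactly
    # two bytes in UTF-16LE; slice the original bytes rather than re-encoding
    # the decoded text so undecodable trailing bytes are preserved verbatim.
    keep = m.group(1)
    return keep, field.raw[2 * len(keep):]


# Constructed sample fields (not taken from a real PML file).
SAMPLES = [
    # Wide-char path whose stored length overshoots by one UTF-16 code unit.
    PathField(True, "\\Device\\HarddiskVolume5".encode("utf-16-le") + b"\x00\x04"),
    # ASCII path with further components: must not be touched.
    PathField(False, b"\\Device\\HarddiskVolume5\\Windows\\Registration\\R000000000001.clb"),
    # Wide-char path that is not a HarddiskVolume path: must not be touched.
    PathField(True, "\\Device\\Mup".encode("utf-16-le")),
]


def describe(field: PathField) -> str:
    """One line per event: the cleaned path plus a hex dump of any junk."""
    display, junk = clean_path(field)
    note = f"  [trailing bytes: {junk.hex(' ')}]" if junk else ""
    return f"{display}{note}"


if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(decode_path(sample)), "->", describe(sample))
```

Running the block prints the raw decoded string beside the cleaned one for each sample; the first sample shows the stray U+0400 character removed from the display path and reported as the bytes `00 04`, while the other two pass through untouched.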
See also
- On YouTube: Procmon bug on \Device\HarddiskVolume paths
- CreateFileMapping PML Operation
- FASTIO PML Operations
- IRP_MJ_CLOSE PML Operation
- QueryInformationFile PML Operations
- PML Binary Data and Results Offsets
- Procmon Bug: CreateFileMapping PageProtection
- Procmon Bug: Garbage in Registry Data
- Procmon Bug: QueryDirectory Missing Filename
- Procmon Bug: QueryStreamInformationFile Alternate Data Stream
- Procmon Bug: RegQueryKey QueryKeyType Name
- Procmon Bug: RegRestoreKey/RegSaveKey Path and HivePath
Posted 4 Jul 2022, last updated 22 Nov 2022. As viewer9 is just starting out, discussion is invited via email. Please send questions and comments to forum@viewer9.com directly. Threads that might be valuable to other users will be posted as part of the documentation. Posted messages will not include your address or your full name, and might be shortened for brevity.
Copyright 2022, bryantlite, Inc.