Subject : Re: About That “inetpub” Folder ...
From : nospam (at) *nospam* needed.invalid (Paul)
Newsgroups : comp.os.linux.advocacy alt.comp.os.windows-11
Date : 14. Jun 2025, 03:53:33
Organization : A noiseless patient Spider
Message-ID : <102io7e$3uj0j$1@dont-email.me>
References : 1 2 3 4 5 6 7 8
User-Agent : Ratcatcher/2.0.0.25 (Windows/20130802)

On Fri, 6/13/2025 7:36 PM, Lawrence D'Oliveiro wrote:
> On Fri, 13 Jun 2025 18:50:22 -0400, Paul wrote:
>
>> What people don't know (because they can't see it), is a
>> "procmon23.sys" or similar, is added to System32, and that module is
>> loaded at boot time. Since the Hidden bit is set on it, people can't
>> see it, and the program does not clean up after itself and remove
>> the file again. When the API changes, the version is bumped to
>> "procmon24.sys".
>
> What a clunky way of versioning shared libraries.
>
> The Linux way is twofold: add a versioning suffix to the name of the
> library, and also versioning the individual symbols themselves. This way
> the name of the library in the SDK doesn’t need to change.

The file was named that way by Russinovich, the developer.
And he does his own file injection. If he finds the procmon23.sys
he removes it and installs the procmon24.sys. It's a private
file just for him, not shared in the conventional sense. It's
not tracked and updated by Windows Side By Side (WinSXS). Windows
is not supposed to know it is there, it's not loaded on boot,
but it is used privately for doing a trace.
If it was a system file, then the version would be managed
with the version string, and various versions could be in WinSXS.
Just as Linux keeps some kernels, and if the latest kernel won't
boot, you can use the menu to select a slightly older one.
ntoskrnl.exe
File Version 6.2.22621.5471
Product Version 10.0.22621.5471 (and it's on Windows 11)
Date June 10, 2025
There is no ad hoc versioning there.
At one time, Microsoft used to version files, via their byte count.
"Remove the old file with 12346 bytes, replace with the 12345 byte file."
They have traveled some distance, on the versioning topic,
but they still do things that do not impress.
Paul