Subject : Re: About That "inetpub" Folder ...
From : nospam (at) *nospam* needed.invalid (Paul)
Groups : comp.os.linux.advocacy alt.comp.os.windows-11
Date : 14. Jun 2025, 10:02:11
Organization : A noiseless patient Spider
Message-ID : <102jdqj$3bao$1@dont-email.me>
User-Agent : Ratcatcher/2.0.0.25 (Windows/20130802)
On Sat, 6/14/2025 3:10 AM, Lawrence D'Oliveiro wrote:
> On Fri, 13 Jun 2025 22:53:33 -0400, Paul wrote:
>
>> The file was named that way by Russinovich, the developer.
>> And he does his own file injection. If he finds the procmon23.sys he
>> removes it and installs the procmon24.sys. It's a private file just for
>> him, not shared in the conventional sense. It's not tracked and updated
>> by Windows Side By Side (WinSXS). Windows is not supposed to know it is
>> there, it's not loaded on boot, but it is used privately for doing a
>> trace.
>
> It's pretty scary to think one lone developer can inject such code into
> Windows that Windows itself does not know about.
>
>> Just as Linux keeps some kernels, and if the latest kernel won't boot,
>> you can use the menu to select a slightly older one.
>
> The Linux kernel itself knows which version it is, though. Nothing is
> being hidden from it.
Ring 3 is awash in good stuff. Relying on Ring0 as a potential
way to maintain law and order.
Back in the cooperative multitasking days, this is why systems
were crashing all the time. Any time some strange pork like this
loaded, the OS would tip over. It required that everyone
have the highest quality of code (think of all your applications,
being coded with driver techniques).
Preemptive multitasking allows a lot more rubbish to load.
Why, the OS even runs the programs I write :-/ You know,
some commercial AV tools, they would gun down my EXE files
and not allow them to run ("reputation" detection, never
seen the hash before).
And Microsoft is aware of these issues, as they are writing
out third party drivers (Ring0). They are working on improving
the walls of their cardboard fortress in Ring0.
30% of crashes used to be caused by the NVidia driver. Not, the
NVidia driver on Windows, it is claimed it runs in some kind of
container. It also has some watchdog capability (can be restarted
after the screen "blinks black"). They may not be able
to remove that driver, but the cardboard walls are going up.
Paul