CSA 6.0 Problem with \??\ preceding a file.

Unanswered Question
Aug 12th, 2009

We have a message in the Event Log about a Kernel functionality being modified by the module:


\\??\Windows\system32\drivers\mkbd.sys is monitoring the keyboard.

Any idea what the "??" means? We can't use the wizard to tune it.

Thanks in advance.

jan.nielsen Fri, 08/14/2009 - 14:36

Could be the VMware Workstation virtual keyboard driver. You should be able to whitelist it as an option in the wizard.

pmccubbin Sun, 08/16/2009 - 08:52

Hi Jan,

Thanks for the reply.

When we try to whitelist via the Wizard, the CSAMC throws an error and doesn't allow this operation to proceed.

I am opening a TAC case and will post results.

jan.nielsen Mon, 08/17/2009 - 04:31

What is the error that it throws?

pmccubbin Wed, 08/26/2009 - 09:26

Just wanted to offer an update. We have a TAC case open and the Business Unit is looking into the case.

Attached is the error message.

As a bit of background, we are running the CSAMC on a VMware machine.

When I hear more I will post it. Thanks.

deshaw Fri, 08/28/2009 - 01:34

We have also faced similar issues with CSA 6.0 and this known issue is fixed in and later versions.

daneilhudson Fri, 09/11/2009 - 04:13

You could manually write a rule using **\Windows\system32\drivers\mkbd.sys as a definition for the application. I suspect that @system would work as well. Just create an application class and add that as an exception to the triggering rule.

