CSA 6.0 Problem with \??\ preceding a file.

Unanswered Question
Aug 12th, 2009

We have a message in the Event Log about a Kernel functionality being modified by the module:

\\??\Windows\system32\drivers\mkbd.sys

\\??\Windows\system32\drivers\mkbd.sys is monitoring the keyboard.

Any idea what the "??" means? We can't use the wizard to tune it.

Thanks in advance.

jan.nielsen Fri, 08/14/2009 - 14:36

Could be the VMware Workstation virtual keyboard driver. You should be able to whitelist it as an option in the wizard.

pmccubbin Sun, 08/16/2009 - 08:52

Hi Jan,

Thanks for the reply.

When we try to whitelist via the Wizard, the CSAMC throws an error and doesn't allow this operation to proceed.

I am opening a TAC case and will post results.

pmccubbin Wed, 08/26/2009 - 09:26

Just wanted to offer an update. We have a TAC case open and the Business Unit is looking into the case.

Attached is the error message.

As a bit of background, we are running the CSAMC on a VMware machine.

When I hear more I will post it. Thanks.

deshaw Fri, 08/28/2009 - 01:34

We have also faced similar issues with CSA 6.0 and this known issue is fixed in 6.0.0.220 and later versions.

daneilhudson Fri, 09/11/2009 - 04:13

You could manually write a rule using **\Windows\system32\drivers\mkbd.sys as a definition for the application. I suspect that @system would work as well. Just create an application class and add that as an exception to the triggering rule.
