I'm seeing a ton of events triggered on one laptop in our CSA deployment. The events are all pertaining to a rule to query the user when any system function is accessed from a buffer by MS explorer. The events seem to focus on function CreateFileW and the file it is attempting to create is "\\.\csacenter50"
Has anyone seen this before? It's only happening on this one laptop, which leads me to believe the user has some other software installed that could be affecting this. These events seem to occur when they right-click jpeg files.
Also, the user has gotten events on the same rule with CreateFileW, but creating file \\.\HCD0 when they open folders.