Unanswered Question
Dec 4th, 2006
User Badges:

I'm seeing a ton of events triggered on one laptop in our CSA deployment. The events are all pertaining to a rule to query the user when any system function is accessed from a buffer by MS explorer. The events seem to focus on function CreateFileW and the file it is attempting to create is "\\.\csacenter50"

Has anyone seen this before? It's only happening on this one laptop, which leads me to believe the user has some other software installed that could be affecting this. These events seem to occur when they right-click jpeg files.

Also, the user has gotten events on the same rule with CreateFileW, but creating file \\.\HCD0 when they open folders.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
tsteger1 Mon, 12/04/2006 - 09:02
User Badges:
  • Red, 2250 points or more

"csacenter50" is the rule engine driver and HCD0 could be a share name.

Does this laptop have file and print sharing enabled and is it sharing something on the network?

It could also have a persistent drive mapping that is failing by trying to authenticate with the wrong credentials.

Check the app and system event logs.


This Discussion