0

I have searched the site and the web for an answer to my problem without any luck.

Not sure if this is possible but an unknown, hidden program/script/malware/rootkit keeps adding \??\ to the image paths in the registry for security programs/firewall/antivirus I have running on my computer. For example:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ksapi\ImagePath

\??\C:\WINDOWS\system32\drivers\ksapi.sys (Kingsoft ksapi module.)

This in effect disables without the user's knowledge whatever Kingsoft's Antivirus ksapi.sys does. So for instance a program might show that its real active protection is enabled but in fact is not, since the \??\ alters the image path, thereby nullifying its execution and effectiveness while rendering it totally ineffective and, most importantly, it fools one into a false sense of security. I keep deleting the \??\s, which is particularly annoying since it needs a reboot for the changes to take effect in the registry, but they keep coming back.

This rogue program also does the same to antirootkit programs which neutralizes their detection capacity and also sometimes actually deletes their drivers (sys files).

Would anyone know if there is a script (or program) that can loop through the registry and keep track of image path keys, find out what program is making the changes, intercept it, perhaps lock the keys so that they cannot be changed, and/or if they have changed, delete the \??\ and refresh the registry without having to reboot so that the keys become active immediately?

It would be great if a script could be run at log off and log on and report its findings and results to a log or text file.

I am using Tiny Watcher, which originally alerted me to these changes and continues to do so, but it only reports them after they have been made, and the free version of Registrar Registry Manager to delete the \??\s.

Thanking you in advance for any assistance or in pointing to resources that may be of help.

2
  • You can try to track the registry changes with SysInternals' Process Monitor (technet.microsoft.com/pl-pl/sysinternals/bb896645.aspx). And you can try to tweak permissions on that registry key (leave modification rights only to an account different from the one you normally use).
    – MBu
    Commented Jan 15, 2014 at 13:18
  • I installed the latest Kingsoft Antivirus version on a Windows XP SP3 virtual machine, and although I don't have the exact same registry keys (different version perhaps?) I can see the default values do include ??, e.g. \??\C:\WINDOWS\system32\drivers\kavfm.sys. I have to add you can't change those ImagePath values unless you turn off the antivirus Self Defense feature (enabled by default).
    – and31415
    Commented Jan 18, 2014 at 11:26

2 Answers

2

I found this in a cached post on wugnet.com

BIG WARNING: Do not go to the original wugnet domain. The Google search I performed and that led me there is a contaminated link leading through another URL to a third displaying an AdultFriendFinder advertisement.

-Quote-

It's a namespace subdirectory created by the NT Object Manager during the boot process. The named objects in this subdirectory are symbolic links to Object Manager resources accessible by the Win32 API. For example, C: might be a symbolic link to \Device\HarddiskVolume1; when a Win32 call is made for a file on C:, the Win32 subsystem converts it to \??\C: and the Object Manager locates the symbolic link in the \?? subdirectory and finds the device object where the file is located.

You can get a better idea of how the Object namespaces are organized with SysInternals' WinObj utility:
http://technet.microsoft.com/en-us/sysinternals/bb896657.aspx

My guess is that the full path to the Object Manager's \?? subdirectory is used in the registry values because when those registry entries are processed during the boot process the Win32 subsystem may not yet be fully initialized and as such without the \?? portion of the path the boot process would not be able to resolve the paths referenced in those registry values. Most of these \?? paths are in the HKEY_LOCAL_MACHINE\SYSTEM key and without the full path the machine would probably not boot, or if it did it would boot in a severely crippled state.

-end quote-

If this is true, your statement "This in effect disables..." is dubious. Did you actually observe that the software related to those registry keys does not function correctly?
If not, you should change your question title to something like "Mysterious double question marks preceding file paths in registry keys?"


Additional remark 1
Wugnet is a strange site anyway, that page appears to be scraped from pcreview.co.uk

Additional remark 2
This issue is not to be confused with another floating around the web about single question marks replacing colons in paths. I'm including this, although it does not seem related (but I may be wrong). Here's a user who got strange C?\ values in his registry keys which might have been a MS bug, and after manually fixing them the issue was gone (long thread, several pages). The post mentions importing/exporting the keys to get them fixed quickly (but that would not be required in your case, because there's nothing wrong there). The OP writes there: New "corrupted" registry keys continue to be created when new apps are installed, but the corrected registry keys seem to remain unchanged.
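To make the point above checkable, and to give the question's request for a script that "loops the registry", tracks ImagePath values and logs its findings a concrete shape, here is an added PowerShell example. It is not code from the question, from this answer, or from any of the tools mentioned (Tiny Watcher, Registrar, Process Monitor, WinObj). It enumerates every service's ImagePath under HKLM\SYSTEM\CurrentControlSet\Services, resolves the NT-namespace prefixes (\??\ and \SystemRoot\) and bare relative paths to a Win32 path, checks whether that file exists on disk, and writes any difference from the previous run to a log. The baseline and log file locations are hypothetical placeholders; the prefix rules assume only the two prefixes named in this thread plus paths relative to %SystemRoot%.

```powershell
# Added example (not from the question or answers): scan service ImagePath values,
# resolve NT-style prefixes to Win32 paths, and log changes since the last run.
# Assumes an administrator session; file locations below are hypothetical.

$BaselinePath = 'C:\ProgramData\ImagePathBaseline.json'   # hypothetical location
$LogPath      = 'C:\ProgramData\ImagePathMonitor.log'     # hypothetical location

function Convert-ImagePathToWin32 {
    # Turn a raw ImagePath value into the Win32 path the loader will actually open.
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())
    if ($p.StartsWith('"')) {
        # Quoted executable followed by arguments: keep the quoted part only.
        $end = $p.IndexOf('"', 1)
        if ($end -gt 0) { $p = $p.Substring(1, $end - 1) }
    } elseif ($p -match '^(.*?\.(exe|sys|dll))(\s.*)?$') {
        # Unquoted executable with optional arguments (e.g. svchost.exe -k ...).
        $p = $Matches[1]
    }
    switch -Regex ($p) {
        '^\\\?\?\\(.+)$'       { $p = $Matches[1]; break }                      # \??\C:\... is the Object Manager view of C:\...
        '^\\SystemRoot\\(.+)$' { $p = Join-Path $env:SystemRoot $Matches[1]; break }
        '^[A-Za-z]:\\'         { break }                                         # already a drive-letter path
        default                { $p = Join-Path $env:SystemRoot $p }             # e.g. System32\drivers\foo.sys
    }
    return $p
}

function Get-ServiceImagePath {
    # One record per service that has an ImagePath value.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $raw = (Get-ItemProperty -Path $_.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        if ($raw) {
            $win32 = Convert-ImagePathToWin32 $raw
            [pscustomobject]@{
                Service   = $_.PSChildName
                RawValue  = $raw
                Win32Path = $win32
                Exists    = (Test-Path -LiteralPath $win32 -PathType Leaf)
            }
        }
    }
}

function Compare-ImagePathBaseline {
    # Report NEW / CHANGED / REMOVED services against the saved baseline, plus
    # any ImagePath whose resolved file is not on disk (a real problem, prefix or not).
    param([array]$Current)
    $lines = @()
    if (Test-Path -LiteralPath $BaselinePath) {
        $baseline = @{}
        foreach ($b in (Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json)) {
            $baseline[$b.Service] = $b.RawValue
        }
        foreach ($c in $Current) {
            if (-not $baseline.ContainsKey($c.Service)) {
                $lines += "NEW     $($c.Service): $($c.RawValue)"
            } elseif ($baseline[$c.Service] -ne $c.RawValue) {
                $lines += "CHANGED $($c.Service): '$($baseline[$c.Service])' -> '$($c.RawValue)'"
            }
        }
        $currentNames = $Current | ForEach-Object { $_.Service }
        foreach ($name in $baseline.Keys) {
            if ($currentNames -notcontains $name) { $lines += "REMOVED $name" }
        }
    } else {
        $lines += "No baseline found; writing a new one to $BaselinePath"
    }
    foreach ($c in ($Current | Where-Object { -not $_.Exists })) {
        $lines += "MISSING $($c.Service): $($c.Win32Path) (from '$($c.RawValue)')"
    }
    return $lines
}

$current  = @(Get-ServiceImagePath)
$report   = Compare-ImagePathBaseline -Current $current
$prefixed = @($current | Where-Object { $_.RawValue.StartsWith('\??\') }).Count
$header   = "[$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')] scanned $($current.Count) services; $prefixed use the \??\ prefix"

$header, $report | Add-Content -LiteralPath $LogPath
$current | Select-Object Service, RawValue | ConvertTo-Json -Depth 2 | Set-Content -LiteralPath $BaselinePath
$header
$report
```

Each run overwrites the baseline, so a CHANGED line means the value differs from the previous run, which is the "what changed since I last looked" view the question asks for; scheduling the script with Task Scheduler on logon and logoff gives the per-session log. On a healthy machine the \??\ count in the header is expected to be non-zero and the MISSING list empty: a \??\C:\... value that resolves to an existing driver file is exactly what the quoted explanation describes, whereas a MISSING entry (the file really is gone, as the question reports for some antirootkit drivers) is the thing worth investigating. To see which process writes a value, Process Monitor's filter on Operation RegSetValue with Path containing the service key name, as MBu suggested, shows the writer's image and PID.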

0

Thanks for your replies.

MBu I'll give Process monitor a go but would not know how to track changes to the image paths in the registry with it.

Jan, yes, no dubiousness, they are observable and provable instances, too many to mention, where the image paths preceded with the \??\ affect the proper functioning of the "security programs" in question. They are added to image paths not only for items on my C: drive but for the actual driver program locations. Most of my programs are installed in D:/Program Files.

It cannot be mere coincidence that it's the image paths of services drivers (sys files) which perform important security related functions that are targeted and altered.

It just happened now, when the computer has been on for a few hours (so the system must be fully initialized), that the value was changed after I had deleted the \??\ at the beginning of the session, to:

\??\C:\WINDOWS\system32\drivers\ksapi.sys

Odd that when searching for \??\ in Google it says: Your search - \??\ - did not match any documents. Anyway I'll investigate the WinObj utility and see if it offers any help.

As to C?\ entries, I have found those too and have manually changed them to C:\, but thanks for the post, which offers what would seem a more efficacious solution - hope it works in XP.

Cheers and thanks again. The search continues.

1
  • Welcome to SuperUser. The answer section is only for answers; if you want to expand on the results of trying others' answers or if you have done additional troubleshooting, an edit to your question is your best bet.
    – David
    Commented Jan 17, 2014 at 16:47
