I just finished using the Sysinternals tool called procmon.exe to determine which files were being used during a program’s installation. I used the procmon filters to show me only file events in a certain folder.
When the installer completed I started looking through the events and found that smartscreen.exe was trying to create files that I’ve never had on my computer let alone have never existed within the folder I’m monitoring.
Here are some sample events:
12:43:14.7269348 PM smartscreen.exe 10356 CreateFile C:\BCTEMP\Connectix Virtual PC.msi NAME NOT FOUND Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Delete, AllocationSize: n/a 12:43:14.7272922 PM smartscreen.exe 10356 CreateFile C:\BCTEMP\Rail Simulator_uninst.exe NAME NOT FOUND Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Delete, AllocationSize: n/a 12:43:14.7274143 PM smartscreen.exe 10356 CreateFile C:\BCTEMP\Firewall\TVdriverSetup.exe PATH NOT FOUND Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Delete, AllocationSize: n/a 12:43:14.7274937 PM smartscreen.exe 10356 CreateFile C:\BCTEMP\Firewall\FwInstall.exe PATH NOT FOUND Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Delete, AllocationSize: n/a 12:43:14.7338800 PM smartscreen.exe 10356 CreateFile C:\BCTEMP\camware\camware.exe PATH NOT FOUND Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Delete, AllocationSize: n/a 12:43:14.7339694 PM smartscreen.exe 10356 CreateFile C:\BCTEMP\camware\camware.exe PATH NOT FOUND Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Delete, AllocationSize: n/a 12:43:14.7340549 PM smartscreen.exe 10356 CreateFile C:\BCTEMP\QuickCam\camware.exe PATH NOT FOUND Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Delete, AllocationSize: n/a 12:43:14.7341375 PM smartscreen.exe 10356 CreateFile C:\BCTEMP\QuickCam\QuickCam.exe PATH NOT FOUND Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Delete, AllocationSize: n/a 12:43:14.7342453 PM smartscreen.exe 10356 CreateFile C:\BCTEMP\QuickCam\Temp\LVIHlp.dll PATH NOT FOUND Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Delete, AllocationSize: n/a 12:43:14.7343412 PM smartscreen.exe 10356 CreateFile C:\BCTEMP\QCDriver\qcinsenu.dll PATH NOT FOUND Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Delete, AllocationSize: n/a 12:43:14.7344183 PM smartscreen.exe 10356 CreateFile C:\BCTEMP\QCDriver\qcinsenu.dll PATH NOT FOUND Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Delete, AllocationSize: n/a 12:43:14.7344925 PM smartscreen.exe 10356 CreateFile C:\BCTEMP\QuickCam\QuickCam.exe PATH NOT FOUND Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Delete, AllocationSize: n/a 12:43:14.7345752 PM smartscreen.exe 10356 CreateFile C:\BCTEMP\program files\Logitech\QuickCam\QuickCam.exe PATH NOT FOUND Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Delete, AllocationSize: n/a 12:43:14.7467868 PM smartscreen.exe 10356 CreateFile C:\BCTEMP\Fur Fighters PC.msi NAME NOT FOUND Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Delete, AllocationSize: n/a 12:43:14.7450914 PM smartscreen.exe 10356 CreateFile C:\BCTEMP\Bob the Builder - Bob Builds a Park.exe NAME NOT FOUND Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Delete, AllocationSize: n/a
