Port 109 Mystery

James C Slora Jr Jim.Slora at phra.com
Thu Mar 13 03:52:36 GMT 2003


Douglas Brown wrote Wednesday, March 12, 2003 11:55

> 220   winlogon       ->  109   TCP   \??\C:\WINNT\system32\winlogon.exe

This output does not indicate confusion about the path. It just means
c:\WINNT\system32\winlogon.exe, and it is the normal path reported for
Winlogon by fport and other utilities.

As to why it is reported like that, here's a quote from
http://msdn.microsoft.com/msdnmag/issues/02/06/debug/default.aspx
" For some reason, the path names returned by GetModuleFilenameEx or the
TOOLHELP32 module functions are very strange; they don't follow the Win32
standard. For example, smss is retrieved as "\SystemRoot\System32\smss.exe";
"\SystemRoot must be replaced by the actual name of the Windows folder. For
winlogon, you get "\??\C:\WINNT\system32\winlogon.exe," which should be
translated into "C:\WINNT\system32\winlogon.exe." The \??\ prefix might be a
leftover from the Windows NT namespace root, essential in kernel mode, even
though it is rarely used at the Win32 programming level. "

So don't worry about the path reported by fport. The TCP 109 looks rather odd,
though. I don't know the answer to that.



More information about the unisog mailing list