What does \??\ mean in \??\C:\Windows\System32\conhost.exe?
I noticed this when trying to find an answer to this question.
It seems to be exclusively associated with conhost.exe
only appearing in the command-line parameters for conhost.exe
Also the parameter seems to be the same (on my computer) for all conhost.exe
processes:
\??\C:\WINDOWS\system32\conhost.exe 0x4
My question is what does the \??\
signify? Is that some sort of physical device address?
The only place I've seen this before is in this image, which came from this article.
Solution 1:
Since I was curious as well, I collected some information; it is the original name of "\DosDevices" and usually used by modules which need to access kernel mode object names. e.g. device drivers, subsystem modules, .. Please note that, "\DosDevices" seems to be a symbolic link to "\??", so "\??" is the real name. It was believed that they tried to minimise the search time with this cryptic name.
This is why you saw that on the driver property. And, conhost.exe is usually invoked by csrss.exe which is also one of those modules which need to use kernel mode names. Please read the references below for further understanding.
References:
- http://msdn.microsoft.com/en-us/library/windows/hardware/ff557762(v=vs.85).aspx
- http://en.wikipedia.org/wiki/Client/Server_Runtime_Subsystem
- http://www.wilderssecurity.com/threads/should-this-have-this-2-s-in-c-windows-system32-csrss-exe.87980/
- http://www.angusrobertson.com.au/books/cd-cracking-uncovered-kris-kaspersky/p/9781931769334