A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #9293  by cnm
 Wed Oct 19, 2011 5:23 pm
I use MBRCheck a lot at SpywareInfo Forum but generally just look at the bottom line to see if the MBR is standard or not. I've become curious about how to understand the rest of its log.

In particular, I see this near the end of a recent log:
2936 C:\Windows\System32\audiodg.exe
396 C:\Windows\System32\wbem\WMIADAP.exe
4132 WmiPrvSE.exe
6920 WmiPrvSE.exe
4788 C:\Windows\System32\SearchProtocolHost.exe
4660 C:\Windows\System32\SearchFilterHost.exe
7068 C:\Users\v388291\Desktop\MBRCheck.exe
3200 C:\Windows\System32\conhost.exe
3160 C:\Windows\System32\dllhost.exe
Questions:
  • What are the numbers in the first column?
  • WmiPrvSE.exe has no path. Where is it located?
Thanks, folks.
 #9294  by EP_X0FF
 Wed Oct 19, 2011 5:26 pm
Numbers are Process IDs. WmiPrvSE is the WMI Provider Host, and it is usually located in the Windows\System32\wbem folder.
 #9295  by cnm
 Wed Oct 19, 2011 5:40 pm
Thank you, EP_X0FF.
I knew where it is usually located but wondered why it had no path in the log. Could it be that it was in the MBR? That would be sinister.
 #9296  by EP_X0FF
 Wed Oct 19, 2011 5:49 pm
cnm wrote:Thank you, EP_X0FF.
I knew where it is usually located but wondered why it had no path in the log. Could it be that it was in the MBR? That would be sinister.
No, it's actually a result of how this tool gathers information about running processes. It looks like MBRCheck does not adjust the required debug privileges to get a full path for system processes. That's the whole story :)
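As an added example (not MBRCheck's own code and not from anyone in this thread), here is a small parser for the process block of an MBRCheck log that separates entries with a resolved full path from those where the tool only got the bare image name, which is the symptom EP_X0FF explains above. The sample log text is constructed from the lines quoted in the first post.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample: the process block of an MBRCheck log, as quoted in the thread.
SAMPLE_LOG = r"""
2936 C:\Windows\System32\audiodg.exe
396 C:\Windows\System32\wbem\WMIADAP.exe
4132 WmiPrvSE.exe
6920 WmiPrvSE.exe
4788 C:\Windows\System32\SearchProtocolHost.exe
7068 C:\Users\v388291\Desktop\MBRCheck.exe
"""

class ProcEntry(NamedTuple):
    pid: int             # first column: the process ID
    image: str           # second column: full path, or bare image name if unresolved
    has_full_path: bool  # False when only the image name could be obtained

# "<pid> <image path or name>", with any leading/trailing whitespace tolerated
LINE_RE = re.compile(r"^\s*(\d+)\s+(\S.*?)\s*$")

def _looks_like_full_path(image: str) -> bool:
    # A full Win32 path starts with a drive letter and colon, or a UNC prefix.
    return re.match(r"^(?:[A-Za-z]:\\|\\\\)", image) is not None

def parse_process_block(text: str) -> List[ProcEntry]:
    """Parse the PID/image lines of an MBRCheck log; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, image = int(m.group(1)), m.group(2)
        entries.append(ProcEntry(pid, image, _looks_like_full_path(image)))
    return entries

def pathless_entries(entries: List[ProcEntry]) -> Dict[str, List[int]]:
    """Group PIDs whose image path was not resolved, keyed by lower-cased image name.

    A bare name here means the log tool could not query the process for its path
    (as the thread explains, typically a missing debug privilege), not that the
    image lives somewhere unusual; verify the file on disk rather than trusting
    the absence of a path either way.
    """
    out: Dict[str, List[int]] = {}
    for e in entries:
        if not e.has_full_path:
            out.setdefault(e.image.lower(), []).append(e.pid)
    return out
```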