Home > General > Windows.exe.


The base of resource data is pointed to by the IMAGE_DIRECTORY_ENTRY_RESOURCE entry of the data directory, and at that location there is an IMAGE_RESOURCE_DIRECTORY structure: struct IMAGE_RESOURCE_DIRECTORY { long Characteristics; long An In-Depth Look into the Win32 Portable Executable File Format by Matt Pietrek (MSDN Magazine, February 2002) Part II. Rate this product: 2. Here is the PE Optional Header presented as a C data structure: struct PEOptHeader { /* char is 1 byte short is 2 bytes long is 4 bytes */ short signature; http://tenten10.com/general/c-windows-mrofinu572-exe.php

share|improve this answer edited May 18 '16 at 14:13 Peter Mortensen 10.6k1373108 answered Feb 21 '15 at 7:03 mozey 880915 add a comment| Your Answer draft saved draft discarded Sign This permits the module to address any imported value, wherever it turns up in memory. To help you analyze the windows.exe process on your computer, the following programs have proven to be helpful: Security Task Manager displays all running Windows tasks, including embedded hidden processes, such The array continues until an entry where all the values are zero. http://www.file.net/process/windows.exe.html

Also please specify which certificate kind is the correct one. It is not a Windows core file. SizeOfImage The size of the image, in bytes, including all headers. What is this?

Even for serious problems, rather than reinstalling Windows, you are better off repairing of your installation or, for Windows 8 and later versions, executing the DISM.exe /Online /Cleanup-image /Restorehealth command. The value of "ForwarderChain" is an index into the FirstThunk and OriginalFirstThunk arrays. We strongly recommend that you run a FREE registry scan to identify windows.exe related errors.Other instances of WINDOWS.EXE:1) windows.exe could also be added to the system as a result of W32.Feldor.A Each entry describes a location and size.

Privacy policy About Wikibooks Disclaimers Developers Cookie statement Mobile view current community chat Stack Overflow Meta Stack Overflow your communities Sign up or log in to customize your list. Mel Green's answer took me further, but signtool wants me to specify what certificate to use in any case. These can only be run by OS/2 2.0 and higher.[1] They are also used by some DOS extenders. https://en.wikipedia.org/wiki/.exe PE files are broken down into various sections which can be examined.

Your message has been reported and will be reviewed by our staff. Some of these may or may not be the legitimate versions.Scan for WINDOWS.EXE related errors Recommendation DISABLE AND REMOVE windows.exe IMMEDIATELY. Added by the RBOT-RB WORM! delete it if you have it anonymous Summary: Average user rating of windows.exe: based on 23 votes with 10 user comments. 6users think windows.exe is essential for Windows or

The arrays are terminated with an entry that is equal to zero. http://www.threatexpert.com/files/windows.exe.html The import table solves this by creating an array of pointers at runtime, each one pointing to the memory location of an imported value. For various reasons, you cannot declare that "The function in this dynamic library will always exist in memory here". Wikipedia® is a registered trademark of the Wikimedia Foundation, Inc., a non-profit organization.

This is extremely useful for backward compatibility with operating systems. check my blog In these cases, the non-forwarded imports can be bound, but the values which get forwarded must be identified so the loader can resolve them. If windows.exe is located in a subfolder of C:\Windows\System32, the security rating is 58% dangerous. SizeOfUninitializedData The size of the uninitialized data section, in bytes, or the sum of all such sections if there are multiple uninitialized data sections.

Text is available under the Creative Commons Attribution-ShareAlike License; additional terms may apply. Executable files may, in some cases, harm your computer. For this purpose, the "Data" value of resource entries points at another IMAGE_RESOURCE_DIRECTORY structure, forming a tree-diagram like organisation of resources. http://tenten10.com/general/c-windows-shell-exe.php In most cases, code can be written to simply work as either a 32 or 64-bit PE file.[7] Other[edit] This section needs additional citations for verification.

The file size is 24,064bytes (40% of all occurrences), 83,072bytes, 230,912bytes or 204,800bytes. This is possible due to the segmented memory model of the early x86 line. Description: Windows.exe is not essential for Windows and will often cause problems.

Win32VersionValue This member is reserved and must be 0.

The following files are validated at load time: all drivers, any DLL loaded at boot time, and any DLL loaded into a critical system process. DLL imports need to be prototyped in the following manner, for the compiler and linker to recognize that the function is coming from an external library: __declspec(dllimport) void MyFunction(); Identifying DLL The reason for this will become apparent shortly. If windows.exe is located in a subfolder of Windows folder for temporary files, the security rating is 86% dangerous.

SizeOfInitializedData The size of the initialized data section, in bytes, or the sum of all such sections if there are multiple initialized data sections. The DLL flag set in the PE header. By using this site, you agree to the Terms of Use and Privacy Policy. http://tenten10.com/general/windows-cfgmgr52.php Thus, the file is most likely dangerous.

In order to check a file, please submit it to ThreatExpert. Microsoft Windows, 3rd party product, etc.). If you'd like to get a hold of certificate that you can use to test your process of signing the executable you can use the .NET tool Makecert. The size of this array is in the value NumberOfFunctions.

This is done through the use of the "Export Directory", which is used to translate between the name of an export (or "Ordinal", see below), and a location in memory where The windows.exe file is not a Windows system file. This is then added to the preferred address to come up with the new address of the memory location. At that location, there should be a zero terminated ASCII string of format "LibraryName.ExportName" for the appropriate place to forward this export to.

Forwarding[edit] As well as being able to export functions and values in a module, the export directory can forward an export to another library. Instead, the coder need only declare one call to the subroutine, and the linker will decide what happens next. A library is a module containing a series of functions or values that can be exported. Below is an example hex from a program I am writing: 2E746578_74000000_00100000_00100000_A8050000 .text 00040000_00000000_00000000_00000000_20000000 2E646174_61000000_00100000_00200000_86050000 .data 000A0000_00000000_00000000_00000000_40000000 2E627373_00000000_00200000_00300000_00000000 .bss 00000000_00000000_00000000_00000000_80000000 The structure of the section descriptor is as follows: Offset Length

Formatting text into columns How much was R2-D2 damaged by Darth Vader during the battle of Yavin? (Re)newDocumentCommand interferes with the layout Time taken to print numbers Did Michelle Obama create The Starman's Realm. The Name value is an RVA to an ASCII string, naming the library to import. Names and Ordinals[edit] Each exported value has both a name and an "ordinal" (a kind of index).

If windows.exe is located in the Windows folder for temporary files, the security rating is 72% dangerous. The data where AddressOfNames points to is an array of RVAs, of the size NumberOfNames. For example, PE/COFF headers still include an MS-DOS executable program, which is by default a stub that displays a message like "This program cannot be run in DOS mode" (or similar), So, PE files describe the location of data in memory as an offset from the base address, wherever that may be in memory.

NumberOfRvaAndSizes The number of directory entries in the remainder of the optional header. When looking at an EXE file, one has to decide which memory model was used to build that file. Such determination can only be made by observing its dynamic behaviour.