Windows 10 strange path in sysmon logs

ac1dsmile

New Member
Joined
Sep 1, 2024
Messages
2
Hello

In Windows 10 Enterprise 22 H2, a strange path in TargetFilename sometimes appears in Sysmon logs:
TargetFilename: C:\Users\P310C~1.ZNO\AppData\Local\Temp\7b542cd6-d613-4e52-bfdf-b80fe911ff30.tmp

And in the next event, the path is normal:
TargetFilename: C:\Users\p.znosko\AppData\Local\Temp\7b542cd6-d613-4e52-bfdf-b80fe911ff30.tmp

When I go to this directory, I am taken to my user's folder C:\Users\p.znosko\

fsutil hardlink list C:\Users\P310C~1.ZNO\

NTFSLinksView.exe in C:\Users\ does not see links

I would like to understand what kind of strange path this is: C:\Users\P310C~1.ZNO\
 


Solution
Hello ac1dsmile, Regarding the peculiar path you observed in the Sysmon logs, let’s dissect the elements you’ve provided, along with some insights into the "strange path" itself: C:\Users\P310C~1.ZNO.

1. Interpretation of the Path:

The path C:\Users\P310C~1.ZNO appears to be a Short Filename (or 8.3 Filename) format that's often used for compatibility with older software. Windows can generate short names for long file paths, especially for directories with long names. In your case:
  • P310C~1 is a shorthand representation of a longer username, which, as you noted, corresponds to the actual name p.znosko. The ~1 indicates this is the first short name generated for this specific user profile.
  • You can see this is a mapping between the short and long file names as a way to maintain compatibility with systems or applications that only recognize the 8.3 filename structure.

2. Explaining Sysmon Logs:

From your logs, it seems:
  • Sysmon is utilized to monitor and log system activity and events relating to file access.
  • The event where C:\Users\P310C~1.ZNO\AppData\Local\Temp\7b542cd6-d613-4e52-bfdf-b80fe911ff30.tmp was recorded indicates that a temporary file was created and the logs captured this unusual representation of the file path.

3. Hard Link Analysis:

Your fsutil hardlink list command output also indicates paths being resolved to the real user name without finding any symbolic links. Windows allows hard links to refer to a file with a different name. It’s worth noting:
  • The command shows that no hard links exist for that user directory, which synchronizes with what you found in NTFSLinksView.

4. Considerations:

  • Visibility of Links: The discrepancy in visibility (noting that NTFSLinksView isn’t seeing any links) could suggest that these might not be proper hard links or shortcuts but rather direct references generated during usage.
  • Path Variability: Seeing multiple entries for the same file with different paths warrants further inspection—particularly to see if this is a function of how the software manipulates file paths or if it indicates some other application-level behavior.

Conclusion:

While it appears that you're observing some typical behavior of Windows file management, particularly around alternate short names, the interactions in Sysmon do raise a curious eyebrow. If you ever feel inclined, you can explore deeper into event ID logs associated with file permissions and processes to ensure no unusual activity is occurring alongside these operations. Feel free to provide any additional context or questions if you'd like to delve further into this topic!
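Because the same temp file is logged under both the 8.3 form and the long form of the profile directory, a detection rule or correlation key built on the literal TargetFilename would count it as two different files. The Python below is an added example, not code from the original post or from Sysmon: it flags 8.3 components, infers the short-to-long directory mapping from event pairs that differ only in that one component (exactly how the two events above differ), and canonicalizes paths so both forms correlate. The event strings are constructed and modelled on the post, and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed TargetFilename values modelled on the post: the same temp file is
# logged first under the profile directory's 8.3 short name, then its long name.
SAMPLE_EVENTS = [
    r"C:\Users\P310C~1.ZNO\AppData\Local\Temp\7b542cd6-d613-4e52-bfdf-b80fe911ff30.tmp",
    r"C:\Users\p.znosko\AppData\Local\Temp\7b542cd6-d613-4e52-bfdf-b80fe911ff30.tmp",
    r"C:\Users\P310C~1.ZNO\AppData\Local\Temp\other.tmp",
    r"C:\Windows\Temp\unrelated.log",
]

# One 8.3 path component: up to 6 chars, "~" plus digits, optional 1-3 char extension.
SHORT_COMPONENT = re.compile(r"^[^\\.~]{1,6}~\d{1,6}(\.[^\\.~]{1,3})?$")


def has_short_component(path):
    """True if any directory or file name in the path is in 8.3 short form."""
    return any(SHORT_COMPONENT.match(c) for c in path.split("\\"))


def learn_short_name_map(paths):
    """Infer short -> long component pairs from events whose paths differ only
    in a single component, which is how the two events in the post differ."""
    mapping = {}
    split = [p.split("\\") for p in paths]
    for parts in split:
        for i, comp in enumerate(parts):
            if not SHORT_COMPONENT.match(comp):
                continue
            for other in split:
                if (len(other) == len(parts) and other[:i] == parts[:i]
                        and other[i + 1:] == parts[i + 1:]
                        and not SHORT_COMPONENT.match(other[i])):
                    mapping[comp.upper()] = other[i]
    return mapping


def normalize(path, mapping):
    """Replace every known short component with its long name."""
    return "\\".join(mapping.get(c.upper(), c) for c in path.split("\\"))


def group_by_canonical(paths, mapping):
    """Bucket raw event paths by their canonical (long, case-folded) form."""
    groups = defaultdict(list)
    for p in paths:
        groups[normalize(p, mapping).lower()].append(p)
    return dict(groups)
```

On a live Windows host the mapping need not be inferred: the Win32 call GetLongPathNameW (reachable from Python via ctypes) returns the long form of an existing short path directly, which is the authoritative check when the volume is at hand.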
 


Solution
Are you using Russian language in Windows?
 

