
The following entries show up in DriverView on my PC:

  • C:\Windows\System32\Drivers\dump_dumpata.sys
  • C:\Windows\System32\Drivers\dump_dumpfve.sys
  • C:\Windows\System32\Drivers\dump_msahci.sys

These files do not exist or are hidden.

I didn't find anything specific on the net about these files. Does anyone know if they are legit?

The OS is Windows 7 professional.

Thanks.

user56312

3 Answers

C:\Windows\System32\Drivers\dump_dumpata.sys
C:\Windows\System32\Drivers\dump_dumpfve.sys
C:\Windows\System32\Drivers\dump_msahci.sys

I was looking for an answer concerning these same drivers, which were shown in NirSoft DriverView.

According to the Driver Reference Table found on John Carrona's (Microsoft MVP) website, http://www.carrona.org/dvrref.php:

dump_dumpata.sys

%SysDir%\Drivers\DUMP_DUMPATA.SYS is related to Microsoft Windows Vista.
DUMP_DUMPATA.SYS is a system driver for managing ATA devices. 

dump_dumpfve.sys

%SysDir%\Drivers\DUMP_DUMPFVE.SYS is related to Microsoft Windows Vista.
DUMP_DUMPFVE.SYS is a Full Volume Encryption Crashdump Hibernate Filter Driver.
DUMPFVE.SYS is a part of Microsoft® Windows® Vista Operating System. 

dump_msahci.sys

DUMP_MSAHCI.SYS is related to MS AHCI 1.0 Standard Driver.
DUMP_MSAHCI.SYS is a part of Microsoft® Windows® Operating System.
Manufacturer: Microsoft Corp.

It seems they are all related to dump files and legit, but I don't know for certain myself; it might be helpful to someone else.

Windows 7 SP1


No, you don't have a rootkit. This is what a freshly installed Win 7 SP1 looks like for me:


  • dump_dumpfve.sys is part of Win 7
  • dump_iaStor.sys is part of a driver I installed. Intel Storage something something

In your case additionally:

  • dump_msahci.sys has to do with AHCI driver.
  • dump_dumpata.sys has to do with PATA, otherwise known as Parallel ATA, I'd hazard a guess that the dum before pata in dumpata stands for dummy, but I dunno.

In short, no, you don't have a rootkit.


According to the MS explanation:

These are virtual drivers that are used for creating crash dumps.¹

Creating a crash dump is a bit of a catch-22: When the crash occurs, the system is in an unknown state, which means that you can’t trust anything, not even the file system or block device drivers. After all, the crash may have been in one of those drivers!

When the system starts up, it preallocates space on the hard drive to record crash dump information, in case that becomes necessary. It also clones the drivers needed to write to the disk. If a crash occurs, the kernel doesn’t trust the drivers that were running the show. Instead, it asks these clones to step in and write the crash data. The theory here is that these clone drivers have been kept in a state of suspended animation immediately after they’ve been initialized, in order to minimize the chance that they have gotten into a corrupted state that would prevent them from doing their job.²

These virtual drivers show up in Process Explorer with no description or other metadata because Process Explorer takes the reported path and extracts the metadata from that path. But these drivers weren’t loaded from a file, so there is nothing to show.

user1719332