
c:\windows\system32 .DLL files "modified date" newer than most recent security update

Discussion in 'Windows XP' started by mailman, 2005/08/27.

  1. 2005/08/27
    mailman Lifetime Subscription

    mailman Geek Member Thread Starter

    After sorting my c:\windows\system32 files by date, I noticed several .DLL files have a "Modified" date that is newer than the most recent security update from MS (Aug. 9, 2005, I think).

    For example:

    kerberos.dll
    Location: C:\WINDOWS\system32
    Size: 289 KB (295,936 bytes)
    Created: Monday, March 31, 2003, 8:00:00 AM
    Modified: Tuesday, August 23, 2005, 4:39:34 AM
    Version: 5.1.2600.2698 (xpsp_sp2_gdr.050614-1522)

    I thought kerberos.dll is protected by Windows XP such that it can't be modified.

    Is this "Modified" date something I should be concerned about or is this expected?

    The modified date is not different from above after running sfc /scannow and no changes appear in Event Viewer. Is sfc /scannow a valid test to use to decide whether I have anything to worry about?

    Can anyone explain why modified dates on these .DLL files can be changed?
     
    Last edited: 2005/08/27
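
One way to run the check the post above describes, as an added example that is not part of the original thread: list the DLLs in system32 whose "Modified" date is later than a cutoff and show each file's version, signature status and hash beside its timestamps. It assumes Windows PowerShell 5.1 or later (which postdates Windows XP); the parameter names, the `Review` column and the default cutoff (the Aug. 9, 2005 date mentioned in the post) are choices made for this example.

```powershell
# Added example (not from the thread). Assumes Windows PowerShell 5.1 or later.
# $Cutoff defaults to the update date mentioned in the post; pass the date of
# your own most recent update instead.
param(
    [datetime]$Cutoff = '2005-08-09',
    [string]$Dir = "$env:SystemRoot\System32"
)

Get-ChildItem -LiteralPath $Dir -Filter *.dll -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $Cutoff } |
    ForEach-Object {
        # Signature status reported by Windows for this file
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName

        [pscustomobject]@{
            Name        = $_.Name
            Modified    = $_.LastWriteTime
            Created     = $_.CreationTime
            SizeBytes   = $_.Length
            FileVersion = $_.VersionInfo.FileVersion
            SigStatus   = $sig.Status
            Signer      = $sig.SignerCertificate.Subject
            SHA256      = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            # Flag anything whose signature did not validate for a closer look
            Review      = ($sig.Status -ne 'Valid')
        }
    } |
    Sort-Object Review, Modified -Descending |
    Format-Table Name, Modified, SizeBytes, FileVersion, SigStatus, Review -AutoSize
```

The size, version and hash columns are the values to compare against the vendor's published file details for the update; the timestamp only narrows down which files to look at.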
  2. 2005/08/27
    oshwyn5

    oshwyn5 Inactive

    Did you change a password or create a new user account on that date?

    http://freespace.virgin.net/john.cletheroe/pc_int/glossary/k.htm
     


  4. 2005/08/27
    mailman Lifetime Subscription

    mailman Geek Member Thread Starter

    Hi, oshwyn5.

    Thanks for responding.

    I didn't change my XP login password on that date but I may have changed my user name on that date. I also may have changed my administrator access password for my router's control panel on that date.

    I have been messing with computer-related things so much lately that I'm fuzzy about what I did (and when I did it) even just a few days ago. :confused:

    THANKS for the definition and URL (yet another resource added to my bookmarks). I expect I will refer to it often.

    Now I'm hypothesizing that kerberos.dll stores encrypted user login credential information (probably among other things). I wasn't aware that DLL files, instead of just being subroutine "procedure" files, may be used to store changing data as well.

    Maybe that's why they're called dynamic link libraries. :)

    It seemed odd that a Windows XP DLL file that is part of Windows XP security would be changed via some method other than a Microsoft patch/update. I had the (apparently incorrect) notion a central "protected" Windows XP file couldn't be changed. After reading the definition you cited as well as the definition for DLL on that site, I have a better understanding.

    John Cletheroe's Definition of DLL:

    I assume Windows XP is smart enough to prevent a virus from infecting a core Windows XP component such as kerberos.dll.

    Thanks to your informative reply, I will experiment with user name changes and router administrator password changes when I get some more time to mess with them, and document my changes, :) sometime next week.

    Thanks again.
     
    Last edited: 2005/08/27
  5. 2005/08/27
    oshwyn5

    oshwyn5 Inactive

    At that point, I would consider this normal and nothing to get worried about.


    Remember that you should think of a DLL or Dynamic Link Library as a tiny program which cannot run on its own. It contains not only the program, but associated data.
    The Windows update actually replaces the file with a new version. Kind of like uninstalling MS Word 2000, and installing MS Word 2002 but deciding to keep the folders and data intact. (Note that Word is an APPLICATION, meaning that it is a collection of programs and files which can do many things and run on its own.)

    Normally, a DLL file is accessed by a program. Many different programs may access (share) the same DLL file and any one of them can modify its data. Likewise, there are programs (rundll32.exe and svchost.exe) which are designed to allow the DLL programs to "run independently" when that is needed.


    So what you see is not really that the file itself was altered or replaced, only that it was accessed and the data it stored was modified.
     
  6. 2005/08/28
    Newt

    Newt Inactive

    While I can't be 100% certain, I'd have to say that on one of my PCs, if sfc /scannow didn't see problems then all system files are fine.
     
  7. 2005/08/28
    mailman Lifetime Subscription

    mailman Geek Member Thread Starter

    Hi, oshwyn5 and Newt.

    oshwyn5: Thanks for the mini-tutorial to help me understand even better. The analogy you made makes sense.

    Kerberos.dll may not actually store PW data in itself; it may just keep a new date, time, and pointer record for the storage of the new user/password information elsewhere (perhaps in one of the zillion associated DLL files shown with Steve Miller's/Microsoft's freeware Dependency Walker utility).

    This hypothesis seems to make the most sense if the file size doesn't change...although I can't compare my kerberos.dll file size (295,936 bytes) and version to MS KB info yet. (It appears MS hasn't updated their Windows XP SP2 kerberos.dll details page with the newer version's info.) Is your Windows XP SP2 kerberos.dll file size 295,936 bytes?

    I think kerberos.dll was replaced with the early August 2005 set of security patches from MS. I seem to recall noticing that filename while I was applying the patches. (That's probably why I have been paying attention to kerberos.dll lately.)

    Newt: Thanks. Good to know from a WBBS staff member I can use sfc /scannow (and chkdsk /r) whenever I have doubts about my system files, registry, etc. Windows XP has been virtually trouble-free for me, especially since I have used many troubleshooting methods, utilities, and information resources suggested on this BBS. My faith in Windows BBS (and my Windows PC) has grown substantially, thanks to you (well over 11,000 posts...WOW!) and everyone else who actively participates.

    The almost daily random BSOD shutdowns I had a couple months ago have virtually stopped. :cool: I'm not sure what I did (or what Windows Updates did) to make the BSOD's virtually disappear but I am confident I can leave this machine on for hours or even days with no ill effects.

    I'll probably still give Vista a year or so after its initial release before I upgrade though. That should be enough time for you gurus to gain enough experience with it to help me troubleshoot. ;)
     
  8. 2005/08/28
    oshwyn5

    oshwyn5 Inactive

    Yes, I am used to having to explain things at "a third grade level" where getting the concept across is often more important than being 100% technically accurate; since once you get the other person to visualize what you are talking about you can clear up the technical details. You are correct in your interpretation. Also yes, that is the size and version number I have.

    Remember, when you get a BSOD, or stop error, they do mean something and you should write down the error in full for later reference and to be able to check it out. And you are correct that the vast majority of them are solved by an update either of drivers or software.
     
  9. 2005/08/31
    mailman Lifetime Subscription

    mailman Geek Member Thread Starter

    Hi, oshwyn5.

    I agree with you about your "concept-before-technical-details" method of assistance. Analogies are often great for that. Your above example is an excellent case.

    I also keep my BSOD error dumps for a period of time for further analysis, especially if they become annoyingly frequent. Lately, things are pretty smooth in that regard. :)

    You appear pretty familiar with computer stuff. I'm grateful you offer assistance on Windows BBS.

    Thanks!
     
