Understanding Surrogate Pairs: Why Some Windows Filenames Can't Be Read
Published on: 2025-07-14 13:19:40
This time I am going to write about some odd behavior in Windows. The behavior is by design and has no obvious security impact, so this article is written just for the sake of sharing some geeky content.
What do you see?
You checked the Task Manager and saw these. Many executables are relatively small, with a square in the name. What is your initial assumption?
You would assume that it is not directly malicious but still suspicious. You checked the event logs for Event ID 4688.
It’s not very helpful. You see another substitute character. You assume it is a possible encoding issue. Could the executable name use a non-Latin alphabet? Probably. Let’s check the Details tab.
This executable name is so broken that it manages to break the Details view in both Friendly and XML views.
Encoding, but what and how?
At least we know the location of the executable. We have a broken name and a substitute character. So far, we know it is not a huge issue. We can find the path and ...