PepiMK
2008-04-11, 12:07
Situation: RootAlyzer detects various rootkit methods.
Expected: detection of reserved name filenames.
Experienced: files with names like "lpt1" cannot be handled by standard user applications; Windows Explorer for example shows them, but is unable to open them. The only way to actually create them is using Nt*/Zw* native methods.
This method can be used to hide contents.
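A defender-side check for the situation described above, added here as an example that is not RootAlyzer's code: directory enumeration still returns such entries (Explorer lists them), so a scanner can flag any entry whose name, before the first dot, is a Win32 reserved device name. The sample listing is constructed for the demonstration.

```python
import os
from typing import Iterable, List

# Win32 reserved device names. A file whose name (or name before the first dot,
# e.g. "lpt1.txt") matches one of these cannot be opened through the normal
# Win32 path API, which is what makes such files attractive for hiding data.
_RESERVED = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


def is_reserved_device_name(name: str) -> bool:
    """True if Win32 would treat this file name as a device name."""
    # Only the part before the first dot matters ("con.tar.gz" -> "CON");
    # Win32 also ignores trailing spaces and dots, so strip them as well.
    stem = name.split(".", 1)[0].rstrip(" .")
    return stem.upper() in _RESERVED


def find_reserved_entries(names: Iterable[str]) -> List[str]:
    """Return the entries of a directory listing that carry reserved names."""
    return sorted(n for n in names if is_reserved_device_name(n))


def scan_directory(path: str) -> List[str]:
    """List a real directory and report entries with reserved device names.

    Enumeration does not open the files, so the entries are visible even
    though a normal open() on them would fail on Windows.
    """
    with os.scandir(path) as entries:
        return find_reserved_entries(e.name for e in entries)


# Constructed sample listing: two plain files, three reserved-name entries,
# and two look-alikes ("lpt10", "console") that are NOT reserved.
SAMPLE_LISTING = [
    "notes.txt", "lpt1", "aux", "nul.dat", "lpt10.log", "console.exe", "readme",
]

if __name__ == "__main__":
    for hit in find_reserved_entries(SAMPLE_LISTING):
        print(f"reserved device name in listing: {hit}")
```

Run `scan_directory(r"C:\some\suspect\dir")` on a real directory to screen it; hits are worth a closer look because only native-API callers normally create them.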