Confused about registry activity
James (Wez) Weatherall
jnw22 "at" cam.ac.uk
Thu, 13 Jan 2000 10:57:46 +0000
> I installed regmon (www.sysinternals.com) and found out the registry is
> quite a busy place to be :)
> Most of the activity can be traced back to "useful" or "standard MS
> behavior" (two very distinct categories :) but I also note vnc does some
> things I wouldn't expect :
>
> (I've CSV'd the relevant output, using ';' as separator)
>
> OpenKey;HKLM\SYSTEM\CurrentControlSet\Control\ServiceProvider\ServiceTypes;NOTFOUND;
> OpenKey;HKLM\SYSTEM\CurrentControlSet\Control\ServiceProvider\ServiceTypes;NOTFOUND;
> OpenKey;HKLM\System\CurrentControlSet\Services\VxD\MSTCP;SUCCESS;hKey: 0xC1216BFC
> QueryValueEx;HKLM\System\CurrentControlSet\Services\VxD\MSTCP\HostName;SUCCESS;ROBYVH
> CloseKey;HKLM\System\CurrentControlSet\Services\VxD\MSTCP;SUCCESS;
> OpenKey;HKLM\System\CurrentControlSet\Services\VxD\MSTCP;SUCCESS;hKey: 0xC1216BFC
> QueryValueEx;HKLM\System\CurrentControlSet\Services\VxD\MSTCP\Domain;SUCCESS;
> CloseKey;HKLM\System\CurrentControlSet\Services\VxD\MSTCP;SUCCESS;
> OpenKey;HKLM\System\CurrentControlSet\Control\CommAlias;NOTFOUND;
> QueryValueEx;0xC1190F80\PORTNAME;SUCCESS;COM1
> QueryValueEx;0xC1190F80\FRIENDLYNAME;SUCCESS;Communications Port (COM1)
> QueryValueEx;0xC1183A2C\PORTNAME;SUCCESS;LPT1
> QueryValueEx;0xC1183A2C\FRIENDLYNAME;SUCCESS;Printer Port (LPT1)
> QueryValueEx;0xC122D2E4\PORTNAME;SUCCESS;COM2
> QueryValueEx;0xC122D2E4\FRIENDLYNAME;SUCCESS;Generic Ir Serial Port (COM2)
> OpenKey;HKLM\System\CurrentControlSet\Control\SessionManager\KnownVxDs;NOTFOUND;
> OpenKey;HKCU\RemoteAccess\Addresses;SUCCESS;hKey: 0xC1216BFC
> QueryKey;HKCU\RemoteAccess\Addresses;SUCCESS;
> QueryValueEx;HKCU\RemoteAccess\Addresses\Direct Cable Connection Host Logon;NOTFOUND;
> CloseKey;HKCU\RemoteAccess\Addresses;SUCCESS;
> OpenKey;HKCU\RemoteAccess\Addresses;SUCCESS;hKey: 0xC1216BFC
> QueryKey;HKCU\RemoteAccess\Addresses;SUCCESS;
> QueryValueEx;HKCU\RemoteAccess\Addresses\Direct Cable Connection Host Logon;NOTFOUND;
> EnumValue;HKCU\RemoteAccess\Addresses;SUCCESS;
> EnumValue;HKCU\RemoteAccess\Addresses;NOMORE;
> CloseKey;HKCU\RemoteAccess\Addresses;SUCCESS;
> QueryValueEx;0xC20A93A0\EnableAutodial;SUCCESS;0 0 0 0
>
> what's the use of scanning/reading all these values ? Normally I'd just
> ignore but some little voice inside started dreaming about generic/direct
> connections using the lpt port and stuff without the TCP protocol
> installed...
The TCP stuff will be networking starting up. When does WinVNC produce all
the serial-related output? Again, the Remote Access stuff will be a
networking thing, I assume. Is it possible to find out which DLL is causing
the serial reads?
The above doesn't really explain the original problem of WinVNC allegedly
continually accessing the disk, of course..
Cheers,
James "Wez" Weatherall
--
"Xenophobes should go back to Xenophobia"
Laboratory for Communications Engineering, Cambridge - Tel : 766513
AT&T Labs Cambridge, UK - Tel : 343000
---------------------------------------------------------------------
The VNC mailing list - see http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------
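An added example, not part of the original message or of Regmon: a Python script that parses the ';'-separated export quoted above and separates routine results from the reads made through a bare handle with no matching OpenKey in the trace (the serial-port lines the reply asks about). The function names `parse_trace` and `summarize` are this example's own, and the sample lines are copied from the quoted trace with wrapped lines rejoined.

```python
from collections import Counter

# Sample lines copied from the quoted trace above (wrapped lines rejoined).
SAMPLE = r"""
OpenKey;HKLM\SYSTEM\CurrentControlSet\Control\ServiceProvider\ServiceTypes;NOTFOUND;
OpenKey;HKLM\System\CurrentControlSet\Services\VxD\MSTCP;SUCCESS;hKey: 0xC1216BFC
QueryValueEx;HKLM\System\CurrentControlSet\Services\VxD\MSTCP\HostName;SUCCESS;ROBYVH
CloseKey;HKLM\System\CurrentControlSet\Services\VxD\MSTCP;SUCCESS;
OpenKey;HKLM\System\CurrentControlSet\Control\CommAlias;NOTFOUND;
QueryValueEx;0xC1190F80\PORTNAME;SUCCESS;COM1
QueryValueEx;0xC1183A2C\FRIENDLYNAME;SUCCESS;Printer Port (LPT1)
OpenKey;HKCU\RemoteAccess\Addresses;SUCCESS;hKey: 0xC1216BFC
EnumValue;HKCU\RemoteAccess\Addresses;NOMORE;
QueryValueEx;0xC20A93A0\EnableAutodial;SUCCESS;0 0 0 0
"""

def parse_trace(text):
    """Split each 'request;path;result;other' line into a dict."""
    records = []
    for line in text.splitlines():
        # maxsplit=3 keeps any ';' inside the trailing data field intact
        fields = line.strip().split(";", 3)
        if len(fields) < 3:
            continue  # blank line or not a trace line
        fields += [""] * (4 - len(fields))
        records.append(dict(zip(("request", "path", "result", "other"), fields)))
    return records

def summarize(records):
    """Return (result counts, NOTFOUND paths, handle-only paths never opened in the trace)."""
    by_result = Counter(r["result"] for r in records)
    missing = sorted({r["path"] for r in records if r["result"] == "NOTFOUND"})
    # Handles that the trace itself shows being returned by OpenKey
    opened = {r["other"].split("hKey:")[1].strip() for r in records
              if r["request"] == "OpenKey" and "hKey:" in r["other"]}
    # Paths logged as '0x...\Value' whose handle has no OpenKey in the trace:
    # the log alone cannot attribute these to a named key.
    unresolved = sorted({r["path"] for r in records
                         if r["path"].startswith("0x")
                         and r["path"].split("\\")[0] not in opened})
    return by_result, missing, unresolved

if __name__ == "__main__":
    counts, missing, unresolved = summarize(parse_trace(SAMPLE))
    print("results:", dict(counts))
    print("NOTFOUND:", *missing, sep="\n  ")
    print("handle-only reads without an OpenKey:", *unresolved, sep="\n  ")
```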