Confused about registry activity

Roby Van Hoye deroby "at" mail.dma.be
Fri, 14 Jan 2000 12:39:42 +0000


At 10:52 13/01/00 -0000, James (Wez) Weatherall wrote:
>> I installed regmon (www.sysinternals.com) and found out the registry is
>> quite a busy place to be :)
>> Most of the activity can be traced back to "useful" or "standard MS
>> behavior" (two very distinct categories :) but I also note vnc does some
>> things I wouldn't expect :
>>
>> (I've CSV'd the relevant output, using ';' as separator)
>>
>> OpenKey;HKLM\SYSTEM\CurrentControlSet\Control\ServiceProvider\ServiceTypes;NOTFOUND;
>> OpenKey;HKLM\SYSTEM\CurrentControlSet\Control\ServiceProvider\ServiceTypes;NOTFOUND;
>> OpenKey;HKLM\System\CurrentControlSet\Services\VxD\MSTCP;SUCCESS;hKey: 0xC1216BFC
>> QueryValueEx;HKLM\System\CurrentControlSet\Services\VxD\MSTCP\HostName;SUCCESS;ROBYVH
>> CloseKey;HKLM\System\CurrentControlSet\Services\VxD\MSTCP;SUCCESS;
>> OpenKey;HKLM\System\CurrentControlSet\Services\VxD\MSTCP;SUCCESS;hKey: 0xC1216BFC
>> QueryValueEx;HKLM\System\CurrentControlSet\Services\VxD\MSTCP\Domain;SUCCESS;
>> CloseKey;HKLM\System\CurrentControlSet\Services\VxD\MSTCP;SUCCESS;
>> OpenKey;HKLM\System\CurrentControlSet\Control\CommAlias;NOTFOUND;
>> QueryValueEx;0xC1190F80\PORTNAME;SUCCESS;COM1
>> QueryValueEx;0xC1190F80\FRIENDLYNAME;SUCCESS;Communications Port (COM1)
>> QueryValueEx;0xC1183A2C\PORTNAME;SUCCESS;LPT1
>> QueryValueEx;0xC1183A2C\FRIENDLYNAME;SUCCESS;Printer Port (LPT1)
>> QueryValueEx;0xC122D2E4\PORTNAME;SUCCESS;COM2
>> QueryValueEx;0xC122D2E4\FRIENDLYNAME;SUCCESS;Generic Ir Serial Port (COM2)
>> OpenKey;HKLM\System\CurrentControlSet\Control\SessionManager\KnownVxDs;NOTFOUND;
>> OpenKey;HKCU\RemoteAccess\Addresses;SUCCESS;hKey: 0xC1216BFC
>> QueryKey;HKCU\RemoteAccess\Addresses;SUCCESS;
>> QueryValueEx;HKCU\RemoteAccess\Addresses\Direct Cable Connection Host Logon;NOTFOUND;
>> CloseKey;HKCU\RemoteAccess\Addresses;SUCCESS;
>> OpenKey;HKCU\RemoteAccess\Addresses;SUCCESS;hKey: 0xC1216BFC
>> QueryKey;HKCU\RemoteAccess\Addresses;SUCCESS;
>> QueryValueEx;HKCU\RemoteAccess\Addresses\Direct Cable Connection Host Logon;NOTFOUND;
>> EnumValue;HKCU\RemoteAccess\Addresses;SUCCESS;
>> EnumValue;HKCU\RemoteAccess\Addresses;NOMORE;
>> CloseKey;HKCU\RemoteAccess\Addresses;SUCCESS;
>> QueryValueEx;0xC20A93A0\EnableAutodial;SUCCESS;0 0 0 0
>>
>> What's the use of scanning/reading all these values? Normally I'd just
>> ignore it, but some little voice inside started dreaming about generic/direct
>> connections using the LPT port and stuff without the TCP protocol
>> installed...
>
>The TCP stuff will be networking starting up.  When does WinVNC produce all
>the serial-related output?  Again, the Remote Access stuff will be a

Every 6 seconds there is a burst of 3 times the batch above.

>networking thing, I assume.  Is it possible to find out which DLL is causing
>the serial reads?

Hmm, not as far as I know, the process "causing" the activity is called
'Winvnc', I'm afraid that's all information I can give, maybe some hardcore
user could download the source of regmon and get more into detail...

>The above doesn't really explain the original problem of WinVNC allegedly
>continually accessing the disk, of course..

I remember someone saying he could no longer defrag his HD with the latest
version of VNC, maybe this is related... (although it seems to be reading
only)

Cu
Roby.
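An added helper for making sense of output like the ';'-separated Regmon dump quoted above (it is not part of this thread, nor code from Regmon or VNC): it tallies each (operation, key, result) triple so repeated bursts stand out, and maps the `0xHANDLE\Value` rows that Regmon prints for unresolved handles back to a key name by remembering the `hKey:` that the preceding OpenKey returned. The sample rows are constructed after the ones quoted above; the `0xC1216BFC\Domain` row is invented to show the handle resolution, and `parse_regmon`/`summarize` are names chosen here.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed sample in the ';'-separated layout of the quoted Regmon output:
# operation;key path;result;detail (the last field may be empty).
SAMPLE = r"""OpenKey;HKLM\SYSTEM\CurrentControlSet\Control\ServiceProvider\ServiceTypes;NOTFOUND;
OpenKey;HKLM\System\CurrentControlSet\Services\VxD\MSTCP;SUCCESS;hKey: 0xC1216BFC
QueryValueEx;HKLM\System\CurrentControlSet\Services\VxD\MSTCP\HostName;SUCCESS;ROBYVH
QueryValueEx;0xC1216BFC\Domain;SUCCESS;
CloseKey;HKLM\System\CurrentControlSet\Services\VxD\MSTCP;SUCCESS;
QueryValueEx;0xC1190F80\PORTNAME;SUCCESS;COM1
QueryValueEx;0xC1190F80\FRIENDLYNAME;SUCCESS;Communications Port (COM1)
OpenKey;HKCU\RemoteAccess\Addresses;SUCCESS;hKey: 0xC1216BFC
QueryValueEx;HKCU\RemoteAccess\Addresses\Direct Cable Connection Host Logon;NOTFOUND;
CloseKey;HKCU\RemoteAccess\Addresses;SUCCESS;
"""


def parse_regmon(text):
    """Yield (operation, path, result, detail) from ';'-separated rows."""
    for row in csv.reader(StringIO(text), delimiter=';'):
        if len(row) < 3:
            continue  # blank or truncated line
        detail = row[3] if len(row) > 3 else ''
        yield row[0], row[1], row[2], detail


def summarize(text):
    """Count (op, key, result); resolve 0xHANDLE\\Value paths via open handles."""
    handles = {}            # hKey -> key path, from the most recent OpenKey
    counts = Counter()
    unresolved = set()      # handles never seen in an OpenKey of this capture
    for op, path, result, detail in parse_regmon(text):
        if op == 'OpenKey' and detail.startswith('hKey: '):
            handles[detail[len('hKey: '):]] = path
        elif op == 'CloseKey':
            # the handle value gets reused, so forget it once its key is closed
            for h in [h for h, p in handles.items() if p == path]:
                del handles[h]
        if path.startswith('0x'):
            handle, _, value = path.partition('\\')
            if handle in handles:
                path = handles[handle] + '\\' + value
            else:
                unresolved.add(handle)
        counts[(op, path, result)] += 1
    return counts, unresolved


if __name__ == '__main__':
    counts, unresolved = summarize(SAMPLE)
    for (op, key, result), n in counts.most_common():
        print(f'{n:3d}  {op:<12} {result:<8} {key}')
    print('unresolved handles:', sorted(unresolved))
```

Handles that stay unresolved (here the serial-port ones) were opened before the capture started or by a different path, which is the first thing to check before blaming the process for the reads.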



---------------------------------------------------------------------
The VNC mailing list - see http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------