Constantly Updating Registry

[Kris Hyde]

Hi,

I'm running a fully patched copy of Win2k Pro as Administrator. When I
look in the profile folder, the NTuser.dat.log file is always present.
As I understand it this is a continuity file, which should only be
present when the registry is updating. The date stamp on both the
ntuser.dat and ntuser.dat.log is always at most a minute old,
confirming that the registry is in a constant state of updating, which
is clearly bad. I've exported the HKEY_CURRENT_USER hive into a text
file, repeated the process 1 minute later, and compared them using
WinDiff. There were a few MRU differences, which is fair enough given
that I'd exported a file between the two snap shots of the registry.
But there were some other differences and I was hoping someone would
be able to say whether these were significant:

The were alot of changes to:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\Desktop

The were alot of changes to:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\MISC
HEX CODE\Count

Some Minor Changes to:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\NetCache

I'm not sure what these keys do, thus, are any of these changes
unexpected? I've also had some problems with internet slowdown - could
this be related to these keys?

I've tried to isolate which application is changing the NTuser.dat
file by using FileMon.exe, but it doesn't seem to work for that file.
Although, as an aside, it did pick up on the fact that proquota.exe
(the windows program to monitor profile space) scans the entire
profile every 30secs - surely that can't be correct??

Any suggestions would be appreciated.

Kris Hyde

 

[Mark V]

Hi,

I'm running a fully patched copy of Win2k Pro as Administrator.
When I look in the profile folder, the NTuser.dat.log file is
always present. As I understand it this is a continuity file,

Present and open when that account is logged in. All the time and by
design. IOW, "normal".

which should only be present when the registry is updating. The
date stamp on both the ntuser.dat and ntuser.dat.log is always at
most a minute old, confirming that the registry is in a constant
state of updating, which is clearly bad. I've exported the

No, not bad. That's how it was designed. IOW, "normal".

[snip]

I've tried to isolate which application is changing the NTuser.dat
file by using FileMon.exe, but it doesn't seem to work for that

Get REGMON.EXE from sysinternals. You will be *amazed* at what reads
and writes occur during normal (and apparently quiescent) operation.

 

[Kris Hyde]

Thanks for the advice. I'll give it a try.

Hi,

I'm running a fully patched copy of Win2k Pro as Administrator.
When I look in the profile folder, the NTuser.dat.log file is
always present. As I understand it this is a continuity file,

Present and open when that account is logged in. All the time and by
design. IOW, "normal".

which should only be present when the registry is updating. The
date stamp on both the ntuser.dat and ntuser.dat.log is always at
most a minute old, confirming that the registry is in a constant
state of updating, which is clearly bad. I've exported the

No, not bad. That's how it was designed. IOW, "normal".

[snip]

I've tried to isolate which application is changing the NTuser.dat
file by using FileMon.exe, but it doesn't seem to work for that

Get REGMON.EXE from sysinternals. You will be *amazed* at what reads
and writes occur during normal (and apparently quiescent) operation.

 

[Enkidu]

Present and open when that account is logged in. All the time and by
design. IOW, "normal".


No, not bad. That's how it was designed. IOW, "normal".

My ntuser.dat is time stamped about when I booted it this morning. The
log file is time stamped less than a few minutes ago. That's XP
though. I'm not sure that the ntuser.dat should be updating
constantly, should it?

Cheers,

Cliff

 

[Mark V]

My ntuser.dat is time stamped about when I booted it this morning.
The log file is time stamped less than a few minutes ago. That's
XP though. I'm not sure that the ntuser.dat should be updating
constantly, should it?

Reads may be happening frequently (use REGMON to see). Write
frequency ("set value") in HKCU will depend of course on what you do
and what you are running at the time. Write ops hit the LOG file
first then are moved into the DAT in very short order.

I should also have said up-thread that a LOG exists, is active and
open at any time the hive is loaded. That is usually when logged in,
but other things (like a utility loading an account's hive file, or a
"load hive" op. in regedt32) will also cause a LOG file
create/open/lock.