excessive registry queries


David Solomon

If you run Regmon (from www.sysinternals.com), you'll see
the Spyware processes doing LOTS and LOTS of regular
registry queries. This is inefficient (wastes CPU time,
memory, and processor time) -- one really obvious bad
example (see below for extract of Regmon log) is the
continuous checking of
HKCU\SOFTWARE\GIANTCompany\AntiSpyware\ServState.
GcasServ.exe opens that key, queries the value 4 (FOUR!)
times in a row, then closes the key, and then does it
again, and again, and again.

A more efficient mechanism to be notified of registry
changes is to call RegNotifyChangeKeyValue to declare
change notification on the key(s) of interest.

Just a suggestion for improvement...
--Dave Solomon - http://www.solsem.com
co-author, Windows Internals 4th edition (MS Press)
and Inside Windows 2000, 3rd edition


=======================
3:01:01 PM gcasServ.exe:19888 OpenKey HKCU\SOFTWARE\GIANTCompany\AntiSpyware SUCCESS Access: 0x2000000
3:01:01 PM gcasServ.exe:19888 QueryValue HKCU\SOFTWARE\GIANTCompany\AntiSpyware\ServState SUCCESS "1"
3:01:01 PM gcasServ.exe:19888 QueryValue HKCU\SOFTWARE\GIANTCompany\AntiSpyware\ServState SUCCESS "1"
3:01:01 PM gcasServ.exe:19888 QueryValue HKCU\SOFTWARE\GIANTCompany\AntiSpyware\ServState SUCCESS "1"
3:01:01 PM gcasServ.exe:19888 QueryValue HKCU\SOFTWARE\GIANTCompany\AntiSpyware\ServState SUCCESS "1"
3:01:01 PM gcasServ.exe:19888 CloseKey HKCU\SOFTWARE\GIANTCompany\AntiSpyware SUCCESS

3:01:01 PM gcasServ.exe:19888 OpenKey HKCU\SOFTWARE\GIANTCompany\AntiSpyware SUCCESS Access: 0x2000000
3:01:01 PM gcasServ.exe:19888 QueryValue HKCU\SOFTWARE\GIANTCompany\AntiSpyware\ServState SUCCESS "1"
3:01:01 PM gcasServ.exe:19888 QueryValue HKCU\SOFTWARE\GIANTCompany\AntiSpyware\ServState SUCCESS "1"
3:01:01 PM gcasServ.exe:19888 QueryValue HKCU\SOFTWARE\GIANTCompany\AntiSpyware\ServState SUCCESS "1"
3:01:01 PM gcasServ.exe:19888 QueryValue HKCU\SOFTWARE\GIANTCompany\AntiSpyware\ServState SUCCESS "1"
3:01:01 PM gcasServ.exe:19888 CloseKey HKCU\SOFTWARE\GIANTCompany\AntiSpyware SUCCESS

3:01:01 PM gcasServ.exe:19888 OpenKey HKCU\SOFTWARE\GIANTCompany\AntiSpyware SUCCESS Access: 0x2000000
3:01:01 PM gcasServ.exe:19888 QueryValue HKCU\SOFTWARE\GIANTCompany\AntiSpyware\ServState SUCCESS "1"
3:01:01 PM gcasServ.exe:19888 QueryValue HKCU\SOFTWARE\GIANTCompany\AntiSpyware\ServState SUCCESS "1"
3:01:01 PM gcasServ.exe:19888 QueryValue HKCU\SOFTWARE\GIANTCompany\AntiSpyware\ServState SUCCESS "1"
3:01:01 PM gcasServ.exe:19888 QueryValue HKCU\SOFTWARE\GIANTCompany\AntiSpyware\ServState SUCCESS "1"
3:01:01 PM gcasServ.exe:19888 CloseKey HKCU\SOFTWARE\GIANTCompany\AntiSpyware SUCCESS
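As an added example (not code from the thread, and not the product's own code), this PowerShell script does what the post suggests: it opens the key once with only the rights it needs, reads the value, then blocks in RegNotifyChangeKeyValue until something under the key changes, instead of re-opening and re-querying it in a loop. The key path and the value name ServState are taken from the Regmon extract above; what the script does with the value is illustrative.

```powershell
# Added example, not code from the thread or from the product it discusses.
# Wait for a registry value to change with RegNotifyChangeKeyValue rather than
# re-reading it on a timer. Key and value name mirror the Regmon extract above.

Add-Type -Namespace Win32 -Name Reg -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true)]
public static extern int RegNotifyChangeKeyValue(
    IntPtr hKey, bool bWatchSubtree, uint dwNotifyFilter, IntPtr hEvent, bool fAsynchronous);
'@

$REG_NOTIFY_CHANGE_LAST_SET = 0x4   # wake when a value under the key is created, set or deleted
$ERROR_SUCCESS = 0

# Open the key once, with just Notify + QueryValues, instead of the MAXIMUM_ALLOWED
# (0x2000000) that every OpenKey in the log above asks for.
$key = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey(
    'SOFTWARE\GIANTCompany\AntiSpyware',
    [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadSubTree,
    ([System.Security.AccessControl.RegistryRights]::Notify -bor
     [System.Security.AccessControl.RegistryRights]::QueryValues))
if ($null -eq $key) { throw 'Key not found; point the script at a key that exists on this machine.' }

try {
    while ($true) {
        # One read per change, not four reads per tick.
        $state = $key.GetValue('ServState')
        Write-Host ('{0:T} ServState = ''{1}''' -f (Get-Date), $state)

        # Synchronous call (fAsynchronous = $false): returns only after a change under
        # the key. The thread waits in the kernel, so idle cost is zero.
        $rc = [Win32.Reg]::RegNotifyChangeKeyValue(
            $key.Handle.DangerousGetHandle(), $false, $REG_NOTIFY_CHANGE_LAST_SET, [IntPtr]::Zero, $false)
        if ($rc -ne $ERROR_SUCCESS) { throw "RegNotifyChangeKeyValue failed with Win32 error $rc" }
        # The notification is one-shot, so the loop re-arms it after every wake-up.
    }
}
finally {
    $key.Close()
}
```

Two things to keep in mind when using this pattern: the notification fires for any value under the key, not just ServState, so compare the new value with the last one if only that value matters; and the synchronous form is only appropriate on a dedicated thread. A service or GUI thread should pass an event handle with fAsynchronous set to true and wait on it alongside its other handles.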
 
That's a really good bug/observation.
-----Original Message-----
If you run Regmon (from www.sysinternals.com), you'll see
the Spyware processes doing LOTS and LOTS of regular
registry queries. This is inefficient (wastes CPU time,
memory, and processor time) -- one really obvious bad
example (see below for extract of Regmon log) is the
continuous checking of
HKCU\SOFTWARE\GIANTCompany\AntiSpyware\ServState.
GcasServ.exe opens that key, queries the value 4 (FOUR!)
times in a row, then closes the key, and then does it
again, and again, and again.

A more efficient mechanism to be notified of registry
changes is to call RegNotifyChangeKeyValue to declare
change notification on the key(s) of interest.

Just a suggestion for improvement...
--Dave Solomon - http://www.solsem.com
co-author, Windows Internals 4th edition (MS Press)
and Inside Windows 2000, 3rd edition

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

David Solomon wrote:
| If you run Regmon (from www.sysinternals.com), you'll see
| the Spyware processes doing LOTS and LOTS of regular
| registry queries. This is inefficient (wastes CPU time,
| memory, and processor time) -- one really obvious bad
| example (see below for extract of Regmon log) is the
| continuous checking of
| HKCU\SOFTWARE\GIANTCompany\AntiSpyware\ServState.
| GcasServ.exe opens that key, queries the value 4 (FOUR!)
| times in a row, then closes the key, and then does it
| again, and again, and again.
|
| A more efficient mechanism to be notified of registry
| changes is to call RegNotifyChangeKeyValue to declare
| change notification on the key(s) of interest.

I wish more software developers thought of this.
At the moment I am running four processes that are constantly being queried
by Explorer and registry keys checked, despite there being no change.
(Kerio Personal Firewall 4, VNC, United Devices Agent and WinFax)

In one minute, WFXCTL32.EXE (WinFax) and kpf4ss.exe (Kerio) notched up over
3500 QueryKey/QueryValues.

In the same time scale explorer.exe repeatedly OPEN, QUERY INFORMATION and
CLOSEd kpf4gui.exe, ud.exe and winvnc4.exe around 3000 times in all.


We can only wish! :-)


Adam.

- --
Please replace dot invalid with dot uk to email me.
OpenPGP key ID: 0xD3EC5C39
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (MingW32)

iD8DBQFB3cJG7uRVdtPsXDkRAu2LAJ9viOGX4ED3UiRdHlKzQMlDW/HLywCdF1tG
n3CZTMl2p5mcdaLLuRDkPC4=
=uqw6
-----END PGP SIGNATURE-----
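The per-minute tallies Adam quotes (3500 QueryKey/QueryValues from two processes in a minute) are the kind of number you can pull out of a Regmon text log mechanically. As an added example (not code from the thread), this PowerShell function parses lines in the format of the extract Dave posted, counts each (process, operation, key) combination per minute, and reports the ones above a threshold. The sample lines are constructed from the three Open / QueryValue x4 / CloseKey cycles in the thread plus one unrelated line for explorer.exe with a made-up key path and PID; the threshold value is an assumption to be tuned per host.

```powershell
# Added example, not code from the thread. Finds registry polling in a Regmon text log
# by counting how often a process repeats the same operation on the same key per minute.

function Get-RegistryPollingHotspots {
    param(
        [Parameter(Mandatory)] [string[]] $LogLines,
        [int] $Threshold = 50     # assumed: operations per (process, operation, key, minute)
    )
    # Regmon text line: "<h:mm:ss> <AM|PM> <process>:<pid> <operation> <path> <result> [<extra>]"
    $pattern = '^(?<time>\d{1,2}:\d{2}:\d{2} [AP]M)\s+(?<proc>[^\s:]+):(?<pid>\d+)\s+(?<op>\w+)\s+(?<path>\S+)\s+(?<result>\S+)'
    $counts = @{}
    foreach ($line in $LogLines) {
        if ($line -match $pattern) {
            $minute  = $Matches.time -replace ':\d{2} ', ' '     # "3:01:01 PM" -> "3:01 PM"
            $process = '{0}:{1}' -f $Matches.proc, $Matches.pid
            $k = '{0}|{1}|{2}|{3}' -f $minute, $process, $Matches.op, $Matches.path
            if (-not $counts.ContainsKey($k)) {
                $counts[$k] = [pscustomobject]@{
                    Minute    = $minute
                    Process   = $process
                    Operation = $Matches.op
                    Path      = $Matches.path
                    Count     = 0
                }
            }
            $counts[$k].Count += 1
        }
        # Blank lines and separators such as "=====" do not match and are skipped.
    }
    $counts.Values | Where-Object { $_.Count -ge $Threshold } | Sort-Object Count -Descending
}

# Constructed sample: the three Open / Query x4 / Close cycles from the thread, plus one
# unrelated line (explorer.exe PID and key path are made up for the example).
$sample = @(
    foreach ($cycle in 1..3) {
        '3:01:01 PM gcasServ.exe:19888 OpenKey HKCU\SOFTWARE\GIANTCompany\AntiSpyware SUCCESS Access: 0x2000000'
        foreach ($i in 1..4) {
            '3:01:01 PM gcasServ.exe:19888 QueryValue HKCU\SOFTWARE\GIANTCompany\AntiSpyware\ServState SUCCESS "1"'
        }
        '3:01:01 PM gcasServ.exe:19888 CloseKey HKCU\SOFTWARE\GIANTCompany\AntiSpyware SUCCESS'
    }
    '3:01:02 PM explorer.exe:1040 QueryValue HKCU\Software\ExampleVendor\ExampleApp\Setting SUCCESS "0"'
)

# On this sample the 12 ServState reads in minute 3:01 PM are the only hotspot at a
# threshold of 10; the 3 OpenKey and 3 CloseKey operations stay below it.
Get-RegistryPollingHotspots -LogLines $sample -Threshold 10 | Format-Table -AutoSize
```

On a real capture, run it against the exported log with the default threshold and raise or lower it until only the tight loops remain; a process that shows up every minute with the same key and the same SUCCESS result is the polling case the thread describes, and the fix on the developer side is the change notification Dave suggested.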