NetBios Messenger

Whoops - spoke too soon:
I think this is a better idea:
Learning to use RegMon is useful anyway....
---
Hey Bill,

Since all service startup is driven by their settings in the registry, this
should be easy to trap with any sort of registry monitoring program.

If you monitor HKLM\SYSTEM\CurrentControlSet\Services\Messenger you can
watch the value being changed in the "Start" key. You could probably just
use RegMon from SysInternals to catch this, as long as this isn't being
modified by something in the RunOnce/Run on startup, or by another startup
service. You are expecting the Start key to have a value of 0 (to be
disabled) or 3 (to be started manually later). Anything else should be
red-flagged.

With something like RegMon, if you use the filters, you should be able to
cut down on the registry noise and be able to see WHEN the change occurs,
and by which process.

Hope that helps.
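
As an added example that is not part of the original post: once a registry monitor has logged the session, a short filter over its text export can show when the Messenger "Start" value was written and by which process. The tab-separated column layout, the sample rows, the process names and the function names are all constructed for illustration, and the set of allowed values is supplied by the caller.

```python
# Added example: pick out writes to the Messenger "Start" value from a
# registry-monitor text export. The tab-separated column layout is assumed.
KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\Messenger"
WATCHED = (KEY + r"\Start").lower()

# Constructed sample rows: seq, time, process:pid, request, path, result, other
ROWS = [
    ("1", "09:00:01", "services.exe:580", "QueryValue", KEY + r"\Start", "SUCCESS", "0x2"),
    ("2", "09:00:07", "regedit.exe:1432", "SetValue", KEY + r"\Start", "SUCCESS", "0x4"),
    ("3", "09:00:09", "regedit.exe:1432", "SetValue", KEY + r"\Description", "SUCCESS", '"text"'),
    ("4", "09:14:52", "example_setup.exe:2040", "SetValue", KEY + r"\Start", "SUCCESS", "0x2"),
    ("5", "09:15:30", "example_tool.exe:2101", "SetValue", KEY + r"\Start", "ACCESS DENIED", ""),
]
SAMPLE_LOG = "\n".join("\t".join(row) for row in ROWS)


def parse_value(text):
    """Return the integer that was written, or None if the field is not numeric."""
    try:
        return int(text.strip(), 0)  # base 0 accepts both "0x4" and "4"
    except ValueError:
        return None


def start_changes(log_text, allowed):
    """List successful writes to the watched value; flag any outside `allowed`."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) < 7:
            continue  # header, blank or truncated line
        _, when, process, request, path, result, other = fields[:7]
        if request.lower() != "setvalue" or result.upper() != "SUCCESS":
            continue  # reads and failed writes did not change anything
        if path.lower() != WATCHED:
            continue
        value = parse_value(other)
        hits.append({"time": when, "process": process, "value": value,
                     "flagged": value not in allowed})
    return hits


if __name__ == "__main__":
    # The caller chooses the allowed set; here 3 (manual) and 4 (disabled).
    for hit in start_changes(SAMPLE_LOG, allowed={3, 4}):
        print(hit)
```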