Processes querying HKU "load" locations

cusnap

Hi,
Is it normal for processes to query the "load" location in user subkeys
(e.g., HKU\S-1-5-21-xxxxxxx\Software\Microsoft\Windows
NT\CurrentVersion\Windows\load)? We had an anti-virus program apparently
removing data from that value (it didn't tell us what it was removing and the
vendor couldn't really help), so we set up procmon with a filter to watch
anything touching those load locations, and processes such as net1.exe,
llsmgr.exe and userinit.exe were observed to query there. I am not a
developer and really don't know what's normal process behavior and what
isn't. There was no writing, just the queries. Thanks.
 
Dave Patrick

Yes, perfectly normal. App installations that write there are probably win9x
applications.


--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect
 
Dave Patrick

Or possibly even win3.x apps. Probably not used any more but if you're
looking there don't forget win.ini, system.ini are also parsed.


--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect
 
cusnap

Hi,

Thanks for the reply. Could you elaborate at all? It's normal for Win9x apps
to write to the load value, but these seem to be common (more or less)
Windows processes, not necessarily Win9x as far as I can tell (llsmgr.exe,
userinit.exe, etc.), that are reading that location. Just trying to
understand better. Thanks again.

Dave Patrick said:
Yes, perfectly normal. App installations that write there are probably win9x
applications.



cusnap said:
Hi,
Is it normal for processes to query the "load" location in user subkeys
(e.g., HKU\S-1-5-21-xxxxxxx\Software\Microsoft\Windows
NT\CurrentVersion\Windows\load)? We had an anti-virus program apparently
removing data from that value (it didn't tell us what it was removing and the
vendor couldn't really help), so we set up procmon with a filter to watch
anything touching those load locations, and processes such as net1.exe,
llsmgr.exe and userinit.exe were observed to query there. I am not a
developer and really don't know what's normal process behavior and what
isn't. There was no writing, just the queries. Thanks.
 
cusnap

OK, thanks, that helps. I appreciate you taking the time to answer.

Dave Patrick said:
Windows 2000 would still read them for backward compatibility.



cusnap said:
Hi,

Thanks for the reply. Could you elaborate at all? It's normal for Win9x apps
to write to the load value, but these seem to be common (more or less)
Windows processes, not necessarily Win9x as far as I can tell (llsmgr.exe,
userinit.exe, etc.), that are reading that location. Just trying to
understand better. Thanks again.
 
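The thread's advice boils down to two facts: the per-user "load" (and the neighbouring "Run") value under Windows NT\CurrentVersion\Windows is a legacy autostart location that Windows still reads for backward compatibility, and win.ini's [windows] section carries the same load= and run= lines from the 16-bit days. Procmon shows who reads them; what an administrator cleaning up after an anti-virus hit usually wants next is a plain listing of what those locations currently contain, per user. The script below is an added example written for this thread, not something posted by either participant or shipped by Microsoft. It assumes it is run with enough rights to read the other users' hives that are currently loaded under HKEY_USERS, and it treats the %windir%\win.ini path as the file to parse.

```powershell
# Added example (not from the thread): list every non-empty legacy "Load"/"Run"
# autostart entry for each loaded user hive, plus win.ini's load=/run= lines.
# Assumption: run as an administrator so other users' hives under HKU are readable.

function Get-LegacyLoadEntries {
    [CmdletBinding()]
    param(
        # win.ini is still parsed for compatibility; default to the system copy.
        [string]$WinIniPath = (Join-Path $env:windir 'win.ini')
    )

    $results = @()

    # Only real user SIDs (S-1-5-21-...), skipping the *_Classes companion hives.
    $hives = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' }

    foreach ($hive in $hives) {
        # The key the thread is discussing, per user.
        $key = "Registry::HKEY_USERS\$($hive.PSChildName)\Software\Microsoft\Windows NT\CurrentVersion\Windows"
        if (-not (Test-Path -LiteralPath $key)) { continue }

        $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        foreach ($name in 'Load', 'Run') {
            $value = $props.$name
            # An empty or missing value is the expected state on a clean machine.
            if (-not [string]::IsNullOrWhiteSpace($value)) {
                $results += [pscustomobject]@{
                    Source = "HKU\$($hive.PSChildName)\...\Windows NT\CurrentVersion\Windows"
                    Name   = $name
                    Value  = $value
                }
            }
        }
    }

    # win.ini: load= and run= under [windows] are the ancestors of the same values.
    if (Test-Path -LiteralPath $WinIniPath) {
        $inWindowsSection = $false
        foreach ($line in Get-Content -LiteralPath $WinIniPath) {
            if ($line -match '^\s*\[(.+)\]\s*$') {
                $inWindowsSection = ($Matches[1] -eq 'windows')
                continue
            }
            if ($inWindowsSection -and $line -match '^\s*(load|run)\s*=\s*(.+?)\s*$') {
                $results += [pscustomobject]@{
                    Source = $WinIniPath
                    Name   = $Matches[1]
                    Value  = $Matches[2]
                }
            }
        }
    }

    return $results
}

$entries = Get-LegacyLoadEntries
if ($entries) {
    $entries | Format-Table -AutoSize
} else {
    'No non-empty legacy load/run entries found in loaded user hives or win.ini.'
}
```

Run it once before and once after the anti-virus acts and diff the two listings; that recovers what the product removed, which its own log did not say. Only hives that are currently loaded appear under HKEY_USERS, so users who are not logged on are not covered unless their NTUSER.DAT is loaded with reg.exe load first.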
