cusnap
Hi,
Is it normal for processes to query the "load" location in user subkeys
(e.g., HKU\S-1-5-21-xxxxxxx\Software\Microsoft\Windows
NT\CurrentVersion\Windows\load)? We had an anti-virus program apparently
removing data from that value (it didn't tell us what it was removing and the
vendor couldn't really help), so we set up procmon with a filter to watch
anything touching those load locations and processes such as net1.exe,
llsmgr.exe and userinit.exe were observed to query there. I am not a
developer and really don't know what's normal process behavior and what
isn't. There was no writing, just the queries. Thanks.