Processes querying HKU "load" locations


cusnap

Hi,
Is it normal for processes to query the "load" location in user subkeys
(e.g., HKU\S-1-5-21-xxxxxxx\Software\Microsoft\Windows
NT\CurrentVersion\Windows\load)? We had an anti-virus program apparently
removing data from that value (it didn't tell us what it was removing and the
vendor couldn't really help), so we set up procmon with a filter to watch
anything touching those load locations, and processes such as net1.exe,
llsmgr.exe and userinit.exe were observed to query there. I am not a
developer and really don't know what's normal process behavior and what
isn't. There was no writing, just the queries. Thanks.
 
Yes, perfectly normal. App installations that write there are probably win9x
applications.


--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect
 
Or possibly even win3.x apps. Probably not used any more but if you're
looking there don't forget win.ini, system.ini are also parsed.


--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect
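The two locations discussed above (the per-user "load"/"run" values and the legacy win.ini entries) are both legitimate autostart locations, so reads by logon-related processes are expected; what a defender actually wants to know is whether anything is *set* there. The following PowerShell script is an added example, not code from the thread or from any of its participants: it enumerates every loaded user hive under HKEY_USERS, reports the Load and Run values under Software\Microsoft\Windows NT\CurrentVersion\Windows, and parses the [windows] section of win.ini for load= and run= lines. The function names and the output layout are my own choices; the registry path and value names are the ones the thread refers to.

```powershell
# Added example (not from the thread): audit the per-user "Load"/"Run" registry
# values and the legacy win.ini [windows] load=/run= entries. On a cleanly
# configured machine these are normally empty or absent; any non-empty entry
# is worth checking before an AV product silently clears it.

$subKey = 'Software\Microsoft\Windows NT\CurrentVersion\Windows'

function Get-UserLoadValues {
    # Only profiles whose hives are currently loaded appear under HKEY_USERS.
    $results = @()
    Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object {
            $sid     = $_.PSChildName
            $keyPath = "Registry::HKEY_USERS\$sid\$subKey"
            if (Test-Path $keyPath) {
                $key = Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue
                foreach ($name in 'Load', 'Run') {
                    $value = $key.$name
                    $results += [pscustomobject]@{
                        Source = "HKU\$sid"
                        Value  = $name
                        Data   = if ([string]::IsNullOrEmpty($value)) { '<empty>' } else { $value }
                    }
                }
            }
        }
    return $results
}

function Get-WinIniLoadValues {
    # win.ini lives in %windir%; only the [windows] section's load=/run= lines matter here.
    $ini = Join-Path $env:windir 'win.ini'
    if (-not (Test-Path $ini)) { return @() }
    $inWindowsSection = $false
    $results = @()
    foreach ($line in Get-Content $ini) {
        $trimmed = $line.Trim()
        if ($trimmed -match '^\[(.+)\]$') {
            $inWindowsSection = ($Matches[1] -ieq 'windows')
            continue
        }
        if ($inWindowsSection -and $trimmed -match '^(load|run)\s*=\s*(.*)$') {
            $results += [pscustomobject]@{
                Source = $ini
                Value  = $Matches[1]
                Data   = if ([string]::IsNullOrEmpty($Matches[2])) { '<empty>' } else { $Matches[2] }
            }
        }
    }
    return $results
}

Get-UserLoadValues    | Format-Table -AutoSize
Get-WinIniLoadValues  | Format-Table -AutoSize
```

Run it from an elevated prompt so every loaded user hive is readable. Reading these values is harmless, which is why the procmon RegQueryValue events from userinit.exe and friends in the original question are nothing to act on; a non-empty Data column, on the other hand, tells you exactly what the AV product was removing and lets you confirm whether it was a legitimate legacy application before deciding what to do about it.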
 
Hi,

Thanks for the reply. Could you elaborate at all? It's normal for Win9x apps
to write to the load value, but these seem to be common (more or less)
Windows processes, not necessarily Win9x as far as I can tell (llsmgr.exe,
userinit.exe, etc.), that are reading that location. Just trying to
understand better. Thanks again.

Dave Patrick said:
Yes, perfectly normal. App installations that write there are probably win9x
applications.


--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect


cusnap said:
Hi,
Is it normal for processes to query the "load" location in user subkeys
(e.g., HKU\S-1-5-21-xxxxxxx\Software\Microsoft\Windows
NT\CurrentVersion\Windows\load)? We had an anti-virus program apparently
removing data from that value (it didn't tell us what it was removing and the
vendor couldn't really help), so we set up procmon with a filter to watch
anything touching those load locations and processes such as net1.exe
llsmgr.exe and userinit.exe were observed to query there. I am not a
developer and really don't know what's normal process behavior and what
isn't. There was no writing, just the queries. Thanks.
 
OK, thanks, that helps. I appreciate you taking the time to answer.

Dave Patrick said:
Windows 2000 would still read them for backward compatibility.


--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect


cusnap said:
Hi,

Thanks for the reply. Could you elaborate at all? It's normal for Win9x apps
to write to the load value, but these seem to be common (more or less)
Windows processes, not necessarily Win9x as far as I can tell (llsmgr.exe,
userinit.exe, etc.), that are reading that location. Just trying to
understand better. Thanks again.
 