the system file (windows/system32/config/system) is growing

Jeff

Hi,

I recently asked why my system file is 200mb -- I used your advice and used
NTRGOPT and this brought it down to about 8mb.

Now I notice that my system file is gradually growing again. When I use
NTREGOPT it comes back down, but this is not a permanent solution. What can I
do to keep the file from growing? How can I check what is happening? I looked
in error logs and system logs and there is nothing listed at the time that
the file was modified.

I appreciate your help with this.

Thanks

Paul

Jeff said:
Hi,

I recently asked why my system file is 200mb -- I used your advice and used
NTRGOPT and this brought it down to about 8mb.

Now I notice that my system file is gradually growing again. When I use
NTREGOPT it comes back down, but this is not a permanent solution. What can I
do to keep the file from growing? How can I check what is happening? I looked
in error logs and system logs and there is nothing listed at the time that
the file was modified.

I appreciate your help with this.

Thanks

Process Monitor

http://technet.microsoft.com/en-ca/sysinternals/bb896645.aspx

Run it and set the filter condition to

"Operation" "begins with" "reg"

and apply.

ProcMon will undoubtedly log a lot of extraneous activity, but if
the bloat is as bad as you describe, there should be lots of the bad
operations occurring. That might be the dominant, or virtually only,
activity going on with the registry. Like maybe 99% of the entries
you log, will be the bad thing happening.

Sysinternals also has a forum area, and if you use a search engine
that can be pointed at a single host (altavista.com), you can
search the site for better instructions than I can give, for
the best way to set up ProcMon.

http://forum.sysinternals.com/
http://forum.sysinternals.com/forum_topics.asp?FID=19 (ProcMon)

Another word of warning. Sysinternals programs play with the innards
of Windows OSes. If you're using AV software, the instant you start
programs like ProcMon, the AV software can get in a fight with
ProcMon (freeze city). That used to happen on my other computer, which was
running Kaspersky. I used to sort the AV programs on that computer, into
"freeze" and "don't freeze" folders, to make it easier to figure out
which Sysinternals programs were safe to run. So the first time you
try it, quit any other programs first, just to be on the safe side.
You don't want to lose any edit sessions you might have open.

Good luck,
Paul

joe

I just measured my system32 file and it is 800MB!
What can I look out for to delete? And what is NTRGOPT?
Any advice please Paul.

Paul

joe said:
I just measured my system32 file and it is 800MB!
What can I look out for to delete? And what is NTRGOPT?
Any advice please Paul.

You've got to be joking. Is that even possible ? You sure
it isn't some smaller number ?

http://en.wikipedia.org/wiki/Windows_registry

Windows NT-based operating systems

%SystemRoot%\System32\Config\

(On my machine, that is C:\WINDOWS\system32\config directory)

These are my current file sizes.

Filename – Registry key – Size

SAM – HKEY_LOCAL_MACHINE\SAM – 24KB
SECURITY – HKEY_LOCAL_MACHINE\SECURITY – 256KB
SOFTWARE – HKEY_LOCAL_MACHINE\SOFTWARE – 13824KB
SYSTEM – HKEY_LOCAL_MACHINE\SYSTEM – 8704KB
DEFAULT – HKEY_USERS\.DEFAULT – 260KB

Make sure you're looking in the right directory. The files listed
are my "live" files. There is another (empty) set for emergencies.

It is even possible, you won't be able to list C:\WINDOWS\system32\config
right now. My setup is nice and insecure. I use FAT32, and I'm not
having a problem getting to that directory.

*Please*, don't muck with the registry unless all other options
have been thoroughly discussed. Just because there is some tool
called NTRGOPT, doesn't mean we all have to use it. If you want
to play registry roulette, at least make sure you have a
"bare metal recovery" kind of backup stored somewhere safe.
It is possible to use Recovery Console and System Restore to
restore some sanity to your system, but the process would not
be a lot of fun. Some people don't have a Recovery Console, and
some have turned off their System Restore. Making a fresh
backup, may require less research to do yourself.

Just to give an analogous example, I was looking in a Firefox
directory the other day, and saw some large sqlite files. I found
a thread that discussed the VACUUM option for scrunching the files.
I made a *copy* of one file, and worked on it in another directory.
Sure enough, the tool mentioned did make a significant improvement.
Then, I did some more reading, which warned that the procedure did not
re-index the database, after removing stale entries. And that some
people broke their Firefox after attempting the procedure. So
just because you see a quick mention of a miracle tool, look
for info about what the downside might be of using it. Database
files have structures inside, and you have to know how to properly
preserve what is in there. Any mistake, and you're going to need to
know how to use Recovery Console and System Restore, or your
"bare metal" restore capability.

(There are other ways to back up the registry, but you could
easily spend a whole working day learning about this stuff.
My experience is, to leave well enough alone.)

I can find an NTREGOPT here (8 letters). I wonder if this is the tool ?
There is plenty of good info here.

http://www.larshederer.homepage.t-online.de/erunt/

http://www.larshederer.homepage.t-online.de/erunt/ntregopt.txt

Good luck and stay safe,

Paul
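
The thread asks how to check what is happening to the SYSTEM hive between NTREGOPT runs. The following PowerShell script is an added example written for this page, not code from the thread or from ERUNT/NTREGOPT: it snapshots the on-disk size and last-write time of the five hive files listed above so that growth can be timed and later matched against a Process Monitor capture. The log file location under $env:TEMP and the hourly schedule are assumptions; the hive-to-key mapping is the one given in the post.

```powershell
# Added example (not from the thread): snapshot the on-disk size of each registry hive
# in %SystemRoot%\System32\config so growth of the SYSTEM hive can be timed and then
# correlated with a Process Monitor capture. Run from an elevated prompt; the hive files
# are locked while Windows runs, but their size and last-write time are still readable.

# Hive file -> registry key it backs (the mapping listed in the post above).
$hiveMap = @{
    'SAM'      = 'HKEY_LOCAL_MACHINE\SAM'
    'SECURITY' = 'HKEY_LOCAL_MACHINE\SECURITY'
    'SOFTWARE' = 'HKEY_LOCAL_MACHINE\SOFTWARE'
    'SYSTEM'   = 'HKEY_LOCAL_MACHINE\SYSTEM'
    'DEFAULT'  = 'HKEY_USERS\.DEFAULT'
}

function Get-HiveSizes {
    param([string]$ConfigDir = (Join-Path $env:SystemRoot 'System32\config'))
    $now = (Get-Date).ToString('s')
    foreach ($name in ($hiveMap.Keys | Sort-Object)) {
        $file = Get-Item -LiteralPath (Join-Path $ConfigDir $name) -ErrorAction SilentlyContinue
        if ($null -eq $file) { continue }   # not elevated, or this hive does not exist here
        [pscustomobject]@{
            Timestamp = $now
            Hive      = $name
            Key       = $hiveMap[$name]
            SizeKB    = [math]::Round($file.Length / 1KB)
            LastWrite = $file.LastWriteTime.ToString('s')
        }
    }
}

# Assumed log location. Append one snapshot per run and schedule the script with
# Task Scheduler (e.g. hourly). Steady growth of SYSTEM between rows points at a
# process that writes continuously; a jump at one timestamp points at something
# that ran once at that time, which narrows the window for a ProcMon capture.
$log = Join-Path $env:TEMP 'hive-sizes.csv'
Get-HiveSizes | Export-Csv -LiteralPath $log -Append -NoTypeInformation

# Show the SYSTEM hive trend from the log.
Import-Csv -LiteralPath $log |
    Where-Object { $_.Hive -eq 'SYSTEM' } |
    Select-Object -Property Timestamp, SizeKB, LastWrite -Last 10 |
    Format-Table -AutoSize
```

The size reported is the file on disk, which is what NTREGOPT compacts; Windows does not shrink the file when keys are deleted, so a hive that keeps being written and cleared will still show as growing until it is compacted.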

Jeff

It's an application that optimizes the registry.
Look it up (NTREGOPT) in some search engine and you will find it.
It took my 200+mb system file down to 8mb. However, you might need to run
it in safe mode.

Good luck.

Jeff

Question -- is the proc mon the same as the process explorer? I have the
sysinternals process explorer -- I am not sure whether this is the same
thing...

I suspect that it could be internet explorer8 related. After I wrote my
original question I noticed that the system file grew a bit. It grew from 8mb
to 11mb :) Then I optimized again and brought it down. Have you heard of
something like this?

Thanks

Paul

Jeff said:
Question -- is the proc mon the same as the process explorer? I have the
sysinternals process explorer -- I am not sure whether this is the same
thing...

I suspect that it could be internet explorer8 related. After I wrote my
original question I noticed that the system file grew a bit. It grew from 8mb
to 11mb :) Then I optimized again and brought it down. Have you heard of
something like this?

Thanks

I'm using IE6, and my registry files are on a diet :)

If you know it is IE8, then you should be able to find it all
that much faster with ProcMon. ProcMon is not the same thing
as Process Explorer. Look in the Sysinternals utilities list,
and you'll find it soon enough.

ProcMon

http://technet.microsoft.com/en-ca/sysinternals/bb896645.aspx

Here, you can watch a program messing about with something
in the file system.

http://images.ask-leo.com/2009/procmon_initial.png

Here, you can see some registry operations, being done by
the program that happens to use those keys.

http://www.leeholmes.com/blog/content/binary/procmon_post_click.gif

It is a powerful tool, that I still don't completely understand.
When I look at how many things it claims to have captured, I have
trouble understanding what it's done with all of them :)

You could set up two filter conditions. Look for a process name
that matches the name used by IE8. And for that, maybe you can get a hint
from Task Manager or even Process Explorer. Remember to type the
name completely, including the .exe on the end. I made that mistake
when playing with it an hour ago - forgot the .exe and was
staring at a blank output as a result. The second thing might be
to look for an operation that starts with "Reg", if you just want
to see registry operations in the filtered output. In the example
here, I think I'm seeing read operations, rather than writes. You'd
really need to see a complete list of the procedure names, to
get a better handle on what to look for.

http://www.leeholmes.com/blog/content/binary/procmon_post_click.gif

Once you know what key is involved, or what it is writing or updating,
you might be better able to craft a search command to find other
people with the same problem. Right now, if I enter a few terms
to describe your problem, all I'm getting as results, is
adverts for registry cleaners... Boo, hiss.

Paul
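
Paul's two posts describe filtering ProcMon on operations beginning with "Reg" and, optionally, on a process name. The PowerShell script below is an added example for this page, not ProcMon's own tooling or anything from the thread: it reads a ProcMon CSV export (File > Save..., comma-separated format) and counts only the registry operations that actually change a hive, grouped by process and busiest key, which answers "who is growing the file" without having to guess the process name for the second filter. It assumes the export keeps ProcMon's default column names ("Process Name", "Operation", "Path", "Result"); the CSV rows and process names embedded in the script are constructed sample data, not a real capture.

```powershell
# Added example (not from the thread): summarise which processes are *writing* to the
# registry, from a Process Monitor CSV export. Assumed: the export keeps ProcMon's
# default columns, including "Process Name", "Operation", "Path" and "Result".
# Pass the export path as -CsvPath; with no argument the constructed sample below
# is analysed so the script runs stand-alone.
param([string]$CsvPath = '')

# ProcMon operation names that change hive contents. Reads (RegQueryValue, RegOpenKey,
# RegEnumKey, ...) are what make an "Operation begins with Reg" capture noisy; they do
# not grow the file, so they are dropped here.
$writeOps = @('RegCreateKey', 'RegSetValue', 'RegDeleteKey', 'RegDeleteValue', 'RegSetInfoKey')

# Constructed sample: one process rewriting the same key repeatedly, others mostly reading.
$sampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:00:01.0000000 PM","exampleagent.exe","1234","RegOpenKey","HKLM\SYSTEM\CurrentControlSet\Services\ExampleAgent","SUCCESS","Desired Access: Read/Write"
"9:00:01.0000010 PM","exampleagent.exe","1234","RegSetValue","HKLM\SYSTEM\CurrentControlSet\Services\ExampleAgent\Parameters\Cache","SUCCESS","Type: REG_BINARY, Length: 65536"
"9:00:01.0000020 PM","exampleagent.exe","1234","RegSetValue","HKLM\SYSTEM\CurrentControlSet\Services\ExampleAgent\Parameters\Cache","SUCCESS","Type: REG_BINARY, Length: 65536"
"9:00:01.0000030 PM","exampleagent.exe","1234","RegSetValue","HKLM\SYSTEM\CurrentControlSet\Services\ExampleAgent\Parameters\Cache","SUCCESS","Type: REG_BINARY, Length: 65536"
"9:00:01.0000040 PM","explorer.exe","2222","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"9:00:01.0000050 PM","explorer.exe","2222","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop","SUCCESS","Type: REG_SZ, Length: 40"
"9:00:01.0000060 PM","svchost.exe","3333","RegSetValue","HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Example","ACCESS DENIED","Type: REG_DWORD, Length: 4"
'@

function Get-RegistryWriteSummary {
    param([Parameter(Mandatory)][object[]]$Events)
    $Events |
        # Only successful writes can change the hive; failed attempts are still
        # interesting for other reasons but do not explain file growth.
        Where-Object { $writeOps -contains $_.Operation -and $_.Result -eq 'SUCCESS' } |
        Group-Object -Property 'Process Name', 'Operation' |
        Sort-Object -Property Count -Descending |
        ForEach-Object {
            $busiest = $_.Group |
                Group-Object -Property Path |
                Sort-Object -Property Count -Descending |
                Select-Object -First 1
            [pscustomobject]@{
                Process   = $_.Group[0].'Process Name'
                Operation = $_.Group[0].Operation
                Writes    = $_.Count
                TopPath   = $busiest.Name    # the single key this process hits most often
                TopCount  = $busiest.Count
            }
        }
}

$events = if ($CsvPath -and (Test-Path -LiteralPath $CsvPath)) {
    Import-Csv -LiteralPath $CsvPath
} else {
    $sampleCsv | ConvertFrom-Csv
}
Get-RegistryWriteSummary -Events $events | Format-Table -AutoSize
```

On the constructed sample this lists exampleagent.exe with three RegSetValue writes to one key under HKLM\SYSTEM and explorer.exe with one write under HKCU; the ACCESS DENIED row is excluded. Writes under HKLM\SYSTEM are the ones that land in the SYSTEM hive file, so the TopPath of the heaviest writer there is the key to search for when looking for other reports of the same behaviour.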

Jeff

Thanks.
When I get home from work I will start with this and perhaps find the
culprit!
The "internet explorer8" suspect is just a gut feeling (since it works
pretty lousy on my computer anyway, unfortunately). Perhaps I am right. So
far I am succeeding in fixing this issue.

I left my computer at home on WITHOUT internet explorer running -- and I
will check its "temperature" (a joke) and see whether the system file grew.

I appreciate your comments and I will use the proc mon and perhaps be able
to make a judgment soon enough.

Elmo

joe said:
I just measured my system32 file and it is 800MB!
What can I look out for to delete? and what is NTRGOPT?
Any advice please Paul.

My "System32" FOLDER is 1.2 GB.. my "System" file is 8.25 MB.. Perhaps
you're mixing apples32 with oranges.

joe

I have checked and rechecked. My Windows/system32 folder is 800mb. The list
of folders and files is so long I cannot even send a screen shot. Is there
somewhere I can find out what should be there and what can be deleted??

Jose

joe said:
I have checked and rechecked. My Windows/system32 folder is 800mb. The list
of folders and files is so long I cannot even send a screen shot. Is there
somewhere I can find out what should be there and what can be deleted??

You are truly blessed to have a windows\system32 folder that is only
800MB.

Daave

Why is this a problem? My system32 folder is 972MB. Then again, my
system *file* (which is in the config folder which is in the system32
folder) is 5.9MB.

Are you confusing the system file with the system32 folder?

I think part of the confusion is you and Paul are not talking about the
same folder! He's talking about the config folder (one folder that is
part of the much larger system32 folder). You're talking about the
entire system32 folder.

Jeff

Hi,

OK these are the processes that are creating registry entries:
(1) lsass.exe (located, did a search) in windows/system32 and in
windows/servicepackfiles/i386

(2) Explorer.exe
(3) IExplorer.exe
(4) services.exe
(5) vsmon.exe
(6) WLLoginProxy.exe

Any ideas how to stop this? :)

Thanks,
Jeff

John John - MVP

So, what's the problem with the machine anyway? You said earlier that
the windows/system32/config/system file was 200MB. This is a registry
file, it's the system hive, represented in the registry by the
HKEY_LOCAL_MACHINE\SYSTEM key.

You said that you ran NTRegOpt and that the file was compacted to about
8MB, so how big is it now? Registry hives are dynamic, they grow and
shrink in size, it's normal. When NTRegOpt is run it will almost always
tell you that it can reduce the size of the registry by a few percents.

Please don't confuse this thread any more than it already is by going on
a tangent about the size of the WINDOWS/system32 folder! Let's stick to
the C:\WINDOWS\system32\config folder and its contents and see what is
going on there, the rest of the system32 folder has nothing to do with
the registry. Give us the size of the SYSTEM hive and let's see if there
is really something going on with its size.

If the windows/system32/config/system *file* is indeed rapidly growing
to an astronomical size of 200 or 800MB then there definitely is
something wrong! Others have given you suggestions as to what might be
causing this, I'm not a betting man but I would bet 1% of the pot on a
virus and the other 99% on that oft misbehaving vsmon.

John

Jeff

Thanks for your comment. I did not intend for others to discuss the size of
their directories, and I can't take the blame for this.

However, it was suggested that I use the procmon to see what processes are
adding keys to the registry and this is what I did and what I mentioned in the
previous reply.

Currently the size of the system hive is 8704KB. However, it was 16MB when I
came home and I reduced it to 8704 using NTREGOPT. It grows when the machine
is left on.

I would appreciate advice on how to check whether the problem is in some
misbehaving vsmon or something else. I have run spybot, superantispyware,
prevx and have the McAfee Total Protection Service running -- I get no real
indication of a virus.

Again, I would appreciate any advice on how to proceed, and I am sorry that
the thread took some interesting directions -- not to my desire.

Thanks for your response.

joe

Thank you for clearing that up Daave, you are quite right.
Sorry to everyone else for the confusion.