darkdestiny:
In Regmon > Options there is a "Log Boot". However, if I remember correctly the filter does not appear to be in effect with this option and it creates thousands of entries.
Getting an answer is one thing, learning is another.
Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.
I'm not quite sure how that function works, but that function is enabled. Maybe I'll check out the Log file which it mentioned in the pop-up.
From the Regmon's help facility:
Monitoring Boot-Time Registry Access (Windows NT/2K only)
To use Regmon's boot logging feature simply select the "Log Boot" menu entry. Regmon will indicate that starting the next time the system boots Registry activity will be monitored and recorded to a log file named REGMON.LOG in your system root directory. When you make this selection Regmon configures itself as the very first driver to initialize in the system, enabling it to capture the Registry startup activity of all other device drivers and services, including critical boot drivers such as SCSI miniport drivers and boot file system drivers.
Regmon stops recording to the log file when you start the Regmon GUI, and it will only log a single boot. Logging is therefore also stopped when the system shuts down, unless you have re-enabled boot-time logging for the subsequent boot. The format of the log file is the same tab-delineated text as a standard Regmon output file that can be viewed with any editor.
Before you use the boot-logging feature you should ensure that there is ample free space on your system drive. Capturing Registry activity from startup to shutdown on an NT 4.0 system will generate a log file with 90,000-120,000 records (7-10 MB in size), whereas an identically configured NT 5.0 system (Beta 2) will generate 140,000-160,000 records (15-25 MB's of log data). If Regmon fills the disk while writing to the log it will truncate the log file and leave a message in it indicating that the disk did not have enough free space. Regmon aborts logging and cleans up the log in such cases so that lack of disk space will not prevent a successful boot.
I tried twice to view the log file you mentioned, but the file developed is too big (400+ MB). I tried opening RegMon as soon as I logged in, and did manage to get a much smaller file. This is what I found.
NOTE: Below are all the related entries of the raw data I've collected. There are some that have nothing to do with the problem.
248062: tvtsched.exe:2952 OpenKey HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN SUCCESS Access: 0x1
248063: tvtsched.exe:2952 QueryValue HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\tvtsched.exe NOT FOUND
248067: tvtsched.exe:2952 QueryValue HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\* NOT FOUND
248074: tvtsched.exe:2952 CloseKey HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN SUCCESS
572328: explorer.exe:1280 OpenKey HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN SUCCESS Access: 0x1
572329: explorer.exe:1280 QueryValue HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Explorer.EXE NOT FOUND
572330: explorer.exe:1280 QueryValue HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\* NOT FOUND
572331: explorer.exe:1280 CloseKey HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN SUCCESS
572332: explorer.exe:1280 OpenKey HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN SUCCESS Access: 0x1
572333: explorer.exe:1280 QueryValue HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Explorer.EXE SUCCESS 0x1
572334: explorer.exe:1280 CloseKey HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN SUCCESS
648956: SynTPEnh.exe:3788 OpenKey HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN SUCCESS Access: 0x1
648957: SynTPEnh.exe:3788 QueryValue HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\SynTPEnh.exe NOT FOUND
NOTE: This is somewhat irrelevant, but I just want to state it in case it has anything to do with the change.
648959: SynTPEnh.exe:3788 QueryValue HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\* NOT FOUND
648961: SynTPEnh.exe:3788 CloseKey HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN SUCCESS
648962: SynTPEnh.exe:3788 OpenKey HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN SUCCESS Access: 0x1
648963: SynTPEnh.exe:3788 QueryValue HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\SynTPEnh.exe NOT FOUND
648964: SynTPEnh.exe:3788 QueryValue HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\* NOT FOUND
648965: SynTPEnh.exe:3788 CloseKey HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN SUCCESS
701629: rrservice.exe:2896 OpenKey HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN SUCCESS Access: 0x1
701631: rrservice.exe:2896 QueryValue HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\rrservice.exe NOT FOUND
701633: rrservice.exe:2896 QueryValue HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\* NOT FOUND
701635: rrservice.exe:2896 CloseKey HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN SUCCESS
This is as much as I can find. Sorry if it doesn't give much help, but if I left the computer to load completely, the data could have been too much.
I have quite a number of programs, and so I can't really give much help with the RegMon log gathering too much data.
Although it's pretty much the same with the other log I received, it showed the entire log of what's happening during and just after Windows boot (it's about 290MB!!!).
Nothing found in relation to the problem. The closest one I've noticed is "explorer.exe", but no "iexplorer.exe"
I'll check with the Microsoft support regarding the problem.
Below is a part of the log which I'd noted that have changed the registry.
934347: ASMonitor.exe:3164 CreateKey HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN SUCCESS Access: 0x20006
934348: ASMonitor.exe:3164 SetValue HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe SUCCESS 0x0
934349: ASMonitor.exe:3164 CloseKey HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN SUCCESS
Culprit: ASMonitor.exe (AOL Security Monitor)
I'll uninstall the program and see if the problem is fixed.
After uninstalling Active Security Monitor (sorry, I made a mistake. It's not AOL, it's Active) and rebooting my computer (which I did a while ago), the problem did not occur again.
So, for those who have the problem whereby the option "Allow active content to run in files in My Computer" (in IE > Internet Options... > Advanced tab > Security) is checked each time you boot, check if you have Active Security Monitor installed.
Thanks, Spybot Team, for the help.
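The thread was resolved by eyeballing a multi-hundred-megabyte Regmon log for the one process that wrote to the Internet Explorer Feature Control key rather than merely reading it. The following is an added example, not code from the thread, the Spybot team or Sysinternals, that automates that triage: it parses Regmon's tab-delimited output, ignores the benign OpenKey/QueryValue/CloseKey reads that every process generates, and reports only successful writes (SetValue, CreateKey, DeleteValue, DeleteKey) under `Internet Explorer\Main\FeatureControl`. For Feature Control keys the value name is the image name of the affected process and a DWORD of 1 enables the feature for it while 0 disables it, so the `SetValue ... \iexplore.exe SUCCESS 0x0` entry from ASMonitor.exe is read as "disables Local Machine Zone Lockdown for iexplore.exe". The sample log below is constructed from the entries quoted in the thread with the tabs that the forum copy lost; field layout, the regular expression and the function names are this example's own assumptions.

```python
"""Triage Regmon-style log lines for writes to IE Feature Control keys.

Added example; parses the tab-delimited format described in Regmon's help
(sequence, process:pid, request, path, result, other) and flags only
successful write operations under Internet Explorer\\Main\\FeatureControl.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: the thread's own entries, re-joined with tab separators.
_FC = "\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_LOCALMACHINE_LOCKDOWN"
SAMPLE_LOG = "\n".join([
    "572332\texplorer.exe:1280\tOpenKey\tHKLM" + _FC + "\tSUCCESS\tAccess: 0x1",
    "572333\texplorer.exe:1280\tQueryValue\tHKLM" + _FC + "\\Explorer.EXE\tSUCCESS\t0x1",
    "572334\texplorer.exe:1280\tCloseKey\tHKLM" + _FC + "\tSUCCESS\t",
    "934347\tASMonitor.exe:3164\tCreateKey\tHKCU" + _FC + "\tSUCCESS\tAccess: 0x20006",
    "934348\tASMonitor.exe:3164\tSetValue\tHKCU" + _FC + "\\iexplore.exe\tSUCCESS\t0x0",
    "934349\tASMonitor.exe:3164\tCloseKey\tHKCU" + _FC + "\tSUCCESS\t",
    "not a log line",  # malformed input is skipped, not fatal
])

# Requests that change the registry; everything else is a read or bookkeeping.
WRITE_REQUESTS = {"SetValue", "CreateKey", "DeleteValue", "DeleteKey"}

# Matches ...\FeatureControl\FEATURE_X or ...\FeatureControl\FEATURE_X\<value name>.
FEATURE_CONTROL = re.compile(
    r"\\Internet Explorer\\Main\\FeatureControl\\(FEATURE_[A-Za-z0-9_]+)(?:\\([^\\]+))?$",
    re.IGNORECASE,
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one Regmon record into named fields; None if it is not a record."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) < 5:
        return None
    seq, proc, request, path, result = parts[:5]
    other = parts[5] if len(parts) > 5 else ""
    image, _, pid = proc.rpartition(":")  # "ASMonitor.exe:3164" -> image, pid
    return {"seq": seq, "process": image, "pid": pid, "request": request,
            "path": path, "result": result, "other": other}


def find_feature_control_writes(log_text: str) -> List[Dict[str, str]]:
    """Return successful writes under IE Feature Control keys, in log order."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["request"] not in WRITE_REQUESTS:
            continue
        if rec["result"] != "SUCCESS":
            continue  # a denied write did not change anything
        m = FEATURE_CONTROL.search(rec["path"])
        if not m:
            continue
        rec["hive"] = rec["path"].split("\\", 1)[0]        # HKCU or HKLM
        rec["feature"] = m.group(1)
        rec["value_name"] = m.group(2) or ""               # image name the value applies to
        rec["data"] = rec["other"] if rec["request"] == "SetValue" else ""
        findings.append(rec)
    return findings


def describe(f: Dict[str, str]) -> str:
    """One-line analyst summary of a finding (1 enables, 0 disables the feature)."""
    who = f"{f['process']} (pid {f['pid']})"
    if f["request"] == "SetValue" and f["value_name"]:
        state = "disables" if f["data"].strip().lower() in ("0", "0x0") else "enables"
        return f"{who} {state} {f['feature']} for {f['value_name']} in {f['hive']}"
    return f"{who} {f['request']} on {f['hive']} {f['feature']}"


if __name__ == "__main__":
    for finding in find_feature_control_writes(SAMPLE_LOG):
        print(finding["seq"], describe(finding))
```

Run against the real REGMON.LOG it narrows a 290 MB trace to the handful of processes that actually set policy; in the thread's trace explorer.exe queries HKCU before HKLM, which is why the per-user value written by ASMonitor.exe was enough to flip the "Allow active content to run in files on My Computer" setting on every boot. Any process on the write list that is not your own management tooling is the one to uninstall or reconfigure, and the same filter works for Process Monitor exports saved as tab-separated text once the column order is adjusted.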