LnS always accessing the hard disk

Discussion in 'LnS English Forum' started by friedclams, Feb 12, 2003.

Thread Status:
Not open for further replies.
  1. friedclams

    friedclams Registered Member

    Joined:
    Jan 25, 2003
    Posts:
    17
    I've been trying to track down reasons why my laptop's battery runs down so fast and have discovered that my LnS v2.03 is regularly accessing the hard disk... whether I'm online or not online (I use dialup)...

    is this normal ??
    can it be stopped/limited ??

    will I get the same problem if/when I upgrade to 2.04??

    thanks,
     
  2. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    Hi,
    I'm on LnS 2.04 and it doesn't happen here (also a notebook/Win98SE).
    Either it's the new release or some configuration issue. What do you have set in your options?
    You could try and use Sysinternals' FileMon to find out what happens (what process accesses what file)...

    HTH,
    Andreas
     
  3. friedclams

    friedclams Registered Member

    Joined:
    Jan 25, 2003
    Posts:
    17
    I'm using Sysinternals' Regmon which is constantly showing LnS .... I should have been more specific, the file access shown by Regmon is from LnS going to the registry all the time, like it's in some sort of loop...
    even when I'm not dialed in to my ISP...
     
  4. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi friedclams,

    Normally Look 'n' Stop should not access the hard disk like you mentioned.

    Perhaps there is another process that is continuously trying to connect to the internet, and in this case Look 'n' Stop will detect it and will verify the exe signature. Doing that, Look 'n' Stop will effectively be accessing the hard drive all the time.

    If it is the registry, it is stranger.
    Do you have the registry keys involved ?

    What is your OS ?

    Thanks,

    Frederic.
     
  5. friedclams

    friedclams Registered Member

    Joined:
    Jan 25, 2003
    Posts:
    17
    Frederic:
    Thanks 4 your reply... the following represents the Sysinternals Regmon output when I'm NOT connected to my ISP via dialup... that is, my Win98SE system is in IDLE, not connected, no browser running.... the output shown LOOPS over and over and over.....

    hope you get some clues from this..... thks, Rich


    106   Looknsto   OpenKey   HKLM\SYSTEM\CurrentControlSet\Control\ServiceProvider\ServiceTypes   SUCCESS   hKey: 0xC29B37F0   
    107   Looknsto   EnumKey   HKLM\SYSTEM\CurrentControlSet\Control\ServiceProvider\ServiceTypes   SUCCESS   pcANYWHERE Host Service Class   
    108   Looknsto   OpenKey   HKLM\SYSTEM\CurrentControlSet\Control\ServiceProvider\ServiceTypes   SUCCESS   hKey: 0xC29B37F0   
    109   Looknsto   OpenKey   HKLM\SYSTEM\CurrentControlSet\Control\ServiceProvider\ServiceTypes\pcANYWHERE Host Service Class   SUCCESS   hKey: 0xC29B2A30   
    110   Looknsto   CloseKey   HKLM\SYSTEM\CurrentControlSet\Control\ServiceProvider\ServiceTypes   SUCCESS      
    111   Looknsto   QueryValueEx   HKLM\SYSTEM\CurrentControlSet\Control\ServiceProvider\ServiceTypes\pcANYWHERE Host Service Class\GUID   SUCCESS   "{000915ff-0000-0000-c000-000000000046}"   
    112   Looknsto   CloseKey   HKLM\SYSTEM\CurrentControlSet\Control\ServiceProvider\ServiceTypes\pcANYWHERE Host Service Class   SUCCESS      
    113   Looknsto   EnumKey   0xC29B37F0   NOMORE      
    114   Looknsto   CloseKey   0xC29B37F0   SUCCESS      
    115   Looknsto   OpenKey   HKLM\SYSTEM\CurrentControlSet\Control\ServiceProvider\ServiceTypes   SUCCESS   hKey: 0xC29B37F0   
    116   Looknsto   EnumKey   HKLM\SYSTEM\CurrentControlSet\Control\ServiceProvider\ServiceTypes   SUCCESS   pcANYWHERE Host Service Class   
    117   Looknsto   OpenKey   HKLM\SYSTEM\CurrentControlSet\Control\ServiceProvider\ServiceTypes   SUCCESS   hKey: 0xC29B37F0   
    118   Looknsto   OpenKey   HKLM\SYSTEM\CurrentControlSet\Control\ServiceProvider\ServiceTypes\pcANYWHERE Host Service Class   SUCCESS   hKey: 0xC29B2A30   
    119   Looknsto   CloseKey   HKLM\SYSTEM\CurrentControlSet\Control\ServiceProvider\ServiceTypes   SUCCESS      
    120   Looknsto   QueryValueEx   HKLM\SYSTEM\CurrentControlSet\Control\ServiceProvider\ServiceTypes\pcANYWHERE Host Service Class\GUID   SUCCESS   "{000915ff-0000-0000-c000-000000000046}"   
    121   Looknsto   CloseKey   HKLM\SYSTEM\CurrentControlSet\Control\ServiceProvider\ServiceTypes\pcANYWHERE Host Service Class   SUCCESS      
    122   Looknsto   EnumKey   0xC29B37F0   NOMORE      
    123   Looknsto   CloseKey   0xC29B37F0   SUCCESS      
    124   Looknsto   OpenKey   HKLM\System\CurrentControlSet\Services\VxD\MSTCP   SUCCESS   hKey: 0xC29B37F0   
    125   Looknsto   QueryValueEx   HKLM\System\CurrentControlSet\Services\VxD\MSTCP\HostName   NOTFOUND      
    126   Looknsto   CloseKey   HKLM\System\CurrentControlSet\Services\VxD\MSTCP   SUCCESS      
    127   Looknsto   OpenKey   HKLM\System\CurrentControlSet\Control\ComputerName\ComputerName   SUCCESS   hKey: 0xC29B37F0   
    128   Looknsto   QueryValueEx   HKLM\System\CurrentControlSet\Control\ComputerName\ComputerName\ComputerName   SUCCESS   "TP600"   
    129   Looknsto   CloseKey   HKLM\System\CurrentControlSet\Control\ComputerName\ComputerName   SUCCESS      
    130   Looknsto   OpenKey   HKLM\System\CurrentControlSet\Services\VxD\MSTCP   SUCCESS   hKey: 0xC29B37F0   
    131   Looknsto   QueryValueEx   HKLM\System\CurrentControlSet\Services\VxD\MSTCP\Domain   NOTFOUND      
    132   Looknsto   CloseKey   HKLM\System\CurrentControlSet\Services\VxD\MSTCP   SUCCESS      
    133   Looknsto   OpenKey   HKLM\System\CurrentControlSet\Control\CommAlias   NOTFOUND      
    134   Looknsto   QueryValueEx   0xC29DC540\PORTNAME   SUCCESS   "LPT1"   
    135   Looknsto   QueryValueEx   0xC29DC540\FRIENDLYNAME   SUCCESS   "Printer Port (LPT1)"   
    136   Looknsto   QueryValueEx   0xC29DB580\PORTNAME   SUCCESS   "COM1"   
    137   Looknsto   QueryValueEx   0xC29DB580\FRIENDLYNAME   SUCCESS   "ThinkPad Data Fax Modem"   
    138   Looknsto   QueryValueEx   0xC29DB410\PORTNAME   NOTFOUND      
    139   Looknsto   QueryValueEx   0xC29DB410\FRIENDLYNAME   SUCCESS   "Parallel cable on LPT1"   
    140   Looknsto   QueryValueEx   0xC29DAE30\PORTNAME   NOTFOUND      
    141   Looknsto   QueryValueEx   0xC29DAE30\FRIENDLYNAME   SUCCESS   "Parallel cable on LPT4"   
    142   Looknsto   QueryValueEx   0xC29DADE0\PORTNAME   SUCCESS   "COM5"   
    143   Looknsto   QueryValueEx   0xC29DADE0\FRIENDLYNAME   SUCCESS   "Virtual Infrared COM Port"   
    144   Looknsto   QueryValueEx   0xC29DAB90\PORTNAME   SUCCESS   "LPT4"   
    145   Looknsto   QueryValueEx   0xC29DAB90\FRIENDLYNAME   SUCCESS   "Virtual Infrared LPT Port"   
    146   Looknsto   QueryValueEx   0xC29DAA30\PORTNAME   SUCCESS   "COM2"   
    147   Looknsto   QueryValueEx   0xC29DAA30\FRIENDLYNAME   SUCCESS   "Megahertz Telephony XJ-CC5560 Modem"   
    148   Looknsto   QueryValueEx   0xC29DD030\VDHCP   NOTFOUND      
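
Added example, not part of the original post or of Look 'n' Stop: a small Python parser for a Regmon-style trace like the one above that confirms a polling loop by finding the shortest repeating sequence of requests and ranking the most-touched keys. The sample rows are constructed in the same column layout, and the function names are illustrative.

```python
import re
from collections import Counter

# Constructed sample in the trace's column layout (seq, process, request,
# path, result, other): one four-step poll repeated, with changing handles.
SAMPLE = r"""
1   Looknsto   OpenKey   HKLM\System\CurrentControlSet\Services\VxD\MSTCP   SUCCESS   hKey: 0xC29B37F0
2   Looknsto   QueryValueEx   HKLM\System\CurrentControlSet\Services\VxD\MSTCP\HostName   NOTFOUND
3   Looknsto   CloseKey   HKLM\System\CurrentControlSet\Services\VxD\MSTCP   SUCCESS
4   Looknsto   EnumKey   0xC29B37F0   NOMORE
5   Looknsto   OpenKey   HKLM\System\CurrentControlSet\Services\VxD\MSTCP   SUCCESS   hKey: 0xC29B2A30
6   Looknsto   QueryValueEx   HKLM\System\CurrentControlSet\Services\VxD\MSTCP\HostName   NOTFOUND
7   Looknsto   CloseKey   HKLM\System\CurrentControlSet\Services\VxD\MSTCP   SUCCESS
8   Looknsto   EnumKey   0xC29B2A30   NOMORE
9   Looknsto   OpenKey   HKLM\System\CurrentControlSet\Services\VxD\MSTCP   SUCCESS   hKey: 0xC29B37F0
"""

HANDLE = re.compile(r"^0x[0-9A-Fa-f]+")

def parse_regmon(text):
    """Return (process, request, path, result) per row, ignoring seq/other."""
    events = []
    for line in text.splitlines():
        # Columns are tab- or multi-space separated; key names may hold
        # single spaces, so never split on one space.
        cols = re.split(r"\t+| {2,}", line.strip())
        if len(cols) < 5 or not cols[0].isdigit():
            continue  # skip blank lines and anything that is not a trace row
        proc, request, path, result = cols[1:5]
        # Raw handle values differ between iterations; normalise them so
        # otherwise identical iterations compare equal.
        events.append((proc, request, HANDLE.sub("<handle>", path), result))
    return events

def find_cycle(events):
    """Smallest period p with events[i] == events[i + p] throughout, or None."""
    n = len(events)
    for p in range(1, n // 2 + 1):
        if all(events[i] == events[i + p] for i in range(n - p)):
            return p, n // p  # (rows per iteration, complete iterations seen)
    return None

def hot_keys(events, top=3):
    """Most frequently touched (process, path) pairs."""
    return Counter((proc, path) for proc, _, path, _ in events).most_common(top)

if __name__ == "__main__":
    ev = parse_regmon(SAMPLE)
    print("cycle:", find_cycle(ev))
    for (proc, path), count in hot_keys(ev):
        print(f"{count:3d}  {proc}  {path}")
```

A stable short period from a single process, with only read requests, is the signature of a benign poll; a trace with no cycle or with write requests mixed in deserves a closer look.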
     
  6. MickeyTheMan

    MickeyTheMan Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    1,016
    Your pcAnywhere is obviously checking for connection status.
    Check your settings for it.
     
  7. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Look 'n' Stop calls the "gethostbyname" function periodically (to detect an IP change).
    This function seems to read the registry keys you mentioned.

    I will see how it is possible to change this design in a future release.

    Frederic.
     
  8. friedclams

    friedclams Registered Member

    Joined:
    Jan 25, 2003
    Posts:
    17
    Frederic:
    Just 2B clear, pcAnywhere wasn't running when I took the offline regmon snapshot....
    on my system pcAnywhere doesn't normally run unless I manually start it (rarely)...

    so I'll assume your statement means that LooknStop is causing the registry key reads, NOT pcAnywhere:

    "Look 'n' Stop calls the "gethostbyname" function periodically (to detect an IP change).
    This function seems to read the registry keys you mentioned."

    Thanks again 4 your help...
     