
Winsock Providers tab in Autoruns 9.21

Edward
Posted: 10 June 2008 at 1:36pm
In Autoruns 9.21 the "Autorun Entry" column under the "Winsock Providers" tab shows an ascending sequence of numbers, whereas in Autoruns 9.13 a list of names like "MSAFD Tcpip ..." is shown.

I deleted all the values in the [HKEY_CURRENT_USER\Software\Sysinternals\Autoruns] registry key, then ran 9.13, then deleted the values and ran 9.21, with the same results.

I have attached a zip file with two screenshots showing the difference between the two versions (couldn't get the pics. under 15KB).

Has anyone else noticed this?

Thanks
 
[EDIT by molotov: remove attachment, at Edward's request]



Edited by molotov - 07 July 2008 at 10:58am

molotov
Posted: 10 June 2008 at 8:11pm
Hi Edward,
 
Not sure why, but it appears that 9.13 would process / parse the PackedCatalogItem entry in the [HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\<number>] key such that it could display the path of the DLL as well as the name / details (MSAFD NetBIOS [\Device\NetBT_Tcpip_{1C00D50B-B72E-4227-A70F-72B5979B8996}] DATAGRAM 0, for example).  Autoruns 9.21 does not do all of this parsing / processing, though it does still display the DLL and the description of the DLL from its version resource.
Daily affirmation:
net helpmsg 4006

Edward
Posted: 11 June 2008 at 11:04am
Thanks for the clarity, Molotov.

I want to thank you and Mr. Russinovich and Mr. Cogswell, along with other contributors, for your detailed trouble-shooting over the years on behalf of us users.
The excellent sysinternals tools along with your knowledge are needed and appreciated.

molotov
Posted: 12 June 2008 at 7:07pm
Thanks for the kind words, Edward.

GrofLuigi
Posted: 12 June 2008 at 8:04pm
I noticed this too. While I wouldn't recommend anyone touching these keys, it was nice before when we had at least some idea what was going on. Why the change?

GL

GrofLuigi
Posted: 20 June 2008 at 11:20pm
And in Mark's blog post "The Case of the Random IE and WMP Crashes" the old behavior is shown. It *might* have helped him to troubleshoot 'more correctly'.

GL

molotov
Posted: 22 June 2008 at 11:19am
Hm... Just checked Winsock Providers on Vista with Autoruns 9.21.  It does not display the providers as 0000000000xx - it displays them as 9.13 does on XP...

Karlchen
Posted: 22 June 2008 at 11:52am
Confirmed.
Only the list of Winsock Providers displayed by Autoruns v9.21 will be more complete (longer) than the one displayed by Autoruns v9.13. (True on Vista 32bit)

Karl

molotov
Posted: 22 June 2008 at 3:09pm
If you use Process Monitor to look at the stack of an event referencing [HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001] from Autoruns 9.13 and 9.21, you will see some differences...
9.13:
ntoskrnl.exe KiFastCallEntry + 0xf8 0x804de7ec C:\WINDOWS\system32\ntoskrnl.exe
advapi32.dll RegOpenKeyExA + 0x119 0x77dd76eb C:\WINDOWS\system32\advapi32.dll
ws2_32.dll PROTO_CATALOG_ITEM::InitializeFromRegistry + 0x42 0x71ab78ea C:\WINDOWS\system32\ws2_32.dll
ws2_32.dll DCATALOG::RefreshFromRegistry + 0xff 0x71ab728c C:\WINDOWS\system32\ws2_32.dll
ws2_32.dll DCATALOG::InitializeFromRegistry + 0x25 0x71ab7c17 C:\WINDOWS\system32\ws2_32.dll
ws2_32.dll DPROCESS::Initialize + 0x82 0x71ab7b5b C:\WINDOWS\system32\ws2_32.dll
ws2_32.dll DPROCESS::DProcessClassInitialize + 0x28 0x71ab7aaf C:\WINDOWS\system32\ws2_32.dll
autoruns.exe autoruns.exe + 0x2f2a6 0x42f2a6 C:\913\autoruns.exe
autoruns.exe autoruns.exe + 0x11354 0x411354 C:\913\autoruns.exe
autoruns.exe autoruns.exe + 0x342f5 0x4342f5 C:\913\autoruns.exe
autoruns.exe autoruns.exe + 0x3438e 0x43438e C:\913\autoruns.exe

 
 
9.21:
ntoskrnl.exe KiFastCallEntry + 0xf8 0x804de7ec C:\WINDOWS\system32\ntoskrnl.exe
advapi32.dll RegOpenKeyExA + 0x119 0x77dd76eb C:\WINDOWS\system32\advapi32.dll
autoruns.exe autoruns.exe + 0x32b35 0x432b35 C:\921\autoruns.exe
autoruns.exe autoruns.exe + 0x12fdc 0x412fdc C:\921\autoruns.exe
autoruns.exe autoruns.exe + 0x38caf 0x438caf C:\921\autoruns.exe
autoruns.exe autoruns.exe + 0x38d4b 0x438d4b C:\921\autoruns.exe
kernel32.dll BaseThreadStart + 0x37 0x7c80b683 C:\WINDOWS\system32\kernel32.dll
 
If you look at the imports of Autoruns 9.13 vs 9.21, you will see that it no longer imports from WS2_32.dll.  (9.13 imported WSCDeinstallProvider, WSCEnumProtocols, and WSCGetProviderPath.)  So, it would appear that previously Autoruns was using the Winsock API to get this information.  This seems to have changed with 9.21.  The information presented suggests that the change is intentional; one might consider that though this change may seem to provide less information, the change may be for the better as perhaps there is some limitation that is overcome by reporting the information in this fashion.
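
An added example, not part of the thread and not Autoruns' code: a Python parser for the PackedCatalogItem value discussed above, showing how the DLL path and the protocol name can be recovered from the registry data alone, without the Winsock API. It assumes the commonly documented 888-byte layout (a 260-byte ANSI path buffer followed by a WSAPROTOCOL_INFOW structure); the sample blobs, the GUID, the LSP path and the `needs_review` helper are constructed for illustration.

```python
import struct
import uuid

MAX_PATH = 260                              # ANSI DLL path buffer (assumed layout)
HEAD = struct.Struct("<5I16sIi7I9i2I")      # WSAPROTOCOL_INFOW fields before szProtocol
NAME_BYTES = 256 * 2                        # szProtocol: 256 UTF-16 characters
ITEM_SIZE = MAX_PATH + HEAD.size + NAME_BYTES   # 260 + 116 + 512 = 888 bytes

def parse_packed_catalog_item(blob):
    """Decode one PackedCatalogItem REG_BINARY value into a dict."""
    if len(blob) < ITEM_SIZE:
        raise ValueError(f"need {ITEM_SIZE} bytes, got {len(blob)}")
    f = HEAD.unpack_from(blob, MAX_PATH)
    raw_name = blob[MAX_PATH + HEAD.size:ITEM_SIZE]
    chain_len = f[7]
    return {
        "dll_path": blob[:MAX_PATH].split(b"\0", 1)[0].decode("latin-1"),
        "name": raw_name.decode("utf-16-le", "replace").split("\0", 1)[0],
        "provider_id": str(uuid.UUID(bytes_le=f[5])),
        "catalog_entry_id": f[6],
        # ChainLen: 0 = layered provider, 1 = base provider, >1 = protocol chain
        "kind": {0: "layered", 1: "base"}.get(chain_len, "chain"),
        "chain_entries": list(f[8:8 + max(0, min(chain_len, 7))]),
        "address_family": f[16],
        "socket_type": f[19],
        "protocol": f[20],
    }

def needs_review(item):
    """Non-base entries mean an extra provider DLL is loaded by Winsock clients."""
    return item["kind"] != "base"

def build_sample(path, name, chain_len, entry_id, chain=()):
    """Constructed test blob; the GUID and values are not from a real system."""
    guid = uuid.UUID("11111111-2222-3333-4444-555555555555").bytes_le
    entries = list(chain) + [0] * (7 - len(chain))
    head = HEAD.pack(0, 0, 0, 0, 0, guid, entry_id, chain_len, *entries,
                     2, 2, 16, 16, 1, 6, 0, 0, 0, 0, 0)  # AF_INET, SOCK_STREAM, TCP
    return (path.encode("latin-1").ljust(MAX_PATH, b"\0") + head
            + name.encode("utf-16-le").ljust(NAME_BYTES, b"\0"))

if __name__ == "__main__":
    base = build_sample(r"%SystemRoot%\system32\mswsock.dll",
                        "MSAFD Tcpip [TCP/IP]", 1, 1001)
    lsp = build_sample(r"C:\example\hypothetical_lsp.dll",
                       "Hypothetical LSP over [MSAFD Tcpip [TCP/IP]]", 2, 1010,
                       chain=(1009, 1001))
    for blob in (base, lsp):
        item = parse_packed_catalog_item(blob)
        print(item["catalog_entry_id"], item["kind"], item["dll_path"], item["name"])
```

On a live system the input is the PackedCatalogItem value under each Catalog_Entries\<number> key quoted in the thread; the entries flagged by `needs_review` are the ones to compare against a known-good baseline.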