Re: After Windows Update Laptop Keeps Accessing Disk and Fan Kicks
Right, I have tried out something else to try and pinpoint the disk access a
bit more precisely. I started with diskmon and that shows 6-8 blocks of 8
bytes being written to the disk every second or so, but doesn't give a process
ID. So I then tried the latest procmon.exe and this shows something very odd.
The AGRSMMSG.EXE process is accessing the registry a LOT. Now I don't know
whether this is normal or not, but looks odd to me. Then mixed up in these
are registry access by LMS.EXE, SERVICES.EXE and blocks of LSASS.EXE now and
then. This is all without me doing anything and all my apps and background
utilities closed. I have included a few lines from the log at the bottom.
This looks a little suspicious, like something is polling away in the
background unnecessarily.
Tony
29575 10:30:09.0441381 services.exe 1748 RegOpenKey HKLM\System\CurrentControlSet\Control\DeviceClasses\{e2d1ff34-3458-49a9-88da-8e6915ce9be5} SUCCESS Desired Access: All Access
29576 10:30:09.0441777 services.exe 1748 RegCloseKey HKLM\System\CurrentControlSet\Control\DeviceClasses SUCCESS
29577 10:30:09.0442035 services.exe 1748 RegQueryValue HKLM\System\CurrentControlSet\Control\DeviceClasses\{e2d1ff34-3458-49a9-88da-8e6915ce9be5}\Default NAME NOT FOUND Length: 44
29578 10:30:09.0442199 services.exe 1748 RegEnumKey HKLM\System\CurrentControlSet\Control\DeviceClasses\{e2d1ff34-3458-49a9-88da-8e6915ce9be5} NO MORE ENTRIES Index: 0, Length: 512
29579 10:30:09.0442370 services.exe 1748 RegCloseKey HKLM\System\CurrentControlSet\Control\DeviceClasses\{e2d1ff34-3458-49a9-88da-8e6915ce9be5} SUCCESS
29580 10:30:09.0443479 LMS.exe 652 RegOpenKey HKLM\System\CurrentControlSet\Control\DeviceClasses\{E2D1FF34-3458-49A9-88DA-8E6915CE9BE5} SUCCESS Desired Access: Read
29581 10:30:09.0444054 LMS.exe 652 RegCloseKey HKLM\System\CurrentControlSet\Control\DeviceClasses\{e2d1ff34-3458-49a9-88da-8e6915ce9be5} SUCCESS
29582 10:30:09.0444303 LMS.exe 652 RegCloseKey HKLM\System\CurrentControlSet\Control\DeviceClasses SUCCESS
29583 10:30:09.1219189 AGRSMMSG.exe 2052 RegOpenKey HKLM\SOFTWARE\Agere\SoftModem SUCCESS Desired Access: Query Value, Set Value
29584 10:30:09.1220460 AGRSMMSG.exe 2052 RegQueryValue HKLM\SOFTWARE\Agere\SoftModem\MsgStopRequest NAME NOT FOUND Length: 144
29585 10:30:09.1220684 AGRSMMSG.exe 2052 RegCloseKey HKLM\SOFTWARE\Agere\SoftModem SUCCESS
29586 10:30:09.1220857 AGRSMMSG.exe 2052 RegOpenKey HKLM\SOFTWARE\Agere\SoftModem SUCCESS Desired Access: Query Value
29587 10:30:09.1221256 AGRSMMSG.exe 2052 RegQueryValue HKLM\SOFTWARE\Agere\SoftModem\ActiveModems SUCCESS Type: REG_BINARY, Length: 4, Data: 00 00 00 00
29588 10:30:09.1221472 AGRSMMSG.exe 2052 RegCloseKey HKLM\SOFTWARE\Agere\SoftModem SUCCESS
29589 10:30:09.2312781 AGRSMMSG.exe 2052 RegOpenKey HKLM\SOFTWARE\Agere\SoftModem SUCCESS Desired Access: Query Value, Set Value
Note the AGRSMMSG.EXE entries are repeated over and over, sometimes ten
times (within a second) to every block of LMS and SERVICES entries.
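
One way to put a number on the repetition described in the post is to count how often each process reopens the same registry key and how far apart the opens are. This is an added example, not part of the original post; it assumes the whitespace-separated column layout pasted above and registry paths without spaces, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the column layout pasted in the post:
# sequence, time of day, process, PID, operation, path, result and detail.
SAMPLE = r"""
1 10:30:09.044 services.exe 1748 RegOpenKey HKLM\System\CurrentControlSet\Control\DeviceClasses SUCCESS Desired Access: All Access
2 10:30:09.045 LMS.exe 652 RegOpenKey HKLM\SYSTEM\CurrentControlSet\Control\DeviceClasses SUCCESS Desired Access: Read
3 10:30:09.121 AGRSMMSG.exe 2052 RegOpenKey HKLM\SOFTWARE\Agere\SoftModem SUCCESS Desired Access: Query Value, Set Value
4 10:30:09.122 AGRSMMSG.exe 2052 RegQueryValue HKLM\SOFTWARE\Agere\SoftModem\MsgStopRequest NAME NOT FOUND Length: 144
5 10:30:09.123 AGRSMMSG.exe 2052 RegCloseKey HKLM\SOFTWARE\Agere\SoftModem SUCCESS
6 10:30:09.231 AGRSMMSG.exe 2052 RegOpenKey HKLM\Software\Agere\SoftModem SUCCESS Desired Access: Query Value
7 10:30:09.341 AGRSMMSG.exe 2052 RegOpenKey HKLM\SOFTWARE\Agere\SoftModem SUCCESS Desired Access: Query Value, Set Value
"""

LINE = re.compile(
    r"^\d+\s+(\d+):(\d+):(\d+\.\d+)\s+(\S+)\s+(\d+)\s+(Reg\w+)\s+(\S+)")


def repeated_opens(log_text, min_opens=3):
    """Return (process, pid, key, opens, mean_gap_s) per key a process reopens."""
    opens = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m or m.group(6) != "RegOpenKey":
            continue  # wrapped continuation lines and other operations are skipped
        h, mi, s, proc, pid, _, path = m.groups()
        stamp = int(h) * 3600 + int(mi) * 60 + float(s)
        # Registry paths are case-insensitive, so fold case before grouping.
        opens[(proc.lower(), int(pid), path.lower())].append(stamp)
    rows = []
    for (proc, pid, key), stamps in opens.items():
        n = len(stamps)
        if n >= min_opens:
            # Mean gap between successive opens; a single open has no gap.
            gap = (max(stamps) - min(stamps)) / (n - 1) if n > 1 else 0.0
            rows.append((proc, pid, key, n, round(gap, 3)))
    return sorted(rows, key=lambda r: -r[3])


if __name__ == "__main__":
    for row in repeated_opens(SAMPLE):
        print("%s pid=%d key=%s opens=%d mean_gap=%.3fs" % row)
```

A key that one process reopens several times a second with a steady gap is a polling loop; run over a longer capture, the same tally shows whether the rate changes when the modem helper is stopped.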