Open Discussion → Critical registry changes by RUNPOPFILE.EXE
Please confirm that POPFile 1.1.3 makes changes to HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\PendingFileRenameOperations?
Agnitum Outpost Firewall Pro 7.5.1 is detecting what it categorises as dangerous activity when RUNPOPFILE.EXE runs for the first time each day.
This is not a problem in itself but your reply would be valuable in achieving a better understanding of a problem in Outpost Firewall.
-
Message #1598
It would be useful to know which file is being renamed:
PendingFileRenameOperations
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager
Description
Stores the names of files to be renamed when the system restarts.
This entry consists of pairs of file names. The file specified in the first item of the pair is renamed to match the second item of the pair. The system adds this entry to the registry when a user or program tries to rename a file that is in use. The file names are stored in the value of this entry until the system is restarted and they are renamed.
I don't think 'runpopfile.exe' does anything special for the first run of the day.
brian 12/14/11 16:41:46 -
-
Message #1599
Sorry Brian. I expressed my information request unclearly.
I am asking if runpopfile.exe modifies the following registry entry: -
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\BackupRestore\KeysNotToRestore\Pending Rename Operations
or
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\BackupRestore\KeysNotToRestore\Pending Rename Operations
Current value is: CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
If I am not making sense, that is understandable since I don't understand what this bit of the registry does.
I am trying to get a handle on what is triggering erroneous behaviour of System Guard in Agnitum Outpost Firewall Pro 7.5.1. The log file entry is very economical on detail.
Since Outpost is behaving oddly, my question might be unanswerable.
I am running Windows XP Pro SP3 32-bit.
hake 12/14/11 17:13:50 -
-
Message #1600
'runpopfile.exe' does not write to the registry entry you mentioned ... but that does not mean much because programs are not supposed to write to that value ~ it is used internally by Windows in response to requests from applications.
When an application tries to replace or rename a file that is in use Windows can arrange to make the required changes the next time the system boots (this ensures the files are not being used when the changes are made). The Session Manager (part of Windows) performs this task by reading the registered rename and delete commands from the HKLM\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations value.
This is one of the reasons why Windows Update often requires a reboot after installing an update.
brian 12/14/11 21:41:34
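
To see which files are queued in PendingFileRenameOperations, its raw REG_MULTI_SZ data can be decoded into source/target pairs. The following is an added example, not part of the original posts or of POPFile; the sample paths are constructed, and it assumes the usual MoveFileEx encoding (`\??\` path prefix, `!` on the target for replace-existing, empty target for delete).

```python
from typing import NamedTuple

NT_PREFIX = "\\??\\"  # NT object-manager prefix Windows puts on each stored path


class PendingOp(NamedTuple):
    action: str             # "rename" or "delete"
    source: str
    target: str             # empty string for a delete
    replace_existing: bool  # target was stored with a leading "!"


def strip_nt_prefix(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending_renames(raw: bytes) -> list[PendingOp]:
    """Decode raw REG_MULTI_SZ data (UTF-16LE) into pending file operations."""
    strings = raw.decode("utf-16-le").split("\x00")
    # Drop the split artifact after the last NUL, then the list terminator.
    for _ in range(2):
        if strings and strings[-1] == "":
            strings.pop()
    # A trailing source with no target is treated as a delete.
    if len(strings) % 2:
        strings.append("")
    ops = []
    for src, dst in zip(strings[0::2], strings[1::2]):
        replace = dst.startswith("!")
        dst = strip_nt_prefix(dst[1:] if replace else dst)
        action = "rename" if dst else "delete"
        ops.append(PendingOp(action, strip_nt_prefix(src), dst, replace))
    return ops


# Constructed sample data: one replace-on-reboot and one delete-on-reboot.
SAMPLE_STRINGS = [
    r"\??\C:\Program Files\Example\app.dll.new",
    r"!\??\C:\Program Files\Example\app.dll",
    r"\??\C:\Windows\Temp\example.tmp",
    "",
]
SAMPLE_RAW = ("\x00".join(SAMPLE_STRINGS) + "\x00\x00").encode("utf-16-le")

if __name__ == "__main__":
    for op in parse_pending_renames(SAMPLE_RAW):
        print(op.action, op.source, "->", op.target or "(deleted at next boot)")
```
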
-
-