Explorer’s Registry Polling

A couple of posts ago I talked about the negative effects of polling the Registry and file system from an application. A developer on the MSN Desktop Search responded to the MSN Desktop Search polling example I presented by saying that they are fixing the problem and thanking me for reporting it. In hopes that someone from the Explorer team is out their listening I’m reporting on the Registry polling that I see Explorer performing on my system.

When I run Regmon I see Explorer query a set of subkeys under HKLM\System\CurrentControlSet\Services\Tcpip\Parameters twice per second:



The values include names like EnableDHCP, DhcpServer, and LeaseObtainedTime so Explorer is obviously interested in one of my adapter’s DHCP settings.

Why does Explorer care about DHCP settings? To answer this question I did the same thing I did when I investigated the MSN Desktop Search polling: I opened Windbg (from Microsoft’s Debugging Tools for Windows), attached to Explorer, and set a breakpoint on ZwQueryValueKey. ZwQueryValueKey is native API that the Windows Registry-value query-APIs use underneath. Looking at the stack of the thread that almost immediately hit the breakpoint revealed that Explorer isn’t directly querying:



Rather, Stobject.Dll, which describes itself as the “Systray shell service object” is executing a thread that executes CNetStatisticsCentral::RefreshStatistics in Netshell.Dll (the Network Connections Shell library) when a timer fires. The refresh function calls into HrGetDHCPAddressType, which calls GetAdapterInfoEx in Iphlpapi.Dll (the IP Helper API library). The GetAdapterInfoEx API, which incidentally is undocumented (much of the IP Helper API, including GetAdapterInfo, is documented in the Platform SDK) pulls parts of its information from the configured adapter information stored in the TCP/IP registry key, which results in the Registry queries.

The next question I had is, what in the system tray is related to adapter statistics? The answer was blinking at me right in the face in the form of the tray icon representing the network connection. The icon updates to show incoming and outgoing networking activity and the combination of the Registry trace and stack dump indicates that it relies on polling to get the information.

Is there a way to get adapter statistics without involving Registry polling? I suspect there is, but without seeing the source code I can’t say for sure. The work around is to uncheck the “Show icon in notification area when connected” check box in the properties dialog of the network adapter.

Anyone from Explorer out there?
Originally by Mark Russinovich on 4/4/2005 1:49:00 PM
Migrated from original Sysinternals.com/Blog

---

# re: Explorer’s Registry Polling

As you noted, Explorer is the victim here. The component doing the polling is the guy that manages the network connections icon.

4/4/2005 4:33:00 PM by Raymond Chen

---

# re: Explorer’s Registry Polling

Thanks Mark,....

I had been wondering about the same thing....

Hari

4/4/2005 10:29:00 PM by Anonymous

---

# re: Explorer’s Registry Polling

The Explorer activity can be seen even easily. Enable "Page Fault Delta" in Task Manager or Process Explorer. Explorer have average 1 page fault per second in no-user-activity state.

4/5/2005 2:19:00 AM by mihailik

---

# re: Explorer’s Registry Polling

Nice one....

I just love this public debugging of MS code!!


Asher

4/5/2005 6:01:00 AM by Anonymous

---

# re: Explorer’s Registry Polling

Thanks for revealing this. The continuos registry polling has always puzzled me, during time I've seen a similar behaviour sported by many applications. Running regmon now I can see actively polling:
Windows Messenger
The dell "wireless" icon tray
In the past I remember also the ATI tray icon applet doing this.

4/5/2005 7:30:00 AM by camillo

---

# re: Explorer’s Registry Polling

On a Windows 2003 Server, I have this registry key checked 4 times per minute :-(
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ScreenSaverGracePeriod

4/6/2005 6:53:00 AM by Xavier

---

# re: Explorer’s Registry Polling

Hi,
interesting article! But wouldn't i be a nice feature for Regmon or Process Explorer if it would show the dll file (running under the explorer.exe process) which actually accesses the registry.

As you probably know there are dll- viruses and spyware. When these dlls access the registry in the current version one only sees that the explorer.exe did the access.

4/13/2005 3:50:00 AM by Mathias

---

# re: Explorer’s Registry Polling

(I apologize for posting this initially in the wrong article: I clicked the wrong URL.)
Hi, Mark.
The problem with applications polling continuosly the registry is bad and too widespread. For example, many years ago I complained to Faxtalk but they didn't seem to give the issue any importance. It's also one of the reasons I ran away from Symantec products: they are not only resource hogs but they poll too often the registry and the file system (one clear example was Winfax, but most of Symantec products have the same flaw). Maybe you could setup a section of your site to list the bad behaved SW known to your readers.

4/13/2005 11:51:00 PM by Claudio

---

# re: Explorer’s Registry Polling

"Dude, your crazy, dude" (from "Old School"), no seriously I just love how you whip out the debugger and like tell the Microsoft team what's wrong with their code. Respect!

4/20/2005 2:43:00 PM by Anonymous

---

# re: Explorer’s Registry Polling

Yes, great idea! Create a "sin bin" and list the offending software/modules... should help to get companies to clean up their act! :)

4/25/2005 9:56:00 AM by Marcus Tucker

---

# re: Explorer’s Registry Polling

Something todo with TCP/IP network status checking?

9/10/2005 4:31:00 PM by tweakradje

---

# re: Explorer’s Registry Polling

great post!

Did the "sin bin" get created? If yes can someone send me the link?
I'd like to share it with by friends...

1/17/2006 10:57:00 PM by Usman