Tirelessly, the evil "polling" lives inside almost every resident service on your machine, consuming resources and slowing down every small operation. Until now your only option was to wait, version after version, for the developer to correct the inefficient code. This time we take matters into our own hands and, as never before, twist the arm of that inefficient code.
The term "polling" refers to the incessant activity that some applications carry out while they are resident in memory. In older, pre-Windows 2000 operating systems it was often necessary: the developer had very few tools for monitoring system activity, and to know, for example, when a file, a log or some other resource had been updated, the only option was to query it constantly.
Today it is possible, even in a very simple way, to add "hooks" that notify us of changes to a resource without creating that unproductive monitoring. An example is the FileSystemWatcher component in Visual Studio, which lets us hook the NTFS file system so that an event is triggered according to the files or directories we are watching, without adding any constant checking activity.
My aim in this article is to show how, using techniques already covered in previous documents, to "clean" our system and even bring Windows to a true state of rest.
Windows Vista has the peculiarity of running an enormous number of services constantly, and in that case it would be more complicated to tell which events are really disposable and which are not, which would make the task a little harder.
The whole document is carried out on a machine running Windows XP, although the solution is also valid for Vista, with small exceptions.
Before taking the system apart
Polling is present in thousands of programs and services, on disk, in the registry and on the network, so it would be simply impossible to give a universal solution. This document therefore focuses only on removing registry polling on my laptop, which runs Windows XP Home with several years' worth of applications but is, overall, fairly clean.
First we need the inevitable Regmon or, failing that, its elder brother Process Monitor (although, honestly, the former is sufficient for this article). Let's look at the queries made to the registry on my computer at rest:
Roughly every second a series of registry queries is made, originating from two applications. Our goal, then, is to achieve the "near-absolute rest" of the system by eliminating those queries.
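Where the text reads the Regmon output by eye, the following added script (not from the original article) does the same triage over a Process Monitor CSV export: it groups registry operations by process and path and flags those repeated at one or more queries per second, so the two offenders stand out from one-off lookups. The sample capture, PIDs and the subkey paths in it are constructed placeholders.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in Process Monitor's "Save as CSV" layout; the subkey
# names under KasperskyLab and the VMware path are placeholders, not real keys.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result"
"10:00:00.1","winlogon.exe","612","RegQueryValue","HKLM\SOFTWARE\KasperskyLab\EXAMPLE","SUCCESS"
"10:00:00.2","winlogon.exe","612","RegQueryValue","HKLM\SOFTWARE\KasperskyLab\EXAMPLE","SUCCESS"
"10:00:00.4","winlogon.exe","612","RegQueryValue","HKLM\SOFTWARE\KasperskyLab\EXAMPLE","SUCCESS"
"10:00:00.6","winlogon.exe","612","RegQueryValue","HKLM\SOFTWARE\KasperskyLab\EXAMPLE","SUCCESS"
"10:00:00.8","winlogon.exe","612","RegQueryValue","HKLM\SOFTWARE\KasperskyLab\EXAMPLE","SUCCESS"
"10:00:00.9","winlogon.exe","612","RegQueryValue","HKLM\SOFTWARE\KasperskyLab\EXAMPLE","SUCCESS"
"10:00:00.5","vmware-authd.exe","1480","RegQueryValue","HKLM\SOFTWARE\EXAMPLE\Disable performance counters","NAME NOT FOUND"
"10:00:01.5","vmware-authd.exe","1480","RegQueryValue","HKLM\SOFTWARE\EXAMPLE\Disable performance counters","NAME NOT FOUND"
"10:00:02.5","vmware-authd.exe","1480","RegQueryValue","HKLM\SOFTWARE\EXAMPLE\Disable performance counters","NAME NOT FOUND"
"10:00:01.0","explorer.exe","1200","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced","SUCCESS"
'''

def _seconds(time_of_day):
    """Turn Procmon's 'HH:MM:SS.fraction [AM|PM]' into seconds since midnight."""
    clock, _, meridian = time_of_day.strip().partition(" ")
    h, m, s = clock.split(":")
    hours = int(h) % 12 if meridian else int(h)
    if meridian.upper() == "PM":
        hours += 12
    return hours * 3600 + int(m) * 60 + float(s)

def find_registry_polling(csv_text, min_count=3, min_rate=1.0):
    """List (process, path, count, rate/s, results) for registry operations
    repeated on one path at >= min_rate per second.  The span is floored at
    one second so a short burst is scored by its count, not an inflated rate."""
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"].startswith("Reg"):  # ignore file/network events
            key = (row["Process Name"], row["Path"])
            groups[key].append((_seconds(row["Time of Day"]), row["Result"]))
    findings = []
    for (process, path), events in groups.items():
        times = sorted(t for t, _ in events)
        rate = len(events) / max(times[-1] - times[0], 1.0)
        if len(events) >= min_count and rate >= min_rate:
            results = sorted({r for _, r in events})
            findings.append((process, path, len(events), round(rate, 2), results))
    return sorted(findings, key=lambda f: f[2], reverse=True)

if __name__ == "__main__":
    for proc, path, n, rate, res in find_registry_polling(SAMPLE_CSV):
        print(f"{proc:18} {n:3d} queries {rate:5.2f}/s {res} {path}")
```

A "NAME NOT FOUND" result on a path queried at a steady rate is exactly the signature discussed later for the licensing service.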
First enemy: "winlogon.exe"
Why is "winlogon.exe" constantly querying a registry key called "KasperskyLab", as we saw above?
I'll reveal the truth: KasperskyLab is a registry key belonging to the antivirus I have installed, KAV, and the reason winlogon refers to that key is something called "Winlogon Notification", which lets developers hang a DLL library off the process that controls functions such as the CTRL-based logon protection, locking the session from the screen saver and other base functions of the machine.
The version of KAV used here is 6, Kaspersky Antivirus 6.0, available as a trial version.
However, after trying version 7 of the same product, I found that, although it does not produce this problem, it generates another polling problem (apparently not right at installation time), in this case on disk:
If you look closely, it is constantly checking for a file or directory that does not exist. In this case many times per second, worse than the Winlogon problem, generating the classic "phantom" disk activity that tends to be quite annoying.
I reported this problem to the developer last week (clearly without any response as of the time of publishing this document).
So winlogon offers a few events that trigger certain actions; we can therefore look for the antivirus entry that hooks in the library responsible for this registry polling:
As can be seen in the image, in this case the library is klogon.dll and, if you notice, when winlogon says "hey, klogon, I'm going to log on" (Logon), klogon runs "WLEventStop". In the same way, when winlogon says "psst, klogon, now I'm going to log off" (Logoff), klogon runs "WLEventStart" (klogon's function is coded as a kind of stop).
But, you will say, what's strange is: why does logging on (loading the user environment) "stop" something, and closing the session start something?
Well, because we want it to work outside the session! Indeed, Kaspersky Anti-Virus has an option to show a "logo" on the login screen:
Let's recap: klogon, hung off Winlogon, spends all day checking a registry key that defines whether or not an antivirus logo is shown in a corner of the login window. All day long, every second, it reads that same key six times for a purely cosmetic function! Isn't that much incompetence hard to believe? But so it is: the developers of one of the best antivirus products with a solution of this kind. Unfortunate.
OK, OK, fine, the developers of KAV are clumsy, Mr. Einstein. How would you have solved it?
That is not what I meant to say; it was just to highlight the incompetence that exists in small but important details, even when we don't see what is "under the hood", and what is visible shows us an excess waste of resources that leads us to question the situation.
The clean solution would have been for klogon itself to query the key only when it was necessary to load the logo, and not constantly, i.e. once winlogon notifies that the session is closing, check the registry once.
How to solve this problem on your computer: simple, by removing the notification from winlogon. Here you can choose between showing the KAV logo on the login screen or wasting 518400 registry queries per day, at the clear expense of your computer's response time. Autoruns simplifies the task, but it could also have been done manually, removing the "klogon" key from the registry (from the very key that Autoruns indicates):
At this point, reboot and see the changes on our machine at "rest":
Final enemy: "vmware-authd.exe"
As we saw above, this process is constantly querying a key called "Disable performance counters". But why does it do this?
The file in question is a licensing service for VMware Workstation, a well-known virtualization program (virtual machines). The Windows operating system keeps track of counters of the events that occur and, in general, this is very valuable information for system administrators. In fact, Windows Vista analyses the information from these counters and helps us diagnose system problems without knowing much of the background:
The detail in all this is that the doubt remains: why is this service constantly querying a key when it could simply hook an event and save us thousands of registry accesses?
There are several solutions to this "problem". The first is simply to terminate the process (though clearly it will come back when the computer restarts). The second is to set the service startup to "on demand", i.e. manual mode:
The problem with the second solution is that applications sometimes expect a service they installed earlier to always be responding and, rather than starting it, they raise an error, causing inconvenience for the user. Also, even if the service is started on demand, the problem of unnecessary queries would persist until the computer is shut down.
In this case, those solutions are no challenge; editing the service's executable to correct it and eliminate those queries at the root, however, is.
A look under the hood of the service
Fixes for the problems listed below cannot be published in the form of a modified file or installer, since that would violate the license agreement of the products affected by the changes. My aim, however, is to show the ways in which they could be repaired, as general computing knowledge.
Open OllyDbg and attach it to the process of the service in question:
We are looking for the constant registry queries, so we simply use the search for references to text strings:
An interesting detail is that the system's response is that the queried key was not found:
Experimenting, we could create the key:
Only to find that, no matter what is there, this service never ceases its pointless questions:
…Now it isn't there, now it is!
Since after a while playing with OllyDbg I couldn't find a simple solution, I started debugging the process with the Visual Studio debugger, which in fact worked much better for this task.
Now it was easy to quickly find the call that triggered all the registry queries, which fortunately had a conditional jump on it:
Given how little the registry value matters (as checked above), the most trivial fix was to change the conditional jump into an unconditional one:
Stop the service, save the small change and start it again, only to check with satisfaction that the machine is now completely at rest and, consequently, the polling has been successfully defeated. Unfortunately, the villain escapes, weakened but still alive, strengthened with every new release of any poorly programmed application, ready to slow down our machine again.
In short, the second part of the solution is to modify one byte of the executable, as shown below:
A little logic is all it takes, and small problems have been corrected satisfactorily. The invitation remains open for you to review your machine, look for these holes through which your performance leaks away, and remove them.
Don't use KAV as an antivirus, or at least wait for the company to produce a fully refined product. For now I'm trying BitDefender 2008 and I can see how poorly optimized Kaspersky's product was (even though I tend to disable all the annoying extra functions and contextual options, leaving only the real-time file monitor).
As an anecdote, the small positive is the Wikipedia article I wrote in conjunction with this document, because it did not exist in our language.