Solved

Can somebody please explain this registry value

Posted on 2004-09-24
Last Modified: 2013-12-29
Here's an exported .reg file from my Win98se system.

REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Shutdown]
"FastReboot"="0"
"SetupProgramRan"=dword:00000002

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Shutdown\ExclusionList]
"DVP"=""
"NAVEX"=""

I know what the "FastReboot" entry is, but I was wondering if somebody knows precisely how the other values are used by the system.  I don't have any shutdown hangs, so this is a query rather than looking to resolve a problem.

NAVEX seems to relate to my Norton AntiVirus.  I have a bunch of NAVEX32a.VXD, .SYS and .DLL files, and also a lot of NAVEX15. vxd, definition files, sys files, and vxd's, but none named NAVEX.whatever.  I assume it's a generic process name.

I have a sub-key named NAVEX15.EXP in the key:

HKEY_LOCAL_MACHINE\Software\Symantec\Norton Rescue\Basic Rescue\{D3168B01-3A45-11D3-A043-00105ACD6E0E}\{18FE0D44-FDAA-11D8-BC95-853A493F740C}\Items\{D3168938-3A45-11D3-A043-00105ACD6E0E}\  with the (default) StringValue set to "-2", but that is all.

The only file I have named "DVP" is a C source code header file DVP.H, and that's amongst program backups on another drive.  There are no other instances of DVP in my registry.

So, what action do the entries in the key ...\ExclusionList actually have on my system, or are they overridden by the FastReboot=0 value?  Would they have been processes forced to remain open until shutdown?

Also, what is the significance of the DWORD Value named "SetupProgramRan" and why is it set to 2?

I've searched google extensively and, while there are a lot of hits explaining that you can delete the NAVEX value to stop screen hangs at shutdown, none of them have actually explained how it works.  Some Anti Virus and Pest-related sites also tell you to delete "SetProgramRan", but they don't explain why.

I'm full of ideas and guesses, but I need someone who knows for certain about this to explain it or point me to a good url that does.

Thanks
Bill
Question by:BillDL
15 Comments
 
LVL 38

Author Comment

by:BillDL
Because of the lack of response to this question, I have increased the points to 500 in case experts are hesitant to research it for a measly 125 points.  This can easily be increased again if that is the stumbling block.  I would have thought that this was something you either knew or didn't know, which could well be the reason for lack of response  :-)  Surely some of our highly experienced experts must know this one?

LVL 38

Author Comment

by:BillDL
Whoops, I said 500, didn't I, in which case I think that's the max I can give.

LVL 32

Expert Comment

by:_
I've been waiting for an answer also. I don't have a clue, but am interested. Looks like you might have stumped us.    : )

LVL 38

Author Comment

by:BillDL
Oh, don't say that.  Surely nobody on this earth could stump the team at Experts-Exchange  :-)

Maybe Windows programmers might be in a better position to hazard some educated guesses.

Oh, well.  I'll hang in here for a few days and see if anyone is attracted by the "500 point" comment in Community Support.

LVL 2

Expert Comment

by:Sootah
You've got me, I've deleted the NAVDX key a few times, but have never been able to figure out exactly what everything in there does. Google has provided little.

LVL 38

Author Comment

by:BillDL
Thanks for checking in here Sootah.  I'm glad I'm not the only one who has rooted around in that key and tested to see what deleting the key actually does.  Nothing, as far as I can determine, but why is it there?  Strange that google didn't come up with an answer at the time, but I see one that I'm sure didn't show before:

http://www.techadvice.com/w98/S/Shutdown.htm

It appears that, because I have never experienced shutdown issues, this registry entry NAVEX has had no significance.

The DVP entry seems to go hand-in-hand with the various hits, like this German page translated in Google:

http://translate.google.com/translate?hl=en&sl=de&u=http://www.pcwelt.de/forum/archive/index.php/t-129781.html&prev=/search%3Fq%3DHKEY_LOCAL_MACHINE%255CSystem%255CCurrentControlSet%255CControl%255CShutdown%255CExclusionList%2BDVP%26hl%3Den%26lr%3D%26ie%3DUTF-8%26safe%3Doff%26sa%3DG

I love the final feedback message:

"rear most turbo, best one thanks, will try it out equal tomorrow, because I do not have this system momentarily locally, nevertheless, best one thanks already times first, here one am unfortunately helped, can only sagen,,, "continue to make really very fast sooo" ""
genuinly super...;))"

In fact, "turbo" refers to the person who posted the previous comment, it wasn't anything to do with a natural wind problem ;-)

One disturbing hit on Google (while searching the "SetupProgramRan" DWord) relates to spyware (FreeScratchAndWin), and suggests deleting the "Dword" entry.

http://www.doxdesk.com/parasite/FreeScratchAndWin.html

This page indicates that a spyware remover finds the entry, allows removal, but it is then reinstated:

http://www.buriedtruth.com/spysoftware/spynews/spyware-newgroup-archive/spyware-newgroup-archive-p-1123.html

And again a .reg file of changes made when an "Application Launcher" seemingly named "timwin.exe", and "Blitzrechnen 1+2" were installed:

http://www.leu.bw.schule.de/allg/son/tim3/tim3reg.txt
http://www.leu.bw.schule.de/allg/son/blitz12/blitzreg.txt

The installation of Adobe Acrobat viewer appears to have changed the value of "SetupProgramRan" from 1 to 2 in this person's registry:

http://www.multingles.net/docs/mic_ar4.htm

The only thing I can think is that it relates to the last software installed.

Who knows, but I will just wait this out and see if anyone else has any solid knowledge of this.
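As an added illustration (not part of the thread and not code from any poster): the linked pages show values under the Shutdown key changing when software is installed, and one way to see exactly which values a program touches is to export the key before and after and compare the two REGEDIT4 files. The snapshots are constructed from the export in the question, and `parse_reg` and `diff_reg` are hypothetical helper names.

```python
import re

# Constructed "before" snapshot, modelled on the export in the question.
BEFORE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Shutdown]
"FastReboot"="0"
"SetupProgramRan"=dword:00000001

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Shutdown\ExclusionList]
"NAVEX"=""
'''
# Constructed "after" snapshot: same values as the question's export.
AFTER = BEFORE.replace("dword:00000001", "dword:00000002") + '"DVP"=""\n'
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def parse_reg(text):
    """Parse a REGEDIT4 export into {(key, value_name): data}."""
    values, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]            # start of a new key section
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue                    # header, blank or unsupported line
        name, raw = m.groups()
        name = "(Default)" if name == "@" else name[1:-1]
        if raw.startswith("dword:"):
            data = int(raw[6:], 16)     # DWORDs are written as 8 hex digits
        elif raw.startswith('"') and raw.endswith('"'):
            data = re.sub(r'\\(.)', r'\1', raw[1:-1])  # undo \\ and \" escapes
        else:
            data = raw                  # hex: and other types kept as raw text
        values[(key, name)] = data
    return values

def diff_reg(before, after):
    """Return sorted (key, name, old, new) for each added, removed or changed value."""
    b, a = parse_reg(before), parse_reg(after)
    return [(k, n, b.get((k, n)), a.get((k, n)))
            for (k, n) in sorted(set(b) | set(a))
            if b.get((k, n)) != a.get((k, n))]

if __name__ == "__main__":
    for key, name, old, new in diff_reg(BEFORE, AFTER):
        print(f"{key}\\{name}: {old!r} -> {new!r}")
```

An old value of `None` means the value was added between the two exports; a new value of `None` means it was removed.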

Assisted Solution

by:BeastOfBodmin
BeastOfBodmin earned 150 total points
Hi BillDL

HAVE YOU SEEN THIS?

http://www.inet-mates.com/articles/6_rm_freescratchandwin.html

Not being that up on this, I too was interested to see what the answer is to this question. My quick feeling is that it is checking to see if the program / process indicated by the key it is contained within has been run or not.

This is purely a guess though! But in my experience sometimes programmes / processes can be just there waiting to be called on, and then there must be a way of not calling them again and again.

I looked for the entry in my system but I do not see it at all. HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ is as far as I get; there is no shutdown.
 

LVL 38

Author Comment

by:BillDL
Thanks for your interest, BeastofBodmin.  Yes, after finding this key while browsing (yes, I know it's sad, I have been known to "browse" the registry :-), those were the kind of pages that kept coming up in my google searches.

That's really what made my question a little more than just curiosity.  I wondered why spyware, etc, would be using that key, and why legitimate programs would also be listed there.

The annoying thing about ALL of those pages is that NONE of them actually explain WHY they suggest deleting the key.  Perhaps they found out by accident that it does something beneficial, but they don't know what it does either.

Strange that your system doesn't have this key at all though.  It MUST be one created by only a handful of programs that specifically need to use this entry, and there would be no sense in it persisting if it only had a "one time" use.  My feeling is that it is more significant than mere registry clutter.

I believe that your idea is the best explanation and goes in parallel with what I have been thinking.  A "validation check" of sorts.

Consider this:

You run the installer program for Norton AntiVirus, and during the process it needs to reboot the system to write settings to the registry (or to create an entry in the "RunOnce" key that it must catch on the reboot for it to work).

IF "FastReboot" was ENABLED (ie. set to 1 instead of 0), then this might be detrimental to the installation process.  It therefore lists the named program as an EXCLUSION to the rule set by the "FastReboot" entry.

By changing the value of the "SetupProgramRan" just before the system reboots, it thus recognises that the restart was mid-way through an install and tells it NOT to perform a "Fast Shutdown".

Perhaps it is also a way of storing an instruction that is READ at STARTUP in the event that the system is shut down rather than restarted.  On most occasions, if the system was mid-way through an install and it was shut down, you would tend to think that this would "break the process" and lead to an aborted install.  EXCEPT where, when the computer is powered up the next time, the registry tells the system that there had been an installation in progress, and to finish the process.

This notion is made slightly more credible by the fact that the only NAVEX*.* files on my system are navex??.vxd, .dll, and .sys files that reside in the folder where the virus definitions are stored for use by Norton AntiVirus.  With MY version, virus definitions are INSTALLED by Norton AntiVirus using what they refer to as the "Intelligent Updater", and the computer needs a reboot before that definition is loaded by NAV.

An embellishment to this train of thought is that Norton AntiVirus intercepts a virus as a file is accessed and needs to try and fix or delete the file.  If the file was in use, then this is often impossible unless the file is unloaded from memory.  Assuming that this interception was made while something malicious was trying to INSTALL whatever payload it normally delivers, then this might be important if part of that process caused a forced reboot.  By detecting that this was a "setup" program by means of the change to the "SetupProgramRan" value, then a "Fast Reboot" might not allow NAV to fully unload the file from memory and fix/delete it.  So, by making this an exception, the system is forced to perform a more standard shutdown and restart where all the running processes that cause shutdown problems in Win98SE can be fully offloaded and fixed.

A good theory, or just too much thinking time on my hands???

LVL 38

Author Comment

by:BillDL
But what the hell is DVP then ??  As I said earlier on, no DVP*.* files reside on my computer apart from one.

dvp.h

DirectDrawVideoPort include (header) file used by Borland's C++ 5.5 free command line C and C++ compiler that I haven't used on this computer since it was last formatted, and the file is amongst my backup programs on a partition anyway.

LVL 9

Expert Comment

by:paraghs
BillDL,

Take a look at the following link :
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncenet/html/cetk.asp

DVP stands for Driver Validation Program.

LVL 38

Author Comment

by:BillDL
Thanks for your interest, paraghs.  It's an interesting page, and an equally interesting theory, but I cannot see how it would be related to my setup.

The page centres on a discussion about the "Windows CE .NET Test Kit (CETK)" intended to test embedded devices and drivers based on Windows CE .NET.  The "Driver Validation Program" (DVP) provides developers, Hardware Vendors, etc the opportunity to validate their drivers for use with Windows CE .NET operating systems.

Unfortunately this has no relation to anything I have done with this computer.  The nearest it has ever come to Windows CE was an iPaq PocketPC connected via usb and synchronised with ActiveSync.  No programming or testing involved, unless there is some automated testing of drivers at the client side performed by Windows 98 to allow the interface, but I can't understand a singular mention of DVP in the registry or system files.

Apart from that, the ipaq hasn't been connected, and interface software not installed, since I last formatted.

The DVP Acronym derivation (Driver Verification Program) is something that I will search for and see what I can dig up though.

Thanks for that info.

 

LVL 38

Author Comment

by:BillDL
If this is indeed some type of driver verification routine, perhaps the fact that it is an "exclusion" from fast shutdown is something intended to retain drivers in memory during a fast reboot, which otherwise might miss out on being re-initialized at the very first stages of boot.  A wild guess?

LVL 9

Accepted Solution

by:
paraghs earned 350 total points
A google search for "Driver Verification Program" returns 173 results, with most DVPs for Sun Solaris.

But there is one interesting link at <http://www.ftponline.com/wss/2003_04/magazine/features/sreimer/default_pf.aspx>. It has only one reference to Driver Verification Program, and says :

"Windows servers have also been infamous for frequent occurrences of the "Blue Screen of Death"—an error condition that freezes the OS and usually requires a reboot. Microsoft addressed the reasons behind this problem to a great extent in Windows 2000 and worked out further issues in Windows Server 2003. Poorly written drivers account for most server crashes, and Microsoft has continued the Driver Verification program. If you try to install a driver that isn't certified for Windows Server 2003, you'll receive a warning. This helps you avoid endangering your servers' stability unnecessarily."

I think DVP is there where .net is.

Allow me to make another wild guess : Some programmes use DVP module during their setup. It is never required afterwards.

I have seen a large number of programmes leaving this DVP entry in registry. (I use System Mechanic to monitor registry).

LVL 38

Author Comment

by:BillDL
I think that the combination of guesses is probably pretty close to the truth here, and probably as close as we'll ever get.

I am going to split points here because of the 2 part nature of the question which has been addressed by both of you.

Thank you for your input.

Bill

LVL 9

Expert Comment

by:paraghs
Thanks Bill.