LSP / Winsock Analysis Using A Log From Autoruns

The LSP / Winsock component in the Internet Protocol network stack is complex. It’s used by the Windows OS, and by malware and anti-malware alike, to allow, and to affect, your access to the network.

Problems with the LSP / Winsock layer can be a lot of fun to diagnose. Generally, the problem is termed “corruption”, and you are urged to use any of several tools / procedures to simply reset it. But what if you suspect a problem, but a simple reset isn’t possible? Or what if you want to make an educated decision about a problem, or to help somebody else do the same?

You might start by enumerating (inventorying) the system components registered in the stack. One tool for doing this is the SysInternals product, Autoruns.

Autoruns, like many SysInternals products, needs no complicated install process. Just download it, and run it. Make sure that “Verify Code Signatures”, under Options, is enabled. It will present an incredibly detailed GUI inventory of all of the processes started by your computer automatically, in a tabbed display. One of the tabs, labeled “Winsock Providers”, will list all components registered in the LSP / Winsock layer.

If you save an Autoruns log, you can extract the Protocol_Catalog9 portion of the log, which will contain a text based inventory of LSP / Winsock components. Each section of the log is headed by the complete path of the key to its root, in the case of Protocol_Catalog9, that’s

HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9

Protocol_Catalog9, on my computers, is the next to last section in the log.

Below, in Attachment A, you will find an example of the relevant information, extracted from a log from one of my computers. A log from one of your computers may or may not contain the same entries – and the differences might point us towards a solution to your problem. If your log includes entries that are listed as “(Not verified)”, check them out with Online Analysis (free).

If none of these details interest you, you are welcome to simply reset your LSP / Winsock, using any of the 6 recommended procedures and tools. It’s your computer, and your dime.

Attachment A – Autoruns Log: LSP / Winsock Enumeration

HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9  
+ DiamondCS TCP/IP Layer [RAW] dcsws2 (Not verified) DiamondCS c:\windows\system32\dcsws2.dll
+ DiamondCS TCP/IP Layer [TCP] dcsws2 (Not verified) DiamondCS c:\windows\system32\dcsws2.dll
+ DiamondCS TCP/IP Layer [UDP] dcsws2 (Not verified) DiamondCS c:\windows\system32\dcsws2.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{4AA95793-B5DE-4179-8D2C-2469C3D63D3F}] DATAGRAM 2 Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{4AA95793-B5DE-4179-8D2C-2469C3D63D3F}] SEQPACKET 2 Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{64409384-CE61-4B92-ADFA-77A210FA4C80}] DATAGRAM 3 Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{64409384-CE61-4B92-ADFA-77A210FA4C80}] SEQPACKET 3 Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{7D8C1637-F016-494D-B66A-1BD865F1E19F}] DATAGRAM 7 Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{7D8C1637-F016-494D-B66A-1BD865F1E19F}] SEQPACKET 7 Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{9E8A31FA-5327-49A2-8091-E9C207367658}] DATAGRAM 8 Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{9E8A31FA-5327-49A2-8091-E9C207367658}] SEQPACKET 8 Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{AE574BAC-9E75-4917-B07E-EC7CB922CF5D}] DATAGRAM 1 Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{AE574BAC-9E75-4917-B07E-EC7CB922CF5D}] SEQPACKET 1 Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{B7E18D15-D9B1-4295-9DAD-C733C695294F}] DATAGRAM 0 Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{B7E18D15-D9B1-4295-9DAD-C733C695294F}] SEQPACKET 0 Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD Tcpip [RAW/IP] Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD Tcpip [TCP/IP] Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD Tcpip [UDP/IP] Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ RSVP TCP Service Provider Microsoft Windows Rsvp 1.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\rsvpsp.dll
+ RSVP UDP Service Provider Microsoft Windows Rsvp 1.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\rsvpsp.dll
Advertisements

One Response to “LSP / Winsock Analysis Using A Log From Autoruns”

  1. Downloadable Ringtone Says:

    What’s up, this weekend is fastidious in favor of me, because this point in time i am reading this enormous educational piece of writing here at my home.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


%d bloggers like this: