Hardening TCP/IP Stack; conflicting sources Mar 20 2004 09:23PM
captmeoff yahoo com (5 replies)
Re: Hardening TCP/IP Stack; conflicting sources Mar 22 2004 09:58PM
Jean-Baptiste Marchand (Jean-Baptiste Marchand hsc fr)
[ Moderator: this message supersedes the one I've just sent to the list.
Thanks! ]

* captmeoff (at) yahoo (dot) com [21/03/04 - 11:47]:

> HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\NoNameReleaseOnDemand

is correct, as said by other posters (the NoNameReleaseOnDemand registry
value refers to NetBIOS names, handled by the NetBIOS over TCP/IP
(NetBT) driver).

> HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableFragmentChecking

Does not seem to be valid, see below.

> HKLM\SYSTEM\CurrentControlSet\Services\IPFilterDriver\Parameters\EnableFragmentChecking

Does not seem to be valid any more on Windows 2000.

More generally, there are at least two methods to determine which
registry values are read by a system component such as a driver or a
service:

- start the driver or service manually using the net start command and
watch with regmon (http://www.sysinternals.com/) which registry keys
and values are read at startup.

Of course, you might need to stop the driver or service before
attempting to start it. This is what I've just used with the Windows
2000 IPv4 filtering driver:

C:\>net stop ipfilterdriver

-> start regmon

C:\>net start ipfilterdriver

-> watch in regmon output which registry values (typically under the
Parameters\ keys of the driver or service configuration, under
HKLM\SYSTEM\CCS\Services\service_or_driver_name\Parameters\).

For instance, the W2K ipfilter driver seems to read the following
registry keys:
- FragmentLifetime
- FragmentCacheSize
- AddressHashSize
- FragmentThreshold

With services or drivers that cannot be started manually (because they
are typically automatically started early in the boot process), such as
the tcpip driver, you can use the Log Boot feature of regmon (Edit ->
Log Boot).

When enabled, all registry accesses occurring during system startup will
be logged in a regmon.log file under the system directory.

You can then grep for the registry keys and parameters that are read by
a given driver.

By the way, this is a good way to discover undocumented registry values.

Sometimes, you'll need to create the Parameters\ subkey if it does not
exist, otherwise, the driver or service won't try to read values under
the Parameters\ key if this key does not exist:

http://www.hsc.fr/ressources/presentations/sambaxp2003/slide35.html

- use a strings command (Sysinternals has one, that understands Unicode)
to extract strings in binaries, for instance:

C:\>strings %systemroot%\system32\drivers\tcpip.sys

For instance:

C:\>strings %systemroot%\system32\drivers\ipfltdrv.sys

will show the 4 registry values aforementioned.

C:\>strings %systemroot%\system32\drivers\tcpip.sys | find "Frag"

does not return any line, whereas

C:\>strings %systemroot%\system32\drivers\tcpip.sys | find "Enable"

returns the following registry values:

EnableTrafficControl
EnableTOSsetting
EnableDHCP
IpEnableRouter
EnableAddrMaskReply
EnableDeadGWDetect
EnablePMTUDiscovery
EnableICMPRedirects
EnableFastRouteLookup
EnableBcastArpReply
EnablePMTUBHDetect
EnablePMTUDiscovery
EnableDeadGWDetect
EnableSecurityFilters

So, the EnableFragmentChecking registry value does not seem to be
applicable to either the tcpip or ipfilterdriver driver...

Jean-Baptiste Marchand
--
Jean-Baptiste.Marchand (at) hsc (dot) fr
HSC - http://www.hsc.fr/
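The `strings | find` step described in the post, as an added example for this thread (not the poster's code and not the Sysinternals tool): a small extractor that pulls both ASCII and UTF-16LE strings out of a binary and filters them by substring, so the same check can be scripted against any driver image. The `SAMPLE_BINARY` it scans is a constructed byte string, not a real tcpip.sys or ipfltdrv.sys.

```python
import re
import sys
from typing import List

# Constructed sample "driver image": a few non-printable bytes around one
# ASCII string and three UTF-16LE strings. It is NOT a real tcpip.sys or
# ipfltdrv.sys; the names are just the ones discussed in the thread.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + "EnablePMTUDiscovery".encode("utf-16-le") + b"\x00\x00"
    + b"\x01\x02\x03"
    + b"FragmentLifetime\x00" + b"\x00\x00"
    + "EnableICMPRedirects".encode("utf-16-le") + b"\x00\x00"
    + b"\xff\xfe"
    + "NoNameReleaseOnDemand".encode("utf-16-le") + b"\x00\x00\x7f\x80"
)


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Return printable strings of at least min_len characters, in file
    order. Both plain ASCII and UTF-16LE (how Windows drivers usually
    store registry value names) are recognised, like the Unicode-aware
    Sysinternals strings tool the post refers to."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    hits = [(m.start(), m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    hits += [(m.start(), m.group().decode("utf-16-le")) for m in utf16_re.finditer(data)]
    hits.sort()  # restore file order after the two passes
    return [s for _, s in hits]


def find_registry_candidates(data: bytes, needle: str) -> List[str]:
    """Equivalent of `strings file | find "needle"`: strings containing the
    substring, deduplicated and sorted (tcpip.sys lists some names twice)."""
    return sorted({s for s in extract_strings(data) if needle in s})


if __name__ == "__main__":
    # Usage: python strings_check.py [path\to\driver.sys] [needle]
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BINARY
    needle = sys.argv[2] if len(sys.argv) > 2 else "Enable"
    for name in find_registry_candidates(blob, needle):
        print(name)
```

A string that shows up here is only a candidate: as the post says, confirming that the driver actually reads it is what the regmon trace is for.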


Re: Hardening TCP/IP Stack; conflicting sources Mar 22 2004 09:26PM
Jean-Baptiste Marchand (Jean-Baptiste Marchand hsc fr)
RE: Hardening TCP/IP Stack; conflicting sources Mar 21 2004 08:38PM
dave kleiman (dave isecureu com)
RE: Hardening TCP/IP Stack; conflicting sources Mar 21 2004 10:09AM
Jannie Hanekom (j_hanekom hotmail com)
RE: Hardening TCP/IP Stack; conflicting sources Mar 21 2004 05:28AM
Sarbjit Singh Gill (ssgill starhub net sg)