LSP / Winsock Analysis Using A Log From Autoruns

The LSP / Winsock layer of the Windows Internet Protocol network stack is complex. It's used by the Windows OS, and by malware and anti-malware alike, to allow, and to interfere with, your access to the network.

Problems with the LSP / Winsock layer can be a lot of fun to diagnose. Generally, the problem is termed "corruption", and you are urged to use any of several tools / procedures to simply reset it. But what if you suspect a problem, but a simple reset isn't possible? Or what if you want to make an educated decision about a problem, or to help somebody else do the same?

You might start by enumerating (inventorying) the system components registered in the stack. One tool for doing this is the SysInternals product, Autoruns.

Autoruns, like many SysInternals products, needs no complicated install process. Just download it, and run it. Make sure that "Verify Code Signatures", under Options, is enabled. It will present an incredibly detailed GUI inventory, in a tabbed display, of all of the processes and components your computer starts automatically. One of the tabs, labeled "Winsock Providers", lists every component registered in the LSP / Winsock layer.

If you save an Autoruns log, you can extract the Protocol_Catalog9 portion of the log, which contains a text-based inventory of the LSP / Winsock components. Each section of the log is headed by the complete registry path of its root key; in the case of Protocol_Catalog9, that's

HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9

Protocol_Catalog9, on my computers, is the next to last section in the log.

Below, in Attachment A, you will find an example of the relevant information, extracted from a log from one of my computers. A log from one of your computers may or may not contain the same entries - and the differences might point us towards a solution to your problem. If your log includes entries that are listed as "(Not verified)", check them out with Online Analysis (free): an unsigned or unverifiable DLL sitting in the Winsock chain is exactly what malware, and some poorly behaved legitimate software, looks like from this vantage point.

If none of these details interest you, you are welcome to simply reset your LSP / Winsock, using any of the 6 recommended procedures and tools. It's your computer, and your dime.
Attachment A - Autoruns Log: LSP / Winsock Enumeration

HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9
+ DiamondCS TCP/IP Layer [RAW] dcsws2 (Not verified) DiamondCS c:\windows\system32\dcsws2.dll
+ DiamondCS TCP/IP Layer [TCP] dcsws2 (Not verified) DiamondCS c:\windows\system32\dcsws2.dll
+ DiamondCS TCP/IP Layer [UDP] dcsws2 (Not verified) DiamondCS c:\windows\system32\dcsws2.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{4AA95793-B5DE-4179-8D2C-2469C3D63D3F}] DATAGRAM 2 Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{4AA95793-B5DE-4179-8D2C-2469C3D63D3F}] SEQPACKET 2 Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{64409384-CE61-4B92-ADFA-77A210FA4C80}] DATAGRAM 3 Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{64409384-CE61-4B92-ADFA-77A210FA4C80}] SEQPACKET 3 Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{7D8C1637-F016-494D-B66A-1BD865F1E19F}] DATAGRAM 7 Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{7D8C1637-F016-494D-B66A-1BD865F1E19F}] SEQPACKET 7 Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{9E8A31FA-5327-49A2-8091-E9C207367658}] DATAGRAM 8 Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{9E8A31FA-5327-49A2-8091-E9C207367658}] SEQPACKET 8 Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{AE574BAC-9E75-4917-B07E-EC7CB922CF5D}] DATAGRAM 1 Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{AE574BAC-9E75-4917-B07E-EC7CB922CF5D}] SEQPACKET 1 Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{B7E18D15-D9B1-4295-9DAD-C733C695294F}] DATAGRAM 0 Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{B7E18D15-D9B1-4295-9DAD-C733C695294F}] SEQPACKET 0 Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD Tcpip [RAW/IP] Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD Tcpip [TCP/IP] Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD Tcpip [UDP/IP] Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ RSVP TCP Service Provider Microsoft Windows Rsvp 1.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\rsvpsp.dll
+ RSVP UDP Service Provider Microsoft Windows Rsvp 1.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\rsvpsp.dll

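Given a saved Autoruns log like the one in Attachment A, the Protocol_Catalog9 section can be pulled out and checked mechanically rather than by eye. The Python script below is an added example written for this page; it is not part of the original post and not code from SysInternals or Autoruns. It extracts the section, parses each "+" entry, lists the "(Not verified)" ones, counts entries per provider DLL, and compares two catalogs after masking the per-adapter NetBIOS GUIDs (which legitimately differ from machine to machine, so a naive diff would be all noise). The two embedded logs are constructed from lines in Attachment A; the second log's "Placeholder Layered Provider" entry and its placeholder_lsp.dll are made-up placeholders standing in for an unknown extra provider, not a real component.

```python
"""Parse the Protocol_Catalog9 section of a saved Autoruns log and flag
the entries worth a closer look.  Added example for this page; not part of
the original post and not code from Autoruns itself."""
import re
from dataclasses import dataclass

CATALOG_KEY = (
    r"HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9"
)

# One catalog line: "+ <name/description> (<status>) <publisher> <drive:\path>"
ENTRY_RE = re.compile(
    r"^\+\s+(?P<desc>.+?)\s+\((?P<status>Verified|Not verified)\)\s+"
    r"(?P<publisher>.+?)\s+(?P<path>[A-Za-z]:\\\S+)$"
)
# Per-adapter NetBT bindings carry a GUID that is unique to each machine.
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


@dataclass(frozen=True)
class CatalogEntry:
    description: str
    verified: bool
    publisher: str
    path: str


def extract_section(log_text, key=CATALOG_KEY):
    """Return the '+' lines under the given section header, stopping at the
    first blank line or at the next HK... section header."""
    out, inside = [], False
    for line in log_text.splitlines():
        stripped = line.strip()
        if stripped == key:
            inside = True
            continue
        if inside:
            if not stripped or stripped.startswith("HK"):
                break
            out.append(stripped)
    return out


def parse_catalog(log_text):
    """Parse every catalog line into a CatalogEntry (paths lower-cased)."""
    entries = []
    for line in extract_section(log_text):
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised catalog line: {line!r}")
        entries.append(CatalogEntry(m["desc"], m["status"] == "Verified",
                                    m["publisher"], m["path"].lower()))
    return entries


def unverified(entries):
    """Entries whose code signature Autoruns could not verify."""
    return [e for e in entries if not e.verified]


def dll_summary(entries):
    """Map each provider DLL to the number of catalog entries it backs."""
    summary = {}
    for e in entries:
        summary[e.path] = summary.get(e.path, 0) + 1
    return summary


def compare(baseline, other):
    """(added, removed) relative to baseline, with adapter GUIDs masked."""
    def key(e):
        return (GUID_RE.sub("{GUID}", e.description), e.publisher, e.path)
    base, oth = {key(e) for e in baseline}, {key(e) for e in other}
    return sorted(oth - base), sorted(base - oth)


# Constructed sample: a few lines taken from Attachment A, preceded by a
# filler section so the extractor has to find the right header.
SAMPLE_LOG = r"""
HKLM\Some\Other\Section
+ filler entry (constructed) that must be ignored

HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9
+ DiamondCS TCP/IP Layer [RAW] dcsws2 (Not verified) DiamondCS c:\windows\system32\dcsws2.dll
+ DiamondCS TCP/IP Layer [TCP] dcsws2 (Not verified) DiamondCS c:\windows\system32\dcsws2.dll
+ MSAFD NetBIOS [\Device\NetBT_Tcpip_{B7E18D15-D9B1-4295-9DAD-C733C695294F}] DATAGRAM 0 Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD Tcpip [TCP/IP] Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ MSAFD Tcpip [UDP/IP] Microsoft Windows Sockets 2.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\mswsock.dll
+ RSVP TCP Service Provider Microsoft Windows Rsvp 1.0 Service Provider (Verified) Microsoft Windows Publisher c:\windows\system32\rsvpsp.dll
"""

# Constructed "other machine" log: different adapter GUID (benign) plus one
# extra, made-up placeholder provider that a diff should surface.
SUSPECT_LOG = SAMPLE_LOG.replace(
    "{B7E18D15-D9B1-4295-9DAD-C733C695294F}",
    "{00000000-0000-0000-0000-000000000000}",
) + (
    "+ Placeholder Layered Provider [TCP] (Not verified) Placeholder Vendor"
    r" c:\windows\system32\placeholder_lsp.dll" + "\n"
)


if __name__ == "__main__":
    baseline = parse_catalog(SAMPLE_LOG)
    print("Unverified entries:")
    for e in unverified(baseline):
        print(f"  {e.description}  <-  {e.path}")
    print("Entries per DLL:", dll_summary(baseline))
    added, removed = compare(baseline, parse_catalog(SUSPECT_LOG))
    print("Added vs baseline:", added)
    print("Missing vs baseline:", removed)
```

Two design points: paths are lower-cased before comparison because the registry stores them case-insensitively, and the diff keys on description, publisher and path together, so a provider that keeps its name but moves to a different DLL still shows up as a change. For a real investigation, feed `compare()` the catalog from a known-good machine of the same Windows version as the baseline.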