What is a decent program doing?

[GRoston]

I have been programming for ‘a few years’ and may be more sensitive to reasonable system usage than most. The program f.lux, from justgetflux.com, is particularly helpful for night-owls like me and I am not complaining about the program’s functionality.

However, I am really wondering about what it is doing. Using procmon.exe (another very useful program), I see that over a 20 seconds, f.lux made 154 RegOpenKey calls, 308 RegQueryValue calls, and 77 RegSetInfoKey calls. To say that this is beyond insane is an understatement. What on earth is the program doing and more importantly, why???

 

[file3456]

I don't think this is limited to just f.lux. If you run the program Disk Pulse for example you will see your computer open and close many registry values all the time.

 

[GRoston]

My bad if you got the sense that I suggested that f.lux was the only program behaving in this manner. I picked on it a) because I clearly see the data and b) given the nature of the program, I cannot imagine its having to look at the registry more than just a few times per day...

 

[Alejandro85]

First of all be sure to filter on procmon to capture only those events on the interesting process and not the whole system. Procmon produces TONS of events and a good filter is important to draw any conclussion.

Fixed that, the only definitive answer is to look at the program's source code and identify where the calls come from, but besides that I can think of a few reasons:

- Many times it's not the program itself calling the kernel, but its libraries. A notable example is the open/save file built-in dialog, that basically loads a mini Windows Explorer in-process. That alone can account for all the activity you see.
- The program may monitor certain configuration regularly for updates, and also write some logs.
- The program may have a bug that causes it to read/write far more often than it really intended.
- It may have a piece of spyware bundled, even if not outright malicious it's a common practice nowadays to track the users (aka "telemetry").
- If your computer is infected with an antivirus, the AV may inject code into the process and seems like another program is making registry calls when it's actually the AV to be blamed.
- Is the program actually "decent", for sure?

Looking at the source code and attaching a debugger to it may also shed some light on its inner workings.