Program Update

[jedakay]

Only get this when I do a program update, not an iAVS update to avast free edition in Vista Home Premium.  After the update is done some bar appears directly above the avast icon and mentions some registry key and tells me that "write" is denied; I can't read the whole thing because it appears and disappears so fast, also I am unable to find any reference to this in the log file and the updates seem to have been successful.  Never had this problem prior to using Vista.

[Lisandro]

Which avast version are you using? 4.8.1201?
This message shouldn't be appearing there anymore...

Also, please, post the last 200-250 lines of avast log: C:\Program Files\Alwil Software\Avast4\DATA\log\Setup.log

[alanrf]

You should be able to find the lines logged in a file called selfdef.log in the avast logs folder. 

[jedakay]

You should be able to find the lines logged in a file called selfdef.log in the avast logs folder. 

Looked at the wrong log, here is selfdef.log

5/28/2008 7:30:35 PM   Write access to registry key \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aswMonFlt denied. [C:\Windows\system32\services.exe]
5/28/2008 7:30:35 PM   Write access to registry key \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aswMonFlt denied. [PID 3976]
5/28/2008 7:30:35 PM   Write access to registry key \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aswMonFlt\Instances denied. [PID 3976]
5/28/2008 7:30:35 PM   Write access to registry key \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aswMonFlt\Instances\aswMonFlt Instance denied. [PID 3976]

[jedakay]

4.8.1201


29.05.2008   09:46:21.000   1212072381   general   Started: 29.05.2008, 09:46:21
29.05.2008   09:46:21.000   1212072381   general   Running setup_av_pro-4b1 (1201)
29.05.2008   09:46:21.000   1212072381   system   Operating system: Windows Vista ver 6.0, build 6001, sp 1.0 [Service Pack 1]
29.05.2008   09:46:21.000   1212072381   system   Memory: 37% load. Phys:1303280/2085328K free, Page:3469676/4194303K free, Virt:2031572/2097024K free
29.05.2008   09:46:21.000   1212072381   system   Computer WinName: HDBG62-PC
29.05.2008   09:46:21.000   1212072381   system   Windows Net User: hdbg62-PC\hdbg62
29.05.2008   09:46:21.000   1212072381   general   Cmdline: /downloadpkgs /noreboot /silent /progress 
29.05.2008   09:46:21.000   1212072381   general   DldSrc set to inet
29.05.2008   09:46:21.000   1212072381   general   Operation set to INST_OP_UPDATE_GET_PACKAGES
29.05.2008   09:46:21.000   1212072381   general   Old version: 4b1 (1201)
29.05.2008   09:46:21.000   1212072381   system   Using temp: C:\Users\hdbg62\AppData\Local\Temp\_av_proI.tm~a04020 (412166M free)
29.05.2008   09:46:21.000   1212072381   general   SGW32P::CheckIfInstalled set m_bAlreadyInstalled to 1
29.05.2008   09:46:21.000   1212072381   internet   SYNCER: Agent=Syncer/4.80 (av_pro-1201;p)
29.05.2008   09:46:21.000   1212072381   system   Computer DnsName: hdbg62-PC
29.05.2008   09:46:21.000   1212072381   system   Computer Ip Addr: 70.255.83.102
29.05.2008   09:46:21.000   1212072381   system   Installed in: C:\Program Files\Alwil Software\Avast4 (412166M free)
29.05.2008   09:46:21.000   1212072381   internet   SYNCER: Type: use IE settings
29.05.2008   09:46:21.000   1212072381   internet   SYNCER: Auth: another authentication, use WinInet
29.05.2008   09:46:21.000   1212072381   package   Part prg_av_pro-4b1 is installed
29.05.2008   09:46:21.000   1212072381   package   Part vps-8052900 is installed
29.05.2008   09:46:21.000   1212072381   package   Part news-4b is installed
29.05.2008   09:46:21.000   1212072381   package   Part setup_av_pro-4b1 is installed
29.05.2008   09:46:21.000   1212072381   package   Part jrog-3c is installed
29.05.2008   09:46:21.000   1212072381   general   Old version: 4b1 (1201)
29.05.2008   09:46:22.000   1212072382   file   SetExistingFilesBitmap: 1054->154->154
29.05.2008   09:46:22.000   1212072382   general   GUID: 6b2c6395-23fc-4028-a316-2637a3e4a5da
29.05.2008   09:46:22.000   1212072382   general   Server definition(s) loaded for 'main': 183 (maintenance:0)
29.05.2008   09:46:22.000   1212072382   general   SelectCurrent: selected server 'Download939 AVAST Server' from 'main'
29.05.2008   09:46:22.000   1212072382   internet   SYNCER: Type: use IE settings
29.05.2008   09:46:22.000   1212072382   internet   SYNCER: Auth: another authentication, use WinInet
29.05.2008   09:46:22.000   1212072382   internet   SYNCER: Agent=Syncer/4.80 (av_pro-1201;f)
29.05.2008   09:46:22.000   1212072382   internet   Used server: http://download939.avast.com/iavs4x
29.05.2008   09:46:23.000   1212072383   general   Server definition(s) loaded for 'main': 183 (maintenance:0)
29.05.2008   09:46:23.000   1212072383   general   SelectCurrent: selected server 'Download656 AVAST Server' from 'main'
29.05.2008   09:46:23.000   1212072383   internet   SYNCER: Type: use IE settings
29.05.2008   09:46:23.000   1212072383   internet   SYNCER: Auth: another authentication, use WinInet
29.05.2008   09:46:23.000   1212072383   internet   Used server: http://download656.avast.com/iavs4x
29.05.2008   09:46:23.000   1212072383   package   LoadProductVpu: C:\Program Files\Alwil Software\Avast4\Setup\prod-av_pro.vpu
29.05.2008   09:46:23.000   1212072383   package   LoadPartInfo: jrog = jrog-3c returned 00000000
29.05.2008   09:46:23.000   1212072383   package   LoadPartInfo: news = news-4b returned 00000000
29.05.2008   09:46:23.000   1212072383   package   LoadPartInfo: program = prg_av_pro-4b1 returned 00000000
29.05.2008   09:46:23.000   1212072383   package   LoadPartInfo: setup = setup_av_pro-4b1 returned 00000000
29.05.2008   09:46:23.000   1212072383   package   LoadPartInfo: vps = vps-8052900 returned 00000000
29.05.2008   09:46:23.000   1212072383   package   LoadProductVpu: C:\Program Files\Alwil Software\Avast4\Setup\prod-av_pro.vpu ended with 00000000
29.05.2008   09:46:23.000   1212072383   package   LoadPartVpu: Loading 'part-prg_av_pro-4b1.vpu' returned 00000000
29.05.2008   09:46:23.000   1212072383   package   LoadPartVpu: Loading 'part-vps-8052900.vpu' returned 00000000
29.05.2008   09:46:23.000   1212072383   package   LoadPartVpu: Loading 'part-news-4b.vpu' returned 00000000
29.05.2008   09:46:23.000   1212072383   package   LoadPartVpu: Loading 'part-setup_av_pro-4b1.vpu' returned 00000000
29.05.2008   09:46:23.000   1212072383   package   WARN:LoadPartVpu ended on no pInfo
29.05.2008   09:46:23.000   1212072383   package   LoadPartVpu: Loading 'part-jrog-3c.vpu' returned 00000000
29.05.2008   09:46:23.000   1212072383   general   Part of license key: W54341434H4400A1106
29.05.2008   09:46:23.000   1212072383   package   IsFullOkay: setup_av_pro-4b1.vpu - is okay
29.05.2008   09:46:23.000   1212072383   package   IsFullOkay: setif_av_pro-4b1.vpu - is okay
29.05.2008   09:46:23.000   1212072383   package   FilterOutExistingFiles: 154 & 154 = 0
29.05.2008   09:46:23.000   1212072383   package   IsFullOkay: setif_av_pro-4b1.vpu - is okay
29.05.2008   09:46:23.000   1212072383   package   IsFullOkay: setup_av_pro-4b1.vpu - is okay
29.05.2008   09:46:23.000   1212072383   package   IsFullOkay: vps-8052900.vpu - is okay
29.05.2008   09:46:23.000   1212072383   package   IsFullOkay: vpsm-8052900.vpu - is okay
29.05.2008   09:46:23.000   1212072383   package   IsFullOkay: news409-32.vpu - is okay
29.05.2008   09:46:23.000   1212072383   package   IsFullOkay: jrog-3c.vpu - is okay
29.05.2008   09:46:28.000   1212072388   package   vps: same as previous [8052900]
29.05.2008   09:46:28.000   1212072388   package   FilterOutExistingFiles: 154 & 154 = 0
29.05.2008   09:46:28.000   1212072388   package   IsFullOkay: setif_av_pro-4b1.vpu - is okay
29.05.2008   09:46:28.000   1212072388   package   IsFullOkay: setup_av_pro-4b1.vpu - is okay
29.05.2008   09:46:28.000   1212072388   package   IsFullOkay: vps-8052900.vpu - is okay
29.05.2008   09:46:28.000   1212072388   package   IsFullOkay: vpsm-8052900.vpu - is okay
29.05.2008   09:46:28.000   1212072388   package   IsFullOkay: news409-32.vpu - is okay
29.05.2008   09:46:28.000   1212072388   package   IsFullOkay: jrog-3c.vpu - is okay
29.05.2008   09:46:28.000   1212072388   package   FilterOutExistingFiles: 154 & 154 = 0
29.05.2008   09:46:28.000   1212072388   package   Transferred: files 2, bytes 20, time 375 ms
29.05.2008   09:46:28.000   1212072388   package   Retries: total 0, files 0, servers 2
29.05.2008   09:46:28.000   1212072388   file   NeedReboot=false
29.05.2008   09:46:28.000   1212072388   general   Return code: 0x20000001 [Nothing done]
29.05.2008   09:46:28.000   1212072388   general   Stopped: 29.05.2008, 09:46:28

[Lisandro]

jedakay, you seem to be using the last avast version and I see no problems with your log.
The registry keys are not 'used' by the System (the CurrentControlSet and not the ControlSet001 is important). But I can't help further on troubleshooting this. Maybe any programmer could help...

[alanrf]

jedakay,

other Vista users have also reported seeing these pop-ups happening at avast program update time.  The pop-ups are (rather useless) notifications only that avast has prevented write access to its registry keys - there is no action you can take on them.

I'm sure the avast folks will eventually get them suppressed but until then it seems they are harmless to your system.

   

[jedakay]

jedakay,

other Vista users have also reported seeing these pop-ups happening at avast program update time.  The pop-ups are (rather useless) notifications only that avast has prevented write access to its registry keys - there is no action you can take on them.

I'm sure the avast folks will eventually get them suppressed but until then it seems they are harmless to your system.

   

Thanks for your time, as long as all my updates get in there I can live with it.

[Appl]

To start, I have been having the same problem on Vista Home Premium 32-bit.  I'm not too worried, but then again I don't know what aswmonflt contains, so I don't know what's missing.

jedakay,

other Vista users have also reported seeing these pop-ups happening at avast program update time.  The pop-ups are (rather useless) notifications only that avast has prevented write access to its registry keys - there is no action you can take on them.

I'm sure the avast folks will eventually get them suppressed but until then it seems they are harmless to your system.

I find it bold to suggest that the Avast! developers decided they should create an informational box, placed visibly right above the icon in the systray, with that message, because it's *useless*.  The reason for it being displayed there instead of buried away in some log is probably that the developers thought it deserved attention, more attention than the stuff relegated to logs in the Program Files folder.  I doubt anyone expected the average user to know what the contents of aswmonflt are, so it was probably put there to get people's attention.  And, the problem is that Avast! has prevented itself from writing to some of its own registry keys, which seems unlikely to be the purpose of Avast!'s write protection of its registry keys.  Whether that is harmful or not, I don't know, but I haven't seen any answer as to what aswmonflt contains and what the Avast! updater is trying to put there.

jedakay, you seem to be using the last avast version and I see no problems with your log.
The registry keys are not 'used' by the System (the CurrentControlSet and not the ControlSet001 is important). But I can't help further on troubleshooting this. Maybe any programmer could help...

The registry keys in ControlSet001 *are* used by the System.  The CurrentControlSet hive is simply a symlink to an existing ControlSetN, and that N is typically 001.  HKLM\System\Select has some DWORDs in it; if the value in Current is 1, then the *current* control set (which, unsurprisingly, is CurrentControlSet), the one that the system is using at the moment, is ControlSet001.  Avast! is trying to change the current system configuration, and it's not being allowed to do so.  That makes me think something isn't going as planned.  It may well not be serious at all, but, again, that depends on how important it is to have the contents of aswmonflt correct (if they are even incorrect at the moment).

[jedakay]

Wow! Don't really understand all; perhaps another response will be forthcoming to shed more light on this?

[alanrf]

I doubt that Appl participated in the last round of avast beta testing when these popups were first introduced by avast and the discussion that accompanied them.  The frequency of these messages from the new self protection feature and the fact they simply represent information about avast preventing write access to its registry keys (about which the user can do absolutely nothing) was causing sufficient confusion that avast suppressed the popups before going to production.  In Vista they have not been entirely successful in the suppression.

The prevention of write access to registry keys could indicate an attack on avast by malware.  Unfortunately what it is showing is that poor coding techniques exist all over the place where functions that are just looking at registry keys have been written with write access requested unnecessarily.  So, in essence these popups are not a cause for alarm and they do not represent any problem in the avast program update process.

I am sure that the avast team will correct any information posted here if required. 
   

[Lisandro]

The registry keys in ControlSet001 *are* used by the System.  The CurrentControlSet hive is simply a symlink to an existing ControlSetN, and that N is typically 001.  HKLM\System\Select has some DWORDs in it; if the value in Current is 1, then the *current* control set (which, unsurprisingly, is CurrentControlSet), the one that the system is using at the moment, is ControlSet001.  Avast! is trying to change the current system configuration, and it's not being allowed to do so.  That makes me think something isn't going as planned.  It may well not be serious at all, but, again, that depends on how important it is to have the contents of aswmonflt correct (if they are even incorrect at the moment).

Thanks for the explanation, makes sense. Sometimes, while deleting 001 keys, the Current were deleted also and I've never understood that. Living and learning.