Plug and play recurrent activity
I have noticed that about once a day svchost.exe hits the registry relatively hard, accessing entries seemingly related to physical hardware, mostly entries in HKLM\System\CurrentControlSet\Enum. I have been trying to figure out what is behind this. Looking at the call stack for one entry in Process Monitor I see a reference to a PnpSelfHealEnumTimerCallback. Is there some kind of process that is part of the plug and play manager that runs once a day to do something?

Call Stack:
0 ntoskrnl.exe CmpCallCallBacks + 0x1c0 0xfffff8000363ffb0 C:\windows\system32\ntoskrnl.exe
1 ntoskrnl.exe ?? ::NNGAKEGL::`string' + 0x2ca60 0xfffff800034f6e2d C:\windows\system32\ntoskrnl.exe
2 ntoskrnl.exe ObpLookupObjectName + 0x588 0xfffff80003591488 C:\windows\system32\ntoskrnl.exe
3 ntoskrnl.exe ObOpenObjectByName + 0x306 0xfffff800035926a6 C:\windows\system32\ntoskrnl.exe
4 ntoskrnl.exe CmOpenKey + 0x28a 0xfffff80003565dfc C:\windows\system32\ntoskrnl.exe
5 ntoskrnl.exe NtOpenKeyEx + 0xf 0xfffff800035682cf C:\windows\system32\ntoskrnl.exe
6 ntoskrnl.exe KiSystemServiceCopyEnd + 0x13 0xfffff8000329a453 C:\windows\system32\ntoskrnl.exe
7 ntdll.dll NtOpenKeyEx + 0xa 0x7717226a C:\windows\SYSTEM32\ntdll.dll
8 kernel32.dll LocalBaseRegOpenKey + 0x1f5 0x76a54172 C:\windows\system32\kernel32.dll
9 kernel32.dll RegOpenKeyExInternalW + 0x123 0x76a544b5 C:\windows\system32\kernel32.dll
10 kernel32.dll RegOpenKeyExW + 0x1d 0x76a5457d C:\windows\system32\kernel32.dll
11 umpnpmgr.dll SecuritySubkeyCallback + 0x79 0x7fefc998f01 c:\windows\system32\umpnpmgr.dll
12 umpnpmgr.dll EnumRegKeyWithCallback + 0xa5 0x7fefc998e2d c:\windows\system32\umpnpmgr.dll
13 umpnpmgr.dll SecuritySubkeyCallback + 0xb8 0x7fefc998f40 c:\windows\system32\umpnpmgr.dll
14 umpnpmgr.dll EnumRegKeyWithCallback + 0xa5 0x7fefc998e2d c:\windows\system32\umpnpmgr.dll
15 umpnpmgr.dll InstanceSubkeyCallback + 0x115 0x7fefc9992c5 c:\windows\system32\umpnpmgr.dll
16 umpnpmgr.dll EnumRegKeyWithCallback + 0xa5 0x7fefc998e2d c:\windows\system32\umpnpmgr.dll
17 umpnpmgr.dll EnumSubkeyCallback + 0x156 0x7fefc99950e c:\windows\system32\umpnpmgr.dll
18 umpnpmgr.dll EnumRegKeyWithCallback + 0xa5 0x7fefc998e2d c:\windows\system32\umpnpmgr.dll
19 umpnpmgr.dll EnumSubkeyCallback + 0x156 0x7fefc99950e c:\windows\system32\umpnpmgr.dll
20 umpnpmgr.dll EnumRegKeyWithCallback + 0xa5 0x7fefc998e2d c:\windows\system32\umpnpmgr.dll
21 umpnpmgr.dll EnumSubkeyCallback + 0x156 0x7fefc99950e c:\windows\system32\umpnpmgr.dll
22 umpnpmgr.dll EnumRegKeyWithCallback + 0xa5 0x7fefc998e2d c:\windows\system32\umpnpmgr.dll
23 umpnpmgr.dll PnpSelfHealEnumTimerCallback + 0x12f 0x7fefc999757 c:\windows\system32\umpnpmgr.dll
24 ntdll.dll RtlpTpTimerCallback + 0xcb 0x77136ccb C:\windows\SYSTEM32\ntdll.dll
25 ntdll.dll TppTimerpExecuteCallback + 0x105 0x771363e5 C:\windows\SYSTEM32\ntdll.dll
26 ntdll.dll TppWorkerThread + 0x6c9 0x77136bd2 C:\windows\SYSTEM32\ntdll.dll
27 kernel32.dll BaseThreadInitThunk + 0xd 0x76a5652d C:\windows\system32\kernel32.dll
28 ntdll.dll RtlUserThreadStart + 0x1d 0x7714c521 C:\windows\SYSTEM32\ntdll.dll
May 23rd, 2012 3:29am
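A way to triage a Process Monitor stack like the one posted above, added here as an example and not part of the original post: it parses the frames and walks from the thread start inward to the first module that is not thread or thread-pool scaffolding. The names `parse_frames`, `attribute` and the `SCAFFOLDING` module list are assumptions made for this example; the sample frames are an excerpt of those in the post.

```python
import re
from collections import Counter, namedtuple

Frame = namedtuple("Frame", "index module symbol offset address path")

# Process Monitor stack columns: frame, module, location (symbol + offset), address, path.
FRAME_RE = re.compile(
    r"(\d+) (\S+) (.+?) \+ (0x[0-9a-fA-F]+) (0x[0-9a-fA-F]+) (\S+)")

# Modules that only start threads or dispatch thread-pool work (assumed list).
SCAFFOLDING = {"ntdll.dll", "kernel32.dll"}

# Excerpt of the frames posted in this thread, flattened onto one line.
SAMPLE = " ".join([
    r"10 kernel32.dll RegOpenKeyExW + 0x1d 0x76a5457d C:\windows\system32\kernel32.dll",
    r"11 umpnpmgr.dll SecuritySubkeyCallback + 0x79 0x7fefc998f01 c:\windows\system32\umpnpmgr.dll",
    r"12 umpnpmgr.dll EnumRegKeyWithCallback + 0xa5 0x7fefc998e2d c:\windows\system32\umpnpmgr.dll",
    r"21 umpnpmgr.dll EnumSubkeyCallback + 0x156 0x7fefc99950e c:\windows\system32\umpnpmgr.dll",
    r"22 umpnpmgr.dll EnumRegKeyWithCallback + 0xa5 0x7fefc998e2d c:\windows\system32\umpnpmgr.dll",
    r"23 umpnpmgr.dll PnpSelfHealEnumTimerCallback + 0x12f 0x7fefc999757 c:\windows\system32\umpnpmgr.dll",
    r"24 ntdll.dll RtlpTpTimerCallback + 0xcb 0x77136ccb C:\windows\SYSTEM32\ntdll.dll",
    r"26 ntdll.dll TppWorkerThread + 0x6c9 0x77136bd2 C:\windows\SYSTEM32\ntdll.dll",
    r"27 kernel32.dll BaseThreadInitThunk + 0xd 0x76a5652d C:\windows\system32\kernel32.dll",
    r"28 ntdll.dll RtlUserThreadStart + 0x1d 0x7714c521 C:\windows\SYSTEM32\ntdll.dll",
])

def parse_frames(text):
    """Return Frame tuples from a flattened or line-per-frame stack dump."""
    return [Frame(int(m[1]), m[2], m[3], int(m[4], 16), int(m[5], 16), m[6])
            for m in FRAME_RE.finditer(text)]

def attribute(frames):
    """Walk from the thread start inward to the first non-scaffolding frame."""
    outer_first = sorted(frames, key=lambda f: f.index, reverse=True)
    origin = next((f for f in outer_first if f.module.lower() not in SCAFFOLDING), None)
    if origin is None:
        return None
    dispatch = [f.symbol for f in outer_first if f.index > origin.index]
    return {
        "module": origin.module,
        "entry_point": origin.symbol,
        "timer_driven": any("TimerCallback" in s for s in dispatch),
        "recursion": Counter(f.symbol for f in frames if f.module == origin.module),
    }

if __name__ == "__main__":
    print(attribute(parse_frames(SAMPLE)))
```

On the excerpt, the entry point is PnpSelfHealEnumTimerCallback in umpnpmgr.dll, reached from the ntdll thread-pool timer frames, and the repeated EnumRegKeyWithCallback frames show the recursive key walk.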

1. Any AV program? Try this without it and uninstall old and install fresh version.
2. Very useful info contains basic history, new installations, configuration etc. Any traces in logs?

Regards
Milos
May 23rd, 2012 3:21pm

> 1. Any AV program? Try this without it and uninstall old and install fresh version.

On the particular machine this stack was on there is MSE running. However, I have seen this behavior in multiple machines, even a fresh install with win7 x64 with SP1.

> 2. Very useful info contains basic history, new installations, configuration etc. Any traces in logs?
> Regards
> Milos

Not quite sure what information you're looking for here. I have seen this behavior primarily on x64 win7 systems. I'm guessing the systems have to be on for an extended period of time. There is one non-64-bit system I have which is not on very often, on which I have not been able to observe this.

The initial symptom/effect I was tracking down was that when I would run USBDeview it would show the Created Date for all USB devices as some odd date relatively close to the present, and I noticed it would change about every 24 hours. Trying to figure out what was going on, I found, as I described, that svchost.exe was fiddling around with all the device entries in the registry once a day. I am curious as to why this is happening.
May 23rd, 2012 10:17pm

Hi,

How about using Process Explorer and Process Monitor to troubleshoot the issue?

Niki Han
TechNet Community Support
May 24th, 2012 4:35am

> Hi, How about using Process Explorer and Process Monitor to troubleshoot the issue?
> Niki Han
> TechNet Community Support

I have done exactly that. The stack trace(?) in the original post is from Process Monitor on one of the registry access events. What I am trying to find out is if there is something in the plug and play manager that runs periodically.
May 24th, 2012 5:09pm

This topic is archived. No further replies will be accepted.
