Why does UK.com reply to all queries with a fixed IP address?

So, I work on an application which is shipped commercially. Recently I got a report of it hanging on startup for a customer. I looked into it a bit, and the Windows machine is under the uk.com domain. After looking at the procmon.pml file, I observed that my application seemed to have a few calls similar to this:

Create File \\GUID\PIPE\winreg (Path not found)
TCP Reconnect localmachinename:<port> -> 208.91.197.189:epmap
TCP Reconnect localmachinename:<port> -> 208.91.197.189:epmap

I got on the machine today and tried an nslookup of the GUID. It returned an address of 208.91.197.189. I was like "AH HAH!". Then I started trying to figure out why. After more experimentation I found that it returns an address for any random string you pass it. (To see what I mean, open cmd and type "nslookup", then type f.uk.com.) You will get back an address of 208.91.197.189.

So, a couple of questions. Why would uk.com return back a fixed address for every string passed to it? This doesn't seem like normal behavior IMHO.

Furthermore, after more researching, the \\GUID\PIPE\winreg shows up each time my application makes a RegConnectRegistry() API call. That connection attempt fails (the registry value doesn't exist), which causes Windows under the covers to try to resolve the GUID, which eventually causes the TCP Reconnect to the resolved GUID address. Is that GUID a session name, or where does that GUID come from? I have tried it on many machines and it is not a well-known GUID. So, it seems specific to each machine, but I cannot find it in the registry as a packed GUID or a registry-formatted GUID. I'm not sure where Windows gets it from, or if there is a way to change the behavior. The app is actually having to time out on every failed registry read, which is causing the hang. Why is Windows doing this for failed registry reads?

Thanks for your time and input!
Nick
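
Added example, not part of the original post: the behaviour described above, where any random label under a suffix resolves to the same address, is what a wildcard DNS record produces, and a single-label name such as the GUID picks it up once the machine's DNS suffix is appended. The Python sketch below checks a suffix for that behaviour; `fake_resolver`, `example.internal` and the GUID are constructed for illustration, and the suffix-appending step is a simplified model of the resolver's search list.

```python
import secrets
import socket

def system_resolver(name):
    """Return the set of IPv4 addresses for name, or an empty set if it does not resolve."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except (socket.gaierror, socket.herror):
        return set()

def fake_resolver(name):
    """Constructed stand-in for DNS so the example runs offline."""
    if name.endswith(".uk.com"):            # behaves as reported in the post
        return {"208.91.197.189"}
    if name == "files.example.internal":    # hypothetical zone with one real host
        return {"10.0.0.5"}
    return set()

def check_suffix(suffix, resolver=system_resolver, samples=4):
    """Resolve random labels under suffix; if all of them resolve, the zone answers wildcards."""
    answers = [resolver(f"{secrets.token_hex(8)}.{suffix}") for _ in range(samples)]
    wildcard = all(answers)
    fixed = sorted(set.intersection(*answers)) if wildcard else []
    return {"suffix": suffix, "wildcard": wildcard, "addresses": fixed}

def resolve_single_label(name, search_list, resolver=system_resolver):
    """Simplified model: append each suffix in order and return the first name that resolves."""
    for suffix in search_list:
        fqdn = f"{name}.{suffix}"
        addrs = resolver(fqdn)
        if addrs:
            return fqdn, sorted(addrs)
    return None, []

if __name__ == "__main__":
    guid = "0f8a2c4e-1b3d-4e5f-9a6b-7c8d9e0f1a2b"   # constructed GUID, not from the post
    search_list = ["example.internal", "uk.com"]
    for suffix in search_list:
        print(check_suffix(suffix, fake_resolver))
    print(resolve_single_label(guid, search_list, fake_resolver))
```

Calling `check_suffix` without the `resolver` argument queries the DNS servers the machine is actually configured to use.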