
Nmap accessing foobar

A couple of days ago I noticed that the console was outputting "DNS error 11004" after a couple of tracks had been played, and I thought that it was something to do with audioscrobbler. So today I disabled the scrobbler but still got this error. Then I ran Process Monitor, and at the time when this error was output there was nothing suspicious but this line:

Code:
"foobar2000.exe","69724","TCP Connect","PC.lan:56210 -> akamai18.ipv4ilink.net:http","SUCCESS","Length: 0, mss: 1452, sackopt: 1, tsopt: 0, wsopt: 1, rcvwin: 17424, rcvwinscale: 2, sndwinscale: 2, seqnum: 0, connid: 0"

As far as I can see, "akamai18.ipv4ilink.net" is a server for some Bulgarian Nokia clone, so I started to search the Windows registry but found nothing. Searching in the Windows folder, I was able to locate the file "nmap-service-probes" in the system32 folder, which is part of Nmap, and the time stamp showed me that it was installed with the Nettools bundle 2 days ago.

I deleted the files without a problem, which means that the process wasn't in memory. So I'm curious how it runs through foobar, and I just don't know what its purpose is.

I'm running Avira, and I know that the problem is in my system and I don't want to point to components, but these lines also occur unreported by the console during track playback (from the PE log), at the time when UPnP is accessing my home computers.


Reply #1
OK, nobody replied; probably there is nothing to reply to, or my post is poorly written.
The problem with the mysterious "akamai..." has gone now that I've deleted the mentioned files, but I still get "DNS error" in the console - I guess I solved another problem while looking at this.
The error is reported by foo_uie_biography.
From the UIE Console, at the time when it appears [23:33:50], these threads are activated:

Code:
------------------------------------------------------------------------------------------------
"23:33:50,0468182","foobar2000.exe","17988","Thread Create","","SUCCESS","Thread ID: 3868":

"0","ntoskrnl.exe","ntoskrnl.exe + 0x229572","0x82a73572","C:\Windows\system32\ntoskrnl.exe"
"1","ntoskrnl.exe","ntoskrnl.exe + 0x26b680","0x82ab5680","C:\Windows\system32\ntoskrnl.exe"
"2","ntoskrnl.exe","ntoskrnl.exe + 0x26d391","0x82ab7391","C:\Windows\system32\ntoskrnl.exe"
"3","ntoskrnl.exe","ntoskrnl.exe + 0x4131a","0x8288b31a","C:\Windows\system32\ntoskrnl.exe"
"4","ntdll.dll","ntdll.dll + 0x45e9c","0x77d75e9c","C:\Windows\System32\ntdll.dll"
"5","KernelBase.dll","KernelBase.dll + 0xab2f","0x75f3ab2f","C:\Windows\System32\KernelBase.dll"
"6","kernel32.dll","kernel32.dll + 0x52785","0x766e2785","C:\Windows\System32\kernel32.dll"
"7","DSOUND.dll","DSOUND.dll + 0x9625","0x6b549625","C:\Windows\system32\DSOUND.dll"
"8","DSOUND.dll","DSOUND.dll + 0x9f87","0x6b549f87","C:\Windows\system32\DSOUND.dll"
"9","DSOUND.dll","DSOUND.dll + 0x9f12","0x6b549f12","C:\Windows\system32\DSOUND.dll"
"10","DSOUND.dll","DSOUND.dll + 0x1ba37","0x6b55ba37","C:\Windows\system32\DSOUND.dll"
------------------------------------------------------------------------------------------------

"23:33:50,2828513","foobar2000.exe","17988","Thread Exit","","SUCCESS","Thread ID: 20136, User Time: 0.0000000, Kernel Time: 0.0000000"

"0","ntoskrnl.exe","ntoskrnl.exe + 0x229a5f","0x82a73a5f","C:\Windows\system32\ntoskrnl.exe"
"1","ntoskrnl.exe","ntoskrnl.exe + 0x22a155","0x82a74155","C:\Windows\system32\ntoskrnl.exe"
"2","ntoskrnl.exe","ntoskrnl.exe + 0x236a2c","0x82a80a2c","C:\Windows\system32\ntoskrnl.exe"
"3","ntoskrnl.exe","ntoskrnl.exe + 0x4131a","0x8288b31a","C:\Windows\system32\ntoskrnl.exe"
"4","ntdll.dll","ntdll.dll + 0x4704c","0x77d7704c","C:\Windows\System32\ntdll.dll"
"5","ntdll.dll","ntdll.dll + 0x2e113","0x77d5e113","C:\Windows\System32\ntdll.dll"
"6","foo_uie_biography.dll","foobar2000_get_interface + 0xcb3","0x3c2b9d3","C:\Program Files\foobar2000\components\foo_uie_biography.dll"
"7","foo_uie_biography.dll","foobar2000_get_interface + 0xd74","0x3c2ba94","C:\Program Files\foobar2000\components\foo_uie_biography.dll"
"8","ntdll.dll","ntdll.dll + 0x5a0e0","0x77d8a0e0","C:\Windows\System32\ntdll.dll"
"9","ntdll.dll","ntdll.dll + 0x5a0b3","0x77d8a0b3","C:\Windows\System32\ntdll.dll"
------------------------------------------------------------------------------------------------

"23:33:50,3392086","foobar2000.exe","17988","Thread Create","","SUCCESS","Thread ID: 14200"

"0","ntoskrnl.exe","ntoskrnl.exe + 0x229572","0x82a73572","C:\Windows\system32\ntoskrnl.exe"
"1","ntoskrnl.exe","ntoskrnl.exe + 0x26b680","0x82ab5680","C:\Windows\system32\ntoskrnl.exe"
"2","ntoskrnl.exe","ntoskrnl.exe + 0x26d391","0x82ab7391","C:\Windows\system32\ntoskrnl.exe"
"3","ntoskrnl.exe","ntoskrnl.exe + 0x4131a","0x8288b31a","C:\Windows\system32\ntoskrnl.exe"
"4","ntdll.dll","ntdll.dll + 0x45e9c","0x77d75e9c","C:\Windows\System32\ntdll.dll"
"5","KernelBase.dll","KernelBase.dll + 0xab2f","0x75f3ab2f","C:\Windows\System32\KernelBase.dll"
"6","kernel32.dll","kernel32.dll + 0x52785","0x766e2785","C:\Windows\System32\kernel32.dll"
"7","foo_uie_biography.dll","foobar2000_get_interface + 0xdfa","0x3c2bb1a","C:\Program Files\foobar2000\components\foo_uie_biography.dll"
------------------------------------------------------------------------------------------------

"23:33:50,3523167","foobar2000.exe","17988","Thread Create","","SUCCESS","Thread ID: 14292"

"0","ntoskrnl.exe","ntoskrnl.exe + 0x229572","0x82a73572","C:\Windows\system32\ntoskrnl.exe"
"1","ntoskrnl.exe","ntoskrnl.exe + 0x26b680","0x82ab5680","C:\Windows\system32\ntoskrnl.exe"
"2","ntoskrnl.exe","ntoskrnl.exe + 0x26d391","0x82ab7391","C:\Windows\system32\ntoskrnl.exe"
"3","ntoskrnl.exe","ntoskrnl.exe + 0x4131a","0x8288b31a","C:\Windows\system32\ntoskrnl.exe"
"4","ntdll.dll","ntdll.dll + 0x45e9c","0x77d75e9c","C:\Windows\System32\ntdll.dll"
"5","KernelBase.dll","KernelBase.dll + 0xab2f","0x75f3ab2f","C:\Windows\System32\KernelBase.dll"
"6","kernel32.dll","kernel32.dll + 0x52785","0x766e2785","C:\Windows\System32\kernel32.dll"
"7","foo_uie_biography.dll","foobar2000_get_interface + 0xdfa","0x3c2bb1a","C:\Program Files\foobar2000\components\foo_uie_biography.dll"
------------------------------------------------------------------------------------------------

"23:33:50,3529036","foobar2000.exe","17988","Thread Create","","SUCCESS","Thread ID: 2944"

"0","ntoskrnl.exe","ntoskrnl.exe + 0x229572","0x82a73572","C:\Windows\system32\ntoskrnl.exe"
"1","ntoskrnl.exe","ntoskrnl.exe + 0x26b680","0x82ab5680","C:\Windows\system32\ntoskrnl.exe"
"2","ntoskrnl.exe","ntoskrnl.exe + 0x26d391","0x82ab7391","C:\Windows\system32\ntoskrnl.exe"
"3","ntoskrnl.exe","ntoskrnl.exe + 0x4131a","0x8288b31a","C:\Windows\system32\ntoskrnl.exe"
"4","ntdll.dll","ntdll.dll + 0x45e9c","0x77d75e9c","C:\Windows\System32\ntdll.dll"
"5","KernelBase.dll","KernelBase.dll + 0xab2f","0x75f3ab2f","C:\Windows\System32\KernelBase.dll"
"6","kernel32.dll","kernel32.dll + 0x52785","0x766e2785","C:\Windows\System32\kernel32.dll"
------------------------------------------------------------------------------------------------

"23:33:50,4223515","foobar2000.exe","17988","Thread Create","","SUCCESS","Thread ID: 824"

"0","ntoskrnl.exe","ntoskrnl.exe + 0x229572","0x82a73572","C:\Windows\system32\ntoskrnl.exe"
"1","ntoskrnl.exe","ntoskrnl.exe + 0x26b680","0x82ab5680","C:\Windows\system32\ntoskrnl.exe"
"2","ntoskrnl.exe","ntoskrnl.exe + 0x26d391","0x82ab7391","C:\Windows\system32\ntoskrnl.exe"
"3","ntoskrnl.exe","ntoskrnl.exe + 0x4131a","0x8288b31a","C:\Windows\system32\ntoskrnl.exe"
"4","ntdll.dll","ntdll.dll + 0x45e9c","0x77d75e9c","C:\Windows\System32\ntdll.dll"
"5","KernelBase.dll","KernelBase.dll + 0xab2f","0x75f3ab2f","C:\Windows\System32\KernelBase.dll"
"6","kernel32.dll","kernel32.dll + 0x52785","0x766e2785","C:\Windows\System32\kernel32.dll"

------------------------------------------------------------------------------------------------
"23:33:50,4348050","foobar2000.exe","17988","Thread Create","","SUCCESS","Thread ID: 3420"

"0","ntoskrnl.exe","ntoskrnl.exe + 0x229572","0x82a73572","C:\Windows\system32\ntoskrnl.exe"
"1","ntoskrnl.exe","ntoskrnl.exe + 0x26b680","0x82ab5680","C:\Windows\system32\ntoskrnl.exe"
"2","ntoskrnl.exe","ntoskrnl.exe + 0x26d391","0x82ab7391","C:\Windows\system32\ntoskrnl.exe"
"3","ntoskrnl.exe","ntoskrnl.exe + 0x4131a","0x8288b31a","C:\Windows\system32\ntoskrnl.exe"
"4","ntdll.dll","ntdll.dll + 0x45e9c","0x77d75e9c","C:\Windows\System32\ntdll.dll"
"5","KernelBase.dll","KernelBase.dll + 0xab2f","0x75f3ab2f","C:\Windows\System32\KernelBase.dll"
"6","kernel32.dll","kernel32.dll + 0x52785","0x766e2785","C:\Windows\System32\kernel32.dll"
------------------------------------------------------------------------------------------------
And this is the complete PM log at that referenced time:

I posted a note about this to the author on his component page.
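
Added example (not part of the original posts): one way to triage a Process Monitor CSV export like the one discussed in this thread, keeping only the events near the error time, listing network connections, and naming the first stack frame that lives outside the Windows directory. The helper names and all sample rows are constructed for illustration, and the timestamp parser assumes the decimal-comma time format seen in the thread.

```python
import csv
import io
from collections import Counter

# Constructed sample rows in Process Monitor's CSV export layout
# (same columns as the export described in the thread; values are illustrative).
SAMPLE_EVENTS = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"23:33:50,0200000","foobar2000.exe","4242","RegOpenKey","HKLM\SOFTWARE\Example\Audio","SUCCESS","Desired Access: Read"
"23:33:50,0400000","foobar2000.exe","4242","Thread Create","","SUCCESS","Thread ID: 1001"
"23:33:50,2200000","foobar2000.exe","4242","FASTIO_READ","C:\Music\track.mp3","SUCCESS","Offset: 24.576, Length: 4.096"
"23:33:50,3100000","foobar2000.exe","4242","TCP Connect","PC.lan:56210 -> cdn.example.net:http","SUCCESS","Length: 0, mss: 1452"
"23:33:51,0100000","foobar2000.exe","4242","UDP Send","PC.lan:50000 -> 192.0.2.53:domain","SUCCESS","Length: 33"
'''

# Constructed stack export for one event: frame, module, location, address, path.
SAMPLE_STACK = r'''"0","ntoskrnl.exe","ntoskrnl.exe + 0x1000","0x80001000","C:\Windows\system32\ntoskrnl.exe"
"1","ntdll.dll","ntdll.dll + 0x2000","0x70002000","C:\Windows\System32\ntdll.dll"
"2","foo_uie_biography.dll","foobar2000_get_interface + 0x10","0x03000010","C:\Program Files\foobar2000\components\foo_uie_biography.dll"
"3","ntdll.dll","ntdll.dll + 0x3000","0x70003000","C:\Windows\System32\ntdll.dll"
'''


def load_events(text):
    """Parse a Process Monitor CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def time_to_seconds(stamp):
    """Convert 'HH:MM:SS,fffffff' (decimal-comma locale) to seconds since midnight."""
    clock, _, frac = stamp.partition(",")
    hours, minutes, seconds = (int(part) for part in clock.split(":"))
    fraction = float("0." + frac) if frac else 0.0
    return hours * 3600 + minutes * 60 + seconds + fraction


def events_near(events, stamp, window=0.5):
    """Return events within +/- window seconds of the time an error was observed."""
    centre = time_to_seconds(stamp)
    return [e for e in events
            if abs(time_to_seconds(e["Time of Day"]) - centre) <= window]


def network_connections(events):
    """List (time, process, operation, remote endpoint) for TCP/UDP events.

    Process Monitor writes network paths as 'local -> remote'.
    """
    found = []
    for e in events:
        if e["Operation"].startswith(("TCP ", "UDP ")):
            local, _, remote = e["Path"].partition(" -> ")
            found.append((e["Time of Day"], e["Process Name"],
                          e["Operation"], remote or local))
    return found


def first_non_system_module(stack_text, system_root="c:\\windows\\"):
    """Return the module of the first stack frame loaded from outside system_root.

    This points at the third-party component that started the activity;
    None means every frame belongs to a module under the Windows directory.
    """
    for frame in csv.reader(io.StringIO(stack_text)):
        if len(frame) < 5:
            continue  # skip blank or separator lines
        if not frame[4].lower().startswith(system_root):
            return frame[1]
    return None


if __name__ == "__main__":
    events = load_events(SAMPLE_EVENTS)
    nearby = events_near(events, "23:33:50,3000000")
    print(Counter(e["Operation"] for e in nearby))
    for row in network_connections(events):
        print(row)
    print("first non-system module:", first_non_system_module(SAMPLE_STACK))
```
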