Why does cisvc.exe keep modifying Registry Keys on system startup?

By Nell_Smith ·
Hi there,
This isn't a question about the usual problem people seem to have with cisvc.exe (and the Windows Indexing Service in general), i.e. that it's hogging resources -- I don't find that a problem and I find the Indexing Service useful, so I don't want to disable it.
However, every time my system starts up (WinXP Pro SP 3), I get repeated warnings (up to 15) from ZoneAlarm Security Suite (latest build) as follows:
"Content Index service is trying to reconfigure software by modifying the registry key: HKLM\SOFTWARE\CLASSES\CSLID"
I have checked out the details for cisvc.exe and it's the genuine MSoft article, not a Trojan.
It's very tiresome having to allow so many alerts every time I start Windows -- and, indeed, why on earth is cisvc.exe doing this, when it never used to do so? Any ideas on what it's modifying and why, and whether I can stop it? For information, I updated ZoneAlarm to the latest build around about the time when cisvc.exe started behaving like this, but then again, that was also around the time when I installed WinXP SP3, so I'm guessing that one or the other of these may be the culprit...?
All advice gratefully appreciated!
Thanks in advance,
Nell :)

This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Answers

Collapse -

You need to re-educate ZoneAlarm, that's all ...

by OldER Mycroft In reply to Why does cisvc.exe keep m ...

When the next ZoneAlarm pop-up appears, sit for a second and take a deep breath.

Use the time to actually read what the pop-up is saying. BEFORE you click on the 'Allow' button, tick the 'Remember' box.

That way, ZoneAlarm will not warn you the next time the cisvc.exe process occurs.

"It's very tiresome having to allow so many alerts every time I start Windows -- and, indeed, why on earth is cisvc.exe doing this, when it never used to do so? Any ideas on what it's modifying and why, and whether I can stop it? For information, I updated ZoneAlarm to the latest build around about the time when cisvc.exe startd behaving like this, but then again, that was also around the time when I installed WinXP SP3, so I'm guessing that one or the other of these may be the culprit...?"

I would suggest the updating of ZoneAlarm to be the most likely cause of this annoyance/panic. You just have to set a few ground rules for the 'new' ZoneAlarm. Chances are that the 'old' ZoneAlarm had already been instructed NOT to warn you.

The cisvc.exe process is likely to have been running as long as you have used the computer - you have just never been aware of it.

However, on a home computer system, unless you have hard drives approaching Terabyte capacity, you can quite safely just disable File Indexing within 'services.msc' and never be worried by the process ever again. :)

Collapse -

Old Mycroft: Thanks for the reply (and thumbs-up given!)...but....

by Nell_Smith In reply to You need to re-educate Zo ...

... I think you might have been answering a slightly different question (probably one that gets asked far more often) -- that question being how to set ZoneAlarm to permanently allow certain request from certain processes/programs, thus reducing the number of popups.<br><br>
I'm a long-time user of ZoneAlarm (since it first came out) and also of CIS (since MSoft first invented it!), and, although I know that many people prefer to disable CIS as they find it to be a resource hog, I myself do find it useful and prefer to keep it running. This is firstly because, as far as I can tell, it makes no noticeable difference to system performance (cisvc.exe uses <800Kb and cidaemon.exe uses 00Kb of memory on a 1Gb system), and secondly because, although I don't have terabytes of storage, in my 20+ years of owning PCs and 15+ years of being on the Net, I have created and acquired over 500,000 discrete (small) data files which I keep in a labyrinthine (but, to me, useful) folder structure, to which I make many changes and additions daily, so I find that keeping CIS running does noticeably speed up the frequent searches I make.<br><br>
<i>(BTW, I know that Google Desktop Search is preferred by many these days, but I personally dislike Google and its apparent crusade to run not just the Internet but also my PC, so I'm not willing to use Google's search -- in any case, I find MSoft's search function quite adequate for my purposes and I've always thought that the more I complicate my system by bolting on all kinds of gadgets, the more chance it'll end up broken. Anyway...)</i><br><br>
I do have ZoneAlarm set to Maximum security in Program Control, but CIS itself is set to "Allow" and ZoneAlarm's Alert Events are switched off, so that I receive only program-level alerts -- these are the settings I've always used, and it's only since the new build of ZoneAlarm that I've been receiving the popups regarding cisvc.exe (and no popups about anything else). The alerts I'm receiving aren't program-level alerts and they don't have the "Remember" checkbox -- they merely state the information I gave in my original post, give a link to cisvc.exe (which shows up as being exactly where and what it should be) and then helpfully state that "no information is available for alerts of this type". As I say, CIS is already "Allowed", so it shouldn't be generating alerts unless one of its processes changes, and even then, the alert should have the "Remember" checkbox. Also, the popups I'm getting don't state WHICH Registry keys are being modified, merely giving the location "HKLM\SOFTWARE\CLASSES\CSLID".<br><br>
I know I could back up my registry, restart the system and then check which keys have changed, but it would be a huge and lengthy task and I was just hoping that someone here might know about this odd little behaviour of ZoneAlarm's and save me much Registry trawling!<br><br>
Once again, thanks for your detailed reply, but I'm already aware of what CIS is, and I choose to keep it running for the reasons I've stated (although, like you, I would normally advise most home users to disable it, generally speaking) -- I'm simply curious as to what CIS is actually doing in the Registry, and why it seems to need to do the exact same thing every time Windows starts. Again, as you say, no doubt CIS was doing this anyway and ZoneAlarm's previous versions were simply not reporting it to me, but it would be quite nice if I could get it to stop reporting it now, too... and contacting ZoneAlarm tech support has always been, er, not that helpful (to be diplomatic!), so I'm hoping that the forum community here might be able to help.<br><br>
Nell :)

Collapse -

Given the recent 'update' of Zonealarm ...

by OldER Mycroft In reply to Old Mycroft: Thanks for t ...

I am wondering if perhaps familiarity may have led to an element of ZoneAlarm-complacency.

When I installed the new build I reset program control to 'Medium' (as all new users are advised to do) thereby allowing the NEW ZoneAlarm to learn all over again. I'm thinking that you probably didn't do that because I'm not getting the warnings that you are getting.

The box for 'remember this next time' usually only appears while ZoneAlarm is in 'Learning Mode'. Perhaps that is why you are not seeing it.

Hope this helps you.

Collapse -

Further suggestion ...

by OldER Mycroft In reply to Old Mycroft: Thanks for t ...

You might say I've just had a wave of inspiration from afar.

Try using RegMon, which is now called Process Monitor from Sysinternals, now bought up by M$. Try running it in tandem with Process Explorer. Both can be found at:

Fire it up, leaving it running in the background then wait for the next instance of your annoying pop-up. Highlight it, find out where it's going and what it's doing to the Registry. :)


Collapse -

Old M: Thank you!! Fantastic...

by Nell_Smith In reply to Further suggestion ...

... thanks so much for both the idea and the link. I've got Process Explorer for XP, but my only copy of RegMon is the version for 95/XP (dating from 1999!) and I've had it in the back of my mind for ages to hunt down a new version, but never got round to it, so very many thanks for kickstarting my brain <u>and</u> pointing me in the right direction as well! :)<br><br>

Off to download now, and hopefully resolve the problem... many thanks once again.<br><br>

Nell :)

Collapse -

Well there are a few misconceptions here to start off with

by OH Smeg In reply to Why does cisvc.exe keep m ...

Just because M$ make something doesn't mean that it doesn't behave like a Trojan or that it's not a Trojan under the Strict Sense of the Word it just means that you want this Trojan.

As Old Mycroft has said above you need to tell Zone Alarm to remember the change and not to report it again as every time that you start up your Computer it makes these changes and the only way to stop it is to disable it. Put Simply it acts exactly like a Trojan and to all intents & purposes is a Trojan just like Windows is a Virus. If it looks and works like something then by the definition of that term that it acts like it can be accepted that it is. The difference here is it is something that you want installed not something that you need to avoid at all costs.

These things where developed along the lines of existing M$ Products to take advantage of holes or vulnerabilities in the OS so because a Nasty Thing that you catch is something that you don't want doesn't mean that everything that works the same way is something nasty that needs to be deleted.

As Old M has said program up Zone Alarm to remember the accepted changes and this warning will no longer appear. It should be as simple as telling ZA to remember your accepted changes when the warning pops up and you shouldn't need to do any more.

Post back if you require any more information and don't forget to give the first respondent a Thumbs Up for telling you how to solve your problem.


Collapse -

Oh Smeg/Col: ...Plus maybe one more misconception?...

by Nell_Smith In reply to Well there are a few misc ...

... that being your possible misconception as to how much I do or don't know about Windows (and ZoneAlarm, and Trojans, and viruses, and so on, for that matter)?!

Thanks for your reply, but I'm probably a bit older (and an older hand with computers) than you're assuming: I've owned (and worked with) PCs since the days of x86 and DOS, when "the Internet" pretty much meant ARPANet/JaNET plus USENet (and "browsing" was something that only cattle did!), "email" meant text-only messaging via UNIX (none of this "Forward the hilarious 5Mb AVI of some animated thing or other to my entire 500-member email list" nonsense), and when XTree Pro Gold was the nearest you could get to a GUI on a PC. Over the years I've built up a pretty good working knowledge of all versions of Windows from v3.0, via NT3.51/4.0 and 95/98, up until Win2000 and XP, when I stopped working as an IT professional for a multinational corporation, supporting 250 local users on the London corporate HQ LAN as well as a 100,000-member/100-country WAN hosted on a dozen or so racks of Compaq ProLineas and ProLiants, to look after my three kids (7, 4 and 3). Phew...! <i>(Deep breath... that was some rant! -- Sorry!)</i><br><br>

Anyway, my home PC may not be a marvel of modern technology, but it suits me just fine, being a dual-boot 98 (love it to bits) and XP (OK once you stop it looking like an episode of Teletubbies and undo all of MSoft's "idiot-proof" settings) machine which happily hosts my children's wirelessly networked PC and, in both hardware and software terms, is probably more secure than your average corporate server (seriously -- I actually *care* about my own data!), because the idiotic "Hey, let's download and install dozens of browser toolbars, plus every piece of rubbish we see on YouTube and/or receive via email from people we've never heard of, while running outdated or non-existent security software" behaviour of many users these days means that the rest of us have to spend immense amounts of time and effort avoiding the botnets, mail-spamming worms and Trojans infesting over 90% of the machines out there (and I mean "Trojans" in MY sense of the word -- i.e. potentially dangerous and deliberately concealed malware, not Windows' core processes or subroutines, or legitimate software which utilises those routines and which I myself have installed). I remember the days when the only Nasty Things anyone had to worry about were archaic (to our eyes now -- but appalling then) viruses such as Michaelangelo -- a copy of which I still keep zipped on my hard drive out of nostalgia, after it took down the entire Bristol University network for a week -- I was working there at the time (18 years ago), and it necessitated a full reinstall/restore of hundreds of machines -- not bad for a couple of lines of code, and something that today's "hackers" aren't remotely capable of, annoying though they are, thanks to the huge advances in security by MSoft and the various anti-malware software providers.<br><br>

Anyway, obviously I'm busy with my kids most of the time and I can't possibly keep up to speed with the exponential explosion of latest'n'greatest(?) products out there (indeed, I spend little time online, thanks to the little ones), but it would seem from what you've written that I may know just a bit more about how computers and software generally work (or don't, I suppose, if you look at it the other way) than you're presuming...?<br><br>

As I mentioned to Old Mycroft, I think there's a small mistake here as to what question I'm actually asking... I know how to set ZoneAlarm's permissions, whether via the checkboxes or, as I do whenever updating ZoneAlarm, by manually adding and configuring permissions for the various apps I have installed, but the popups I'm getting aren't of that nature -- as I've said to Old Mycroft, they don't have a checkbox, they can't be permanently dismissed, and they don't seem to be the usual program-level alerts.<br><br>

Thanks anyway for taking the trouble to reply, and your views on Windows acting like a virus/Trojan are, I know, widely held -- indeed, jokes like: <b><i>"Norton has detected a virus on C -- "" -- Delete?"</b></i> were circulating 15 years ago, and probably still are now, although maybe you'd have to substitute "Spyware Doctor" for "Norton" and "win.exe" for "" to suit the, er, younger generation who don't know who Peter Norton is?) <br><br>

Nell :)

Collapse -

Your TR Biography space would've assuaged our assumptions...

by OldER Mycroft In reply to Oh Smeg/Col: ...Plus mayb ...

But since it is empty we tend to cover all bases in our replies.


Collapse -

Old M: I know, my fault...

by Nell_Smith In reply to Your TR Biography space w ...

... and my reply to Oh Smeg/Col was really addressed directly to him/her, not to you... there were a couple of remarks in that particular post which I thought were a bit, well, high-handed, unlike what you wrote, which was nothing but considerate, helpful and, as you so rightly say, in the absence of any information from me, quite correctly assumed the general level of computer knowledge for an average home user, which isn't much (to put it kindly!). All that you said was polite, friendly and much appreciated, and I really didn't intend that particular reply for you (hence the split replies)... I'll go and update my profile and stop ranting! :)<br><br>

Many thanks once again for your help and your time and trouble, and, especially, for the link to the Sysinternals Utilities page, which is a goldmine and which I'm busy raiding right now for all the latest versions of my trusty old (but sadly outdated) versions of system monitoring software! You really wouldn't believe (I don't!) how much having kids keeps one off one's PC... most days I don't even power it on, which is sad indeed, and I only d/load mail once a week or so(!)... still, apparently they grow up, so I've been told!<br><br>

I do hope I haven't caused you any offence, as none at all was intended. I'll get the profile updated.<br><br>

Nell :)

Collapse -

No problem. I've been insulted by experts over the years...

by OldER Mycroft In reply to Old M: I know, my fault.. ...

So much so that unless you have a Master's Degree in being offensive, little or nothing will ever register upon my psyche.

My own biography has me listed as a Grumpy Old Man so I rather enjoy a rant or two myself.

By the way, as way of a riposte, DISCRETE does not mean small: it means distinct and separate!

Related Discussions

Related Forums