More WinLogon.exe problems

I run XP Pro (SP2) with RegDefend version 1.300. I have been using RegDefend for the past week. I have noticed these two Event Viewer (Application) errors have repeatedly occurred since installing RegDefend. These errors seem to occur when logging off one user and logging on another. They didn't occur before the install and do not occur if I disable the Registry Groups.

As yet I have received no display messages from RegDefend about WinLogon.exe and have not given it any Permission Overrides. Should I add WinLogon.exe to the Permission Overrides box? I thought when anything was blocked I would be notified of it and asked to make a decision?

My rules are the default downloaded ones with no amendments.

Can anyone suggest a course of action for this new (registered) RegDefend user?


I have noted the discussion in https://www.wilderssecurity.com/showthread.php?t=67729

I do not use Fast User switching.

I have only the 3 default Groups.



Rule.

hkey_current_user\software\microsoft\windows\currentversion\policies\explorer* | * | Key + Value | Mod Key, Mod Value | Ask User


Errors.

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1096
Date: 13/06/2005
Time: 12:59:23 PM
User: NT AUTHORITY\SYSTEM
Computer: P4
Description:
Windows cannot access the registry policy file, F:\WINDOWS\System32\GroupPolicy\User\registry.pol. (Access is denied. ).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.



Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1022
Date: 13/06/2005
Time: 12:59:23 PM
User: NT AUTHORITY\SYSTEM
Computer: P4
Description:
Windows cannot delete registry value NoRun. (Access is denied. ).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.



Logging.

winlogon.exe [932] was allowed to delete a protected value | 12:45:12 - 13 Jun 2005 | hkey_current_user\software\microsoft\windows\currentversion\policies\explorer | norun | f:\windows\system32\winlogon.exe | EXTRA PROTECTION
winlogon.exe [932] was allowed to delete a protected value | 12:45:12 - 13 Jun 2005 | hkey_current_user\software\microsoft\windows\currentversion\policies\explorer | hideclock | f:\windows\system32\winlogon.exe | EXTRA PROTECTION
winlogon.exe [932] was allowed to delete a protected value | 12:46:08 - 13 Jun 2005 | hkey_current_user\software\microsoft\windows\currentversion\policies\explorer | norun | f:\windows\system32\winlogon.exe | EXTRA PROTECTION
winlogon.exe [932] was allowed to delete a protected value | 12:46:08 - 13 Jun 2005 | hkey_current_user\software\microsoft\windows\currentversion\policies\explorer | hideclock | f:\windows\system32\winlogon.exe | EXTRA PROTECTION
winlogon.exe [932] was blocked from setting this value to 0x00000091 (145) [AUTO RESPONSE] | 12:59:42 - 13 Jun 2005 | hkey_current_user\software\microsoft\windows\currentversion\policies\explorer | nodrivetypeautorun | f:\windows\system32\winlogon.exe | EXTRA PROTECTION
winlogon.exe [932] was blocked from deleting a protected value | 12:59:42 - 13 Jun 2005 | hkey_current_user\software\microsoft\windows\currentversion\policies\explorer | norun | f:\windows\system32\winlogon.exe | EXTRA PROTECTION

 

I don't know the technical details, but I personally can't see any problem with adding winlogon.exe to your APO's in the 'Extra Protection' group.

 

That sounds like decent advice to me, assuming that you have windows installed in F:

1. add f:\windows\system32\winlogon.exe as an application permissions override entry to the EXTRA PROTECTION group
   • you could enter it in as %Windir%\system32\winlogon.exe
2. right click on the winlogon.exe line and choose Automatically Allow. Modify Registry Values

The issue was created by the block after the "[AUTO RESPONSE]" and can be avoided by making a rule that doesn't need to ask the user (avoiding the auto-response block) and that is done by adding winlogon.exe as an APO to that group in the suggestion above

It can be done differently if you *want* to stop the policy being applied, but that can be done just as easily by setting registry permissions; you don't need regdefend to do that

RegDefend shouldn't be the cause of no access to a file though...
It might be worth checking the file permissions and see what permissions SYSTEM has on that file (because winlogon.exe runs as that builtin user)

 

Thank you both for your assistance, I have made the necessary adjustments as far as RegDefend is concerned (and WinLogon.exe) and will see what happens from here on.