More WinLogon.exe problems

Discussion in 'Ghost Security Suite (GSS)' started by linney, Jun 13, 2005.

Thread Status:
Not open for further replies.
  1. linney

    linney Registered Member

    Joined:
    Feb 17, 2002
    Posts:
    174
    I run XP Pro (SP2) with RegDefend version 1.300. I have been using RegDefend for the past week. I have noticed these two Event Viewer (Application) errors have repeatedly occurred since installing RegDefend. These errors seem to occur when logging off one user and logging on another. They didn't occur before the install and do not occur if I disable the Registry Groups.

    As yet I have received no display messages from RegDefend about WinLogon.exe and have not given it any Permission Overrides. Should I add WinLogon.exe to the Permission Overrides box? I thought when anything was blocked I would be notified of it and asked to make a decision?

    My rules are the default downloaded ones with no amendments.

    Can anyone suggest a course of action for this new (registered) RegDefend user?


    I have noted the discussion in https://www.wilderssecurity.com/showthread.php?t=67729

    I do not use Fast User switching.

    I have only the 3 default Groups.



    Rule.

    hkey_current_user\software\microsoft\windows\currentversion\policies\explorer* | * | Key + Value | Mod Key, Mod Value | Ask User


    Errors.

    Event Type: Error
    Event Source: Userenv
    Event Category: None
    Event ID: 1096
    Date: 13/06/2005
    Time: 12:59:23 PM
    User: NT AUTHORITY\SYSTEM
    Computer: P4
    Description:
    Windows cannot access the registry policy file, F:\WINDOWS\System32\GroupPolicy\User\registry.pol. (Access is denied. ).

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.



    Event Type: Error
    Event Source: Userenv
    Event Category: None
    Event ID: 1022
    Date: 13/06/2005
    Time: 12:59:23 PM
    User: NT AUTHORITY\SYSTEM
    Computer: P4
    Description:
    Windows cannot delete registry value NoRun. (Access is denied. ).

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.



    Logging.

    winlogon.exe [932] was allowed to delete a protected value | 12:45:12 - 13 Jun 2005 | hkey_current_user\software\microsoft\windows\currentversion\policies\explorer | norun | f:\windows\system32\winlogon.exe | EXTRA PROTECTION
    winlogon.exe [932] was allowed to delete a protected value | 12:45:12 - 13 Jun 2005 | hkey_current_user\software\microsoft\windows\currentversion\policies\explorer | hideclock | f:\windows\system32\winlogon.exe | EXTRA PROTECTION
    winlogon.exe [932] was allowed to delete a protected value | 12:46:08 - 13 Jun 2005 | hkey_current_user\software\microsoft\windows\currentversion\policies\explorer | norun | f:\windows\system32\winlogon.exe | EXTRA PROTECTION
    winlogon.exe [932] was allowed to delete a protected value | 12:46:08 - 13 Jun 2005 | hkey_current_user\software\microsoft\windows\currentversion\policies\explorer | hideclock | f:\windows\system32\winlogon.exe | EXTRA PROTECTION
    winlogon.exe [932] was blocked from setting this value to 0x00000091 (145) [AUTO RESPONSE] | 12:59:42 - 13 Jun 2005 | hkey_current_user\software\microsoft\windows\currentversion\policies\explorer | nodrivetypeautorun | f:\windows\system32\winlogon.exe | EXTRA PROTECTION
    winlogon.exe [932] was blocked from deleting a protected value | 12:59:42 - 13 Jun 2005 | hkey_current_user\software\microsoft\windows\currentversion\policies\explorer | norun | f:\windows\system32\winlogon.exe | EXTRA PROTECTION
     
  2. Vikorr

    Vikorr Registered Member

    Joined:
    May 1, 2005
    Posts:
    662
    I don't know the technical details, but I personally can't see any problem with adding winlogon.exe to your APOs in the 'Extra Protection' group.
     
  3. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    That sounds like decent advice to me, assuming that you have Windows installed on F:

    1. add f:\windows\system32\winlogon.exe as an application permissions override entry to the EXTRA PROTECTION group
      • you could enter it in as %Windir%\system32\winlogon.exe
    2. right click on the winlogon.exe line and choose Automatically Allow. Modify Registry Values
    The issue was created by the block after the "[AUTO RESPONSE]", and it can be avoided by making a rule that doesn't need to ask the user (avoiding the auto-response block); that is done by adding winlogon.exe as an APO to that group, as in the suggestion above.

    It can be done differently if you *want* to stop the policy being applied, but that can be done just as easily by setting registry permissions; you don't need regdefend to do that

    RegDefend shouldn't be the cause of no access to a file though...
    It might be worth checking the file permissions to see what permissions SYSTEM has on that file (because winlogon.exe runs as that built-in user).
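
    The following script is an added example written for this thread; it is not code from Ghost Security Suite or from either poster. It covers the two checks raised in this reply and the symptoms in post #1: it parses RegDefend-style log lines (the pipe-separated layout is inferred from the lines quoted in the first post) to pick out the winlogon.exe operations that were blocked by an [AUTO RESPONSE], checks what access SYSTEM has on the per-user registry.pol named in Userenv event 1096, and pulls Userenv 1096/1022 errors from the Application log so their timestamps can be lined up against the RegDefend block times. It assumes Windows PowerShell 3.0 or later run from an elevated prompt (Get-EventLog is not available in PowerShell 7+), and that the "Userenv" event source is the one in use, as on the XP machine in this thread.

```powershell
# Added example, not from the thread or from Ghost Security Suite.
# Assumes Windows PowerShell 3.0+ (Get-EventLog, [pscustomobject]) and an
# elevated prompt. The log layout below is inferred from the lines in post #1.

# Constructed sample: two "blocked" lines and one "allowed" line copied from
# the first post, in the same pipe-separated layout RegDefend used.
$sampleLog = @'
winlogon.exe [932] was allowed to delete a protected value | 12:46:08 - 13 Jun 2005 | hkey_current_user\software\microsoft\windows\currentversion\policies\explorer | norun | f:\windows\system32\winlogon.exe | EXTRA PROTECTION
winlogon.exe [932] was blocked from setting this value to 0x00000091 (145) [AUTO RESPONSE] | 12:59:42 - 13 Jun 2005 | hkey_current_user\software\microsoft\windows\currentversion\policies\explorer | nodrivetypeautorun | f:\windows\system32\winlogon.exe | EXTRA PROTECTION
winlogon.exe [932] was blocked from deleting a protected value | 12:59:42 - 13 Jun 2005 | hkey_current_user\software\microsoft\windows\currentversion\policies\explorer | norun | f:\windows\system32\winlogon.exe | EXTRA PROTECTION
'@

# 1) Parse RegDefend log lines into objects: action | time | key | value | process | group
function ConvertFrom-RegDefendLog {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $f = $line -split '\s*\|\s*'
        if ($f.Count -lt 6) { continue }            # not a line in the expected layout
        [pscustomobject]@{
            Action       = $f[0]
            Blocked      = ($f[0] -match '\bwas blocked\b')
            AutoResponse = ($f[0] -match '\[AUTO RESPONSE\]')
            Time         = [datetime]::ParseExact($f[1], 'HH:mm:ss - dd MMM yyyy',
                               [cultureinfo]::InvariantCulture)
            Key          = $f[2]
            Value        = $f[3]
            Process      = $f[4]
            Group        = $f[5]
        }
    }
}

$entries = ConvertFrom-RegDefendLog ($sampleLog -split "`r?`n")
$blocked = @($entries | Where-Object { $_.Blocked -and $_.Process -like '*\winlogon.exe' })
"RegDefend blocked $($blocked.Count) winlogon.exe operation(s) in the sample:"
$blocked | Format-Table Time, Value, AutoResponse -AutoSize

# 2) Does SYSTEM actually have rights on the user-side policy file that
#    event 1096 said was inaccessible? winlogon.exe applies policy as SYSTEM.
$polPath = Join-Path $env:WINDIR 'System32\GroupPolicy\User\registry.pol'
if (Test-Path $polPath) {
    $acl = Get-Acl -Path $polPath
    $systemAces = @($acl.Access | Where-Object { $_.IdentityReference -like '*\SYSTEM' })
    if ($systemAces.Count -eq 0) {
        "No ACE for SYSTEM on $polPath (FullControl is the usual default)."
    } else {
        $systemAces |
            Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
            Format-Table -AutoSize
    }
} else {
    "$polPath not present; no local user-side policy file on this machine."
}

# 3) Userenv errors from the Application log. 1096 = cannot access registry.pol,
#    1022 = cannot delete a policy value. If RegDefend is the cause, these will
#    sit at the same times as the blocked operations listed above.
Get-EventLog -LogName Application -Source Userenv -EntryType Error -Newest 50 -ErrorAction SilentlyContinue |
    Where-Object { 1096, 1022 -contains $_.EventID } |
    Select-Object TimeGenerated, EventID, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } } |
    Format-Table -AutoSize
```

    On a real box, replace `$sampleLog` with the contents of the RegDefend log export; the rest of the script is unchanged. If step 2 shows SYSTEM with full control and step 3 lines up exactly with the RegDefend blocks, the file-access error is a side effect of the blocked registry write rather than a file-permission problem, which is the distinction this reply is drawing.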
     
  4. linney

    linney Registered Member

    Joined:
    Feb 17, 2002
    Posts:
    174
    Thank you both for your assistance. I have made the necessary adjustments as far as RegDefend is concerned (and WinLogon.exe) and will see what happens from here on.
     