Registry handle leak

Discussion in 'malware problems & news' started by OrlandoR, Nov 15, 2010.

Thread Status:
Not open for further replies.
  1. OrlandoR

    OrlandoR Registered Member

    Joined:
    Nov 15, 2010
    Posts:
    10
    I keep getting the following types of messages in my event logs and would love to know what they mean:

    "Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL -- 14 user registry handles leaked from \Registry \User\S-1-5-21-3076477255...
    Process 2092 (\Device\HarddiskVolume4\Windows\System32\dwm.exe) has opened key \REGISTRY\USER\s-1-5-21-30764...."

    Doesn't sound good to me. Also this:

    "Special privileges assigned to new logon

    SECURITY ID: SYSTEM
    ACCOUNT NAME: SYSTEM
    ACCOUNT DOMAIN: NT AUTHORITY
    LOGON ID: 0x1c5f16c
    Privileges:
    SeAssignPrimaryTokenPrivilege
    SeTcbPrivilege
    SeSecurityPrivilege
    SeTakeOwnershipPrivilege
    SeLoadDriverPrivilege
    SeDebugPrivilege
    SeAuditPrivilege
    SeSystemEnvironmentPrivilege
    SeImpersonatePrivilege"

    I have not set up any new accounts, so this "Special logon" certainly is "Special." Any ideas as to what's going on with this? Thanks much.
     
  2. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Probably normal due to application activity.

    EventID.Net: this site will help you with your logs; enter the source also or all events will be listed.

    The S-numbers or string in the keys are called SIDs, security identifiers assigned at log on to users and groups to identify them.

    So, SID - domain or local computer - unique id

    What SID was associated with the second one? Looks like an OS service account.

    If you're concerned security-wise, check this out.
     
    Last edited: Nov 15, 2010
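    An added helper (not from either poster) that parses a "user registry handles leaked" detail like the one quoted above and explains the SID layout Meriadoc describes; the sample event text, the full SID and the second process are constructed for the example.

```python
import re

# Well-known service SIDs (from Microsoft's "Well-known SIDs" list); S-1-5-18 is LocalSystem.
WELL_KNOWN_SIDS = {
    "S-1-5-18": "NT AUTHORITY\\SYSTEM (LocalSystem)",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
}
LEAK_RE = re.compile(r"(\d+) user registry handles leaked from \\Registry\\User\\(S-1-5(?:-\d+)+)", re.I)
PROC_RE = re.compile(r"Process (\d+) \(([^)]+)\) has opened key (\S+)", re.I)

def describe_sid(sid: str) -> str:
    """Explain a SID: a well-known account, or S-1-5-21-<machine/domain>-<RID> account."""
    sid = sid.upper()
    if sid in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[sid]
    parts = sid.split("-")
    if len(parts) == 8 and parts[3] == "21":          # S-1-5-21-a-b-c-RID
        rid = int(parts[7])
        if rid == 500:
            return "built-in Administrator (RID 500)"
        if rid >= 1000:
            return f"non-built-in user or group (RID {rid})"
        return f"other built-in domain/local account or group (RID {rid})"
    return "unrecognised SID"

def parse_handle_leak(detail: str) -> dict:
    """Pull the leaked-handle count, profile SID and holder processes out of the event text."""
    m = LEAK_RE.search(detail)
    if m is None:
        raise ValueError("not a user-profile handle-leak detail")
    holders = [(int(pid), image, key) for pid, image, key in PROC_RE.findall(detail)]
    return {"leaked": int(m.group(1)), "sid": m.group(2),
            "owner": describe_sid(m.group(2)), "holders": holders}

def holders_outside_system32(holders) -> list:
    """Holders whose image is not under \\Windows\\System32 are the ones worth a second look."""
    return [h for h in holders if "\\windows\\system32\\" not in h[1].lower()]

# Constructed sample modelled on the event quoted in the thread (SID and second process are made up).
SAMPLE_DETAIL = (
    "DETAIL -- 14 user registry handles leaked from "
    "\\Registry\\User\\S-1-5-21-1111111111-2222222222-3333333333-1001:\n"
    "Process 2092 (\\Device\\HarddiskVolume4\\Windows\\System32\\dwm.exe) has opened key "
    "\\REGISTRY\\USER\\S-1-5-21-1111111111-2222222222-3333333333-1001\n"
    "Process 4711 (\\Device\\HarddiskVolume4\\Users\\Public\\updater.exe) has opened key "
    "\\REGISTRY\\USER\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Software\n"
)
```

    Running `holders_outside_system32(parse_handle_leak(SAMPLE_DETAIL)["holders"])` leaves only the process outside System32, which is the kind of holder to look up rather than the dwm.exe the thread quotes.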
  3. OrlandoR

    OrlandoR Registered Member

    Joined:
    Nov 15, 2010
    Posts:
    10
    Thanks a lot. I've come across the Blue Z guide from Gizmo's site after being badly burned and did a clean install. Problem is these are the same sorts of messages I received when my machine was compromised. The second 'special logon' SID is s-1-5-18. Subject Username is System in domain NTAuthority.
    However, after I did a clean install and tried to connect to download updates I immediately was notified my Print Spooler initiated and I had a "Router Error." Is this something to be concerned about? This happened last time around, and looking at logs I saw that services I had explicitly disabled (IP Helper, Media Extender, etc.) entered the "running state" not too long after my install. Then all AV failed to update, etc. Can services you've disabled start running on their own? I thought only in manual setting they could.
     