system 32 & dhcp... values?

Discussion in 'Ghost Security Suite (GSS)' started by beethoven, Sep 8, 2005.

Thread Status:
Not open for further replies.
  1. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,168
    Since upgrading to the new version I get a range of alerts from hd\winnt\system32... all wanting to delete a key: hklm\system\controlset001\... and then affecting the following values:
    • dhcpnameserver
    • dhcpdomain
    • dhcpsubnetmaskopt
    • dhcpdomain
    • dhcpdefaultgateway
    • dhcpnameserver
    and so on, seemingly repeating.

    I am using RD as is without any rulesets - what should I do? Just blocking it does not seem to work, as it appears back at least upon reboot irrespective of the always button ticked.

    o_O
     
  2. tonyjl

    tonyjl Registered Member

    Joined:
    May 25, 2004
    Posts:
    287
    Hi Beethoven,
    can you tell us what app is trying to delete the values?
     
  3. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,168
    Sorry, services.exe :oops:
     
  4. tonyjl

    tonyjl Registered Member

    Joined:
    May 25, 2004
    Posts:
    287
    I'm not sure if you should allow it or not,What ver. of windows you running? In WinXP, svchost.exe deletes them (and i think adds them back). So yours could be legit,if your systems clean of malware etc.then i personally would allow it and see what happens (do a backup of your registry/or HD first though just in case).

    That's just my opinion though so you might want to wait for someone to give you a definate answer.
     
  5. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,168
    This particular PC is running W2K - I noticed on another PC running XP that similar requests are coming from Svchost.exe?
     
  6. Disciple

    Disciple Registered Member

    Joined:
    Nov 14, 2002
    Posts:
    292
    Location:
    Ellijay, Georgia - USA
    Beethoven, I see the exact same behavior with my 2 XP computers here on the home LAN, by chance are your computers on a network? On my systems the entry times coincide with the IP address renewal from the DHCP server in the router. Could it be that you are seeing the same thing?

    Followup:
    I am now not so sure about what I said above. Looking at the RD log there are now entries for almost each hour of the day. So I am as confused as everyone else, why is svchost deleting/setting values to these keys on such a regular basis.
     
    Last edited: Sep 9, 2005
  7. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,168
    disciple - you are right, it's a LAN network. Right now I am only using one XP pc (the others are sleeping - it's weekend in Sydney :)
    On this one I have allowed svchost.exe to do its work, so I don't get any alerts (though I am really not sure whether it is the right decision) o_O

    The other pc running the new RD is W2K and for this one services.exe will be asking once I start the pc. It usually goes through a cycle of alerts which I block and eventually falls silent. Can't say that I get the same alert during the day again.

    Hopefully Jason or someone else has a bit more insight :)
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.