winlogon.exe

Hi,

for quite some weeks i get alerts from RegDefend concerning winlogon.exe. Since it happens usually when my machine connected with the internet, espacially when being online for several hours, i am used to block it once.

From GSS log file:
21:47:05 25 Jun 2006 | RegDefend | Blocked delete value by winlogon.exe | HKLM\Software\Microsoft\Windows nt\Currentversion\Secedit | policychangedinsetup |

21:47:10 25 Jun 2006 | RegDefend | Blocked set value by winlogon.exe | HKLM\Software\Microsoft\Windows nt\Currentversion\Secedit | policychangedinsetup |

21:47:18 25 Jun 2006 | RegDefend | Blocked set value by winlogon.exe | HKLM\Software\Microsoft\Windows nt\Currentversion\Secedit | lastwinlogonconfig |

21:47:20 25 Jun 2006 | RegDefend | Blocked set value by winlogon.exe | HKLM\Software\Microsoft\Windows nt\Currentversion\Winlogon\Gpextensions\{827d319e-6eac-11d2-a4ea-00c04f79f83a} | lastpolicytime |


Does anybody know, if this is a legitimate behavior of the system? I'm running W2k SP4 (fully patched) as poweruser by default. Using Tony Klein's gsr-file (it's great) I'm also wondering, because there is an application rule about winlogon like

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows nt\Currentversion\Winlogon* | * | CREATE KEY, MODIFY KEY, SET VALUE | | Winlogon | 1
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows nt\Currentversion\Winlogon\Gpextensions | lastpolicytime | SET VALUE, DELETE VALUE | | Winlogon | 5


Should i add a rule to this in order to cover the alert above? And, just for clarity, would the last alert (with this long key in {}) be avoided if i add a * directly behind Gpextensions in Tony's rule?

 

hi SYS 64738 !
First, your post is kind of scary too many registry setting in a dense text...
However i'll try to answer you.


This is some interesting read about SecEdit (Security Editor)
http://www.microsoft.com/resources/...all/proddocs/en-us/secedit_cmds.mspx?mfr=true

So seeying Secedit together with policy editor somehow is a hing that the application is doing what it is suposed to do.

SecEdit compare current settting with some templates.
Winlogon is resposable of many security feature of windows.
Moreover the key that winlogon is trying to change seem very informational.

policychangedinsetup

It's even likely that once you do allow it once it will not reppear in a while.
To sum up... It's generally wise to let the internal of windows modify the internal of windows. Especially if there is a logic link between the two actors.

Please do not wait for a *specialist* to approve your security settings. Most of what we can learn on a pc is done by toying and trial / error. Very few of our board member have such in depth knowlege of windows registry. Paranoid2000 migth be one of those. Instead of waiting for a specialist, become one Go for what you think is the best and post your result.

--------------------------

Question 2:

Answer:
NO.

Please read the FAQ concerning wildcards
a * would not be enougth. as it'll only do one level of keys. ** would cover even subkeys and is what you need.

Hope this help.