winlogon.exe

Discussion in 'Ghost Security Suite (GSS)' started by SYS 64738, Jun 25, 2006.

Thread Status:
Not open for further replies.
  1. SYS 64738

    SYS 64738 Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    130
    Hi,

    For quite some weeks I have been getting alerts from RegDefend concerning winlogon.exe. Since it usually happens when my machine is connected to the internet, especially after being online for several hours, I am used to blocking it once.

    From GSS log file:
    21:47:05 25 Jun 2006 | RegDefend | Blocked delete value by winlogon.exe | HKLM\Software\Microsoft\Windows nt\Currentversion\Secedit | policychangedinsetup |

    21:47:10 25 Jun 2006 | RegDefend | Blocked set value by winlogon.exe | HKLM\Software\Microsoft\Windows nt\Currentversion\Secedit | policychangedinsetup |

    21:47:18 25 Jun 2006 | RegDefend | Blocked set value by winlogon.exe | HKLM\Software\Microsoft\Windows nt\Currentversion\Secedit | lastwinlogonconfig |

    21:47:20 25 Jun 2006 | RegDefend | Blocked set value by winlogon.exe | HKLM\Software\Microsoft\Windows nt\Currentversion\Winlogon\Gpextensions\{827d319e-6eac-11d2-a4ea-00c04f79f83a} | lastpolicytime |


    Does anybody know if this is legitimate behavior of the system? I'm running W2k SP4 (fully patched) as a power user by default. I'm also wondering because I use Tony Klein's gsr-file (it's great), and there is an application rule about winlogon like:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows nt\Currentversion\Winlogon* | * | CREATE KEY, MODIFY KEY, SET VALUE | | Winlogon | 1
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows nt\Currentversion\Winlogon\Gpextensions | lastpolicytime | SET VALUE, DELETE VALUE | | Winlogon | 5


    Should I add a rule to this in order to cover the alerts above? And, just for clarity, would the last alert (with the long key in {}) be avoided if I added a * directly after Gpextensions in Tony's rule?
     
  2. f3x

    f3x Registered Member

    Joined:
    Feb 6, 2006
    Posts:
    311
    Location:
    Montreal, Quebec
    Hi SYS 64738!
    First, your post is kind of scary ;) too many registry settings in a dense text...
    However, I'll try to answer you.


    Here is some interesting reading about SecEdit (Security Editor):
    http://www.microsoft.com/resources/...all/proddocs/en-us/secedit_cmds.mspx?mfr=true

    So seeing Secedit together with the policy editor is somehow a hint that the application is doing what it is supposed to do.

    SecEdit compares current settings with some templates.
    Winlogon is responsible for many security features of Windows.
    Moreover, the key that winlogon is trying to change seems very informational:

    policychangedinsetup

    It's even likely that once you allow it, it will not reappear for a while.
    To sum up... It's generally wise to let the internals of Windows modify the internals of Windows. Especially if there is a logical link between the two actors.

    Please do not wait for a *specialist* to approve your security settings. Most of what we can learn on a PC is done by toying and trial and error. Very few of our board members have such in-depth knowledge of the Windows registry. Paranoid2000 might be one of those. Instead of waiting for a specialist, become one ;) Go for what you think is best and post your results.

    --------------------------

    Question 2:

    Answer:
    NO. ;)

    Please read the FAQ concerning wildcards.
    A * would not be enough, as it only covers one level of keys. ** would cover even subkeys and is what you need.

    Hope this helps.
     
    Last edited by a moderator: Jun 26, 2006
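As an added example (not code from either poster, from Tony Klein's gsr-file, or from Ghost Security), the following Python script checks which of the rules quoted in this thread would cover each of the four logged events. It assumes the wildcard semantics f3x describes (a single * stays within one key level, ** also reaches into subkeys) and that RegDefend compares key paths case-insensitively after expanding HKLM to HKEY_LOCAL_MACHINE; the log lines and the two Tony Klein rules are copied from the posts above, while the two extra Gpextensions rules are hypothetical variants added here to test the question in the first post.

```python
import re

# Constructed sample: the four RegDefend log lines quoted in the first post.
GSS_LOG = r"""
21:47:05 25 Jun 2006 | RegDefend | Blocked delete value by winlogon.exe | HKLM\Software\Microsoft\Windows nt\Currentversion\Secedit | policychangedinsetup |
21:47:10 25 Jun 2006 | RegDefend | Blocked set value by winlogon.exe | HKLM\Software\Microsoft\Windows nt\Currentversion\Secedit | policychangedinsetup |
21:47:18 25 Jun 2006 | RegDefend | Blocked set value by winlogon.exe | HKLM\Software\Microsoft\Windows nt\Currentversion\Secedit | lastwinlogonconfig |
21:47:20 25 Jun 2006 | RegDefend | Blocked set value by winlogon.exe | HKLM\Software\Microsoft\Windows nt\Currentversion\Winlogon\Gpextensions\{827d319e-6eac-11d2-a4ea-00c04f79f83a} | lastpolicytime |
"""

# Assumption: the log abbreviates hives, the rules spell them out; normalise to the long form.
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER",
         "HKU": "HKEY_USERS", "HKCR": "HKEY_CLASSES_ROOT"}

EVENT_RE = re.compile(r"Blocked (?P<verb>create|modify|set|delete) (?P<target>key|value) by (?P<process>\S+)", re.I)


def normalize_key(key):
    hive, sep, rest = key.partition("\\")
    return HIVES.get(hive.upper(), hive.upper()) + sep + rest


def parse_gss_line(line):
    """Split one 'a | b | c | d | e |' GSS log line into an event dict."""
    fields = [f.strip() for f in line.strip().split("|")]
    if len(fields) < 5:
        raise ValueError("not a GSS log line: %r" % line)
    stamp, module, action, key, value = fields[:5]
    m = EVENT_RE.fullmatch(action)
    if not m:
        raise ValueError("unrecognised action: %r" % action)
    return {"time": stamp, "module": module, "process": m["process"].lower(),
            # 'set value' -> 'SET VALUE', the spelling used in the rule's action column
            "action": ("%s %s" % (m["verb"], m["target"])).upper(),
            "key": normalize_key(key), "value": value}


def glob_to_regex(pattern):
    """RegDefend-style pattern -> regex. Assumed semantics (from f3x's reply):
    '*' matches anything except a backslash (one key level), '**' crosses into subkeys."""
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*"); i += 2
        elif pattern[i] == "*":
            parts.append(r"[^\\]*"); i += 1
        else:
            parts.append(re.escape(pattern[i])); i += 1
    return re.compile("".join(parts), re.IGNORECASE)


def matches(pattern, text):
    return glob_to_regex(pattern).fullmatch(text) is not None


def parse_rule(line):
    """First three columns of a gsr rule line: key pattern | value pattern | actions."""
    key, value, actions = [f.strip() for f in line.split("|")][:3]
    return {"key": normalize_key(key), "value": value,
            "actions": {a.strip().upper() for a in actions.split(",")}}


def covering_rules(event, rules):
    """Indices of the rules whose key, value and action columns all match the event."""
    return [i for i, r in enumerate(rules)
            if event["action"] in r["actions"]
            and matches(r["key"], event["key"])
            and matches(r["value"], event["value"])]


# The two winlogon rules from Tony Klein's gsr-file as quoted in the first post.
TONY_RULES = [parse_rule(l) for l in (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows nt\Currentversion\Winlogon* | * | CREATE KEY, MODIFY KEY, SET VALUE | | Winlogon | 1",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows nt\Currentversion\Winlogon\Gpextensions | lastpolicytime | SET VALUE, DELETE VALUE | | Winlogon | 5",
)]
# Hypothetical variants of the second rule (not from the gsr-file): one '*' vs '**' after Gpextensions.
STAR_RULE = parse_rule(r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows nt\Currentversion\Winlogon\Gpextensions* | lastpolicytime | SET VALUE, DELETE VALUE")
DOUBLE_STAR_RULE = parse_rule(r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows nt\Currentversion\Winlogon\Gpextensions** | lastpolicytime | SET VALUE, DELETE VALUE")

EVENTS = [parse_gss_line(l) for l in GSS_LOG.strip().splitlines()]


def coverage_report(events, rules):
    return [(e["action"], e["key"], e["value"], covering_rules(e, rules)) for e in events]


if __name__ == "__main__":
    for label, rules in (("Tony's rules", TONY_RULES),
                         ("+ Gpextensions*", TONY_RULES + [STAR_RULE]),
                         ("+ Gpextensions**", TONY_RULES + [DOUBLE_STAR_RULE])):
        print(label)
        for action, key, value, hits in coverage_report(EVENTS, rules):
            print("  %-12s %s : %s -> rules %s" % (action, key, value, hits or "none"))
```

Run as-is, the report shows that none of the four blocked events is covered by the two quoted rules (the three Secedit events are under a different key altogether), that adding a single * after Gpextensions still leaves the {GUID} subkey event uncovered, and that only the ** variant matches it, which is what f3x's answer says.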