Resolution of "Events from one domain logged on a different domain's DC"

From: Boris Yakubov (borisy_at_PWSOFTWARE.COM)
Date: 01/18/05

  • Next message: Berend-Jan Wever: "Re: Kazaa Sig2Dat Protocol Remote Integer Overflow and Denial Of Service by creating files in arbitrary locations"
    Date:         Tue, 18 Jan 2005 13:42:34 -0800

    Ok, since there have been a considerable number of replies to my original post (see with requests to be notified of the resolution or cause, I figured I'd try to post the findings and resolution for the issue. (Russ, sorry if that's against the rules)...

    A quick background on what I've done to try and trap the events and get a notification as soon as they happen:

    I've set up a notification system using WMI and event subscription, so that as soon as event ID 529 or 681 is generated I get an e-mail notification. With that in place, all that was left to do was to sit back and wait for the bells to go off.

    Here is the cause for the issue:

    JDoe-PC is a Windows XP SP2 PC in DomainB (I have confirmed that the issue can be duplicated from any Windows XP SP2 PC).
    The user JDoe would attempt to insert a JPG file into an MS Word document when the error events would be generated on DomainA's DC (don't ask how many times I had to hear "I wasn't doing anything"). The JPG file is located in a folder that holds a number of other folders and files (the path to the file is z:\USERS\USERFILES\MYLOGO.JPG). JDoe has the view in Windows Explorer set to "thumbnails", and this is the biggy, because it does not happen if the view is set to anything else. The USERFILES folder also contains a folder, let's call it "MAPPING", which contains shortcuts to the resources on the servers in DomainA; the shortcuts are only used by a special group, members of which must provide a user name and password to connect to those resources (needless to say, JDoe is not a member of that group and has no knowledge of the shortcuts).
    So what seems to happen is the following: on JDoe-PC, with the view set to "thumbnails", I use Windows Explorer to navigate to z:\USERS\USERFILES\, and as soon as I land in that directory I get the error event 681 or 529 notification in my email.

    Now, the fact that the MAPPING folder is directly at the root of z:\USERS\USERFILES\ is also a consideration, because if I bury the MAPPING folder inside another folder, e.g. z:\USERS\USERFILES\testfolder\MAPPING, then just being in z:\USERS\USERFILES\ does not produce the same effect.

    My guess is that Windows Explorer in XP SP2 attempts to enumerate/scan the folders in an attempt to classify them as either "documents" or "photo album" or something else (there are a few of them; you can see them all if you right-click on a folder and select Properties->Customize->"What kind of folder do you want?" dropdown), then upon encountering a shortcut it tries to follow it, thus ending up actually trying to connect to the resources that the shortcuts are pointing to.
    So in my case the error messages were actually a good thing; however, one could argue that there is a possible security flaw in the way MS Windows Explorer tries to classify folders when in thumbnails view. For now I'm too pooped to think about that, but it may not be a bad topic for a discussion.

    And the resolution, I guess, is either to change the view from thumbnails to something else or to bury the MAPPING folder one or two directories deep.

    As a side note, I do realize that my explanation may be confusing, so please feel free to email me with questions for clarification or follow-up.

    Once again, thank you to everyone who responded.

    Best regards,

    Boris Yakubov
    P+W Software, Inc.
    (818) 707-7690
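    The two pieces of the investigation above, as an added example that is not code from the original post: a WMI event subscription that e-mails when Security event 529 or 681 is written (what the post describes setting up), and a check that walks a share for .lnk shortcuts whose UNC target is a server in the other domain, reporting how deep each one sits below the share root (the "directly at the root" condition the post found). The SMTP server, e-mail addresses and the DomainA server names are assumptions; the Z:\USERS\USERFILES path is the one from the post. The subscription only fires if failure auditing for "Audit logon events" is enabled on the DC, and it lives only as long as the PowerShell session that registered it.

```powershell
# Added example, not code from the original post. Placeholder values are
# marked as assumptions.

# Part 1: e-mail on Security events 529 (bad user name/password) or 681
# (NTLM logon failure). Run on the DC whose log shows the events.
function Register-LogonFailureAlert {
    param(
        [string]$SmtpServer = 'smtp.example.com',    # assumption
        [string]$To         = 'secops@example.com',  # assumption
        [string]$From       = 'dc-alerts@example.com' # assumption
    )
    # WQL intrinsic event: poll the Security log every 5 s for new records
    # with event ID 529 or 681.
    $query = @"
SELECT * FROM __InstanceCreationEvent WITHIN 5
WHERE TargetInstance ISA 'Win32_NTLogEvent'
  AND TargetInstance.Logfile = 'Security'
  AND (TargetInstance.EventCode = 529 OR TargetInstance.EventCode = 681)
"@
    # The -Action block runs in its own scope, so pass the mail settings via -MessageData.
    $mail = @{ SmtpServer = $SmtpServer; To = $To; From = $From }
    Register-WmiEvent -Query $query -SourceIdentifier 'LogonFailure' -MessageData $mail -Action {
        $e = $Event.SourceEventArgs.NewEvent.TargetInstance
        $m = $Event.MessageData
        # Message carries account, domain and workstation name, so the mail shows
        # which client (e.g. a DomainB PC) produced the event on this DC.
        $subject = "Event $($e.EventCode) on $($e.ComputerName)"
        $body    = "Time: $($e.TimeGenerated)`r`nSource: $($e.SourceName)`r`n`r`n$($e.Message)"
        Send-MailMessage -SmtpServer $m.SmtpServer -From $m.From -To $m.To -Subject $subject -Body $body
    } | Out-Null
}

# Part 2: find shortcuts under a share that point at servers in another domain,
# and report how many folders deep each one is below the share root.
function Find-CrossDomainShortcuts {
    param(
        [string]$Root = 'Z:\USERS\USERFILES',              # path from the post
        [string[]]$ForeignHosts = @('DOMAINA-FS1', 'DOMAINA-FS2') # assumption: DomainA servers
    )
    $shell = New-Object -ComObject WScript.Shell
    $rootPath = $Root.TrimEnd('\')
    Get-ChildItem -Path $rootPath -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $target = $shell.CreateShortcut($_.FullName).TargetPath
            # Only UNC targets (\\host\share\...) matter here; pull out the host.
            if ($target -match '^\\\\([^\\]+)\\') {
                $targetHost = $Matches[1]
                if ($ForeignHosts -contains $targetHost) {   # -contains is case-insensitive
                    $rel = $_.DirectoryName.Substring($rootPath.Length).Trim('\')
                    [pscustomobject]@{
                        Shortcut = $_.FullName
                        Target   = $target
                        Depth    = if ($rel) { ($rel -split '\\').Count } else { 0 }
                    }
                }
            }
        }
}

# Usage:
#   Register-LogonFailureAlert            # keep the session open; Unregister-Event -SourceIdentifier LogonFailure to stop
#   Find-CrossDomainShortcuts | Format-Table -AutoSize
```

A shortcut in Z:\USERS\USERFILES\MAPPING\ comes back with Depth 1, which is the layout the post says triggers the lookups; anything at Depth 2 or more corresponds to the "buried" arrangement that did not.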

    NTBugtraq Editor's Note:
    Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whomever is responsible for your AV, or at least that the idea is considered.
