Re: missing key/value in registry of w2k server - how to track it?

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 06/13/05

    Date: Mon, 13 Jun 2005 00:17:22 -0700
    
    

    If the disappearing key/value is recurring, happening over
    and over each time you reestablish the key/value, then you
    could consider increasing the size of the security log, making
    sure that the auditing ACL of the relevant key is set to record
    any change events for Everyone, and that the audit policy is
    set to record success and failure for object access.

    Other than that there really is no record of what has happened,
    at least not in a standard fashion (ex. some software may have
    written a custom log file).

    -- 
    Roger Abell
    Microsoft MVP (Windows  Security)
    "kono" <kono@discussions.microsoft.com> wrote in message
    news:F720537B-641E-4A55-84B6-30AB99AF2BC9@microsoft.com...
    > Hi Roger,
    > The event log didn't cater when the problem occurred since I found that
    > the oldest system/security event log was cleaned up and remain only 3 days
    > ago. The problem was encountered 6 days ago.....please advise...
    >
    > "Roger Abell [MVP]" wrote:
    >
    > > The main way to uncover such things is the event log if there was
    > > auditing configured before the event occurred.  After it is done and
    > > the change has happened there is little trace that remains, but one
    > > can always examine the system for unknown/suspect software.
    > >
    > > -- 
    > > Roger Abell
    > > Microsoft MVP (Windows Server: Security)
    > >
    > > "kono" <kono@discussions.microsoft.com> wrote in message
    > > news:B8A63223-0A8A-41EB-90F5-468450A5BA44@microsoft.com...
    > > > Hi there,
    > > > Recently I have a problem that the key included the value in registry had
    > > > been deleted / missing but I can not find why or by who? My question is
    > > > perhaps there is a way to zoom in why it could be happened and how to track
    > > > the causing of missing key/value in registry. Is there any tools to help it
    > > > out? Thanks for your help.....
    > >
    > >
    > >
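
The three steps in the reply above (a larger security log, object access auditing for success and failure, and an audit entry for Everyone on the key), as an added example that is not part of the original thread. It assumes a current Windows version with PowerShell, auditpol and wevtutil rather than the Windows 2000 server under discussion, an English-language system, and an elevated session; the key path and log size are hypothetical placeholders.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell session.
$KeyPath   = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'   # hypothetical key to watch
$LogSizeMB = 256                                          # constructed value

# 1. Enlarge the Security log so entries are not overwritten after a few days.
wevtutil sl Security "/ms:$($LogSizeMB * 1MB)"

# 2. Audit policy: record success and failure for registry object access.
auditpol /set /subcategory:"Registry" /success:enable /failure:enable

# 3. Auditing ACL (SACL) on the key: record change events for Everyone (S-1-1-0).
#    SetValue covers value writes and deletions; Delete covers removal of the key.
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$rights   = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions'
$rule = New-Object System.Security.AccessControl.RegistryAuditRule(
    $everyone, $rights,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl = Get-Acl -Path $KeyPath -Audit      # -Audit loads the SACL as well as the DACL
$acl.AddAuditRule($rule)
Set-Acl -Path $KeyPath -AclObject $acl

# 4. After the key/value disappears again, pull the matching audit events.
#    4657 = registry value modified, 4663 = access attempt on an object.
$needle = $KeyPath -replace '^HKLM:', '\REGISTRY\MACHINE'
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657, 4663 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$needle*" } |
    Format-List TimeCreated, Id, Message
```

The account and process that made the change appear in the message text of each returned event.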
    
