Re: Folder reappeares on desktop
From: Steven L Umbach (n9rouz_at_nscomcast.net)
Date: 11/02/03
- Previous message: sandi: "Re: Folder reappeares on desktop"
- In reply to: sandi: "Re: Folder reappeares on desktop"
- Next in thread: sandi: "Re: Folder reappeares on desktop"
- Reply: sandi: "Re: Folder reappeares on desktop"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 02 Nov 2003 02:06:53 GMT
Enabling auditing of object access generates a lot of system events such as those
below. I would be looking for an Event ID 560 for the parent folder where the
questionable folder is being created, but you first need to enable auditing of that
specific folder for write of folder and files. That folder [parent] would then appear
in the field for Object Name when write access to it has occurred. Username BN$ is a
computer name. You may or may not be able to find a correlating process in the
security log when that happens but it is worth a try. If you have another like
configured domain controller you might try to examine the processes running on it via
Task Manager, etc. to see if there is an additional process running on the one where
the mystery folder is appearing that may help pin it down. I am assuming a
virus/trojan scan did not find anything. --- Steve
"sandi" <anonymous@discussions.microsoft.com> wrote in message
news:062601c3a0dd$72dc90a0$a101280a@phx.gbl...
> Hello Steve..
>
> i went through logs as per your suggestion. i found
> following two logs of time of floder creation.
>
> Can you tell me what is that username BN$ id dont have
> such user.
>
> administrators,administrator and system user were for that
> folder.
>
>
> Event Type: Success Audit
> Event Source: Security
> Event Category: Object Access
> Event ID: 562
> Date: 11/1/2003
> Time: 4:36:03 PM
> User: NT AUTHORITY\SYSTEM
> Computer: BN
> Description:
> Handle Closed:
> Object Server: Security Account Manager
> Handle ID: 17544048
> Process ID: 264
> ----------------------------------------------
> Event Type: Success Audit
> Event Source: Security
> Event Category: Object Access
> Event ID: 560
> Date: 11/1/2003
> Time: 4:36:03 PM
> User: NT AUTHORITY\SYSTEM
> Computer: BN6
> Description:
> Object Open:
> Object Server: Security Account Manager
> Object Type: SAM_SERVER
> Object Name: SAM
> New Handle ID: 17544048
> Operation ID: {0,99972121}
> Process ID: 264
> Primary User Name: BN$
> Primary Domain: BAL.localhost
> Primary Logon ID: (0x0,0x3E7)
> Client User Name: BN$
> Client Domain: BAL.localhost
> Client Logon ID: (0x0,0x3E7)
> Accesses EnumerateDomains
> LookupDomain
>
> Privileges -
>
> I am not getting any idea to tack this.
> your valuable thoughts would be appricieated .
>
> Thanks
>
>
>
>
>
>
>
>
>
>
>
>
> >-----Original Message-----
> >Sorry I misunderstood. I would check the properties of
> the shortcut to see the
> >path it maps to for a clue as to what it belongs to or
> application it may be
> >associated with. Though it will generate a lot of events
> in the security log,
> >it might help to enable auditing of object access and
> process tracking. Then you
> >could audit write access to the desktop folder it is
> being created in and
> >possibly correlate the write event to a process which
> would have the same time.
> >The folder properties would have a created time/date that
> would help you narrow
> >down the search in the security log. --- Steve
> >
> >
> ><anonymous@discussions.microsoft.com> wrote in message
> >news:02a201c3a0c9$45bcfd30$a601280a@phx.gbl...
> >> Hello Steve,
> >>
> >> Thanks,
> >>
> >> but what i see on my desktop is not tild ( ~)sign.
> >> its a folder named s character. and repeatedly i see it
> on
> >> desktop even i deleted that folder.
> >>
> >> is this is too due to update 330994 ?
> >>
> >> >-----Original Message-----
> >> >It is a bug caused by an MS update 330994. See links
> >> below. --- Steve
> >> >
> >> >http://www.nhyrvana.com/~e2c/glitch_ab.html
> >>
> >http://computing.net/windowsxp/wwwboard/forum/66903.html
> >> >
> >> >
> >> >"sandi" <anonymous@discussions.microsoft.com> wrote in
> >> message
> >> >news:02d801c3a0b4$7da66480$a301280a@phx.gbl...
> >> >> Hello,
> >> >>
> >> >> I am using windows 2000 server.
> >> >>
> >> >> last from 15-20 days i am seeing folder named as s on
> >> >> desktop. i have deleted that folder 7 times and still
> >> that
> >> >> folder is reappearing.i m sure none of the our our
> >> server
> >> >> administrators have created that folder. i dont know
> >> what
> >> >> is happening and how to track that.only folder is get
> >> >> created on the desktop with no contents inside.
> >> >>
> >> >> can you please help me to check this problem.
> >> >>
> >> >> Thanks
> >> >>
> >> >> Sandi
> >> >
> >> >
> >> >.
> >> >
> >
> >
> >.
> >
- Previous message: sandi: "Re: Folder reappeares on desktop"
- In reply to: sandi: "Re: Folder reappeares on desktop"
- Next in thread: sandi: "Re: Folder reappeares on desktop"
- Reply: sandi: "Re: Folder reappeares on desktop"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
