Re: Folder reappeares on desktop
From: sandi (anonymous_at_discussions.microsoft.com)
Date: 11/04/03
- Next message: Steven L Umbach: "Re: How To maximize folder store?"
- Previous message: Geoff: "password issue"
- In reply to: sandi: "Re: Folder reappeares on desktop"
- Next in thread: Steven L Umbach: "Re: Folder reappeares on desktop"
- Reply: Steven L Umbach: "Re: Folder reappeares on desktop"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 3 Nov 2003 19:18:17 -0800
Hello,
Still the problem is not resolved after auditing the
folder we are not able find why and how the folder is get
created on desktop.
what could be next move ?
>-----Original Message-----
>Thanks steve,
>
>Your quick ,valuable and correct guidance is appricieated.
>
>I have enabled auditing for that folder.as well as for
>desktop folder also.
>i have checked there is no virus/troja. did MBSA test.
>checked processes in task manager evrything is normal.
>
>I will get back to you after log check.
>
>
>>-----Original Message-----
>>Enabling auditing of object access generates a lot of
>system events such as those
>>below. I would be looking for an Event ID 560 for the
>parent folder where the
>>questionable folder is being created, but you first need
>to enable auditing of that
>>specific folder for write of folder and files. That
>folder [parent] would then appear
>>in the field for Object Name when write access to it has
>occurred. Username BN$ is a
>>computer name. You may or may not be able to find a
>correlating process in the
>>security log when that happens but it is worth a try. If
>you have another like
>>configured domain controller you might try to examine
the
>processes running on it via
>>Task Manager, etc. to see if there is an additional
>process running on the one where
>>the mystery folder is appearing that may help pin it
>down. I am assuming a
>>virus/trojan scan did not find anything. --- Steve
>>
>>"sandi" <anonymous@discussions.microsoft.com> wrote in
>message
>>news:062601c3a0dd$72dc90a0$a101280a@phx.gbl...
>>> Hello Steve..
>>>
>>> i went through logs as per your suggestion. i found
>>> following two logs of time of floder creation.
>>>
>>> Can you tell me what is that username BN$ id dont have
>>> such user.
>>>
>>> administrators,administrator and system user were for
>that
>>> folder.
>>>
>>>
>>> Event Type: Success Audit
>>> Event Source: Security
>>> Event Category: Object Access
>>> Event ID: 562
>>> Date: 11/1/2003
>>> Time: 4:36:03 PM
>>> User: NT AUTHORITY\SYSTEM
>>> Computer: BN
>>> Description:
>>> Handle Closed:
>>> Object Server: Security Account Manager
>>> Handle ID: 17544048
>>> Process ID: 264
>>> ----------------------------------------------
>>> Event Type: Success Audit
>>> Event Source: Security
>>> Event Category: Object Access
>>> Event ID: 560
>>> Date: 11/1/2003
>>> Time: 4:36:03 PM
>>> User: NT AUTHORITY\SYSTEM
>>> Computer: BN6
>>> Description:
>>> Object Open:
>>> Object Server: Security Account Manager
>>> Object Type: SAM_SERVER
>>> Object Name: SAM
>>> New Handle ID: 17544048
>>> Operation ID: {0,99972121}
>>> Process ID: 264
>>> Primary User Name: BN$
>>> Primary Domain: BAL.localhost
>>> Primary Logon ID: (0x0,0x3E7)
>>> Client User Name: BN$
>>> Client Domain: BAL.localhost
>>> Client Logon ID: (0x0,0x3E7)
>>> Accesses EnumerateDomains
>>> LookupDomain
>>>
>>> Privileges -
>>>
>>> I am not getting any idea to tack this.
>>> your valuable thoughts would be appricieated .
>>>
>>> Thanks
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> >-----Original Message-----
>>> >Sorry I misunderstood. I would check the properties of
>>> the shortcut to see the
>>> >path it maps to for a clue as to what it belongs to or
>>> application it may be
>>> >associated with. Though it will generate a lot of
>events
>>> in the security log,
>>> >it might help to enable auditing of object access and
>>> process tracking. Then you
>>> >could audit write access to the desktop folder it is
>>> being created in and
>>> >possibly correlate the write event to a process which
>>> would have the same time.
>>> >The folder properties would have a created time/date
>that
>>> would help you narrow
>>> >down the search in the security log. --- Steve
>>> >
>>> >
>>> ><anonymous@discussions.microsoft.com> wrote in message
>>> >news:02a201c3a0c9$45bcfd30$a601280a@phx.gbl...
>>> >> Hello Steve,
>>> >>
>>> >> Thanks,
>>> >>
>>> >> but what i see on my desktop is not tild ( ~)sign.
>>> >> its a folder named s character. and repeatedly i
see
>it
>>> on
>>> >> desktop even i deleted that folder.
>>> >>
>>> >> is this is too due to update 330994 ?
>>> >>
>>> >> >-----Original Message-----
>>> >> >It is a bug caused by an MS update 330994. See
links
>>> >> below. --- Steve
>>> >> >
>>> >> >http://www.nhyrvana.com/~e2c/glitch_ab.html
>>> >>
>>>
>>http://computing.net/windowsxp/wwwboard/forum/66903.html
>>> >> >
>>> >> >
>>> >> >"sandi" <anonymous@discussions.microsoft.com>
wrote
>in
>>> >> message
>>> >> >news:02d801c3a0b4$7da66480$a301280a@phx.gbl...
>>> >> >> Hello,
>>> >> >>
>>> >> >> I am using windows 2000 server.
>>> >> >>
>>> >> >> last from 15-20 days i am seeing folder named as
>s on
>>> >> >> desktop. i have deleted that folder 7 times and
>still
>>> >> that
>>> >> >> folder is reappearing.i m sure none of the our
our
>>> >> server
>>> >> >> administrators have created that folder. i dont
>know
>>> >> what
>>> >> >> is happening and how to track that.only folder
is
>get
>>> >> >> created on the desktop with no contents inside.
>>> >> >>
>>> >> >> can you please help me to check this problem.
>>> >> >>
>>> >> >> Thanks
>>> >> >>
>>> >> >> Sandi
>>> >> >
>>> >> >
>>> >> >.
>>> >> >
>>> >
>>> >
>>> >.
>>> >
>>
>>
>>.
>>
>.
>
- Next message: Steven L Umbach: "Re: How To maximize folder store?"
- Previous message: Geoff: "password issue"
- In reply to: sandi: "Re: Folder reappeares on desktop"
- Next in thread: Steven L Umbach: "Re: Folder reappeares on desktop"
- Reply: Steven L Umbach: "Re: Folder reappeares on desktop"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
