Re: Is this normal or a security breach?

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 05/29/04


Date: Sat, 29 May 2004 07:31:41 -0700

The message about Office registering a provider with WMI is
normal after an Office install.

The long sequence of failed logons, ending with a success, is
not too normal. If the success was for an empowered account
and you did not log in at the time, and you were not running
MBSA at the time, then you may want to investigate.
However, as you say you had ICS on, it is likely from something
you initiated (unless you have poked some holes in ICS).
You may want to run
    net localgroup administrators
and then log in with each listed admin account and change
its password, checking to see if there are any noticeable
differences in each account while logged in.

-- 
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4)  MCDBA
"Nick" <ncincott@yahoo.com> wrote in message
news:1A95C7FF-864B-4E4E-BE17-CB6CFF82358D@microsoft.com...
> I noticed my HD started working up pretty heavily out of the blue so I
> checked the event logs and I saw these entries.
>
> First, in the applications log there was a Winmgt warning that "a
> provider, OffProv, has been registered in the WMI namespace, Root\MSAPPS, to
> use the LocalSystem account.  This account is privileged and the provider
> may cause a security violation if it does not correctly impersonate user
> requests."
>
> Also around this time I noticed many failure audits and finally a success
> in the security logs for logging on.
>
> I'm running XP home on a cable network.... this computer is using ICS's
> firewall services... This computer is also a DELL and I noticed it has some
> support services that I haven't totally been able to clear out.  Should I be
> worried?
>
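
The pattern discussed in the reply above (a run of failed logons ending in a success, which matters most when the account is an administrator) can be checked mechanically. The following is an added example, not part of either post: it assumes the XP-era Security log event IDs 529 (failed logon) and 528/540 (successful logon), and the event records and administrator list are constructed samples.

```python
from datetime import datetime, timedelta

# Assumed XP-era Security log event IDs: 529 = failed logon, 528/540 = successful logon.
FAILURE_IDS = {529}
SUCCESS_IDS = {528, 540}

# Constructed sample records (timestamp, event ID, account); not from the original post.
SAMPLE_EVENTS = [
    ("2004-05-29 07:05:10", 529, "Nick"),           # one mistyped password...
    ("2004-05-29 07:05:18", 528, "Nick"),           # ...then a normal logon
    ("2004-05-29 07:20:00", 529, "Administrator"),
    ("2004-05-29 07:20:08", 529, "Administrator"),
    ("2004-05-29 07:20:16", 529, "Administrator"),
    ("2004-05-29 07:20:24", 529, "Administrator"),
    ("2004-05-29 07:20:32", 529, "Administrator"),
    ("2004-05-29 07:20:40", 529, "Administrator"),
    ("2004-05-29 07:21:02", 540, "Administrator"),  # success right after the burst
    ("2004-05-29 07:22:00", 529, "Guest"),          # failures with no success
    ("2004-05-29 07:22:05", 529, "Guest"),
]
# Constructed stand-in for the names listed by `net localgroup administrators`.
SAMPLE_ADMINS = {"Administrator", "Nick"}


def find_suspicious_logons(events, admins, min_failures=5, window=timedelta(minutes=10)):
    """Return (account, success_time, failure_count, is_admin) for every success
    preceded by at least min_failures failures for the same account within window."""
    admins_lc = {name.lower() for name in admins}
    pending = {}   # account (lower-cased) -> timestamps of failures since last success
    findings = []
    for stamp, event_id, account in sorted(events, key=lambda e: e[0]):
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        key = account.lower()
        if event_id in FAILURE_IDS:
            pending.setdefault(key, []).append(when)
        elif event_id in SUCCESS_IDS:
            # A success resets the account's failure run; count only recent failures.
            recent = [t for t in pending.pop(key, []) if when - t <= window]
            if len(recent) >= min_failures:
                findings.append((account, stamp, len(recent), key in admins_lc))
    return findings


if __name__ == "__main__":
    for account, when, count, is_admin in find_suspicious_logons(SAMPLE_EVENTS, SAMPLE_ADMINS):
        tag = "ADMIN" if is_admin else "user"
        print(f"{when}  {account} ({tag}): success after {count} failed logons")
```

A single mistyped password followed by a logon stays below the default threshold, and failures with no eventual success are not reported by this check.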

