Re: HKLM\Software key grayed out


Thanks for the response!

I hadn't originally thought about spyware or viruses, since this is a server
that we "shouldn't" be surfing from. That said, I discovered after an audit
that some developers have administrator access.

Unfortunately, the RKRevealer, McAfee Stinger and spyware checks came back
with nothing. A Regmon was slightly more interesting.

I can see applications (mostly Microsoft) continuing to use, access, create,
write and query registry keys under HKLM\Software. Some are successful,
some are not. I still can't get to it from Regedit or any other tool that I
can see. I'm about to the point of calling Microsoft, because I can't even
get to the point of finding any processes that would have the registry
locked.

I also took a look at the active processes using ProcExp (another Mark
Russinovich wondertool), and nothing tracks to being odd. I don't see
anything there that shouldn't be. I'm going to go ahead and reboot the
server after gaining permission and rerun these tools and checks after the
registry is fully readable.

I'll post whatever resolution Microsoft gives me or I find here for public
consumption once I have one.

Thanks,


"Mark V" <notvalid@xxxxxxxxxxx> wrote in message
news:Xns973AAEC96CEE3z9zzaQ2btw@xxxxxxxxxxxxxxxxxxxxxxx
> In microsoft.public.win2000.registry Matt Nowell wrote:
>
>> Good morning,
>>
>> The details:
>>
>> Windows 2000 SP4
>> IIS 5
>> .Net Framework 1.1
>> SQL 2000 SP3
>>
>>
>> The problem: HKLM\Software key becomes intermittently
>> inaccessible. This occurs on both a development box and a
>> production box (both similarly loaded to the specs above). I'd
>> post some event log messages, but there aren't any that seem
>> relevant to the problem. A reboot resolves the problem, but
>> we've had it reoccur.
>>
>> Originally we'd thought that the symptoms were limited to the
>> scheduled TSM backups failing (couldn't read the password from
>> the registry). Unfortunately, we now have the problem that
>> there's a process run that schedules a job using Task Scheduler.
>> That fails, due to the registry problems.
>
> I should try running REGMON (Sysinternals) to see if the relevant
> registry writes (assumed) can be logged.
>
>> I've attempted to take ownership of the key, but the dialog
>> fails with "Unable to display security permissions." Searches
>
> Yet this is gone on a reboot? Initially it sounds somewhat like
> corrupt security data in the SOFTWARE hive (which usually means
> replace from last available backup hive file). But clearing on
> reboot makes it seem more like some active process is modifying or
> locking the key. See if Regmon can show you what process is
> (presumably) "messing" things up.
>
> I assume that Anti-* tools have been run on the system and came up
> clean. I assume the process list is "normal" and that none of the
> event log entries are unexpected or unexplained. Have you thought
> to run RootkitRevealer (Sysinternals) just to eliminate one set of
> possibilities? (the system should be quiescent for this RKR run)
>
> Just some initial ideas to look at. Anything more you can think of
> there to post, may be useful to others here.

