Re: Autoexec.nt file missing?

From: David Candy (.)
Date: 11/25/04 

Date: Fri, 26 Nov 2004 09:27:52 +1100

I've wasted my time before telling people the process on how to fix. But you idiots refuse to do it. YOU HAVE NOT FIXED IT (as some setup programs will now fail).

Autoexec.nt. There is something deleting it for many people at boot or shutdown. Hopefully auditiong will show what program or virus is doing it. Most people can't use auditing so noone know what it is. Auditing records access to something (what you specify it to) in Windows. It's off by default because it slows down the computer and often noone cares.

1. Turn on auditing (this turns it on but nothing is being audited)
2. Set auditing for just this file (else you'll get millions of messages to sort through if you audit everything).

1. You must enable Auditing for the machine (in Local Security Policy - see Help).

2. You must specify what to audit. You do this the same place you set permissions (click Advanced).

Then you can read it in the Event Viewer

Audit object access
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy

Description
Determines whether to audit the event of a user accessing an object-for example, a file, folder, registry key, printer, and so forth-that has its own system access control list (SACL) specified.

If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a user successfully accesses an object that has a SACL specified. Failure audits generate an audit entry when a user unsuccessfully attempts to access an object that has a SACL specified. To set this value to no auditing, in the Properties dialog box for this policy setting, select the Define these policy settings check box and clear the Success and Failure check boxes.

Note that you can set a SACL on a file system object using the Security tab in that object's Properties dialog box.

Default: No auditing.

Then set auditing for your drives in the Drives Properties - Security - Advanced - Auditing

You have to turn it on then set what is to be audited.

This is what a audit for a printer looks like

Object Open:
Object Server: Spooler
Object Type: Document
Object Name: http://smh.com.au/news/opinion/webdiary/index.html?from=lhsnav
Handle ID: 9487952
Operation ID: {-,-}
Process ID: 1020
Image File Name: C:\WINDOWS\system32\spoolsv.exe
Primary User Name: SERENITY$
Primary Domain: WORKGROUP
Primary Logon ID: (0x0,0x3E7)
Client User Name: David Candy
Client Domain: SERENITY
Client Logon ID: (0x0,0xE179)
Accesses: READ_CONTROL
%%6949
Privileges: -
Restricted Sid Count: 0
For more information, see Help and Support Center at

Big companies have programs that look through these logs. You can use a spread***. 

-- 
----------------------------------------------------------
http://www.uscricket.com
"Terry" <tllawton@prodigy.net> wrote in message news:OHDwDQy0EHA.3900@TK2MSFTNGP10.phx.gbl...
> Well can you believe that? I tried the suggestion of "Bullwinkle" and
> changed the file's properties to "read only" and it doesn't get deleted upon
> boot. I'm flabbergasted that such a simple thing could resolve this deletion
> problem! Even if the root cause of the original problem of the file being
> deleted in the first place, is still unknown, at least I can live with it
> until I can discover what caused it.
> I've put this problem to all kind of places on the Web (I use both Terry and
> Bud Norris) and even to my computer OEM (Gateway) and nobody ever thought of
> changing the file's properties.
> Many, many thanks to Bullwinkle!
> 
> "Bud Norris" <bdev605@prodigy.net> wrote in message
> news:uNYq88Y0EHA.1924@TK2MSFTNGP10.phx.gbl...
>> Lots of luck Sebastion! If somehow you can replace the AUTOEXEC.NT file in
>> your C:\WINNT\System32| folder AND keep it there, please let me know how
> you
>> managed it. Everytime I put the file into the system32 folder it is
> deleted
>> the next time I reboot. No body seems to know why this happens It's
>> obviously something to do with the Windows XP file protection feature but
> no
>> one can tell me what to do to stop the deletion.
>> Also when people tell you that the folder you are to put the AUTOEXEC.NT
>> file in is your C:\Windows\System32\ folder they are incorrect. It's the
>> C:\WINNT\System32| folder. People for some reason keep saying it's the
>> C:\Windows|System32 folder. (Ido realize thats what the Microsoft articles
>> say but ther're wrong)
>> If any of these experts that answered your question can tell me how to
> stop
>> the deletion problem please do it!
>>
>> NevBud
>>
>> Sebastian <Sebastian@discussions.microsoft.com> wrote in message
>> news:AC0C0803-9FC3-40F8-96BF-1CE6116CF993@microsoft.com...
>> > "JerryM (ID)" wrote:
>> > > The file is located in the Windows\system32 folder
>> >
>> > I didn't really phrase my question properly.  I had already discovered
>> that
>> > the file is missing from that directory and I was trying to locate
> another
>> > copy to put there.  As I understand it (you can see I'm a new user) this
>> used
>> > to be windows\driver cache\i386 and [since SP2]
> windows\sustem32zdllcache.
>> >
>> > "Patti MacLeod" suggested two refences.  The second wasn't available,
> the
>> > first was helpful.
>> >
>> > Thanks for all clues - I'll have more if they're availabe because, being
>> > naive, I keep thinking I might learn to understand all this stuff one
> day.
>> >
>> >
>>
>>
> 
>