Re: Autoexec.nt file missing?

From: Bud Norris (bdev605_at_prodigy.net)
Date: 11/26/04 

Date: Fri, 26 Nov 2004 15:18:29 -0800

STUPID? isn't that a little harsh David? However be that as it may, please
read the following disclaimer:

Because Windows XP Home Edition does not include the Local Security Settings
Console, you can't enable Auditing on a computer running Home Edition.

I have Home Edition and I would bet most others do also.

Just how do you know we haven't fixed the problem? If you know what's
causing it please let us know.

If no anti-virus program or ad-aware program or Trojan hunting program can
find the culprit what do you expect us to do? I'm sure we would really
appreciate your suggestions, except auditing of course.

Respectfully, 

--
NevBud
Winners: They have the guts to face the envy and hatred of the losers and
the wrath of the gods.
David Candy <.> wrote in message
news:#O7qJ4z0EHA.3120@TK2MSFTNGP12.phx.gbl...
I've wasted my time before telling people the process on how to fix. But you
idiots refuse to do it. YOU HAVE NOT FIXED IT (as some setup programs will
now fail).
Autoexec.nt. There is something deleting it for many people at boot or
shutdown. Hopefully auditiong will show what program or virus is doing it.
Most people can't use auditing so noone know what it is. Auditing records
access to something (what you specify it to) in Windows. It's off by default
because it slows down the computer and often noone cares.
1. Turn on auditing (this turns it on but nothing is being audited)
2. Set auditing for just this file (else you'll get millions of messages to
sort through if you audit everything).
1. You must enable Auditing for the machine (in Local Security Policy - see
Help).
2. You must specify what to audit. You do this the same place you set
permissions (click Advanced).
Then you can read it in the Event Viewer
Audit object access
Computer Configuration\Windows Settings\Security Settings\Local
Policies\Audit Policy
Description
Determines whether to audit the event of a user accessing an object-for
example, a file, folder, registry key, printer, and so forth-that has its
own system access control list (SACL) specified.
If you define this policy setting, you can specify whether to audit
successes, audit failures, or not audit the event type at all. Success
audits generate an audit entry when a user successfully accesses an object
that has a SACL specified. Failure audits generate an audit entry when a
user unsuccessfully attempts to access an object that has a SACL specified.
To set this value to no auditing, in the Properties dialog box for this
policy setting, select the Define these policy settings check box and clear
the Success and Failure check boxes.
Note that you can set a SACL on a file system object using the Security tab
in that object's Properties dialog box.
Default: No auditing.
Then set auditing for your drives in the Drives Properties - Security -
Advanced - Auditing
You have to turn it on then set what is to be audited.
This is what a audit for a printer looks like
Object Open:
Object Server: Spooler
Object Type: Document
Object Name: http://smh.com.au/news/opinion/webdiary/index.html?from=lhsnav
Handle ID: 9487952
Operation ID: {-,-}
Process ID: 1020
Image File Name: C:\WINDOWS\system32\spoolsv.exe
Primary User Name: SERENITY$
Primary Domain: WORKGROUP
Primary Logon ID: (0x0,0x3E7)
Client User Name: David Candy
Client Domain: SERENITY
Client Logon ID: (0x0,0xE179)
Accesses: READ_CONTROL
%%6949
Privileges: -
Restricted Sid Count: 0
For more information, see Help and Support Center at
Big companies have programs that look through these logs. You can use a
spread***.
--
----------------------------------------------------------
http://www.uscricket.com
"Terry" <tllawton@prodigy.net> wrote in message
news:OHDwDQy0EHA.3900@TK2MSFTNGP10.phx.gbl...
> Well can you believe that? I tried the suggestion of "Bullwinkle" and
> changed the file's properties to "read only" and it doesn't get deleted
upon
> boot. I'm flabbergasted that such a simple thing could resolve this
deletion
> problem! Even if the root cause of the original problem of the file being
> deleted in the first place, is still unknown, at least I can live with it
> until I can discover what caused it.
> I've put this problem to all kind of places on the Web (I use both Terry
and
> Bud Norris) and even to my computer OEM (Gateway) and nobody ever thought
of
> changing the file's properties.
> Many, many thanks to Bullwinkle!
>
> "Bud Norris" <bdev605@prodigy.net> wrote in message
> news:uNYq88Y0EHA.1924@TK2MSFTNGP10.phx.gbl...
>> Lots of luck Sebastion! If somehow you can replace the AUTOEXEC.NT file
in
>> your C:\WINNT\System32| folder AND keep it there, please let me know how
> you
>> managed it. Everytime I put the file into the system32 folder it is
> deleted
>> the next time I reboot. No body seems to know why this happens It's
>> obviously something to do with the Windows XP file protection feature but
> no
>> one can tell me what to do to stop the deletion.
>> Also when people tell you that the folder you are to put the AUTOEXEC.NT
>> file in is your C:\Windows\System32\ folder they are incorrect. It's the
>> C:\WINNT\System32| folder. People for some reason keep saying it's the
>> C:\Windows|System32 folder. (Ido realize thats what the Microsoft
articles
>> say but ther're wrong)
>> If any of these experts that answered your question can tell me how to
> stop
>> the deletion problem please do it!
>>
>> NevBud
>>
>> Sebastian <Sebastian@discussions.microsoft.com> wrote in message
>> news:AC0C0803-9FC3-40F8-96BF-1CE6116CF993@microsoft.com...
>> > "JerryM (ID)" wrote:
>> > > The file is located in the Windows\system32 folder
>> >
>> > I didn't really phrase my question properly.  I had already discovered
>> that
>> > the file is missing from that directory and I was trying to locate
> another
>> > copy to put there.  As I understand it (you can see I'm a new user)
this
>> used
>> > to be windows\driver cache\i386 and [since SP2]
> windows\sustem32zdllcache.
>> >
>> > "Patti MacLeod" suggested two refences.  The second wasn't available,
> the
>> > first was helpful.
>> >
>> > Thanks for all clues - I'll have more if they're availabe because,
being
>> > naive, I keep thinking I might learn to understand all this stuff one
> day.
>> >
>> >
>>
>>
>
>