Re: Autoexec.nt file missing?

From: David Candy (.)
Date: 11/26/04 

Date: Sat, 27 Nov 2004 10:43:21 +1100

I'm refering to all users generically.
 I also don't acknowledge the legitamacy of Home. If something is happening then tough luck is Home's attitude.. 

-- 
----------------------------------------------------------
http://www.uscricket.com
"Bud Norris" <bdev605@prodigy.net> wrote in message news:uS4np4A1EHA.2196@TK2MSFTNGP14.phx.gbl...
> STUPID? isn't that a little harsh David? However be that as it may, please
> read the following disclaimer:
> 
> Because Windows XP Home Edition does not include the Local Security Settings
> Console, you can't enable Auditing on a computer running Home Edition.
> 
> I have Home Edition and I would bet most others do also.
> 
> Just how do you know we haven't fixed the problem? If you know what's
> causing it please let us know.
> 
> If no anti-virus program or ad-aware program or Trojan hunting program can
> find the culprit what do you expect us to do? I'm sure we would really
> appreciate your suggestions, except auditing of course.
> 
> Respectfully,
> --
> NevBud
> Winners: They have the guts to face the envy and hatred of the losers and
> the wrath of the gods.
> 
> David Candy <.> wrote in message
> news:#O7qJ4z0EHA.3120@TK2MSFTNGP12.phx.gbl...
> I've wasted my time before telling people the process on how to fix. But you
> idiots refuse to do it. YOU HAVE NOT FIXED IT (as some setup programs will
> now fail).
> 
> Autoexec.nt. There is something deleting it for many people at boot or
> shutdown. Hopefully auditiong will show what program or virus is doing it.
> Most people can't use auditing so noone know what it is. Auditing records
> access to something (what you specify it to) in Windows. It's off by default
> because it slows down the computer and often noone cares.
> 
> 1. Turn on auditing (this turns it on but nothing is being audited)
> 2. Set auditing for just this file (else you'll get millions of messages to
> sort through if you audit everything).
> 
> 
> 1. You must enable Auditing for the machine (in Local Security Policy - see
> Help).
> 
> 2. You must specify what to audit. You do this the same place you set
> permissions (click Advanced).
> 
> Then you can read it in the Event Viewer
> 
> 
> Audit object access
> Computer Configuration\Windows Settings\Security Settings\Local
> Policies\Audit Policy
> 
> Description
> Determines whether to audit the event of a user accessing an object-for
> example, a file, folder, registry key, printer, and so forth-that has its
> own system access control list (SACL) specified.
> 
> If you define this policy setting, you can specify whether to audit
> successes, audit failures, or not audit the event type at all. Success
> audits generate an audit entry when a user successfully accesses an object
> that has a SACL specified. Failure audits generate an audit entry when a
> user unsuccessfully attempts to access an object that has a SACL specified.
> To set this value to no auditing, in the Properties dialog box for this
> policy setting, select the Define these policy settings check box and clear
> the Success and Failure check boxes.
> 
> Note that you can set a SACL on a file system object using the Security tab
> in that object's Properties dialog box.
> 
> Default: No auditing.
> 
> 
> 
> Then set auditing for your drives in the Drives Properties - Security -
> Advanced - Auditing
> 
> You have to turn it on then set what is to be audited.
> 
> This is what a audit for a printer looks like
> 
> Object Open:
> Object Server: Spooler
> Object Type: Document
> Object Name: http://smh.com.au/news/opinion/webdiary/index.html?from=lhsnav
> Handle ID: 9487952
> Operation ID: {-,-}
> Process ID: 1020
> Image File Name: C:\WINDOWS\system32\spoolsv.exe
> Primary User Name: SERENITY$
> Primary Domain: WORKGROUP
> Primary Logon ID: (0x0,0x3E7)
> Client User Name: David Candy
> Client Domain: SERENITY
> Client Logon ID: (0x0,0xE179)
> Accesses: READ_CONTROL
> %%6949
> Privileges: -
> Restricted Sid Count: 0
> For more information, see Help and Support Center at
> 
> Big companies have programs that look through these logs. You can use a
> spread***.
> 
> --
> ----------------------------------------------------------
> http://www.uscricket.com
> "Terry" <tllawton@prodigy.net> wrote in message
> news:OHDwDQy0EHA.3900@TK2MSFTNGP10.phx.gbl...
>> Well can you believe that? I tried the suggestion of "Bullwinkle" and
>> changed the file's properties to "read only" and it doesn't get deleted
> upon
>> boot. I'm flabbergasted that such a simple thing could resolve this
> deletion
>> problem! Even if the root cause of the original problem of the file being
>> deleted in the first place, is still unknown, at least I can live with it
>> until I can discover what caused it.
>> I've put this problem to all kind of places on the Web (I use both Terry
> and
>> Bud Norris) and even to my computer OEM (Gateway) and nobody ever thought
> of
>> changing the file's properties.
>> Many, many thanks to Bullwinkle!
>>
>> "Bud Norris" <bdev605@prodigy.net> wrote in message
>> news:uNYq88Y0EHA.1924@TK2MSFTNGP10.phx.gbl...
>>> Lots of luck Sebastion! If somehow you can replace the AUTOEXEC.NT file
> in
>>> your C:\WINNT\System32| folder AND keep it there, please let me know how
>> you
>>> managed it. Everytime I put the file into the system32 folder it is
>> deleted
>>> the next time I reboot. No body seems to know why this happens It's
>>> obviously something to do with the Windows XP file protection feature but
>> no
>>> one can tell me what to do to stop the deletion.
>>> Also when people tell you that the folder you are to put the AUTOEXEC.NT
>>> file in is your C:\Windows\System32\ folder they are incorrect. It's the
>>> C:\WINNT\System32| folder. People for some reason keep saying it's the
>>> C:\Windows|System32 folder. (Ido realize thats what the Microsoft
> articles
>>> say but ther're wrong)
>>> If any of these experts that answered your question can tell me how to
>> stop
>>> the deletion problem please do it!
>>>
>>> NevBud
>>>
>>> Sebastian <Sebastian@discussions.microsoft.com> wrote in message
>>> news:AC0C0803-9FC3-40F8-96BF-1CE6116CF993@microsoft.com...
>>> > "JerryM (ID)" wrote:
>>> > > The file is located in the Windows\system32 folder
>>> >
>>> > I didn't really phrase my question properly.  I had already discovered
>>> that
>>> > the file is missing from that directory and I was trying to locate
>> another
>>> > copy to put there.  As I understand it (you can see I'm a new user)
> this
>>> used
>>> > to be windows\driver cache\i386 and [since SP2]
>> windows\sustem32zdllcache.
>>> >
>>> > "Patti MacLeod" suggested two refences.  The second wasn't available,
>> the
>>> > first was helpful.
>>> >
>>> > Thanks for all clues - I'll have more if they're availabe because,
> being
>>> > naive, I keep thinking I might learn to understand all this stuff one
>> day.
>>> >
>>> >
>>>
>>>
>>
>>
> 
>