HIDS 2.5.3 Event on w2k server

cweatherford
Level 1

I have received the following event on a w2k server running Exchange 5.5 but cannot find anything on the process that explains (if it could be a false positive or not). Can anyone tell me if they have seen this or where to go to look? Basically, should I be worried or is this normal?

This event indicates that a subkey of HKEY_LOCAL_MACHINE\Software\Microsoft\ has been deleted. This can cause a system to become impossible to configure or run. This can be a legal operation. An example of a false positive would be uninstalling Microsoft software from the system.

This event indicates that permissions for the Registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg were modified. This key is associated with the Named Pipe used for Registry access, and the permissions defined for it determine which users, groups and services have access to the Registry over the network. An improper configuration of the permissions for this key can therefore render the system vulnerable to remote Registry access and modifications. In a secure environment, only Administrators and the System should have Full Control rights.

This event indicates that the permissions for one of the EventLog registry keys were modified.

The EventLog registry keys are located under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog. The keys Application, Security, and System contain Application, Security, and System Event Logs settings and are found on every Windows machine. Other keys present are those for the Directory Service Log, the DNS Service Log, and other services.

A change in permission may result in modifications to these keys by an unprivileged user.

This event indicates that permissions for the Registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg were modified. This key is associated with the Named Pipe used for Registry access, and the permissions defined for it determine which users, groups and services have access to the Registry over the network. An improper configuration of the permissions for this key can therefore render the system vulnerable to remote Registry access and modifications. In a secure environment, only Administrators and the System should have Full Control rights.

This event indicates that the permissions for one of the EventLog registry keys were modified.

The EventLog registry keys are located under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog. The keys Application, Security, and System contain Application, Security, and System Event Logs settings and are found on every Windows machine. Other keys present are those for the Directory Service Log, the DNS Service Log, and other services.

A change in permission may result in modifications to these keys by an unprivileged user.

These all happened within an hour. Is this a normal event?

1 Reply

cweatherford
Level 1

Forgot to mention: the process was mad.exe
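One way to check the keys named in these events, as an added example that is not part of the original thread: a PowerShell audit (assumed to run on a current Windows host, since Windows 2000 predates PowerShell) that lists every Allow ACE on the winreg and EventLog keys granting Full Control or write rights to a principal other than Administrators or SYSTEM, the allow-list the event text itself describes.

```powershell
# Added example, not from the original post. Audits the ACLs on the keys
# named in the HIDS events and reports any principal other than
# Administrators / SYSTEM that can write to them or change their permissions.
# The key list and the trusted-principal list are assumptions taken from
# the event descriptions above; adjust them for your own baseline.

$Keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg',
    'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Application',
    'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security',
    'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\System'
)

# Principals expected to hold Full Control on these keys.
$TrustedFullControl = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

# Rights that let a principal alter the key, its subkeys or its ACL.
$WriteMask = [System.Security.AccessControl.RegistryRights]::SetValue -bor
             [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
             [System.Security.AccessControl.RegistryRights]::Delete -bor
             [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
             [System.Security.AccessControl.RegistryRights]::TakeOwnership

function Get-SuspiciousRegistryAce {
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) {
        Write-Warning "Key not present: $Path"
        return
    }
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who  = $ace.IdentityReference.Value
        $full = ($ace.RegistryRights -band [System.Security.AccessControl.RegistryRights]::FullControl) -eq
                [System.Security.AccessControl.RegistryRights]::FullControl
        $canWrite = ($ace.RegistryRights -band $WriteMask) -ne 0
        # Report any write-capable ACE held by a principal outside the allow-list.
        if (($full -or $canWrite) -and ($TrustedFullControl -notcontains $who)) {
            [pscustomobject]@{
                Key       = $Path
                Principal = $who
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$Keys | ForEach-Object { Get-SuspiciousRegistryAce -Path $_ } | Format-Table -AutoSize
```

An empty result means only the trusted principals can modify these keys; any row it does print is the entry to compare against the time of the HIDS event and the process it names.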
