#1, missmissy, 14th June 2004

What is supposed to be in Win Xp Home

Is there somewhere that has a list of everything that should be on your computer when you have Winxp home?


Also if you have someone else controlling your computer and it is setup to migrate all of those files when you reinstall how can you ever get rid of them?

This computer is mine, a home computer and no one else uses it.

Right now even in safe mode builtin admin I don't have all admin powers.
Anyone have a way I can get this back?

#2, JoeHobart, 14th June 2004

Hmm. As I understand what you are saying, you are logging in using the built-in account Administrator, and are experiencing permissions problems.

Can you give some examples of things that you are trying to do that are not functioning as expected?

#3, missmissy, 14th June 2004

I could delete the entire registry and restart the computer and it would still be fine.

I have seen in my security logs where the builtin admin is deleted after I reinstall.

I already have one computer in the shop and he has restored my admin power on that computer but I don't really have the money right now to have this one I am on now fixed too.

#4, missmissy, 14th June 2004

I guess my biggest question is where to find a list of everything that is in Winxp home.

I would love to be able to find a site that would tell me what each dll is for too. I do a search and all I ever find is long lists of dlls and not what each one can be used for.

As you can tell I know very little about computers.

Thanks for any help

#5, Newt, 14th June 2004

Need some specifics to have a prayer of helping you out.

- What is not working right?

- Please post a copy of the Security Log you mentioned. If that is the standard Security log in your event viewer, open the event, click once on the icon below the up/down arrows (sends a text copy to your clipboard) and paste that here.

- You speak about someone else controlling your computer. Not sure what you mean.

#6, missmissy, 14th June 2004

I click on that icon and I get nothing. Clipbook is started in services.

Also if I open system information it tells me that it cannot collect information. I also have WMI Performance Adapter started and on automatic.

I have been having problems for over a year with this. I had my computer in to a repairman and he said that someone was messing with my computer and that I was basically a limited user with some admin controls.

#7, missmissy, 14th June 2004

Ok my clicking to go to microsoft help is working today so I will start and list some of the things in it. I just want to know if they are normal.

My computer is connected to a router, then a modem for cable. My husband has his computer going into it too but I cannot see his computer at all.

Details
Product: Windows Operating System
ID: 612
Source: Security
Version: 5.0
Component: Security Event Log
Symbolic Name: SE_AUDITID_POLICY_CHANGE
Message: Audit Policy Change:
New Policy:
Success Failure
%3 %4 Logon/Logoff
%5 %6 Object Access
%7 %8 Privilege Use
%13 %14 Account Management
%11 %12 Policy Change
%1 %2 System
%9 %10 Detailed Tracking
%15 %16 Directory Service Access
%17 %18 Account Logon

Changed By:
User Name: %19
Domain Name: %20
Logon ID: %21

Explanation
This event record indicates that an audit policy was changed. The actual changes are shown in the audit log file. Changing an audit policy can have serious security implications. Audit policies changed by a user who is not trusted can be a security risk.


User Action
The person with administrative rights for the computer should make sure the user is supposed to have the privilege to change audit policies. The audit log should be checked to make sure the audit change does not have an adverse impact.



Version: 5.2
Symbolic Name: SE_AUDITID_POLICY_CHANGE
Message: Audit Policy Change:
New Policy:
Success Failure
%3 %4 Logon/Logoff
%5 %6 Object Access
%7 %8 Privilege Use
%13 %14 Account Management
%11 %12 Policy Change
%1 %2 System
%9 %10 Detailed Tracking
%15 %16 Directory Service Access
%17 %18 Account Logon

Changed By:
User Name: %19
Domain Name: %20
Logon ID: %21

Explanation
A change was made to the computer's audit policy. This can be a result of Group Policy obtained from Active Directory or from Local Computer Policy that is configured on the computer. The details of the audit policy change are described in the event message.

This message does not necessarily indicate a problem. However, an attacker may change audit policy as part of a system attack. If successful, an attacker can disable auditing during their attacks and thereby destroy part of the evidence of the attack.


User Action
Verify that the audit policy change is authorized. If it is an authorized change, no user action is required. If the change is unauthorized, identify the attack and attacker to mitigate the threat.


Details
Product: Windows Operating System
ID: 528
Source: Security
Version: 5.2
Symbolic Name: SE_AUDITID_SUCCESSFUL_LOGON
Message: Successful Logon:
User Name: %1
Domain: %2
Logon ID: %3
Logon Type: %4
Logon Process: %5
Authentication Package: %6
Workstation Name: %7
Logon GUID: %8
Caller User Name: %9
Caller Domain: %10
Caller Logon ID: %11
Caller Process ID: %12
Transited Services: %13
Source Network Address: %14
Source Port: %15


Explanation
A logon session was successfully created for the user. The message contains the Logon ID, a number that is generated when a user logs on to a computer. The Logon ID is unique to that logon session until the computer is restarted, at which point the Logon ID may be reused. The Logon ID can be used to correlate a logon message with other messages, such as object access messages.

For logons that use Kerberos, the logon GUID can be used to associate a logon event on this computer with an account logon message on an authenticating computer, such as a domain controller.

This message includes the user name and the domain information for the user account that logged on, the name of the logon process that logged the user on, the type of authentication credentials that were presented, and a logon GUID (globally unique identifier).

This message also includes a logon type code. The logon type code indicates the manner in which the user logged on. The following table explains the logon type code:

Logon type | Logon title | Description
2 | Interactive | A user logged on to this computer at the console.
3 | Network | A user or computer logged on to this computer from the network.
4 | Batch | Batch logon type is used by batch servers, where processes might run on behalf of a user without the user's direct intervention.
5 | Service | A service was started by the Service Control Manager.
7 | Unlock | This workstation was unlocked.
8 | NetworkCleartext | A user logged on to a network and the user password was passed to the authentication package in its unhashed (plain text) form. It is possible that the unhashed password was passed across the network, for example, when IIS performed basic authentication.
9 | NewCredentials | A caller (process, thread, or program) cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but it uses different credentials for other network connections.
10 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or a Remote Desktop connection.
11 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.

The Workstation name field specifies the NetBIOS name of the remote computer that originated the logon request. If no information is displayed in this field, either a Kerberos logon attempt failed because the ticket could not be decrypted, or a non-Windows NetBIOS implementation or utility did not supply the remote computer name in the logon request.


User Action
No user action is required.



Version: 5.0
Component: Security Event Log
Symbolic Name: SE_AUDITID_SUCCESSFUL_LOGON
Message: Successful Logon:
User Name: %1
Domain: %2
Logon ID: %3
Logon Type: %4
Logon Process: %5
Authentication Package: %6
Workstation Name: %7

Explanation
This event is generated when a logon session is created for the user. The event contains the logon ID, a number that is generated when a user logs on to a computer. The logon ID that is assigned to a logon session is unique to that logon session until the computer is restarted, at which point the logon ID may be reused. The logon ID can be used to correlate a logon event with other events, such as object access events.


I will post more, I am not sure what the limit is here for each post

#8, missmissy, 14th June 2004

Well the alert says different things than the ms help page does. It would take me forever to type out the alerts.

Any ideas on what might be wrong with my clipbook to work?

#9, missmissy, 14th June 2004

Here are the MS help files for owner

Details
Product: Windows Operating System
ID: 624
Source: Security
Version: 5.0
Component: Security Event Log
Symbolic Name: SE_AUDITID_USER_CREATED
Message: User Account Created:
New Account Name: %1
New Domain: %2
New Account ID: %3
Caller User Name: %4
Caller Domain: %5
Caller Logon ID: %6
Privileges %7

***********************************

Details
Product: Windows Operating System
ID: 642
Source: Security
Version: 5.0
Component: Security Event Log
Symbolic Name: SE_AUDITID_USER_CHANGE
Message: User Account Changed:
%1
Target Account Name: %2
Target Domain: %3
Target Account ID: %4
Caller User Name: %5
Caller Domain: %6
Caller Logon ID: %7
Privileges: %8


Explanation
This event indicates that a user account has been changed. There is no Failure Audit form for this audit event record. User account changes can have security implications.

Note that this event replaces Security event 626 and Security event 629.


User Action
The person with administrative rights for the computer should confirm that there are no security implications because of this change.



Version: 5.2
Symbolic Name: SE_AUDITID_USER_CHANGE
Message: User Account Changed:
Target Account Name: %2
Target Domain: %3
Target Account ID: %4
Caller User Name: %5
Caller Domain: %6
Caller Logon ID: %7
Privileges: %8
Changed Attributes:
Sam Account Name: %9
Display Name: %10
User Principal Name: %11
Home Directory: %12
Home Drive: %13
Script Path: %14
Profile Path: %15
User Workstations: %16
Password Last Set: %17
Account Expires: %18
Primary Group ID: %19
AllowedToDelegateTo: %20
Old UAC Value: %21
New UAC Value: %22
User Account Control: %23
User Parameters: %24
Sid History: %25
Logon Hours: %26


Explanation
A security-relevant property of the user account changed. The properties listed in the message after Changed Attributes are all security-relevant.

If a property changed, the new value is specified. Properties that display hyphens did not change.

The User Account Control (UAC) property is a bit list. There are two fields: one to specify the new value (New UAC Value) and the other to specify the old value (Old UAC Value). Use the following table for each of the UAC value bit lists to determine specific bits that were changed:

Flag Name | Flag Value | Description
USER_ACCOUNT_DISABLED | (0x00000001) | This account is disabled.
USER_HOME_DIRECTORY_REQUIRED | (0x00000002) | This account has a home directory.
USER_PASSWORD_NOT_REQUIRED | (0x00000004) | This account does not require a password.
USER_TEMP_DUPLICATE_ACCOUNT | (0x00000008) | This account is a domain local user account.
USER_INTERDOMAIN_TRUST_ACCOUNT | (0x00000040) | This account is used for a trust between domains.
USER_WORKSTATION_TRUST_ACCOUNT | (0x00000080) | This account is used for a trust from a workstation to a domain.
USER_SERVER_TRUST_ACCOUNT | (0x00000100) | This account is used for a domain controller.
USER_DONT_EXPIRE_PASSWORD | (0x00000200) | The password on this account never expires.
USER_ACCOUNT_AUTO_LOCKED | (0x00000400) | This account is locked because of repeated logon attempts using an incorrect password.
USER_SMARTCARD_REQUIRED | (0x00001000) | A smartcard must be used to log on with this account.
USER_TRUSTED_FOR_DELEGATION | (0x00002000) | This account can be used to do Kerberos delegation (typically a service account).
USER_USE_DES_KEY_ONLY | (0x00008000) | This account can only use DES encryption types.
USER_DONT_REQUIRE_PREAUTH | (0x00010000) | Kerberos pre-authentication is not required for this account.
USER_PASSWORD_EXPIRED | (0x00020000) | The password for this account has expired.

Where do I find where they would list the numbers that they have above telling you what was done? It isn't in the alert that I see.

*******************************************

Details
Product: Windows Operating System
ID: 628
Source: Security
Version: 5.0
Component: Security Event Log
Symbolic Name: SE_AUDITID_USER_PWD_SET
Message: User Account password set:
Target Account Name: %1
Target Domain: %2
Target Account ID: %3
Caller User Name: %4
Caller Domain: %5
Caller Logon ID: %6


Explanation
This event indicates that the password for the specified user account (Target Account) was reset. The password of a user object can be reset only by someone who was granted the Reset Password right by the ACL on the user object, or who is a member of one of the following groups: Administrators, Account Operators, Domain Administrators, or Enterprise Administrators. This event might indicate that someone is trying to make changes without the appropriate permissions.


User Action
Review failure audits for this event.



Version: 5.2
Symbolic Name: SE_AUDITID_USER_PWD_SET
Message: User Account password set:
Target Account Name: %1
Target Domain: %2
Target Account ID: %3
Caller User Name: %4
Caller Domain: %5
Caller Logon ID: %6


Explanation
The user account password was reset by another user who has permission to do so. The user who reset the password did not have to supply the old password.


The Caller User Name field specifies the person who reset the password.
The Target Account Name field specifies the person whose password was reset.

I did set a password
********************************************
Details
Product: Windows Operating System
ID: 626
Source: Security
Version: 5.0
Component: Security Event Log
Symbolic Name: SE_AUDITID_USER_ENABLED
Message: User Account Enabled:
Target Account Name: %1
Target Domain: %2
Target Account ID: %3
Caller User Name: %4
Caller Domain: %5
Caller Logon ID: %6


Explanation
This event indicates that a disabled user account has been re-enabled. There can be security implications for this action.

On computers running Windows 2000 Server or later, this Security event and Security event 629 are replaced by Security event 642.

*******************************************
Details
Product: Windows Operating System
ID: 642
Source: Security
Version: 5.0
Component: Security Event Log
Symbolic Name: SE_AUDITID_USER_CHANGE
Message: User Account Changed:
%1
Target Account Name: %2
Target Domain: %3
Target Account ID: %4
Caller User Name: %5
Caller Domain: %6
Caller Logon ID: %7
Privileges: %8


Explanation
This event indicates that a user account has been changed. There is no Failure Audit form for this audit event record. User account changes can have security implications.

Note that this event replaces Security event 626 and Security event 629.


User Action
The person with administrative rights for the computer should confirm that there are no security implications because of this change.


Version: 5.2
Symbolic Name: SE_AUDITID_USER_CHANGE
Message: User Account Changed:
Target Account Name: %2
Target Domain: %3
Target Account ID: %4
Caller User Name: %5
Caller Domain: %6
Caller Logon ID: %7
Privileges: %8
Changed Attributes:
Sam Account Name: %9
Display Name: %10
User Principal Name: %11
Home Directory: %12
Home Drive: %13
Script Path: %14
Profile Path: %15
User Workstations: %16
Password Last Set: %17
Account Expires: %18
Primary Group ID: %19
AllowedToDelegateTo: %20
Old UAC Value: %21
New UAC Value: %22
User Account Control: %23
User Parameters: %24
Sid History: %25
Logon Hours: %26



********************************************

Builtin Admin

Details
Product: Windows Operating System
ID: 636
Source: Security
Version: 5.0
Component: Security Event Log
Symbolic Name: SE_AUDITID_LOCAL_GROUP_ADD
Message: Security Enabled Local Group Member Added:
Member Name: %1
Member ID: %2
Target Account Name: %3
Target Domain: %4
Target Account ID: %5
Caller User Name: %6
Caller Domain: %7
Caller Logon ID: %8
Privileges: %9


Explanation
This audit record indicates that a new member has been added to a local group. This event also occurs when a user account is created and added to the built-in None group used internally by Windows 2000. There is no Failure Audit form of this audit event record. Adding members to groups can have security implications. This is especially true when a user is added to the Administrator group.


User Action
The person with administrative rights for the computer should check to see who is being added to groups that have security implications. Make sure that users added to security sensitive groups really belong in the group.



Version: 5.2
Symbolic Name: SE_AUDITID_LOCAL_GROUP_ADD
Message: Security Enabled Local Group Member Added:
Member Name: %1
Member ID: %2
Target Account Name: %3
Target Domain: %4
Target Account ID: %5
Caller User Name: %6
Caller Domain: %7
Caller Logon ID: %8
Privileges: %9


Explanation
A user or group account was added to a local security group on the computer or on the domain.


The Member Name field specifies the user or group account that was added.
The Member ID field specifies the target account security identifier (SID), but this is displayed as the domain-qualified user name by Event Viewer.
The Target Account Name and Target Domain fields specify the group to which the user was added.
The Target Account ID specifies the security identifier (SID) of the group that was added.
The Caller User Name field specifies the user who made the change.
The Caller Logon ID field specifies the logon ID of the user who made the change.
The Privileges field for this event is usually empty.
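
Added example (not part of the original thread): the event 642 help text quoted in the post above says the Old and New UAC Values are bit lists, so this sketch decodes both with the page's flag table and reports which bits were set or cleared. The sample event text is constructed, and the choice of which transitions to mark for review is an assumption of this example.

```python
import re

# Flag names and values as listed in the event 642 help text in the post above.
UAC_FLAGS = {
    0x00000001: "USER_ACCOUNT_DISABLED",
    0x00000002: "USER_HOME_DIRECTORY_REQUIRED",
    0x00000004: "USER_PASSWORD_NOT_REQUIRED",
    0x00000008: "USER_TEMP_DUPLICATE_ACCOUNT",
    0x00000040: "USER_INTERDOMAIN_TRUST_ACCOUNT",
    0x00000080: "USER_WORKSTATION_TRUST_ACCOUNT",
    0x00000100: "USER_SERVER_TRUST_ACCOUNT",
    0x00000200: "USER_DONT_EXPIRE_PASSWORD",
    0x00000400: "USER_ACCOUNT_AUTO_LOCKED",
    0x00001000: "USER_SMARTCARD_REQUIRED",
    0x00002000: "USER_TRUSTED_FOR_DELEGATION",
    0x00008000: "USER_USE_DES_KEY_ONLY",
    0x00010000: "USER_DONT_REQUIRE_PREAUTH",
    0x00020000: "USER_PASSWORD_EXPIRED",
}

# Assumption of this example: transitions that deserve a second look.
REVIEW_IF_SET = 0x4 | 0x200 | 0x2000 | 0x8000 | 0x10000
REVIEW_IF_CLEARED = 0x1 | 0x1000  # account re-enabled, smartcard no longer required

# Constructed sample of the "Changed Attributes" part of an event 642 message.
SAMPLE_642 = """User Account Changed:
    Target Account Name: ExampleUser
    Changed Attributes:
    Display Name: -
    Old UAC Value: 0x211
    New UAC Value: 0x214
"""


def flag_names(mask):
    """Return the names of the bits set in mask, lowest bit first."""
    names = []
    bit = 1
    while bit <= mask:
        if mask & bit:
            # Bits the page's table does not list are kept, not dropped.
            names.append(UAC_FLAGS.get(bit, "UNLISTED_0x%08X" % bit))
        bit <<= 1
    return names


def parse_uac_field(message, label):
    """Read one hex field; a hyphen means the property did not change."""
    m = re.search(r"^\s*%s:\s*(\S+)\s*$" % re.escape(label), message, re.MULTILINE)
    if m is None or m.group(1) == "-":
        return None
    return int(m.group(1), 16)


def uac_changes(message):
    """Diff Old/New UAC Value; None when the event shows no UAC change."""
    old = parse_uac_field(message, "Old UAC Value")
    new = parse_uac_field(message, "New UAC Value")
    if old is None or new is None:
        return None
    set_bits = new & ~old
    cleared_bits = old & ~new
    review = ["set " + n for n in flag_names(set_bits & REVIEW_IF_SET)]
    review += ["cleared " + n for n in flag_names(cleared_bits & REVIEW_IF_CLEARED)]
    return {
        "set": flag_names(set_bits),
        "cleared": flag_names(cleared_bits),
        "review": review,
    }


if __name__ == "__main__":
    print(uac_changes(SAMPLE_642))
```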

#10, missmissy, 14th June 2004

***********************************************
This is where it looks like builtin admin was removed-Security Enabled Local Group Member Removed
Details
Product: Windows Operating System
ID: 637
Source: Security
Version: 5.0
Component: Security Event Log
Symbolic Name: SE_AUDITID_LOCAL_GROUP_REM
Message: Security Enabled Local Group Member Removed:
Member Name: %1
Member ID: %2
Target Account Name: %3
Target Domain: %4
Target Account ID: %5
Caller User Name: %6
Caller Domain: %7
Caller Logon ID: %8
Privileges: %9


Explanation
This event record indicates that a member has been removed from a local group. This event also occurs when a user account is deleted and removed from the built-in None group used internally by Windows 2000. There is no Failure Audit form of this audit event record. Removing members from groups can have security implications. This is especially true when a user is removed from the Administrator group.


User Action
The person with administrative rights for the computer should check to see who is being removed from groups that have security implications. Make sure that users removed from security sensitive groups really should be removed.



Version: 5.2
Symbolic Name: SE_AUDITID_LOCAL_GROUP_REM
Message: Security Enabled Local Group Member Removed:
Member Name: %1
Member ID: %2
Target Account Name: %3
Target Domain: %4
Target Account ID: %5
Caller User Name: %6
Caller Domain: %7
Caller Logon ID: %8
Privileges: %9

**********************************************

Here is another removed

Details
Product: Windows Operating System
ID: 633
Source: Security
Version: 5.0
Component: Security Event Log
Symbolic Name: SE_AUDITID_GLOBAL_GROUP_REM
Message: Security Enabled Global Group Member Removed:
Member Name: %1
Member ID: %2
Target Account Name: %3
Target Domain: %4
Target Account ID: %5
Caller User Name: %6
Caller Domain: %7
Caller Logon ID: %8
Privileges: %9


Explanation
This event record indicates that a member has been removed from a global group. This event also occurs when a user account is deleted and removed from the built-in None group used internally by Windows 2000. There is no Failure Audit form of this audit event record. Removing members from groups can have security implications. This is especially true when a user is removed from the Administrator group.



***********************************************

Also I have alerts that the support and help processes are created, given a password and then disabled.


I have tons and tons of processes that are given logon rights too. I will go through and write them down so I can type them all in. I really wish my copy and paste or the clipbook would work.

#11, Newt, 14th June 2004

Hold off on any more info until Joe can take another look and comment.

To the best of my knowledge the auditing events you are reporting are not even available on XP-home and even on XP-pro are turned off by default when the operating system is loaded unless there is a domain policy that takes care of setting it up.

The %n% masking (where 'n' is a number) is more than a little strange as well but the pieces that are there look more like domain messages than stuff from a small home peer network.

#12, missmissy, 14th June 2004

***Jumps up and down***

I am so happy that someone might understand this. I have tons and tons more in my security alerts. I will type every one out if anyone thinks it will help.

#13, noahdfear, 14th June 2004

Do you type for a living? It would take me hours to type all that out. Did you try clicking the icon Newt mentioned and then just right clicking>paste in a reply window here? You said that nothing happens when you click the icon, but you wouldn't notice anything happen. Doesn't mean the info won't be there when you right click>paste.

#14, Johanna, 14th June 2004

XP Home vs Pro

But from those event logs, someone or something is changing your password and admin rights. Rule out hubby, and we'll start on the computer.

Johanna

#15, missmissy, 14th June 2004

Quote:
Originally Posted by noahdfear
Do you type for a living? It would take me hours to type all that out. Did you try clicking the icon Newt mentioned and then just right clicking>paste in a reply window here? You said that nothing happens when you click the icon, but you wouldn't notice anything happen. Doesn't mean the info won't be there when you right click>paste.


Ok that works. I guess that I don't know hardly anything about computers LMBO.

I didn't type all of it, I did the microsoft help and then copied and pasted. I was just going to type out lists of trusted logon processes and such.

Thanks

I am gonna post this one now because I believe this is from the first day we got the computer and it is the only alert from 2002 then they jump to last week when I reinstalled.

This is what I get when I use the paste

Audit Policy Change:
New Policy:
Success Failure
+ + Logon/Logoff
- - Object Access
- - Privilege Use
+ + Account Management
+ + Policy Change
+ + System
- - Detailed Tracking
- - Directory Service Access
+ + Account Logon

Changed By:
User Name: MACHINENAME$
Domain Name:
Logon ID: (0x0,0x3E7)

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

This is what microsoft says about it.

Details
Product: Windows Operating System
ID: 612
Source: Security
Version: 5.0
Component: Security Event Log
Symbolic Name: SE_AUDITID_POLICY_CHANGE
Message: Audit Policy Change:
New Policy:
Success Failure
%3 %4 Logon/Logoff
%5 %6 Object Access
%7 %8 Privilege Use
%13 %14 Account Management
%11 %12 Policy Change
%1 %2 System
%9 %10 Detailed Tracking
%15 %16 Directory Service Access
%17 %18 Account Logon

Changed By:
User Name: %19
Domain Name: %20
Logon ID: %21

Explanation
This event record indicates that an audit policy was changed. The actual changes are shown in the audit log file. Changing an audit policy can have serious security implications. Audit policies changed by a user who is not trusted can be a security risk.


User Action
The person with administrative rights for the computer should make sure the user is supposed to have the privilege to change audit policies. The audit log should be checked to make sure the audit change does not have an adverse impact.



Version: 5.2
Symbolic Name: SE_AUDITID_POLICY_CHANGE
Message: Audit Policy Change:
New Policy:
Success Failure
%3 %4 Logon/Logoff
%5 %6 Object Access
%7 %8 Privilege Use
%13 %14 Account Management
%11 %12 Policy Change
%1 %2 System
%9 %10 Detailed Tracking
%15 %16 Directory Service Access
%17 %18 Account Logon

Changed By:
User Name: %19
Domain Name: %20
Logon ID: %21

Explanation
A change was made to the computer's audit policy. This can be a result of Group Policy obtained from Active Directory or from Local Computer Policy that is configured on the computer. The details of the audit policy change are described in the event message.

This message does not necessarily indicate a problem. However, an attacker may change audit policy as part of a system attack. If successful, an attacker can disable auditing during their attacks and thereby destroy part of the evidence of the attack.
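
Added example (not part of the original thread): a parser for the event 612 text pasted in the post above, which turns the +/- matrix into a policy table, checks whether the change came from the local SYSTEM logon session, and reports any audit category that a later event switches off. It goes beyond the single pasted event by comparing it with a second event; that second event, with its user name and logon ID, is constructed for illustration.

```python
import re

# The event text as pasted in the post above.
PASTED_612 = """Audit Policy Change:
New Policy:
Success Failure
+ + Logon/Logoff
- - Object Access
- - Privilege Use
+ + Account Management
+ + Policy Change
+ + System
- - Detailed Tracking
- - Directory Service Access
+ + Account Logon

Changed By:
User Name: MACHINENAME$
Domain Name:
Logon ID: (0x0,0x3E7)
"""

# Constructed later event: failure auditing for logons and all auditing of
# account management are switched off by an interactive user.
LATER_612 = (PASTED_612
             .replace("+ + Logon/Logoff", "+ - Logon/Logoff")
             .replace("+ + Account Management", "- - Account Management")
             .replace("User Name: MACHINENAME$", "User Name: EXAMPLEUSER")
             .replace("(0x0,0x3E7)", "(0x0,0x1A2B3)"))

ROW = re.compile(r"^\s*([+-])\s+([+-])\s+(.+?)\s*$", re.MULTILINE)
LOGON_ID = re.compile(r"Logon ID:\s*\((0x[0-9A-Fa-f]+),(0x[0-9A-Fa-f]+)\)")


def parse_612(message):
    """Parse an audit policy change message into policy, user and logon ID."""
    policy = {}
    for success, failure, category in ROW.findall(message):
        policy[category] = (success == "+", failure == "+")
    user = re.search(r"^\s*User Name:[ \t]*(.*)$", message, re.MULTILINE)
    lid = LOGON_ID.search(message)
    return {
        "policy": policy,
        "user": user.group(1).strip() if user else None,
        "logon_id": (int(lid.group(1), 16), int(lid.group(2), 16)) if lid else None,
    }


def changed_by_system(event):
    """0x3E7 is the fixed logon session ID of the local SYSTEM account."""
    return event["logon_id"] == (0x0, 0x3E7)


def auditing_lost(before, after):
    """List (category, kind) pairs that were audited before and are not after."""
    lost = []
    for category, (succ, fail) in before["policy"].items():
        new_succ, new_fail = after["policy"].get(category, (False, False))
        if succ and not new_succ:
            lost.append((category, "Success"))
        if fail and not new_fail:
            lost.append((category, "Failure"))
    return lost


if __name__ == "__main__":
    first, later = parse_612(PASTED_612), parse_612(LATER_612)
    print("changed by SYSTEM:", changed_by_system(first))
    print("auditing lost in later event:", auditing_lost(first, later))
```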
