
What is supposed to be in Win Xp Home

Discussion in 'Windows XP' started by missmissy, 2004/06/13.

Thread Status:
Not open for further replies.
  1. 2004/06/13
    missmissy

    missmissy Inactive Thread Starter

    Joined:
    2004/06/13
    Messages:
    83
    Likes Received:
    0
    Is there somewhere that has a list of everything that should be on your computer when you have Winxp home?


    Also if you have someone else controlling your computer and it is setup to migrate all of those files when you reinstall how can you ever get rid of them?

    This computer is mine, a home computer and no one else uses it.

    Right now even in safe mode builtin admin I don't have all admin powers.
    Anyone have a way I can get this back?
     
  2. 2004/06/13
    JoeHobart

    JoeHobart Inactive Alumni

    Joined:
    2004/05/19
    Messages:
    919
    Likes Received:
    1
    Hmm, as I understand what you are saying, you are logging in using the built-in account Administrator, and are experiencing permissions problems.

    Can you give some examples of things that you are trying to do that are not functioning as expected?
     

  4. 2004/06/13
    missmissy

    missmissy Inactive Thread Starter

    Joined:
    2004/06/13
    Messages:
    83
    Likes Received:
    0
    I could delete the entire registry and restart the computer and it would still be fine.

    I have seen in my security logs where the builtin admin is deleted after I reinstall.

    I already have one computer in the shop and he has restored my admin power on that computer but I don't really have the money right now to have this one I am on now fixed too.
     
  5. 2004/06/13
    missmissy

    missmissy Inactive Thread Starter

    Joined:
    2004/06/13
    Messages:
    83
    Likes Received:
    0
    I guess my biggest question is where to find a list of everything that is in Winxp home.

    I would love to be able to find a site that would tell me what each dll is for too. I do a search and all I ever find is long lists of dlls and not what each one can be used for.

    As you can tell I know very little about computers.

    Thanks for any help
     
  6. 2004/06/13
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Need some specifics to have a prayer of helping you out.

    - What is not working right?

    - Please post a copy of the Security Log you mentioned. If that is the standard Security log in your event viewer, open the event, click once on the icon below the up/down arrows (sends a text copy to your clipboard) and paste that here.

    - You speak about someone else controlling your computer. Not sure what you mean.
     
    Newt,
    #5
  7. 2004/06/13
    missmissy

    missmissy Inactive Thread Starter

    Joined:
    2004/06/13
    Messages:
    83
    Likes Received:
    0
    :( I click on that icon and I get nothing. Clipbook is started in services.

    Also if I open system information it tells me that it cannot collect information. I also have WMI Performance Adapter started and on automatic.

    I have been having problems for over a year with this. I had my computer in to a repairman and he said that someone was messing with my computer and that I was basically a limited user with some admin controls.
     
  8. 2004/06/13
    missmissy

    missmissy Inactive Thread Starter

    Joined:
    2004/06/13
    Messages:
    83
    Likes Received:
    0
    Ok my clicking to go to microsoft help is working today so I will start and list some of the things in it. I just want to know if they are normal.

    My computer is connected to a router, then a modem for cable. My husband has his computer going into it too but I cannot see his computer at all.

    Details
    Product: Windows Operating System
    ID: 612
    Source: Security
    Version: 5.0
    Component: Security Event Log
    Symbolic Name: SE_AUDITID_POLICY_CHANGE
    Message: Audit Policy Change:
    New Policy:
    Success Failure
    %3 %4 Logon/Logoff
    %5 %6 Object Access
    %7 %8 Privilege Use
    %13 %14 Account Management
    %11 %12 Policy Change
    %1 %2 System
    %9 %10 Detailed Tracking
    %15 %16 Directory Service Access
    %17 %18 Account Logon

    Changed By:
    User Name: %19
    Domain Name: %20
    Logon ID: %21

    Explanation
    This event record indicates that an audit policy was changed. The actual changes are shown in the audit log file. Changing an audit policy can have serious security implications. Audit policies changed by a user who is not trusted can be a security risk.


    User Action
    The person with administrative rights for the computer should make sure the user is supposed to have the privilege to change audit policies. The audit log should be checked to make sure the audit change does not have an adverse impact.



    Version: 5.2
    Symbolic Name: SE_AUDITID_POLICY_CHANGE
    Message: Audit Policy Change:
    New Policy:
    Success Failure
    %3 %4 Logon/Logoff
    %5 %6 Object Access
    %7 %8 Privilege Use
    %13 %14 Account Management
    %11 %12 Policy Change
    %1 %2 System
    %9 %10 Detailed Tracking
    %15 %16 Directory Service Access
    %17 %18 Account Logon

    Changed By:
    User Name: %19
    Domain Name: %20
    Logon ID: %21

    Explanation
    A change was made to the computer's audit policy. This can be a result of Group Policy obtained from Active Directory or from Local Computer Policy that is configured on the computer. The details of the audit policy change are described in the event message.

    This message does not necessarily indicate a problem. However, an attacker may change audit policy as part of a system attack. If successful, an attacker can disable auditing during their attacks and thereby destroy part of the evidence of the attack.


    User Action
    Verify that the audit policy change is authorized. If it is an authorized change, no user action is required. If the change is unauthorized, identify the attack and attacker to mitigate the threat.


    Details
    Product: Windows Operating System
    ID: 528
    Source: Security
    Version: 5.2
    Symbolic Name: SE_AUDITID_SUCCESSFUL_LOGON
    Message: Successful Logon:
    User Name: %1
    Domain: %2
    Logon ID: %3
    Logon Type: %4
    Logon Process: %5
    Authentication Package: %6
    Workstation Name: %7
    Logon GUID: %8
    Caller User Name: %9
    Caller Domain: %10
    Caller Logon ID: %11
    Caller Process ID: %12
    Transited Services: %13
    Source Network Address: %14
    Source Port: %15


    Explanation
    A logon session was successfully created for the user. The message contains the Logon ID, a number that is generated when a user logs on to a computer. The Logon ID is unique to that logon session until the computer is restarted, at which point the Logon ID may be reused. The Logon ID can be used to correlate a logon message with other messages, such as object access messages.

    For logons that use Kerberos, the logon GUID can be used to associate a logon event on this computer with an account logon message on an authenticating computer, such as a domain controller.

    This message includes the user name and the domain information for the user account that logged on, the name of the logon process that logged the user on, the type of authentication credentials that were presented, and a logon GUID (globally unique identifier).

    This message also includes a logon type code. The logon type code indicates the manner in which the user logged on. The following table explains the logon type code:

    Logon type Logon title Description
    2 Interactive A user logged on to this computer at the console.
    3 Network A user or computer logged on to this computer from the network.
    4 Batch Batch logon type is used by batch servers, where processes might run on behalf of a user without the user's direct intervention.
    5 Service A service was started by the Service Control Manager.
    7 Unlock This workstation was unlocked.
    8 NetworkCleartext A user logged on to a network and the user password was passed to the authentication package in its unhashed (plain text) form. It is possible that the unhashed password was passed across the network, for example, when IIS performed basic authentication.
    9 NewCredentials A caller (process, thread, or program) cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but it uses different credentials for other network connections.
    10 RemoteInteractive A user logged on to this computer remotely using Terminal Services or a Remote Desktop connection.
    11 CachedInteractive A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.

    The Workstation name field specifies the NetBIOS name of the remote computer that originated the logon request. If no information is displayed in this field, either a Kerberos logon attempt failed because the ticket could not be decrypted, or a non-Windows NetBIOS implementation or utility did not supply the remote computer name in the logon request.


    User Action
    No user action is required.



    Version: 5.0
    Component: Security Event Log
    Symbolic Name: SE_AUDITID_SUCCESSFUL_LOGON
    Message: Successful Logon:
    User Name: %1
    Domain: %2
    Logon ID: %3
    Logon Type: %4
    Logon Process: %5
    Authentication Package: %6
    Workstation Name: %7

    Explanation
    This event is generated when a logon session is created for the user. The event contains the logon ID, a number that is generated when a user logs on to a computer. The logon ID that is assigned to a logon session is unique to that logon session until the computer is restarted, at which point the logon ID may be reused. The logon ID can be used to correlate a logon event with other events, such as object access events.


    I will post more, I am not sure what the limit is here for each post
     
  9. 2004/06/13
    missmissy

    missmissy Inactive Thread Starter

    Joined:
    2004/06/13
    Messages:
    83
    Likes Received:
    0
    Well the alert says different things than the ms help page does. It would take me forever to type out the alerts.

    Any ideas on what might be wrong with my clipbook to work?
     
  10. 2004/06/13
    missmissy

    missmissy Inactive Thread Starter

    Joined:
    2004/06/13
    Messages:
    83
    Likes Received:
    0
    Here are the MS help files for owner

    Details
    Product: Windows Operating System
    ID: 624
    Source: Security
    Version: 5.0
    Component: Security Event Log
    Symbolic Name: SE_AUDITID_USER_CREATED
    Message: User Account Created:
    New Account Name: %1
    New Domain: %2
    New Account ID: %3
    Caller User Name: %4
    Caller Domain: %5
    Caller Logon ID: %6
    Privileges %7

    ***********************************

    Details
    Product: Windows Operating System
    ID: 642
    Source: Security
    Version: 5.0
    Component: Security Event Log
    Symbolic Name: SE_AUDITID_USER_CHANGE
    Message: User Account Changed:
    %1
    Target Account Name: %2
    Target Domain: %3
    Target Account ID: %4
    Caller User Name: %5
    Caller Domain: %6
    Caller Logon ID: %7
    Privileges: %8


    Explanation
    This event indicates that a user account has been changed. There is no Failure Audit form for this audit event record. User account changes can have security implications.

    Note that this event replaces Security event 626 and Security event 629.


    User Action
    The person with administrative rights for the computer should confirm that there are no security implications because of this change.



    Version: 5.2
    Symbolic Name: SE_AUDITID_USER_CHANGE
    Message: User Account Changed:
    Target Account Name: %2
    Target Domain: %3
    Target Account ID: %4
    Caller User Name: %5
    Caller Domain: %6
    Caller Logon ID: %7
    Privileges: %8
    Changed Attributes:
    Sam Account Name: %9
    Display Name: %10
    User Principal Name: %11
    Home Directory: %12
    Home Drive: %13
    Script Path: %14
    Profile Path: %15
    User Workstations: %16
    Password Last Set: %17
    Account Expires: %18
    Primary Group ID: %19
    AllowedToDelegateTo: %20
    Old UAC Value: %21
    New UAC Value: %22
    User Account Control: %23
    User Parameters: %24
    Sid History: %25
    Logon Hours: %26


    Explanation
    A security-relevant property of the user account changed. The properties listed in the message after Changed Attributes are all security-relevant.

    If a property changed, the new value is specified. Properties that display hyphens did not change.

    The User Account Control (UAC) property is a bit list. There are two fields: one to specify the new value (New UAC Value) and the other to specify the old value (Old UAC Value). Use the following table for each of the UAC value bit lists to determine specific bits that were changed:

    Flag Name Flag Value Description
    USER_ACCOUNT_DISABLED (0x00000001) This account is disabled.
    USER_HOME_DIRECTORY_REQUIRED (0x00000002) This account has a home directory.
    USER_PASSWORD_NOT_REQUIRED (0x00000004) This account does not require a password.
    USER_TEMP_DUPLICATE_ACCOUNT (0x00000008) This account is a domain local user account.
    USER_INTERDOMAIN_TRUST_ACCOUNT (0x00000040) This account is used for a trust between domains.
    USER_WORKSTATION_TRUST_ACCOUNT (0x00000080) This account is used for a trust from a workstation to a domain.
    USER_SERVER_TRUST_ACCOUNT (0x00000100) This account is used for a domain controller.
    USER_DONT_EXPIRE_PASSWORD (0x00000200) The password on this account never expires.
    USER_ACCOUNT_AUTO_LOCKED (0x00000400) This account is locked because of repeated logon attempts using an incorrect password.
    USER_SMARTCARD_REQUIRED (0x00001000) A smartcard must be used to log on with this account.
    USER_TRUSTED_FOR_DELEGATION (0x00002000) This account can be used to do Kerberos delegation (typically a service account).
    USER_USE_DES_KEY_ONLY (0x00008000) This account can only use DES encryption types.
    USER_DONT_REQUIRE_PREAUTH (0x00010000) Kerberos pre-authentication is not required for this account.
    USER_PASSWORD_EXPIRED (0x00020000) The password for this account has expired.

    Where do I find where they would list the numbers that they have above telling you what was done? It isn't in the alert that I see.

    *******************************************

    Details
    Product: Windows Operating System
    ID: 628
    Source: Security
    Version: 5.0
    Component: Security Event Log
    Symbolic Name: SE_AUDITID_USER_PWD_SET
    Message: User Account password set:
    Target Account Name: %1
    Target Domain: %2
    Target Account ID: %3
    Caller User Name: %4
    Caller Domain: %5
    Caller Logon ID: %6


    Explanation
    This event indicates that the password for the specified user account (Target Account) was reset. The password of a user object can be reset only by someone who was granted the Reset Password right by the ACL on the user object, or who is a member of one of the following groups: Administrators, Account Operators, Domain Administrators, or Enterprise Administrators. This event might indicate that someone is trying to make changes without the appropriate permissions.


    User Action
    Review failure audits for this event.



    Version: 5.2
    Symbolic Name: SE_AUDITID_USER_PWD_SET
    Message: User Account password set:
    Target Account Name: %1
    Target Domain: %2
    Target Account ID: %3
    Caller User Name: %4
    Caller Domain: %5
    Caller Logon ID: %6


    Explanation
    The user account password was reset by another user who has permission to do so. The user who reset the password did not have to supply the old password.


    The Caller User Name field specifies the person who reset the password.
    The Target Account Name field specifies the person whose password was reset.

    I did set a password
    ********************************************
    Details
    Product: Windows Operating System
    ID: 626
    Source: Security
    Version: 5.0
    Component: Security Event Log
    Symbolic Name: SE_AUDITID_USER_ENABLED
    Message: User Account Enabled:
    Target Account Name: %1
    Target Domain: %2
    Target Account ID: %3
    Caller User Name: %4
    Caller Domain: %5
    Caller Logon ID: %6


    Explanation
    This event indicates that a disabled user account has been re-enabled. There can be security implications for this action.

    On computers running Windows 2000 Server or later, this Security event and Security event 629 are replaced by Security event 642.

    ********************************************

    Builtin Admin

    Details
    Product: Windows Operating System
    ID: 636
    Source: Security
    Version: 5.0
    Component: Security Event Log
    Symbolic Name: SE_AUDITID_LOCAL_GROUP_ADD
    Message: Security Enabled Local Group Member Added:
    Member Name: %1
    Member ID: %2
    Target Account Name: %3
    Target Domain: %4
    Target Account ID: %5
    Caller User Name: %6
    Caller Domain: %7
    Caller Logon ID: %8
    Privileges: %9


    Explanation
    This audit record indicates that a new member has been added to a local group. This event also occurs when a user account is created and added to the built-in None group used internally by Windows 2000. There is no Failure Audit form of this audit event record. Adding members to groups can have security implications. This is especially true when a user is added to the Administrator group.


    User Action
    The person with administrative rights for the computer should check to see who is being added to groups that have security implications. Make sure that users added to security sensitive groups really belong in the group.



    Version: 5.2
    Symbolic Name: SE_AUDITID_LOCAL_GROUP_ADD
    Message: Security Enabled Local Group Member Added:
    Member Name: %1
    Member ID: %2
    Target Account Name: %3
    Target Domain: %4
    Target Account ID: %5
    Caller User Name: %6
    Caller Domain: %7
    Caller Logon ID: %8
    Privileges: %9


    Explanation
    A user or group account was added to a local security group on the computer or on the domain.


    The Member Name field specifies the user or group account that was added.
    The Member ID field specifies the target account security identifier (SID), but this is displayed as the domain-qualified user name by Event Viewer.
    The Target Account Name and Target Domain fields specify the group to which the user was added.
    The Target Account ID specifies the security identifier (SID) of the group that was added.
    The Caller User Name field specifies the user who made the change.
    The Caller Logon ID field specifies the logon ID of the user who made the change.
    The Privileges field for this event is usually empty.
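    The event 642 help text pasted above says to compare Old UAC Value and New UAC Value bit by bit against the flag table, which is tedious by hand and easy to get wrong. The following Python is an added example, not code from the thread or from Microsoft: it does that comparison, names the bits that were switched on and off, reports any bit the table does not list instead of silently dropping it, and flags the combinations a home user should question (a disabled account being re-enabled, "password not required" being set). The sample event is constructed; the account name, SID and logon IDs are placeholders.

```python
"""Decode the Old/New UAC Value pair of a Security event 642 (User Account Changed).
Added example; the flag table is the one reproduced in the help text above."""

# Flag table from the event 642 help text (SAM user-account-control bits).
UAC_FLAGS = {
    0x00000001: "USER_ACCOUNT_DISABLED",
    0x00000002: "USER_HOME_DIRECTORY_REQUIRED",
    0x00000004: "USER_PASSWORD_NOT_REQUIRED",
    0x00000008: "USER_TEMP_DUPLICATE_ACCOUNT",
    0x00000040: "USER_INTERDOMAIN_TRUST_ACCOUNT",
    0x00000080: "USER_WORKSTATION_TRUST_ACCOUNT",
    0x00000100: "USER_SERVER_TRUST_ACCOUNT",
    0x00000200: "USER_DONT_EXPIRE_PASSWORD",
    0x00000400: "USER_ACCOUNT_AUTO_LOCKED",
    0x00001000: "USER_SMARTCARD_REQUIRED",
    0x00002000: "USER_TRUSTED_FOR_DELEGATION",
    0x00008000: "USER_USE_DES_KEY_ONLY",
    0x00010000: "USER_DONT_REQUIRE_PREAUTH",
    0x00020000: "USER_PASSWORD_EXPIRED",
}

# Changes that deserve a second look on a single-user home machine.
SUSPICIOUS_SET = {
    "USER_PASSWORD_NOT_REQUIRED",   # account may log on with a blank password
    "USER_DONT_EXPIRE_PASSWORD",
    "USER_TRUSTED_FOR_DELEGATION",
    "USER_DONT_REQUIRE_PREAUTH",
}
SUSPICIOUS_CLEARED = {"USER_ACCOUNT_DISABLED"}  # a disabled account switched back on


def parse_uac_value(text):
    """Event Viewer shows the value as hex ('0x15'); a lone hyphen means 'unchanged'."""
    t = text.strip().lower()
    if t in ("", "-"):
        return None
    return int(t, 16) if t.startswith("0x") else int(t, 10)


def decode_flags(value):
    """Name each set bit, lowest first. Bits the table does not list are reported
    as UNKNOWN_0x... instead of being dropped, so nothing is hidden."""
    names, bit = [], 1
    while bit <= value:
        if value & bit:
            names.append(UAC_FLAGS.get(bit, "UNKNOWN_0x%08x" % bit))
        bit <<= 1
    return names


def uac_changes(old, new):
    """Bits present in new but not old were switched on; the reverse were switched off."""
    return {"set": decode_flags(new & ~old), "cleared": decode_flags(old & ~new)}


def triage_event_642(event_text):
    """Parse the 'Field: value' lines of a pasted 642 event and summarise the UAC change."""
    fields = {}
    for line in event_text.splitlines():
        key, sep, val = line.partition(":")
        if sep:
            fields[key.strip()] = val.strip()
    old = parse_uac_value(fields.get("Old UAC Value", "-"))
    new = parse_uac_value(fields.get("New UAC Value", "-"))
    changes = {"set": [], "cleared": []} if old is None or new is None else uac_changes(old, new)
    flagged = sorted([f for f in changes["set"] if f in SUSPICIOUS_SET]
                     + [f for f in changes["cleared"] if f in SUSPICIOUS_CLEARED])
    return {
        "target": fields.get("Target Account Name", "?"),
        "caller": fields.get("Caller User Name", "?"),
        "set": changes["set"],
        "cleared": changes["cleared"],
        "flagged": flagged,
    }


# Constructed sample (placeholder names, SID and logon ID): a disabled account is
# re-enabled and at the same time marked "password not required".
SAMPLE_642 = """User Account Changed:
Target Account Name: HelpAssistant
Target Domain: MACHINENAME
Target Account ID: %{S-1-5-21-0-0-0-1000}
Caller User Name: owner
Caller Domain: MACHINENAME
Caller Logon ID: (0x0,0x1A2B3)
Privileges: -
Changed Attributes:
Sam Account Name: -
Old UAC Value: 0x11
New UAC Value: 0x14
User Account Control: -
"""

if __name__ == "__main__":
    print(triage_event_642(SAMPLE_642))
```

On the live machine the values come from the Changed Attributes section of the event; paste the text produced by the Copy button on the Event Properties dialog into triage_event_642(). Bit 0x10 in the sample shows up as UNKNOWN because the table pasted above does not list it; that is deliberate, so that a bit outside the table is never mistaken for "no change".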
     
  11. 2004/06/13
    missmissy

    missmissy Inactive Thread Starter

    Joined:
    2004/06/13
    Messages:
    83
    Likes Received:
    0
    ***********************************************
    This is where it looks like builtin admin was removed-Security Enabled Local Group Member Removed
    Details
    Product: Windows Operating System
    ID: 637
    Source: Security
    Version: 5.0
    Component: Security Event Log
    Symbolic Name: SE_AUDITID_LOCAL_GROUP_REM
    Message: Security Enabled Local Group Member Removed:
    Member Name: %1
    Member ID: %2
    Target Account Name: %3
    Target Domain: %4
    Target Account ID: %5
    Caller User Name: %6
    Caller Domain: %7
    Caller Logon ID: %8
    Privileges: %9


    Explanation
    This event record indicates that a member has been removed from a local group. This event also occurs when a user account is deleted and removed from the built-in None group used internally by Windows 2000. There is no Failure Audit form of this audit event record. Removing members from groups can have security implications. This is especially true when a user is removed from the Administrator group.


    User Action
    The person with administrative rights for the computer should check to see who is being removed from groups that have security implications. Make sure that users removed from security sensitive groups really should be removed.



    Version: 5.2
    Symbolic Name: SE_AUDITID_LOCAL_GROUP_REM
    Message: Security Enabled Local Group Member Removed:
    Member Name: %1
    Member ID: %2
    Target Account Name: %3
    Target Domain: %4
    Target Account ID: %5
    Caller User Name: %6
    Caller Domain: %7
    Caller Logon ID: %8
    Privileges: %9

    **********************************************

    Here is another removed

    Details
    Product: Windows Operating System
    ID: 633
    Source: Security
    Version: 5.0
    Component: Security Event Log
    Symbolic Name: SE_AUDITID_GLOBAL_GROUP_REM
    Message: Security Enabled Global Group Member Removed:
    Member Name: %1
    Member ID: %2
    Target Account Name: %3
    Target Domain: %4
    Target Account ID: %5
    Caller User Name: %6
    Caller Domain: %7
    Caller Logon ID: %8
    Privileges: %9


    Explanation
    This event record indicates that a member has been removed from a global group. This event also occurs when a user account is deleted and removed from the built-in None group used internally by Windows 2000. There is no Failure Audit form of this audit event record. Removing members from groups can have security implications. This is especially true when a user is removed from the Administrator group.



    ***********************************************

    Also I have alerts that the support and help processes are created, given a password and then disabled.


    I have tons and tons of processes that are given logon rights too. I will go through and write them down so I can type them all in. I really wish my copy and paste or the clipbook would work. :(
     
  12. 2004/06/13
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Hold off on any more info until Joe can take another look and comment.

    To the best of my knowledge the auditing events you are reporting are not even available on XP-home and even on XP-pro are turned off by default when the operating system is loaded unless there is a domain policy that takes care of setting it up.

    The %n% masking (where 'n' is a number) is more than a little strange as well but the pieces that are there look more like domain messages than stuff from a small home peer network.
     
  13. 2004/06/13
    missmissy

    missmissy Inactive Thread Starter

    Joined:
    2004/06/13
    Messages:
    83
    Likes Received:
    0
    ***Jumps up and down*** :D

    I am so happy that someone might understand this. I have tons and tons more in my security alerts. I will type everyone out if anyone thinks it will help.
     
  14. 2004/06/13
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Do you type for a living? :D It would take me hours to type all that out. :eek: Did you try clicking the icon Newt mentioned and then just right clicking>paste in a reply window here. You said that nothing happens when you click the icon, but you wouldn't notice anything happen. Doesn't mean the info won't be there when you right click>paste.
     
  15. 2004/06/13
    Johanna

    Johanna Inactive Alumni

    Joined:
    2003/03/08
    Messages:
    2,402
    Likes Received:
    2
    XP Home vs Pro

    But from those event logs, someone or something is changing your password and admin rights. Rule out hubby, and we'll start on the computer.

    Johanna
     
  16. 2004/06/13
    missmissy

    missmissy Inactive Thread Starter

    Joined:
    2004/06/13
    Messages:
    83
    Likes Received:
    0


    :p Ok that works. I guess that I don't know hardly anything about computers LMBO.

    I didn't type all of it, I did the microsoft help and then copied and pasted. I was just going to type out lists of trusted logon processes and such.

    Thanks :D

    I am gonna post this one now because I believe this is from the first day we got the computer and it is the only alert from 2002 then they jump to last week when I reinstalled.

    This is what I get when I use the paste

    Audit Policy Change:
    New Policy:
    Success Failure
    + + Logon/Logoff
    - - Object Access
    - - Privilege Use
    + + Account Management
    + + Policy Change
    + + System
    - - Detailed Tracking
    - - Directory Service Access
    + + Account Logon

    Changed By:
    User Name: MACHINENAME$
    Domain Name:
    Logon ID: (0x0,0x3E7)

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

     
  17. 2004/06/14
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Here's something to try.

    Go to start>run and type msconfig, hit enter. On the boot.ini tab, check the box next to /safeboot and OK. Yes to restart. This will restart your computer in safe mode.

    Logon to the administrator account. Go to start>run and type control userpasswords2 (make sure you leave a space), hit enter. Highlight your username in the list and click properties, then group membership tab. Make sure you are in 'other>administrator' and OK out.

    Uncheck the box for /safeboot in msconfig and restart.
     
  18. 2004/06/14
    JoeHobart

    JoeHobart Inactive Alumni

    Joined:
    2004/05/19
    Messages:
    919
    Likes Received:
    1
    Ok, so I'm very, very sorry to say that the majority of what you typed in is from the help file. All those %3 looking things are supposed to be populated with data, like in the very last post you made.

    This is kind of odd, because this looks like someone is locking down your machine, like you were a part of a managed domain, which is impossible, being xp-home.

    There is a great article from Microsoft on how to reset the default permissions back to the way they ship: http://support.microsoft.com/?id=313222

    Give this a shot, and let's see if we can get back to where we were.

    Also, I would note that this might be a good candidate to give Microsoft a call about. The cost of a support ticket with them would be money well spent. We can try our best to walk you through undoing all this, but it might get prohibitively tedious or complex to explain. I reserve the right to call uncle :p

    We also need to investigate why and by whom the changes were made. Can you go back into your event viewer, and grab using paste (like you did the last time) the events you posted before? We do not need the info from the help screen, just hit that 'Copy' button (the third button after you double click on an event), on the Event Properties dialog box. Your results should look like this:

    Event Type: Error
    Event Source: Server
    Event Category: None
    Event ID: 2504
    Date: 6/9/2004
    Time: 9:09:35 AM
    User: N/A
    Computer: JOE
    Description:
    The server could not bind to the transport \Device\NetBT_Tcpip_{3EF6326D-DE55-40AE-BC78-365BE28B4C34}.
    Data:
    0000: aa 05 00 00 ª...
     
  19. 2004/06/14
    missmissy

    missmissy Inactive Thread Starter

    Joined:
    2004/06/13
    Messages:
    83
    Likes Received:
    0
    Well I would like to just say it isn't him that is doing this. I really don't know. He swears up and down that he isn't doing this and that he has no idea how to do this type of thing.
     
  20. 2004/06/14
    missmissy

    missmissy Inactive Thread Starter

    Joined:
    2004/06/13
    Messages:
    83
    Likes Received:
    0
    Ok I did this and it does say that I am Other: Administrator. Everything is made to look like I am an admin, but when I try to do things step by step like you just showed me I get that the item doesn't exist or access denied. I would list those things but I have been dealing with this for over a year now. I never started to keep any sort of records until a few days ago. I will now keep all of my errors in a tablet.

    Now when I did this I got a message from spybot that the registry was being changed but I assume that was because I changed the boot process.

    Category: System startup global entry change :
    value added
    new data D:\\Windows Pchealth\HelpCtrl\Binaries\M (couldn't get the rest of it, I couldn't copy over it to make it more, or make the box bigger)

    If that seems odd I can try and find the log for that and see what it is.
     
  21. 2004/06/14
    missmissy

    missmissy Inactive Thread Starter

    Joined:
    2004/06/13
    Messages:
    83
    Likes Received:
    0
    Ok this is from the beginning. I will go to Microsoft's article next.

    Event Type: Success Audit
    Event Source: Security
    Event Category: Policy Change
    Event ID: 612
    Date: 9/12/2002
    Time: 10:07:53 PM
    User: NT AUTHORITY\SYSTEM
    Computer: MACHINENAME
    Description:
    Audit Policy Change:
    New Policy:
    Success Failure
    + + Logon/Logoff
    - - Object Access
    - - Privilege Use
    + + Account Management
    + + Policy Change
    + + System
    - - Detailed Tracking
    - - Directory Service Access
    + + Account Logon

    Changed By:
    User Name: MACHINENAME$
    Domain Name:
    Logon ID: (0x0,0x3E7)

    ***************
    Event Type: Success Audit
    Event Source: Security
    Event Category: System Event
    Event ID: 520
    Date: 6/9/2004
    Time: 3:19:41 AM
    User: NT AUTHORITY\SYSTEM
    Computer: MACHINENAME
    Description:
    The system time was changed.
    Process ID: 268
    Process Name: D:\WINDOWS\System32\setup.exe
    Primary User Name: MACHINENAME$
    Primary Domain:
    Primary Logon ID: (0x0,0x3E7)
    Client User Name: MACHINENAME$
    Client Domain:
    Client Logon ID: (0x0,0x3E7)
    Previous Time: 2:20:01 AM 9/13/2002
    New Time: 3:19:41 AM 6/9/2004

    *******************
    Event Type: Success Audit
    Event Source: Security
    Event Category: Policy Change
    Event ID: 612
    Date: 6/9/2004
    Time: 3:19:41 AM
    User: NT AUTHORITY\SYSTEM
    Computer: MACHINENAME
    Description:
    Audit Policy Change:
    New Policy:
    Success Failure
    + + Logon/Logoff
    - - Object Access
    - - Privilege Use
    + + Account Management
    + + Policy Change
    + + System
    - - Detailed Tracking
    - - Directory Service Access
    + + Account Logon

    Changed By:
    User Name: MACHINENAME$
    Domain Name:
    Logon ID: (0x0,0x3E7)

    *****************************

    Event Type: Success Audit
    Event Source: Security
    Event Category: Policy Change
    Event ID: 612
    Date: 6/9/2004
    Time: 3:19:57 AM
    User: NT AUTHORITY\SYSTEM
    Computer: MACHINENAME
    Description:
    Audit Policy Change:
    New Policy:
    Success Failure
    + + Logon/Logoff
    - - Object Access
    - - Privilege Use
    + + Account Management
    + + Policy Change
    + + System
    - - Detailed Tracking
    - - Directory Service Access
    + + Account Logon

    Changed By:
    User Name: MACHINENAME$
    Domain Name:
    Logon ID: (0x0,0x3E7)

    *************************************
    Event Type: Success Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 528
    Date: 6/9/2004
    Time: 3:20:13 AM
    User: NT AUTHORITY\LOCAL SERVICE
    Computer: MACHINENAME
    Description:
    Successful Logon:
    User Name: LOCAL SERVICE
    Domain: NT AUTHORITY
    Logon ID: (0x0,0x3E5)
    Logon Type: 5
    Logon Process: Advapi
    Authentication Package: Negotiate
    Workstation Name:
    Logon GUID: {00000000-0000-0000-0000-000000000000}

    **************************************

    Event Type: Success Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 528
    Date: 6/9/2004
    Time: 3:20:13 AM
    User: NT AUTHORITY\NETWORK SERVICE
    Computer: MACHINENAME
    Description:
    Successful Logon:
    User Name: NETWORK SERVICE
    Domain: NT AUTHORITY
    Logon ID: (0x0,0x3E4)
    Logon Type: 5
    Logon Process: Advapi
    Authentication Package: Negotiate
    Workstation Name:
    Logon GUID: {00000000-0000-0000-0000-000000000000}
     
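The help text quoted earlier warns that an attacker may change audit policy to destroy evidence, and the Event ID 612 records pasted above show what such a change looks like once copied out of Event Viewer with the 'Copy' button. As an added example that is not part of this thread, the Python below parses text in that pasted format into records, diffs consecutive 612 events to list the categories whose auditing was switched off, and lists 612 events whose 'Changed By' account is not the computer account (the `MACHINENAME$` seen above, which is what shows when the policy engine itself applies settings; treating that as the expected changer is an assumption of this example, not a rule from the thread). The sample log is constructed: the first record mirrors the shape of the ones above, the second is invented (`someuser` and its logon ID are made up) so that there is a disabling change to find.

```python
"""Parse Security events pasted from Event Viewer's 'Copy' button and flag
Event ID 612 audit-policy changes that switch an auditing category off."""
import re

# Constructed sample (not the thread's real log): the first record mirrors the
# shape of the 612 events pasted above; the second is invented so that a
# change which disables auditing is present to detect.
SAMPLE_LOG = """\
Event Type: Success Audit
Event ID: 612
Date: 6/9/2004
Time: 3:19:41 AM
User: NT AUTHORITY\\SYSTEM
Description:
Audit Policy Change:
New Policy:
Success Failure
+ + Logon/Logoff
- - Object Access
+ + Policy Change
+ + System

Changed By:
User Name: MACHINENAME$
Logon ID: (0x0,0x3E7)

*****************************
Event Type: Success Audit
Event ID: 612
Date: 6/9/2004
Time: 3:25:10 AM
User: MACHINENAME\\someuser
Description:
Audit Policy Change:
New Policy:
Success Failure
- - Logon/Logoff
- - Object Access
+ - Policy Change
+ + System

Changed By:
User Name: someuser
Logon ID: (0x0,0x1A2B3)
"""

HEADER_RE = re.compile(r"^([A-Za-z ]+):\s*(.*)$")   # "Key: value" lines
POLICY_RE = re.compile(r"^([+-]) ([+-]) (.+)$")      # "+ - Category" lines


def parse_events(text):
    """Split pasted text on the '*****' separators. Each record is a dict of
    the 'Key: value' header fields (fields after 'Changed By:' get that prefix)
    plus a 'policy' map {category: (success_on, failure_on)} for 612 events."""
    events = []
    for chunk in re.split(r"^\*{3,}\s*$", text, flags=re.M):
        if "Event ID:" not in chunk:
            continue
        rec, policy, in_changed_by = {}, {}, False
        for line in chunk.splitlines():
            line = line.strip()
            m = POLICY_RE.match(line)
            if m:
                policy[m.group(3)] = (m.group(1) == "+", m.group(2) == "+")
                continue
            if line == "Changed By:":
                in_changed_by = True
                continue
            m = HEADER_RE.match(line)
            if m:
                key = ("Changed By " if in_changed_by else "") + m.group(1)
                rec[key] = m.group(2)
        rec["policy"] = policy
        events.append(rec)
    return events


def audit_disabled(events):
    """Compare each 612 record with the previous one and return
    (time, changed_by, category) for every category whose success or failure
    auditing went from on to off; these are the changes that lose evidence."""
    findings, prev = [], None
    for ev in events:
        if ev.get("Event ID") != "612":
            continue
        if prev is not None:
            for cat, (succ, fail) in ev["policy"].items():
                was_succ, was_fail = prev["policy"].get(cat, (False, False))
                if (was_succ and not succ) or (was_fail and not fail):
                    findings.append((ev.get("Time"), ev.get("Changed By User Name"), cat))
        prev = ev
    return findings


def changed_outside_policy_engine(events):
    """612 records whose 'Changed By' account is not the computer account
    (name ending in '$', like MACHINENAME$ above). Assumption of this example:
    policy applied by the machine itself is expected, anything else is not."""
    return [ev for ev in events
            if ev.get("Event ID") == "612"
            and not ev.get("Changed By User Name", "").endswith("$")]
```

Run it against the pasted text from a real thread post by replacing `SAMPLE_LOG`; the parser only relies on the `Key: value` lines, the `+ -` policy rows and the `*****` separators, so extra header fields such as `Event Source` or `Computer` are kept as ordinary keys.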