Security log full, why?

 
Bo Berglund

External


Since: Nov 05, 2005
Posts: 22



(Msg. 1) Posted: Sun Sep 30, 2007 9:15 am
Post subject: Security log full, why?
Archived from groups: microsoft>public>windowsxp>security_admin (more info?)

I am getting warnings on my DELL Dimension desktop running XP SP2 when
I log on using RDP. The warning is about the security log being full
and that an administrator should fix it...

After I use Event Viewer to clear all log entries it only takes a
short time until it fills up with new entries again. Almost all of
them are titled "Failure Audit". The text in the listbox when I open
one of these is:

The Windows Firewall has detected an application listening for
incoming traffic.

Name: -
Path: C:\WINDOWS\system32\svchost.exe
Process identifier: 1416
User account: SYSTEM
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 1219
Allowed: No
User notified: No

If I use Taskmanager to find svchost.exe I find no less than 7 of
them. One of these stands out among the others because it has used
lots of CPU time (right now 0:05:52, whereas all others are below a
minute) and I/O Read Bytes is over 2.2 Gbytes and counting. This one
also has the PID mentioned in the event log.

When I use ProcessExplorer from SysInternals I get more info:
"Generic Host Process for Win32 Services"
Command line of process: C:\WINDOWS\System32\svchost.exe -k netsvcs
If I look in the Services tab I find no less than 30 entries...

How can I find out what is causing this audit failure and why?
And how can I stop it from doing whatever it is doing?

BTW: "Tasklist /SVC" gives the following output related to svchost:
Image Name    PID   Services
------------------------------------------
svchost.exe   1124  DcomLaunch, TermService
svchost.exe   1284  RpcSs
svchost.exe   1416  AppMgmt, AudioSrv, BITS, Browser, CryptSvc,
                    Dhcp, dmserver, ERSvc, EventSystem, helpsvc,
                    HidServ, lanmanserver, lanmanworkstation,
                    Messenger, Netman, Nla, RasMan, Schedule,
                    seclogon, SENS, SharedAccess,
                    ShellHWDetection, srservice, TapiSrv,
                    Themes, TrkWks, w32time, winmgmt, wuauserv,
                    WZCSVC
svchost.exe   1528  Dnscache
svchost.exe   1700  LmHosts, RemoteRegistry, SSDPSRV, WebClient
svchost.exe   3048  stisvc
svchost.exe   5268  HTTPFilter


Bo Berglund
bo.berglund(at)nospam.telia.com
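
Added example, not part of the original post: a small Python triage script that tallies the "Failure Audit" firewall events by PID, protocol and port and attaches the services that `Tasklist /SVC` reports for that PID, including the wrapped continuation lines. The event text and tasklist rows are copied from the post above (abridged); the function names are hypothetical and the events are assumed to have been exported as plain description text.

```python
import re
from collections import Counter

# Sample inputs copied (abridged) from the post above.
EVENT = r"""The Windows Firewall has detected an application listening for incoming traffic.
Path: C:\WINDOWS\system32\svchost.exe
Process identifier: 1416
IP protocol: UDP
Port number: 1219
Allowed: No
"""
TASKLIST = """svchost.exe 1416 AppMgmt, AudioSrv, BITS, Browser, CryptSvc,
Dhcp, dmserver, ERSvc, EventSystem, helpsvc,
HidServ, lanmanserver, lanmanworkstation,
Messenger, Netman, Nla, RasMan, Schedule,
seclogon, SENS, SharedAccess,
ShellHWDetection, srservice, TapiSrv,
Themes, TrkWks, w32time, winmgmt, wuauserv,
WZCSVC
svchost.exe 1528 Dnscache
"""

def parse_event(text):
    """Return the 'Key: value' fields of one audit event description."""
    pairs = (line.partition(": ") for line in text.splitlines())
    return {k.strip(): v.strip() for k, sep, v in pairs if sep}

def parse_tasklist(text):
    """Map PID -> services, joining the wrapped continuation lines."""
    services, pid = {}, None
    for line in text.splitlines():
        m = re.match(r"\S+\.exe\s+(\d+)\s+(.*)", line, re.I)
        if m:  # a new process row; anything else continues the previous row
            pid, line = int(m.group(1)), m.group(2)
            services[pid] = []
        if pid is not None:
            services[pid] += [s.strip() for s in line.split(",") if s.strip()]
    return services

def triage(events, tasklist):
    """Count blocked listeners per (PID, protocol, port), with the PID's services."""
    services, counts = parse_tasklist(tasklist), Counter()
    for ev in map(parse_event, events):
        if ev.get("Allowed") == "No":
            key = (int(ev["Process identifier"]), ev["IP protocol"], int(ev["Port number"]))
            counts[key] += 1
    return [(*key, n, services.get(key[0], [])) for key, n in counts.most_common()]

if __name__ == "__main__":
    for row in triage([EVENT] * 3, TASKLIST):
        print(row)
```

The tally narrows the question to which of the services sharing that svchost.exe instance is opening the port; it does not by itself identify the service.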
Jim

External


Since: Nov 18, 2005
Posts: 64



(Msg. 2) Posted: Sun Sep 30, 2007 4:11 pm
Post subject: Re: Security log full, why?
Archived from groups: per prev. post (more info?)

"Bo Berglund" <boberglund DeleteThis @home.se> wrote in message
news:prhuf3p69tc05irc8mbnmnkp11lem6gqg7@4ax.com...
>I am getting warnings on my DELL Dimension desktop running XP SP2 when
> I log on using RDP. The warning is about the security log being full
> and that an administrator should fix it...
>
> After I use Event Viewer to clear all log entries it only takes a
> short time until it fills up with new entries again. Almost all of
> them are titled "Failure Audit". The text in the listbox when I open
> one of these is:
>
> The Windows Firewall has detected an application listening for
> incoming traffic.
>
> Name: -
> Path: C:\WINDOWS\system32\svchost.exe
> Process identifier: 1416
> User account: SYSTEM
> User domain: NT AUTHORITY
> Service: Yes
> RPC server: No
> IP version: IPv4
> IP protocol: UDP
> Port number: 1219
> Allowed: No
> User notified: No
>
> If I use Taskmanager to find svchost.exe I find no less than 7 of
> them. One of these stands out among the others because it has used
> lots of CPU time (right now 0:05:52, whereas all others are below a
> minute) and I/O Read Bytes is over 2.2 Gbytes and counting. This one
> also has the PID mentioned in the event log.
>
> When I use ProcessExplorer from SysInternals I get more info:
> "Generic Host Process for Win32 Services"
> Command line of process: C:\WINDOWS\System32\svchost.exe -k netsvcs
> If I look in the Services tab I find no less than 30 entries...
>
> How can I find out what is causing this audit failure and why?
> And how can I stop it from doing whatever it is doing?
>
> BTW: "Tasklist /SVC" gives the following output related to svchost:
> Image Name PID Services
> ------------------------------------------
> svchost.exe 1124 DcomLaunch, TermService
> svchost.exe 1284 RpcSs
> svchost.exe 1416 AppMgmt, AudioSrv, BITS, Browser, CryptSvc,
> Dhcp, dmserver, ERSvc, EventSystem, helpsvc,
> HidServ, lanmanserver, lanmanworkstation,
> Messenger, Netman, Nla, RasMan, Schedule,
> seclogon, SENS, SharedAccess,
> ShellHWDetection, srservice, TapiSrv,
> Themes, TrkWks, w32time, winmgmt, wuauserv,
> WZCSVC
> svchost.exe 1528 Dnscache
> svchost.exe 1700 LmHosts, RemoteRegistry, SSDPSRV, WebClient
> svchost.exe 3048 stisvc
> svchost.exe 5268 HTTPFilter
>
>
> Bo Berglund
> bo.berglund(at)nospam.telia.com

Svchost.exe is a general purpose program which can be used for quite a few
different processes. It is not unusual to find 7 different processes
executing this program.

If I had your problem, the first thing I would do is to perform a thorough
malware test. It does seem likely that you have a bad case of infestation.

The second thing I would do is dependent on what the results of the first
test are.

Jim
Bo Berglund

External


Since: Nov 05, 2005
Posts: 22



(Msg. 3) Posted: Sun Sep 30, 2007 8:18 pm
Post subject: Re: Security log full, why?
Archived from groups: per prev. post (more info?)

On Sun, 30 Sep 2007 16:11:06 GMT, "Jim" <j.n.DeleteThis@nospam.com> wrote:

>
>Svchost.exe is a general purpose program which can be used for quite a few
>different processes. It is not unusual to find 7 different processes
>executing this program.
>
>If I had your problem, the first thing I would do is to perform a thorough
>malware test. It does seem likely that you have a bad case of infestation.
>
>The second thing I would do is dependent on what the results of the first
>test are.
>

Thanks,
I have a fully up to date Symantec AntiVirus Corporate Edition v
10.1.3.B4000 running on this PC, so I'd assume it would find and
disable any spy/malware infestations...
But I don't know at which level it is able to detect these. Do you
have a suggestion on how to go about checking this?

And I forgot to say that the PC is part of a domain, but I only
occasionally connect to the network where the domain controller
resides via VPN. I don't know if this is an issue, but I thought that
I should mention it.


Bo Berglund
Jim

External


Since: Nov 18, 2005
Posts: 64



(Msg. 4) Posted: Sun Sep 30, 2007 11:40 pm
Post subject: Re: Security log full, why?
Archived from groups: per prev. post (more info?)

"Bo Berglund" <boberglund.RemoveThis@home.se> wrote in message
news:1qpvf3929jqjsot01oivk7t42fajs9k9vj@4ax.com...
> On Sun, 30 Sep 2007 16:11:06 GMT, "Jim" <j.n.RemoveThis@nospam.com> wrote:
>
>>
>>Svchost.exe is a general purpose program which can be used for quite a few
>>different processes. It is not unusual to find 7 different processes
>>executing this program.
>>
>>If I had your problem, the first thing I would do is to perform a
>>thorough
>>malware test. It does seem likely that you have a bad case of
>>infestation.
>>
>>The second thing I would do is dependent on what the results of the first
>>test are.
>>
>
> Thanks,
> I have a fully up to date Symantec AntiVirus Corporate Edition v
> 10.1.3.B4000 running on this PC, so I'd assume it would find and
> disable any spy/malware infestations...
> But I don't know at which level it is able to detect these. Do you
> have a suggestion on how to go about checking this?
>
> And I forgot to say that the PC is part of a domain, but I only
> occasionally connect to the network where the domain controller
> resides via VPN. I don't know if this is an issue, but I thought that
> I should mention it.
>
>
> Bo Berglund

I would not assume anything. What it can detect and how you know what it
can detect should be covered in the fine manual.

Do you know for a fact that the database is current?

My next step would be to get and run David Lipman's Multi_Av.exe package
(sorry, I don't have a url for it handy).

Jim