I'm on a single Asus laptop (8 GB RAM, i7-4710HQ 2.50 GHz), alone (no LAN), behind a router, not using file/printer sharing (ever). Running Win 10 Home upgraded from 8.1. For a long time I have been experiencing some noticeable effects (not big, but still very changed without any real reason) regarding system start-up and shutdown times (also confirmed by Event Viewer logs). Running Firefox with 3-4 very popular add-ons, but the browser needs 450 MB "in idle" with only 1 tab open. FF is relatively slow here, but maybe that's normal. The system shows noticeable time delays also when not using internet-connected software or browsing. Memory leaking (corrupted file system) and/or external use of my computer (resources) as client/server?
Due to the above, I started to look more deeply into the MS logs:
1. Got a Warning from EV on 2016-09-28 (the date of the MS Anniversary Update) telling me that the source SMBServer (ID 1025) recognised that the registry key HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters had been changed (that day, or only a notice due to a security update by MS?). The standard values are "empty", but here they are NullSessionPipes, NullSessionShares. Explicitly, the Warning says I am allowing anonymous users access to the server (my computer). Have I got a server? Pretty new info also!!
2. Still, I am told the firewall ports are closed for file/printer sharing (ID 1027), which would imply SMB traffic would not be able to run through my FW (I am not
3. An endpoint has been added (ID 1010); domain name "Workgroup", transport name \Device\NetbiosSmb. Am I part of a Workgroup now?
4. My "Server" resources have been activated (ID 1023) for access-based enumeration. This is done either by Server Manager or by the Windows PowerShell cmdlet Set-SmbShare.
5. Network name info has been added (ID 1012) for my ISP IP address and router/computer; added net name: " * ".
All of 1-5 above are from the same day, 2016-09-28, out of the SMBServer Operational log. Logged activities are registered until 2017-01-03.
In the SMBServer Connectivity log, ID 1022 on 2016-10-18 registered that a firewall rule for File and Printer Sharing has been activated. The Operational log (ID 1001) said: a client tried to connect to the server with SMB1 but was denied by an Administrator (that's me, I guess). SMB1 file sharing has been deactivated or uninstalled. What I did was deactivate the Windows service Server (old LanmanServer). Right or wrong? I was uncomfortable.
SMBClient Connectivity logs (from 2016-09-28, ending 2016-01-03): TCP/IP interface transactions.
As a "security" response I have also deactivated the Windows service Workstation (set to manual today).
1. Got a Warning on 2016-09-28 (same as above) telling me PS script blocks were Executing Remote Commands.
This has been going on ever since, at certain time intervals. Could there be a connection between the SMB logs and the PS logs?
From some of the PS script blocks I noticed the filename "Windows\TEMP\SDIAG.......... .js1". This gave me the clue that maybe we are talking about Microsoft doing diagnostics on my system? I have then tried to search the internet on this subject, correlating it to the SMB protocol and/or MS using PowerShell code, BUT found nothing at all. The thing is, MS allowed the user to uninstall PowerShell in prior versions of Windows (i.e. Win 7, Vista etc.). With Win 10 Home that is not an option anymore. Why? Or why does MS not tell their customers the reason? PowerShell can be used for exploitation, as can the SMB protocol. That's why I want to close these options. Yesterday a script ran that collected access rights, i.e. I checked the date/time, matching it with MS tasks scheduled in Task Scheduler, but found nothing. Just as a parenthesis, I can tell you how I changed the PowerShell permissions to make the software unusable. What happened later? A hidden start-up command during booting, "powershell.exe -noexit -command Set-Location '%V'", popped up, probably making someone (MS) run PowerShell on my computer but executing line by line remotely??

Am I paranoid and compromised, or has MS been given permission to take whatever they want without permission or even telling us about it?
PS! I have the dxgkrnl.sys start-up problem. The file + another one is wanted multiple times.
Not yet solved, ds!
Thanks for letting me post.
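The checks below are an added example and not part of the original post: a read-only PowerShell audit, run from an elevated prompt on Windows 10, of the items the post raises. It reads the LanmanServer\Parameters null-session values that SMBServer event 1025 refers to, the state of the Server and Workstation services, the SMB server's SMB1 setting and its shares (including the access-based enumeration mode behind event 1023), the File and Printer Sharing firewall rules, anything currently listening on or connected over the SMB ports, the SMBServer events cited above, and the PowerShell script-block events (ID 4104) that mention SDIAG. The Windows\TEMP\SDIAG_... folders are created by the Windows Troubleshooting Platform (msdt.exe), whose troubleshooters run as PowerShell scripts, and "powershell.exe -noexit -command Set-Location '%V'" is the shape of the Explorer "Open PowerShell window here" context-menu verb; the registry location the last check reads for that verb is an assumption, marked as such in the code. Every cmdlet used is a stock Windows 10 cmdlet and nothing is modified.

```powershell
# Added example, not from the original post: read-only audit of the SMB and
# PowerShell items discussed above. Run from an elevated PowerShell prompt.
$ErrorActionPreference = 'SilentlyContinue'

# 1. Null-session settings behind SMBServer event 1025. NullSessionPipes and
#    NullSessionShares list pipes/shares reachable without a logon;
#    RestrictNullSessAccess (1 when absent) keeps anonymous clients out of the rest.
$lanman = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
[pscustomobject]@{
    NullSessionPipes       = ($lanman.NullSessionPipes  -join ', ')
    NullSessionShares      = ($lanman.NullSessionShares -join ', ')
    RestrictNullSessAccess = $lanman.RestrictNullSessAccess
} | Format-List

# 2. The two services the post disabled: Server (LanmanServer) and Workstation.
Get-Service LanmanServer, LanmanWorkstation | Select-Object Name, Status, StartType

# 3. SMB server configuration: SMB1 should be off; AutoShareServer and
#    AutoShareWorkstation control the automatic admin shares (C$, ADMIN$).
Get-SmbServerConfiguration |
    Select-Object EnableSMB1Protocol, EnableSMB2Protocol, AutoShareServer,
                  AutoShareWorkstation, RequireSecuritySignature

# 4. Shares and their enumeration mode (event 1023 concerns FolderEnumerationMode).
Get-SmbShare | Select-Object Name, Path, FolderEnumerationMode, Description

# 5. Firewall rules in the File and Printer Sharing group (events 1022 / 1027).
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' |
    Select-Object DisplayName, Direction, Profile, Enabled, Action | Format-Table -AutoSize

# 6. Live SMB activity: listeners on 445/139, inbound sessions, outbound connections.
#    On an isolated laptop the session and connection lists should be empty.
Get-NetTCPConnection -LocalPort 445, 139 -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess
Get-SmbSession    | Select-Object ClientComputerName, ClientUserName, NumOpens
Get-SmbConnection | Select-Object ServerName, ShareName, UserName

# 7. The SMBServer events the post cites, newest first, with the first line of each message.
$summary = @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-SMBServer/Operational'
    Id      = 1001, 1010, 1012, 1023, 1025, 1027
} -MaxEvents 50 | Select-Object TimeCreated, Id, $summary
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SMBServer/Connectivity'; Id = 1022 } -MaxEvents 20 |
    Select-Object TimeCreated, Id, $summary

# 8. PowerShell script-block logging (event 4104). The message carries the script
#    text and ends with a "Path:" line naming the file the block came from.
$blocks = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 1000
$blocks | Where-Object { $_.Message -match 'SDIAG' } |
    Select-Object TimeCreated, @{ n = 'Path'; e = { [regex]::Match($_.Message, '(?m)^Path:\s*(.*)$').Groups[1].Value } } |
    Format-Table -AutoSize
# Scheduled tasks whose action launches PowerShell (to compare with the 4104 timestamps).
Get-ScheduledTask | Where-Object { $_.Actions.Execute -match 'powershell' } |
    Select-Object TaskPath, TaskName, State

# 9. The Explorer "Open PowerShell window here" verb; '%V' is the folder Explorer
#    substitutes when the menu item is clicked. Registry location assumed here:
Get-ItemProperty 'Registry::HKEY_CLASSES_ROOT\Directory\Background\shell\Powershell\command' |
    Select-Object -ExpandProperty '(default)'
```

Sections 1 to 6 answer "have I got a server?" directly: the Server service state, the shares it publishes, the firewall rules in front of it, and whether anything is actually listening or connected. Sections 7 and 8 pull the same events the post reads in Event Viewer so that the SMBServer timestamps can be laid next to the 4104 script-block timestamps and the scheduled-task list.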