
Event Logs - I don't like what I'm seeing


#1 cooljay

Posted 08 July 2018 - 06:35 PM

I never knew about event logs until very recently and now I can't stop looking.


Still dealing with connectivity issues, so it makes sense to play detective, but there is one particular thing which freaks me out.


A while ago, I noticed in Firefox properties that there is an entity there that is very mysterious.


Now it turns out that this S 1-5-8 etc. is a Microsoft Security Check that is CONSTANTLY logging in and out, and I don't like it one bit.

First of all, it doesn't have authorization to access my computer, I checked on that. It only accesses through Firefox. (No, I haven't contacted Mozilla about it, but I will.) When I discovered it a couple of months ago it had authority to read, write, etc. which I immediately relieved it of. But it still has "special" powers, whatever that means.


But that's not all. There are also event logs from System, id# 1530, like this:


Log Name:      Application
Source:        Microsoft-Windows-User Profiles Service
Date:          7/8/2018 5:28:49 PM
Event ID:      1530
Task Category: None
Level:         Warning
Keywords:      
User:          SYSTEM
Computer:      HP-Laptop
Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

 DETAIL -
 1 user registry handles leaked from \Registry\User\S-1-5-21-1382324992-2956011349-958396782-500:
Process 944 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1382324992-2956011349-958396782-500

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-User Profiles Service" Guid="{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}" />
    <EventID>1530</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2018-07-08T21:28:49.133184500Z" />
    <EventRecordID>153946</EventRecordID>
    <Correlation />
    <Execution ProcessID="944" ThreadID="7764" />
    <Channel>Application</Channel>
    <Computer>HP-Laptop</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData Name="EVENT_HIVE_LEAK">
    <Data Name="Detail">1 user registry handles leaked from \Registry\User\S-1-5-21-1382324992-2956011349-958396782-500:
Process 944 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1382324992-2956011349-958396782-500
</Data>
  </EventData>
</Event>


Am I overreacting, or is this as freaky as it looks?


In the advanced firewall settings I don't have Remote Access allowed at all. So I don't know how this is even possible, but there you have it. It happens, and I wish I knew what it means and how to stop it, if necessary.


Any ideas? I would appreciate your input on this.


Thanks.


(I would upload an image of "S" from Firefox Properties, but I don't see where I could do that.)


#2 Didier Stevens

Posted 09 July 2018 - 11:28 AM

Security ID S-1-5-18 is the local system:

https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems


All Windows machines use this SID, it's normal that you see plenty of Windows events logs with this SID.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019
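Added example, not code from the thread: a PowerShell snippet that resolves the two SIDs appearing in the posted event (the S-1-5-18 in the Security element and the profile SID in the Detail text) to account names, then lists recent Event ID 1530 entries from the Application log so the leaked hive and the process holding it can be read straight from the event data. It assumes it runs on the affected Windows machine; the second SID is copied from the post and will only resolve on that laptop (elsewhere the script reports it as unresolvable).

```powershell
# Added example (not from the thread): put names to the SIDs in the 1530 event
# and list recent 1530 warnings from the User Profile Service.

# 1. Translate the SIDs from the posted event to account names.
$sids = @(
    'S-1-5-18',                                      # <Security UserID> in the event XML: Local System
    'S-1-5-21-1382324992-2956011349-958396782-500'   # hive named in the Detail text (copied from the post)
)
foreach ($s in $sids) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier($s)
    try {
        $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $name = '(not resolvable on this machine)'
    }
    # The last sub-authority is the RID; 500 is the built-in Administrator account
    # of the machine (or domain) whose SID prefix precedes it.
    [pscustomobject]@{ SID = $s; Account = $name; RID = $s.Split('-')[-1] }
}

# 2. Pull User Profile Service 1530 warnings from the last 7 days and show the
#    user context the event was logged under plus the Detail string that names
#    the process holding the hive open.
$filter = @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-User Profiles Service'
    Id           = 1530
    StartTime    = (Get-Date).AddDays(-7)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        [pscustomobject]@{
            Time    = $_.TimeCreated
            UserSID = $xml.Event.System.Security.UserID
            Detail  = ($xml.Event.EventData.Data | Where-Object Name -eq 'Detail').'#text'
        }
    } | Format-List
```

Run it from an elevated PowerShell prompt if the Application log is restricted on the machine.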


#3 cooljay

cooljay
  • Topic Starter

  • Members
  • 188 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:13 PM

Posted 17 July 2018 - 10:34 PM

Thanks, Didier.


As to the larger issue of dozens and dozens of "Security Audits" per day - I'm fed up with this nonsense. This is just an old laptop I use around the house. We are not talking about a network of a billion dollar corporation. It's ridiculous, really, and I want it to stop.


I tried, logged in as admin, to revoke these permissions, but they somehow return unscathed. Any ideas, anybody, what I can do to stop this? Do other people have this going on, do you think this is normal? Does it bother you? I'm talking about an entity, supposedly Microsoft, taking on the identity of the users of this laptop, to gain access and do what it wants to do, and afterwards destroying the login session. (Yes, that's logged too.)


This totally rubs me the wrong way.
