Folder reappears on desktop

  • Thread starter: sandi

Hello,

I am using Windows 2000 Server.

For the last 15-20 days I have been seeing a folder named s on the
desktop. I have deleted that folder 7 times and it is still
reappearing. I am sure none of our server
administrators have created that folder. I don't know what
is happening or how to track it. Only the folder gets
created on the desktop, with no contents inside.

Can you please help me check this problem?

Thanks

Sandi
 
Hello Steve,

Thanks,

but what I see on my desktop is not a tilde (~) sign.
It's a folder named with the character s, and I repeatedly see it on the
desktop even though I deleted that folder.

Is this too due to update 330994?
 
Sorry I misunderstood. I would check the properties of the shortcut to see the
path it maps to for a clue as to what it belongs to or application it may be
associated with. Though it will generate a lot of events in the security log,
it might help to enable auditing of object access and process tracking. Then you
could audit write access to the desktop folder it is being created in and
possibly correlate the write event to a process which would have the same time.
The folder properties would have a created time/date that would help you narrow
down the search in the security log. --- Steve
 
Hello Steve..

I went through the logs as per your suggestion. I found the
following two log entries from the time of folder creation.

Can you tell me what that username BN$ is? I don't have
such a user.

Administrators, Administrator and System user were for that
folder.


Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 562
Date: 11/1/2003
Time: 4:36:03 PM
User: NT AUTHORITY\SYSTEM
Computer: BN
Description:
Handle Closed:
Object Server: Security Account Manager
Handle ID: 17544048
Process ID: 264
----------------------------------------------
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 11/1/2003
Time: 4:36:03 PM
User: NT AUTHORITY\SYSTEM
Computer: BN6
Description:
Object Open:
Object Server: Security Account Manager
Object Type: SAM_SERVER
Object Name: SAM
New Handle ID: 17544048
Operation ID: {0,99972121}
Process ID: 264
Primary User Name: BN$
Primary Domain: BAL.localhost
Primary Logon ID: (0x0,0x3E7)
Client User Name: BN$
Client Domain: BAL.localhost
Client Logon ID: (0x0,0x3E7)
Accesses EnumerateDomains
LookupDomain

Privileges -

I am not getting any idea how to track this.
Your valuable thoughts would be appreciated.

Thanks
 
Enabling auditing of object access generates a lot of system events such as those
below. I would be looking for an Event ID 560 for the parent folder where the
questionable folder is being created, but you first need to enable auditing of that
specific folder for write of folder and files. That folder [parent] would then appear
in the field for Object Name when write access to it has occurred. Username BN$ is a
computer name. You may or may not be able to find a correlating process in the
security log when that happens but it is worth a try. If you have another like
configured domain controller you might try to examine the processes running on it via
Task Manager, etc. to see if there is an additional process running on the one where
the mystery folder is appearing that may help pin it down. I am assuming a
virus/trojan scan did not find anything. --- Steve
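
Added example, not part of the original thread: a Python sketch of the correlation described above, run over a Security log exported as text in the layout Sandi quoted. It keeps only Event ID 560 opens of the audited parent folder that include an add-subfolder access, ignores SAM noise like the entries above, and joins each hit to an Event ID 592 (process tracking, new process created) entry by process ID. The sample log, path, process IDs and image name are constructed, and matching the 560 "Process ID" to the 592 "New Process ID" is an assumption of this sketch.

```python
import re

# Constructed sample in the Event Viewer text layout quoted in this thread;
# the path, process IDs and image name are made up for illustration.
SAMPLE_LOG = r"""Event ID: 592
Time: 4:35:58 PM
New Process ID: 1132
Image File Name: \Program Files\ExampleApp\helper.exe
----------------------------------------------
Event ID: 560
Time: 4:36:03 PM
Object Server: Security Account Manager
Object Type: SAM_SERVER
Object Name: SAM
Process ID: 264
Accesses EnumerateDomains
LookupDomain
----------------------------------------------
Event ID: 560
Time: 4:36:03 PM
Object Server: Security
Object Type: File
Object Name: C:\Documents and Settings\Administrator\Desktop
Process ID: 1132
Accesses AppendData (or AddSubdirectory or CreatePipeInstance)
"""

def parse_events(text):
    """Split on the dashed separator and read 'Field: value' lines into dicts."""
    events = []
    for chunk in re.split(r"^-{10,}\s*$", text, flags=re.M):
        ev = dict(re.findall(r"^\s*([A-Za-z ]+?):[ \t]*(\S.*?)\s*$", chunk, flags=re.M))
        # The access list has no colon and continues on the following lines.
        acc = re.search(r"^\s*Accesses\s+(.*?)(?=^\s*Privileges|\Z)", chunk, flags=re.M | re.S)
        ev["Accesses"] = acc.group(1).split("\n") if acc else []
        if "Event ID" in ev:
            events.append(ev)
    return events

def folder_writers(text, parent):
    """Event 560 opens of `parent` that can add a subfolder, joined to Event 592 by process ID."""
    events = parse_events(text)
    image = {e["New Process ID"]: e["Image File Name"] for e in events if e["Event ID"] == "592"}
    return [(e["Time"], e["Process ID"], image.get(e["Process ID"], "unknown (started before auditing)"))
            for e in events
            if e["Event ID"] == "560" and e.get("Object Name", "").lower() == parent.lower()
            and any("AddSubdirectory" in a for a in e["Accesses"])]
```

A hit whose process shows as unknown means the process was already running when process tracking was switched on, so no 592 entry exists for it in the exported log.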
 
Thanks Steve,

Your quick, valuable and correct guidance is appreciated.

I have enabled auditing for that folder as well as for
the desktop folder.
I have checked; there is no virus/trojan. Did an MBSA test.
Checked processes in Task Manager; everything is normal.

I will get back to you after log check.

 
Hello,

Still the problem is not resolved. After auditing the
folder we are not able to find why and how the folder is getting
created on the desktop.

What could be the next move?

 
Hi Sandi. Hard to tell from here. If the folder appears at boot up, I would check
startup programs, possibly disabling one at a time until folder is no longer being
created. It will be harder if it happens at random, but disabling programs to try to
narrow it down may help. All this may be difficult to do on a domain controller
unless there are other ones that can service clients. Maybe even setting deny
permissions to the folder after it appears will create an error message somewhere
along the line. Sometimes a reinstall from a backup is an option to consider or just
leaving it if you are confident it is not related to any malicious activity and
monitoring it to see if it grows. --- Steve

-----Original Message-----
It is a bug caused by an MS update 330994. See links
below. --- Steve

http://www.nhyrvana.com/~e2c/glitch_ab.html


http://computing.net/windowsxp/wwwboard/forum/66903.html

