IPSec monitor snap-in

William B. Lurie

I find the following failure repeatedly in my Event Monitor.
Could someone lead me to its resolution? Thank you.

Event Type: Failure Audit
Event Source: Security
Event Category: Policy Change
Event ID: 615
Date: 3/2/2010
Time: 6:51:08 AM
User: NT AUTHORITY\NETWORK SERVICE
Computer: COMPAQ-2006
Description:
IPSec Services: IPSec Services failed to get the complete list of
network interfaces on the machine. This can be a potential security
hazard to the machine since some of the network interfaces may not get
the protection as desired by the applied IPSec filters. Please run IPSec
monitor snap-in to further diagnose the problem.



For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
 
William said:
I find the following failure repeatedly in my Event Monitor.
Could someone lead me to its resolution? Thank you.

Event Type: Failure Audit
Event Source: Security
Event Category: Policy Change
Event ID: 615
Date: 3/2/2010
Time: 6:51:08 AM
User: NT AUTHORITY\NETWORK SERVICE
Computer: COMPAQ-2006
Description:
IPSec Services: IPSec Services failed to get the complete list of
network interfaces on the machine. This can be a potential security
hazard to the machine since some of the network interfaces may not get
the protection as desired by the applied IPSec filters. Please run IPSec
monitor snap-in to further diagnose the problem.



For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
*******************************************************
I searched and found, downloaded, and installed IPSec Diagnostic Tool.
I executed it, but it told me nothing and gave no report........
What's next?
 
William said:
I find the following failure repeatedly in my Event Monitor.
Could someone lead me to its resolution? Thank you.

Event Type: Failure Audit
Event Source: Security
Event Category: Policy Change
Event ID: 615
Date: 3/2/2010
Time: 6:51:08 AM
User: NT AUTHORITY\NETWORK SERVICE
Computer: COMPAQ-2006
Description:
IPSec Services: IPSec Services failed to get the complete list of
network interfaces on the machine. This can be a potential security
hazard to the machine since some of the network interfaces may not get
the protection as desired by the applied IPSec filters. Please run IPSec
monitor snap-in to further diagnose the problem.

XP Home or XP Pro? Is the machine part of a network or is it a stand
alone? Do you VPN into a server with this machine?

John
 
John said:
XP Home or XP Pro? Is the machine part of a network or is it a stand
alone? Do you VPN into a server with this machine?

John
See my later message about IPSec, John. I tried the test
and got no results at all.

It is XP Home/SP2 (SP3 is the same). It is a one-user-desktop, hardwired
to Ethernet/DSL line.
 
William said:
See my later message about IPSec, John. I tried the test
and got no results at all.

It is XP Home/SP2 (SP3 is the same). It is a one-user-desktop, hardwired
to Ethernet/DSL line.

I'm not really sure why you would be getting these failure audits on
policy changes on a Windows XP Home machine. I don't think that these
settings can be enabled via the registry and the XP Home version has no
Local Security Policy tool, and it doesn't have a Group Policy snap-in
so I'm not sure how you managed to enable the "Audit policy change"
feature on your machine.

Unless IPSEC is configured the error is benign, you might have 'phantom'
adapters on your machine, verify and make sure that no phantom adapters
are present.

http://support.microsoft.com/kb/315539
Device Manager does not display devices that are not connected to the
Windows XP-based computer

If you aren't making VPN connections then there is little to no
likelihood that IPSEC is configured or even used on your machine, set
the IPSEC service to Manual and see if these errors persist.

John
 
John said:
I'm not really sure why you would be getting these failure audits on
policy changes on a Windows XP Home machine. I don't think that these
settings can be enabled via the registry and the XP Home version has no
Local Security Policy tool, and it doesn't have a Group Policy snap-in
so I'm not sure how you managed to enable the "Audit policy change"
feature on your machine.

Unless IPSEC is configured the error is benign, you might have 'phantom'
adapters on your machine, verify and make sure that no phantom adapters
are present.

http://support.microsoft.com/kb/315539
Device Manager does not display devices that are not connected to the
Windows XP-based computer

If you aren't making VPN connections then there is little to no
likelihood that IPSEC is configured or even used on your machine, set
the IPSEC service to Manual and see if these errors persist.

John
I'd be glad to try that, John. But can you lead me to it?
 
William said:
I'd be glad to try that, John. But can you lead me to it?

In the Start menu Run box enter the following command:

services.msc

this will open the Services management console. Go down the list to the
"IPSEC Services" and double click on it and in the drop down box change
the "Startup type" to "Manual". Don't forget to click on the "Apply"
button to commit the changes.

John
 
John said:
In the Start menu Run box enter the following command:

services.msc

this will open the Services management console. Go down the list to the
"IPSEC Services" and double click on it and in the drop down box change
the "Startup type" to "Manual". Don't forget to click on the "Apply"
button to commit the changes.

John
That was easy, John. Preliminary checks seem to indicate that the error
doesn't show up again in the Events Viewer. I'll check it some more.
Now if I could get the ATI errors and anomalies to go away, that would
be nice, too. I wonder how many other things are starting up, and
slowing my startup up every time, that are totally superfluous.
 
William said:
That was easy, John. Preliminary checks seem to indicate that the error
doesn't show up again in the Events Viewer. I'll check it some more.
Now if I could get the ATI errors and anomalies to go away, that would
be nice, too. I wonder how many other things are starting up, and
slowing my startup up every time, that are totally superfluous.

Start a new thread for your ATI errors and problems. To get an idea of
what is running when the computer is booted you can run two Windows
utilities and then search the internet for advice on the processes and
processes that are running.

First you can run the Tasklist command. Tasklist is included with
Windows XP Pro but not with XP Home, XP Home users can download
Tasklist.exe here: http://www.computerhope.com/download/winxp.htm
Download it and put it in your Windows\System32 folder.

Reboot your computer and allow it to settle down and then run these
commands at the Command Prompt:

tasklist /svc >C:\startlist.txt
net start >>C:\startlist.txt

Note the double redirector (>>) in the second command, the double
redirector instructs the command to append the output to the already
existing startlist.txt file. After you run the commands you can open
the c:\startlist.txt file and use it for your research.

These tools can help you find programs or services that automatically
start when the computer is booted:

CodeStuff Starter
http://codestuff.tripod.com/

Autoruns for Windows
http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

Be very careful with Autoruns! Don't disable things that you are unsure
of! Do your homework before you disable things.

You will have to do a bit of research and decide for yourself what you
want or need to have running for your particular use of the computer.
Do a search on the internet for the running processes and find out what
they are for. Sites like these have good information on a number of
processes:

Answers That Work - Task List Programs
http://www.answersthatwork.com/Tasklist_pages/tasklist.htm

Windows XP x86 (32-bit) Service Pack 3 Service Configurations by Black Viper
http://www.blackviper.com/WinXP/servicecfg.htm

Services Guide for Windows XP
http://www.theeldergeek.com/services_guide.htm

Runscanner Public process list
http://www.runscanner.net/filelist.aspx?l=a

Startup Applications List
http://www.sysinfo.org/startuplist.php

John
 
John said:
Start a new thread for your ATI errors and problems. To get an idea of
what is running when the computer is booted you can run two Windows
utilities and then search the internet for advice on the processes and
processes that are running.

First you can run the Tasklist command. Tasklist is included with
Windows XP Pro but not with XP Home, XP Home users can download
Tasklist.exe here: http://www.computerhope.com/download/winxp.htm
Download it and put it in your Windows\System32 folder.

Reboot your computer and allow it to settle down and then run these
commands at the Command Prompt:

tasklist /svc >C:\startlist.txt
net start >>C:\startlist.txt

Note the double redirector (>>) in the second command, the double
redirector instructs the command to append the output to the already
existing startlist.txt file. After you run the commands you can open
the c:\startlist.txt file and use it for your research.

These tools can help you find programs or services that automatically
start when the computer is booted:

CodeStuff Starter
http://codestuff.tripod.com/

Autoruns for Windows
http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

Be very careful with Autoruns! Don't disable things that you are unsure
of! Do your homework before you disable things.

You will have to do a bit of research and decide for yourself what you
want or need to have running for your particular use of the computer.
Do a search on the internet for the running processes and find out what
they are for. Sites like these have good information on a number of
processes:

Answers That Work - Task List Programs
http://www.answersthatwork.com/Tasklist_pages/tasklist.htm

Windows XP x86 (32-bit) Service Pack 3 Service Configurations by Black
Viper
http://www.blackviper.com/WinXP/servicecfg.htm

Services Guide for Windows XP
http://www.theeldergeek.com/services_guide.htm

Runscanner Public process list
http://www.runscanner.net/filelist.aspx?l=a

Startup Applications List
http://www.sysinfo.org/startuplist.php

John
John, I responded to this an hour ago but the message went
I know not where.

I tried to do the tasklist download, from a link which
seemed to say tasklist, but couldn't get any tasklist.exe
to execute. It seemed to be the right place but everything
came up Safexp and so on. Simply changing the names didn't
seem to work. May I bother you again to refine the above
instructions? Thank you......
 
William said:
John, I responded to this an hour ago but the message went
I know not where.

I tried to do the tasklist download, from a link which
seemed to say tasklist, but couldn't get any tasklist.exe
to execute. It seemed to be the right place but everything
came up Safexp and so on. Simply changing the names didn't
seem to work. May I bother you again to refine the above
instructions? Thank you......

Direct download link to Tasklist.exe:

http://www.computerhope.com/download/winxp/tasklist.exe

Download it and place it in your C:\Windows\System32 folder then run the
commands as instructed in the earlier post.

John
 
John said:
Direct download link to Tasklist.exe:

http://www.computerhope.com/download/winxp/tasklist.exe

Download it and place it in your C:\Windows\System32 folder then run the
commands as instructed in the earlier post.

John
John, sorry to be a bother..... by the time your redirection info
arrived, I had already corrected my error, downloaded tasklist.exe,
saved it in C:\windows\system32, verified that it is there, and executed
what you said, from the cmd prompt.

It asked me about running a program from an unknown source, which
I allowed it to do. I then followed your instructions but couldn't
find the .TXT file...... I did, however, find a new file HPWebHelper.log
of about 345K size. May I have your further advice?
 
William said:
John, sorry to be a bother..... by the time your redirection info
arrived, I had already corrected my error, downloaded tasklist.exe,
saved it in C:\windows\system32, verified that it is there, and executed
what you said, from the cmd prompt.

It asked me about running a program from an unknown source, which
I allowed it to do. I then followed your instructions but couldn't
find the .TXT file...... I did, however, find a new file HPWebHelper.log
of about 345K size. May I have your further advice?

??? I just downloaded and ran the Tasklist.exe utility from the direct
download link provided and it runs here without any problems.

You have to run these commands from the Command Prompt. If you ran the
commands properly the startlist.txt file will be in the root of the C:
drive, search for the file or try entering this in the Start menu Run box:

C:\startlist.txt

John
 
John said:
??? I just downloaded and ran the Tasklist.exe utility from the direct
download link provided and it runs here without any problems.

You have to run these commands from the Command Prompt. If you ran the
commands properly the startlist.txt file will be in the root of the C:
drive, search for the file or try entering this in the Start menu Run box:

C:\startlist.txt

John
Sorry, John. I've been *extra* careful to do exactly what you said.
I did a complete search, and startlist.txt just doesn't get created.
And it asks permission to execute tasklist.exe every time. Is there
some workaround? Can I somehow execute it from other than the
command prompt?
 
William said:
Sorry, John. I've been *extra* careful to do exactly what you said.
I did a complete search, and startlist.txt just doesn't get created.
And it asks permission to execute tasklist.exe every time. Is there
some workaround? Can I somehow execute it from other than the
command prompt?

These commands are meant to be run from the command prompt (or in
scripts and batch files).

Forget the Tasklist command for the time being and try it with the net
start command, the Net command is already included in your XP Home
installation and it should run without problems, try this simple command:

net start

the command should return a list of running services on the machine.
Capturing the output of the command to a text file will make it
easier to research the services and processes and keep track of changes
that you want to make. To capture the output and redirect to a text
file use the > redirector:

net start >c:\test.txt


Using double >> redirectors appends the output to the end of the file
without deleting the already existing contents of the file:

net start >>c:\test.txt


Run the net start commands above and see if you can find the output
file. You should be able to do the same thing with the Tasklist command.

The message you get with the downloaded Tasklist is caused by security
settings on your computer. "Streams" are added to files downloaded from
the internet, when you try to execute the downloaded file the stream is
detected and you are asked to confirm your action. Streams (properly
called Alternate Data Streams) are an NTFS only feature, they are only
available on NTFS drives. When you are sure that a downloaded file is
safe you can get rid of the stream by copying the file to non NTFS media
like a FAT diskette, a FAT32 thumb drive or burn it to a CD and the
stream will be stripped, you can then just copy the file back to the
NTFS drive, the streams will be stripped but the actual contents of the
file will remain unchanged.

John
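
The download mark described in the post above, as an added example that is not part of the original thread: Windows keeps it in an alternate data stream named Zone.Identifier, and the Python below parses that stream so the recorded zone can be checked before a downloaded file is trusted. The function names are illustrative and the sample stream is constructed; reading the stream from a real file only works on Windows with an NTFS volume.

```python
import sys

# ZoneId values used by Windows URL security zones.
ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}

STREAM_NAME = "Zone.Identifier"

# Constructed sample: the stream content written for an Internet download.
SAMPLE_STREAM = "[ZoneTransfer]\r\nZoneId=3\r\n"


def parse_zone_id(stream_text):
    """Return the ZoneId from the [ZoneTransfer] section, or None if absent/invalid."""
    in_section = False
    for raw in stream_text.splitlines():
        line = raw.lstrip("\ufeff").strip()   # tolerate a byte-order mark
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "zonetransfer"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "zoneid":
                try:
                    return int(value.strip())
                except ValueError:
                    return None
    return None


def describe_zone(stream_text):
    """Summarise a stream's content; None means the file carries no mark."""
    if stream_text is None:
        return "no Zone.Identifier stream (file is not tagged)"
    zone = parse_zone_id(stream_text)
    if zone is None:
        return "stream present but no valid ZoneId"
    return "ZoneId=%d (%s)" % (zone, ZONES.get(zone, "unknown zone"))


def read_zone_stream(path):
    """Read <path>:Zone.Identifier. Works on Windows/NTFS only; returns None
    when the stream does not exist or the file system has no streams."""
    try:
        with open(path + ":" + STREAM_NAME, "r", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(describe_zone(read_zone_stream(sys.argv[1])))
    else:
        print(describe_zone(SAMPLE_STREAM))
```
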
 
John said:
These commands are meant to be run from the command prompt (or in
scripts and batch files).

Forget the Tasklist command for the time being and try it with the net
start command, the Net command is already included in your XP Home
installation and it should run without problems, try this simple command:

net start

the command should return a list of running services on the machine.
Capturing the output of the command to a text file will make it
easier to research the services and processes and keep track of changes
that you want to make. To capture the output and redirect to a text
file use the > redirector:

net start >c:\test.txt


Using double >> redirectors appends the output to the end of the file
without deleting the already existing contents of the file:

net start >>c:\test.txt


Run the net start commands above and see if you can find the output
file. You should be able to do the same thing with the Tasklist command.

The message you get with the downloaded Tasklist is caused by security
settings on your computer. "Streams" are added to files downloaded from
the internet, when you try to execute the downloaded file the stream is
detected and you are asked to confirm your action. Streams (properly
called Alternate Data Streams) are an NTFS only feature, they are only
available on NTFS drives. When you are sure that a downloaded file is
safe you can get rid of the stream by copying the file to non NTFS media
like a FAT diskette, a FAT32 thumb drive or burn it to a CD and the
stream will be stripped, you can then just copy the file back to the
NTFS drive, the streams will be stripped but the actual contents of the
file will remain unchanged.

John
No sweat, John. net start alone gave me the file test.txt, and
the >> gave me the same thing twice.

I don't know why tasklist.exe doesn't play. That command line
has more to it, though.

So now I have the list, and I can decide which of those files
I really don't want; that's the next game, right?
 
William said:
No sweat, John. net start alone gave me the file test.txt, and
the >> gave me the same thing twice.

I don't know why tasklist.exe doesn't play. That command line
has more to it, though.

So now I have the list, and I can decide which of those files
I really don't want; that's the next game, right?
FYI, John, here's the fat list of test.txt:
These Windows services are started:

Application Layer Gateway Service
Ati HotKey Poller
Automatic Updates
COM+ Event System
Cryptographic Services
DCOM Server Process Launcher
DHCP Client
Distributed Link Tracking Client
DNS Client
Event Log
Fast User Switching Compatibility
Help and Support
LexBce Server
lxct_device
Machine Debug Manager
Network Connections
Network Location Awareness (NLA)
Norton AntiVirus
Norton Save and Restore
Norton UnErase Protection
Pervasive PSQL Workgroup Engine
Plug and Play
Print Spooler
Protected Storage
Remote Access Connection Manager
Remote Procedure Call (RPC)
Secondary Logon
Security Accounts Manager
Server
Shell Hardware Detection
Speed Disk service
SSDP Discovery Service
System Event Notification
Task Scheduler
TCP/IP NetBIOS Helper
Telephony
Terminal Services
Themes
Universal Plug and Play Device Host
Viewpoint Manager Service
WebClient
Windows Audio
Windows Firewall/Internet Connection Sharing (ICS)
Windows Image Acquisition (WIA)
Windows Management Instrumentation
Windows Time
Wireless Zero Configuration
Workstation

The command completed successfully.
 
William said:
No sweat, John. net start alone gave me the file test.txt, and
the >> gave me the same thing twice.

You only have one half of the list... if even that much. The net start
command will only give you the list of running services, I'll bet $5 to
$1 that you have at twice as many processes running as you do services!
Not to mention that services are usually much better behaved than
processes so processes are usually more likely to bog down a machine
than services.

I don't know why tasklist.exe doesn't play. That command line
has more to it, though.

Look at the list of processes in the Task Manager, Tasklist gives you
this information (and more) and allows you to capture the list to an
output file. You need to strip the streams from the file, I think that
when you execute the command and are prompted to confirm the command is
relaunched minus any switches or redirection operators.


So now I have the list, and I can decide which of those files
I really don't want; that's the next game, right?

Well, yes... sort of. You have the list of services, you set the
unnecessary services to Manual start. A few of them you set to
Disabled, there aren't many services that should be disabled, setting
unwanted services to Manual start is usually the way to handle
unnecessary services. If you want you can post the list of services and
we might suggest obvious candidates for the removal list.

John
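
The capture-and-append workflow from the posts above, as an added example that is not part of the original thread: because `>>` appends each `net start` run to the same file, the Python below splits such a file into one snapshot per run and reports which services appeared or disappeared between runs, which is how a change such as setting a service to Manual can be confirmed. It assumes the English header and footer lines shown in the thread; the function names are illustrative and the sample capture is constructed from service names in the thread.

```python
import sys

HEADER = "These Windows services are started:"
FOOTER = "The command completed successfully."

# Constructed sample: two runs appended to one file with ">>".
SAMPLE = """These Windows services are started:

   DHCP Client
   DNS Client
   Event Log
   IPSEC Services
   Print Spooler

The command completed successfully.

These Windows services are started:

   DHCP Client
   DNS Client
   Event Log
   Print Spooler
   Viewpoint Manager Service

The command completed successfully.
"""


def parse_snapshots(text):
    """Return one set of service names per `net start` run found in the text."""
    snapshots, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == HEADER:
            current = set()               # a new run begins
        elif line == FOOTER:
            if current is not None:
                snapshots.append(current)
            current = None
        elif line and current is not None:
            current.add(line)             # a service display name
    if current is not None:               # last run was cut off before the footer
        snapshots.append(current)
    return snapshots


def diff_snapshots(before, after):
    """Services that started or stopped between two runs."""
    return {"started": sorted(after - before),
            "stopped": sorted(before - after)}


def changes_over_time(text):
    """Diff every run against the run that precedes it in the file."""
    snaps = parse_snapshots(text)
    return [diff_snapshots(a, b) for a, b in zip(snaps, snaps[1:])]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "r", errors="replace") as fh:
            data = fh.read()
    else:
        data = SAMPLE
    for number, change in enumerate(changes_over_time(data), start=2):
        print("run %d: started=%s stopped=%s"
              % (number, change["started"], change["stopped"]))
```
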
 
William said:
FYI, John, here's the fat list of test.txt:
These Windows services are started:

Application Layer Gateway Service
Ati HotKey Poller
Automatic Updates
COM+ Event System
Cryptographic Services
DCOM Server Process Launcher
DHCP Client
Distributed Link Tracking Client
DNS Client
Event Log
Fast User Switching Compatibility
Help and Support
LexBce Server
lxct_device
Machine Debug Manager
Network Connections
Network Location Awareness (NLA)
Norton AntiVirus
Norton Save and Restore
Norton UnErase Protection
Pervasive PSQL Workgroup Engine
Plug and Play
Print Spooler
Protected Storage
Remote Access Connection Manager
Remote Procedure Call (RPC)
Secondary Logon
Security Accounts Manager
Server
Shell Hardware Detection
Speed Disk service
SSDP Discovery Service
System Event Notification
Task Scheduler
TCP/IP NetBIOS Helper
Telephony
Terminal Services
Themes
Universal Plug and Play Device Host
Viewpoint Manager Service
WebClient
Windows Audio
Windows Firewall/Internet Connection Sharing (ICS)
Windows Image Acquisition (WIA)
Windows Management Instrumentation
Windows Time
Wireless Zero Configuration
Workstation

The command completed successfully.

It's a desktop, you are the sole user and it is a stand alone? Do you
share files with others on the internet (with things like Limewire)? Do
you have/use a wireless router?

John
 
John said:
You only have one half of the list... if even that much. The net start
command will only give you the list of running services, I'll bet $5 to
$1 that you have at twice as many processes running as you do services!
Not to mention that services are usually much better behaved than
processes so processes are usually more likely to bog down a machine
than services.



Look at the list of processes in the Task Manager, Tasklist gives you
this information (and more) and allows you to capture the list to an
output file. You need to strip the streams from the file, I think that
when you execute the command and are prompted to confirm the command is
relaunched minus any switches or redirection operators.
*******************************
******************************
John, I think you're right about the command not relaunching with
switches, and I'd like to do it fully, but is there another
workaround? I'm in this so deep, I'd love to pursue it further
and maybe speed up the boot process, and get rid of unnecessary
churning of the CPU and hard drive.
*************************************
*************************************
 