SERVICES.EXE Mystery


Jay Somerset

Every couple of hours, services.exe tries to add the same two keys to my
WIN2K registry. I am running WIN2K/SP4 with the latest MS patches. The
system is not part of a domain.

The keys being rewritten are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"legalnoticecaption"=""
"legalnoticetext"=""

Why is this happening? I have checked services.exe for any virus, and it is
clean. Is this normal WIN2K behavior? Should I be concerned?
-Jay-
 
I don't know where you got that info but those two strings are populated via
your domain policy.

--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect
 
From: "Jay Somerset" <[email protected]>

| Every couple of hours, services.exe tries to add the same two keys to my
| WIN2K registry. I am running WIN2K/SP4 with the latest MS patches. The
| system is not part of a domain.
|
| The keys being rewritten are:
|
| [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
| "legalnoticecaption"=""
| "legalnoticetext"=""
|
| Why is this happening? I have checked services.exe for any virus, and it is
| clean. Is this normal WIN2K behavior? Should I be concerned?
| -Jay-

And the NEW added/modified text is... ?
 
From: "Jay Somerset" <[email protected]>

| Every couple of hours, services.exe tries to add the same two keys to my
| WIN2K registry. I am running WIN2K/SP4 with the latest MS patches. The
| system is not part of a domain.
|
| The keys being rewritten are:
|
| [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
| "legalnoticecaption"=""
| "legalnoticetext"=""
|
| Why is this happening? I have checked services.exe for any virus, and it is
| clean. Is this normal WIN2K behavior? Should I be concerned?
| -Jay-

And the NEW added/modified text is... ?

Exactly as described above. The fields are both set to blank ("").
-Jay-
 
I don't know where you got that info but those two strings are populated via
your domain policy.

I am running Kaspersky Labs AntiVirus 6, which can trap out changes to the
registry and permit them to be accepted or rejected. KLAV provided the
info.

I do not have a "domain policy" -- the system has never been configured to
be part of a domain.
-Jay-
 
|
| Exactly as described above. The fields are both set to blank ("").
| -Jay-

So what's the problem if the text is NULL, blank?
 
It could be malware related but it isn't services.exe specifically. Have you
run rsop.msc to see what policy has been applied?

Computer Configuration\Windows Settings\Security Settings\Local
Policies\Security Options
Interactive logon: Message title for users attempting to log on
Interactive logon: Message text for users attempting to log on

--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect
 
From: "Dave Patrick" <[email protected]>

| It could be malware related but it isn't services.exe specifically. Have you
| run rsop.msc to see what policy has been applied?
|
| Computer Configuration\Windows Settings\Security Settings\Local
| Policies\Security Options
| Interactive logon: Message title for users attempting to log on
| Interactive logon: Message text for users attempting to log on
|

I doubt it is malware related unless it actually put text into those fields.
Since Jay has indicated they are NULL, then I think the OS touched those Registry settings
and Kaspersky over-exuberantly made a false declaration of a Registry change.
 
|
| Exactly as described above. The fields are both set to blank ("").
| -Jay-

So what's the problem if the text is NULL, blank?

It may not present a security problem, per se, but the system shouldn't be
trying to rewrite these values, even with a null string, every 90-120
minutes.
 
I assumed null because his AV disallowed the changes.

Not so. Before I blocked further attempts, they went through. The result is
a repeated attempt to rewrite as null.

Doesn't make sense, and it's anomalous behavior, so I wondered if anyone had
ever seen this before, or had an explanation as to why services.exe was
trying to do this.
-Jay-
 
From: "Jay Somerset" <[email protected]>


|
| It may not present a security problem, per se, but the system shouldn't be
| trying to rewrite these values, even with a null string, every 90-120
| minutes.

I don't know. I haven't monitored that Registry key.

You say it is SERVICES.EXE. Ok, what is the fully qualified path to the SERVICES.EXE file
attempting these changes?
 
It could be malware related but it isn't services.exe specifically. Have you
run rsop.msc to see what policy has been applied?

Computer Configuration\Windows Settings\Security Settings\Local
Policies\Security Options
Interactive logon: Message title for users attempting to log on
Interactive logon: Message text for users attempting to log on

I know what the entries are, and their purpose. What I don't understand is
why services.exe is repeatedly trying to add these keys to the Registry.

Also, rsop.msc is not on my system. How can I install it? A google search
yielded no information on how to obtain and install this snap-in.
-Jay-
 
From: "Jay Somerset" <[email protected]>


|
| It may not present a security problem, per se, but the system shouldn't be
| trying to rewrite these values, even with a null string, every 90-120
| minutes.

I don't know. I haven't monitored that Registry key.

You say it is SERVICES.EXE. Ok, what is the fully qualified path to the SERVICES.EXE file
attempting these changes?

C:\WINNT\system32\services.exe
 
From: "Jay Somerset" <[email protected]>


|
| C:\WINNT\system32\services.exe

That's the legitimate location. Again this points away from malware.

The ONLY thing left is it may be a RootKit that is plugging into SERVICES.EXE

I suggest using the following anti RootKit Utility.
G.m.e.r. { Name & URL obfuscated due to a severe DDoS attack on mirrors }

h**p://www.young-andersen.dk/gamer/gamer.htm
 
Jay Somerset said:
I am running Kaspersky Labs AntiVirus 6, which can trap out changes to the
registry and permit them to be accepted or rejected. KLAV provided the
info.

I do not have a "domain policy" -- the system has never been configured to
be part of a domain.
-Jay-

But you do have a Local Security Policy that by default has these two
strings set to NULL. IIRC policy settings are *automatically* refreshed
every 90 minutes (with a 30 min random factor added in) and I suspect you
are catching this refresh process, although why it would try to update these
strings if they're not changing I don't know.
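The explanation above (a legitimate services.exe rewriting the two blank banner values on the Group Policy background refresh cycle of 90 minutes plus up to 30 random minutes) can be turned into a simple sanity check over a registry monitor's log. The following is an added example, not code from the thread or from any product mentioned in it; the log format, the sample events and the anomalous last line are constructed for illustration. It flags a write as worth a closer look when the writing process is not the legitimate path, when the value written differs from what the Local Security Policy holds (blank), or when the gap between refresh cycles falls outside the 90-120 minute window.

```python
"""Triage repeated writes to the logon-banner policy values.

Writes that come from the legitimate services.exe path, carry exactly the
values held by the Local Security Policy (blank by default) and arrive
every 90-120 minutes match the Group Policy background refresh described in
the thread; anything else is reported as a finding.
"""
import re
from datetime import datetime

# Values the Local Security Policy holds by default for the two banner strings.
POLICY_VALUES = {"legalnoticecaption": "", "legalnoticetext": ""}
# Legitimate location of services.exe on Windows 2000, as given in the thread.
LEGIT_PATH = r"C:\WINNT\system32\services.exe"
# Background refresh interval: 90 minutes plus a random offset of up to 30.
REFRESH_MIN, REFRESH_MAX = 90.0, 120.0

# Constructed sample of registry-monitor events (assumed format:
# "<date> <time> <process path> <value name> \"<value written>\"").
# The first six lines mimic three refresh cycles; the last line is a
# constructed anomaly (different path, non-policy text, wrong timing).
SAMPLE_LOG = """\
2007-03-01 08:02:11 C:\\WINNT\\system32\\services.exe legalnoticecaption ""
2007-03-01 08:02:11 C:\\WINNT\\system32\\services.exe legalnoticetext ""
2007-03-01 09:47:30 C:\\WINNT\\system32\\services.exe legalnoticecaption ""
2007-03-01 09:47:30 C:\\WINNT\\system32\\services.exe legalnoticetext ""
2007-03-01 11:40:05 C:\\WINNT\\system32\\services.exe legalnoticecaption ""
2007-03-01 11:40:05 C:\\WINNT\\system32\\services.exe legalnoticetext ""
2007-03-01 12:05:00 C:\\WINNT\\Temp\\svc.exe legalnoticetext "Please log in"
"""

LINE_RE = re.compile(r'^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) (\S+) "(.*)"$')


def parse_events(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        ts, path, name, value = m.groups()
        events.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "path": path, "name": name, "value": value})
    return events


def refresh_intervals(events):
    """Minutes between consecutive distinct write timestamps."""
    times = sorted({e["time"] for e in events})
    return [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]


def check_events(events):
    """Return a list of findings; an empty list means every write looks like
    the routine policy refresh."""
    findings = []
    for e in events:
        if e["path"].lower() != LEGIT_PATH.lower():
            findings.append(f"{e['time']}: write by unexpected process path {e['path']}")
        expected = POLICY_VALUES.get(e["name"])
        if expected is None:
            findings.append(f"{e['time']}: write to unmonitored value {e['name']}")
        elif e["value"] != expected:
            findings.append(f"{e['time']}: {e['name']} written as {e['value']!r} "
                            f"but local policy holds {expected!r}")
    times = sorted({e["time"] for e in events})
    for a, b in zip(times, times[1:]):
        minutes = (b - a).total_seconds() / 60
        if not REFRESH_MIN <= minutes <= REFRESH_MAX:
            findings.append(f"{minutes:.1f} min between {a:%H:%M:%S} and {b:%H:%M:%S} "
                            f"is outside the {REFRESH_MIN:.0f}-{REFRESH_MAX:.0f} min refresh window")
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("intervals (min):", [round(i, 1) for i in refresh_intervals(evs)])
    for finding in check_events(evs) or ["no findings: matches routine policy refresh"]:
        print(finding)
```

The first six sample events produce no findings, which is the pattern Jay observed; the constructed seventh event trips all three checks. On a real machine the path, value and interval checks are the same three questions the thread works through by hand.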
 
But you do have a Local Security Policy that by default has these two
strings set to NULL. IIRC policy settings are *automatically* refreshed
every 90 minutes (with a 30 min random factor added in) and I suspect you
are catching this refresh process, although why it would try to update these
strings if they're not changing I don't know.

Thanks for the info. That certainly explains what is happening. I was not
aware of any deliberate automatic refreshment of the policy settings --
seems kind of lame-brained to me.

As it appears to be innocuous (even if annoying) behavior, I have set up a
rule in Kaspersky AV to allow this to continue without notification.
-Jay-
 
Jay Somerset said:
Thanks for the info. That certainly explains what is happening. I was not
aware of any deliberate automatic refreshment of the policy settings --
seems kind of lame-brained to me.

As it appears to be innocuous (even if annoying) behavior, I have set up a
rule in Kaspersky AV to allow this to continue without notification.
-Jay-

In a single computer or non-domain situation the automatic refresh probably
is a bit over the top, but in a domain with server(s) and (many) client PCs a
policy may be changed centrally and the automatic refresh ensures changes
are promulgated without waiting for users to log off and/or reboot. :)
 