missing key/value in registry of w2k server - how to track it?



kono
07-09-2005, 10:53 PM
Hi there,
Recently I had a problem where a key, including its value, in the registry had
been deleted / was missing, but I cannot find why or by whom. My question is:
perhaps there is a way to zoom in on why it could have happened and how to track
the cause of the missing key/value in the registry? Are there any tools to help
with it? Thanks for your help.....

Roger Abell [MVP]
07-09-2005, 10:53 PM
The main way to uncover such things is the event log if there was
auditing configured before the event occurred. After it is done and
the change has happened there is little trace that remains, but one
can always examine the system for unknown/suspect software.

--
Roger Abell
Microsoft MVP (Windows Server: Security)

"kono" <kono@discussions.microsoft.com> wrote in message
news:B8A63223-0A8A-41EB-90F5-468450A5BA44@microsoft.com...
> Hi there,
> Recently I had a problem where a key, including its value, in the registry had
> been deleted / was missing, but I cannot find why or by whom. My question is:
> perhaps there is a way to zoom in on why it could have happened and how to
> track the cause of the missing key/value in the registry? Are there any tools
> to help with it? Thanks for your help.....

kono
07-09-2005, 10:53 PM
Hi Roger,
The event log didn't cover the time when the problem occurred, since I found that
the oldest system/security event log entries were cleaned up and only the last 3 days
remain. The problem was encountered 6 days ago..... please advise...

"Roger Abell [MVP]" wrote:

> The main way to uncover such things is the event log if there was
> auditing configured before the event occurred. After it is done and
> the change has happened there is little trace that remains, but one
> can always examine the system for unknown/suspect software.
>
> --
> Roger Abell
> Microsoft MVP (Windows Server: Security)
>
> "kono" <kono@discussions.microsoft.com> wrote in message
> news:B8A63223-0A8A-41EB-90F5-468450A5BA44@microsoft.com...
> > Hi there,
> > Recently I had a problem where a key, including its value, in the registry had
> > been deleted / was missing, but I cannot find why or by whom. My question is:
> > perhaps there is a way to zoom in on why it could have happened and how to
> > track the cause of the missing key/value in the registry? Are there any tools
> > to help with it? Thanks for your help.....
>
>
>

Roger Abell
07-09-2005, 10:53 PM
If the disappearing key/value is recurring, happening over
and over each time you reestablish the key/value, then you
could consider increasing the size of the security log, making
sure that the auditing ACL of the relevant key is set to record
any change events for Everyone, and that the audit policy is
set to record success and failure for object access.

Other than that there really is no record of what has happened,
at least not in a standard fashion (ex. some software may have
written a custom log file).

--
Roger Abell
Microsoft MVP (Windows Security)

"kono" <kono@discussions.microsoft.com> wrote in message
news:F720537B-641E-4A55-84B6-30AB99AF2BC9@microsoft.com...
> Hi Roger,
> The event log didn't cover the time when the problem occurred, since I found that
> the oldest system/security event log entries were cleaned up and only the last 3 days
> remain. The problem was encountered 6 days ago..... please advise...
>
> "Roger Abell [MVP]" wrote:
>
> > The main way to uncover such things is the event log if there was
> > auditing configured before the event occurred. After it is done and
> > the change has happened there is little trace that remains, but one
> > can always examine the system for unknown/suspect software.
> >
> > --
> > Roger Abell
> > Microsoft MVP (Windows Server: Security)
> >
> > "kono" <kono@discussions.microsoft.com> wrote in message
> > news:B8A63223-0A8A-41EB-90F5-468450A5BA44@microsoft.com...
> > > Hi there,
> > > Recently I had a problem where a key, including its value, in the registry
> > > had been deleted / was missing, but I cannot find why or by whom. My question
> > > is: perhaps there is a way to zoom in on why it could have happened and how to
> > > track the cause of the missing key/value in the registry? Are there any tools
> > > to help with it? Thanks for your help.....
> >
> >
> >
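
The three settings from the reply above (a larger security log, an auditing ACL on the key for Everyone, and object-access audit policy), as an added PowerShell example that is not part of the thread. It assumes a current Windows version with PowerShell, `auditpol` and `wevtutil` rather than the Windows 2000 server discussed; the key path and log size are hypothetical placeholders, and the event IDs are those used by current Windows security logs.

```powershell
# Added example: run from an elevated PowerShell session.
# Hypothetical placeholder key; substitute the key that keeps disappearing.
$keyPath = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'

# 1. Audit policy: record success and failure for registry object access.
#    (The subcategory name shown is the English one.)
auditpol /set /subcategory:"Registry" /success:enable /failure:enable

# 2. Auditing ACL (SACL) on the key: log changes made by Everyone (SID S-1-1-0),
#    inherited by subkeys.
$everyone = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList 'S-1-1-0'
$rule = New-Object System.Security.AccessControl.RegistryAuditRule -ArgumentList @(
    $everyone,
    [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete',
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl = Get-Acl -Path $keyPath -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# 3. Enlarge the Security log so entries are not overwritten within days.
#    256 MB is a constructed sample size, given in bytes.
wevtutil sl Security /ms:268435456

# 4. After the key/value disappears again, list which account and process touched it.
#    4657 = registry value modified, 4663 = access attempt on an object.
$leaf = Split-Path -Path $keyPath -Leaf
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657, 4663 } |
    ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            User    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Process = $data['ProcessName']
            Key     = $data['ObjectName']
            Value   = $data['ObjectValueName']   # empty for 4663
        }
    } |
    Where-Object { $_.Key -like "*\$leaf*" } |
    Sort-Object Time
```

Steps 1 to 3 only capture changes made after they are applied, so they have to be in place before the key/value goes missing again.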

