February 11th, 2011, 06:42 PM
Well this has been happening to a co-worker for about 2 years. It happens with XP, Vista, and Win 7.
While he is in the middle of doing things machine would blue screen then reboot. Upon inspection the windows folder is totally empty. He would reinstall (he even tryed using a virtual machine on a linux box) and it would eventually happen again.
Now I am unable to reproduce it... meaning I am unable to delete the contents of the windows folder (locally and remotely) as I get the file is in use error on a lot of them and when I try on the dll cache the File Protection window pops up (never happens on his machine).
I have even tried Unlocker remotely thinking someone was selecting all the files from a admin share and using Unlocker to unlock files and mark them for deletion on a reboot which of course didn't work.
I have had his event logs going to our Syslog server and after it happened the log doesn't show anything suspicious... it even has the blue screen event.
I am at my whits end trying to figure it out... I am fairly certain someone is doing it because it only happens to him and only his login.
We are operating on a Windows 2003 AD domain (one thing we tried was removing all his admin credentials and changing all Domain Admin passwords to a 20 character random with numbers and characters and yes it still happens).
I am not sure where to start looking or trying to figure this out.
Any ideas on how someone or something is deleteing all the contents of the windows folder?
February 11th, 2011, 07:43 PM
February 11th, 2011, 09:44 PM
It's a generic 0xf4 (google says check hardware) which it isn't hardware because it happens on whatever machine he is logged into (some being Virtual Box installs.
I was thinking the same thing you suggested. Gonna basically mimic his environment (machine name as well as log in) on a honey pot and see what happens from there.
February 11th, 2011, 09:58 PM
That's a weird one. Maybe a driver for one of his apps, peripherals, etc?
Originally Posted by Pclinuxguru
"Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
"...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore
February 11th, 2011, 09:58 PM
See if the users account is in the Domain Guests security group.
If it is, remove and reinstall the OS - Problem will go bye-bye
February 11th, 2011, 10:09 PM
No Domain Guests is empty except a local guest account that is disabled.
As for the error I assume it is because some how everything is deleted or missing from the windows folder hence the bsod (all the drivers and registry are stored in there).
I am not sure how that is even possible even after trying it on a test machine. I was able to delete a lot of files and upon reboot I get the error that hal.dll is missing but booting from a flash drive still shows files inside the windows folder. For the machine in question it is literally empty.
February 12th, 2011, 01:05 PM
It could be his user profile I suppose. I am not sure why, but a corrupted profile can cause all sorts of weird things to happen.
It sounds very much like something he is carrying around with him like a roaming profile? or even something physical like an authentication token, USB drive or whatever.
You say it happens with XP, Vista and 7, so the only consistency would be his server record?.............or something physical.
I still think that it is time he was "born again" but do try to do it from scratch or you will risk copying the problem. Do you have another worker you could copy identical settings from?
Very interesting, please let us know what happens.
February 16th, 2011, 04:31 AM
Pebkac or a new Windows feature.
You asked for any advice.
Computers do not have problems, they have users.
February 16th, 2011, 03:40 PM
Last edited by nihil; February 16th, 2011 at 03:42 PM.
February 16th, 2011, 04:33 PM
I am curious now. Since it's a screwed box anyway, log onto the box as local admin.
go to the offending users profile and delete NTUSER.* You may have to muck about permissions to do this...
Reboot and try to log on as offending user.
Either the thing wont boot fully into windows or ???
By LiquidFlame in forum Newbie Security Questions
Last Post: February 14th, 2008, 11:33 AM
By Jazzmaster in forum Training/Conference Reviews
Last Post: December 4th, 2006, 08:12 AM
By domtheboy in forum Web Security
Last Post: July 15th, 2004, 01:52 PM
By Viper2026 in forum AntiOnline's General Chit Chat
Last Post: December 2nd, 2003, 04:53 PM
By Remote_Access_ in forum Security Archives
Last Post: January 8th, 2002, 09:58 AM