Any advice

  1. #1
    Member
    Join Date
    Oct 2001
    Posts
    31

    Any advice

    Well this has been happening to a co-worker for about 2 years. It happens with XP, Vista, and Win 7.

    While he is in the middle of doing things, the machine would blue screen, then reboot. Upon inspection, the Windows folder is totally empty. He would reinstall (he even tried using a virtual machine on a Linux box) and it would eventually happen again.

    Now I am unable to reproduce it... meaning I am unable to delete the contents of the Windows folder (locally and remotely), as I get a "file is in use" error on a lot of them, and when I try on the dll cache the File Protection window pops up (never happens on his machine).

    I have even tried Unlocker remotely, thinking someone was selecting all the files from an admin share and using Unlocker to unlock the files and mark them for deletion on a reboot, which of course didn't work.

    I have had his event logs going to our Syslog server, and after it happened the log doesn't show anything suspicious... it even has the blue screen event.

    I am at my wits' end trying to figure it out... I am fairly certain someone is doing it, because it only happens to him and only with his login.

    We are operating on a Windows 2003 AD domain (one thing we tried was removing all his admin credentials and changing all Domain Admin passwords to a 20-character random password with numbers and characters, and yes, it still happens).

    I am not sure where to start looking or trying to figure this out.

    Any ideas on how someone or something is deleting all the contents of the Windows folder?
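The poster's syslog feed shows nothing because the default Windows audit policy never records file deletions. As an added example (not from the thread, and not the poster's own setup), this PowerShell script turns on object-access auditing for the Windows folder so that the Security log records which account and process removed files before the next crash; it assumes Windows 7 / Server 2008 or later run from an elevated prompt, and the path and the `-IncludeSubfolders` switch are choices made here.

```powershell
# Added example: audit deletions under C:\Windows so the Security log (and a
# syslog forwarder reading it) captures the account and process responsible.
# Assumes Windows 7 / Server 2008+ and an elevated administrator session.
param(
    [string]$Path = 'C:\Windows',
    [switch]$IncludeSubfolders   # recursing over the whole folder is noisy; opt in
)

# 1. Enable the audit policy subcategory that actually emits file-system events.
#    A SACL on the folder does nothing until this is on.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Build an audit rule: log every Delete (and delete-of-children) by any
#    principal (Everyone, S-1-1-0), both successful and failed attempts.
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$rights   = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'
$inherit  = if ($IncludeSubfolders) {
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
} else {
    [System.Security.AccessControl.InheritanceFlags]::None
}
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $everyone, $rights, $inherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')

# 3. Attach the SACL entry to the folder (-Audit is required to read/write SACLs).
$acl = Get-Acl -Path $Path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 4. After the next incident, pull the delete events back out of the Security log.
#    4663 = access attempted on an object (carries account and process name),
#    4660 = object deleted. The message text is parsed with simple regexes.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663, 4660 } -MaxEvents 500 |
    Where-Object { $_.Message -match [regex]::Escape($Path) } |
    Select-Object TimeCreated, Id,
        @{ n = 'Account'; e = { if ($_.Message -match 'Account Name:\s+(\S+)') { $Matches[1] } } },
        @{ n = 'Process'; e = { if ($_.Message -match 'Process Name:\s+(.+)')  { $Matches[1].Trim() } } } |
    Format-Table -AutoSize
```

If the Security log on the affected machine is forwarded to syslog as the poster describes, the same 4663/4660 events will survive there even if the local log is lost with the rest of the Windows folder.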

  2. #2
    Super Moderator: GMT Zone nihil
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,178
    Try creating a new user...............don't tell anyone

    Give him a new machine..............no copy or transfer...........just like the old one died in action?

    Totally new everything, with nothing copied.

    Get HR to send a memo to all staff.............usual stuff.........you will instantly dismiss anyone found pissing with your system.......no references other than the truth...total application of the law..........you know it's the BIG HOUSE folks!!! Might also be an idea to send that as a letter to all employees........he can leave it lying around at home???

    He must surrender all external media.

    Then see if it happens?

    If it does, then what you have is probably living on your server.............have fun with that

    Unless, of course this is a laptop that he takes away with him.................???

    What exactly are the blue screen messages?
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  3. #3
    Member
    Join Date
    Oct 2001
    Posts
    31
    It's a generic 0xf4 (Google says check hardware), which it isn't, because it happens on whatever machine he is logged into (some being VirtualBox installs).

    I was thinking the same thing you suggested. Gonna basically mimic his environment (machine name as well as login) on a honeypot and see what happens from there.

  4. #4
    AO Senior Cow-beller
    Moderator
    zencoder
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    Quote Originally Posted by Pclinuxguru:
    It's a generic 0xf4 (Google says check hardware), which it isn't, because it happens on whatever machine he is logged into (some being VirtualBox installs).

    I was thinking the same thing you suggested. Gonna basically mimic his environment (machine name as well as login) on a honeypot and see what happens from there.
    That's a weird one. Maybe a driver for one of his apps, peripherals, etc?
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  5. #5
    THE Bastard Sys***** dinowuff
    Join Date
    Jun 2003
    Location
    Third planet from the Sun
    Posts
    1,247
    See if the user's account is in the Domain Guests security group.

    If it is, remove it and reinstall the OS - the problem will go bye-bye.
    09:F9:11:02:9D:74:E3:5B8:41:56:C5:63:56:88:C0

  6. #6
    Member
    Join Date
    Oct 2001
    Posts
    31
    No, Domain Guests is empty except for a local guest account that is disabled.

    As for the error, I assume it is because somehow everything is deleted or missing from the Windows folder, hence the BSOD (all the drivers and the registry are stored in there).

    I am not sure how that is even possible, even after trying it on a test machine. I was able to delete a lot of files, and upon reboot I get the error that hal.dll is missing, but booting from a flash drive still shows files inside the Windows folder. For the machine in question it is literally empty.

  7. #7
    Super Moderator: GMT Zone nihil
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,178
    It could be his user profile I suppose. I am not sure why, but a corrupted profile can cause all sorts of weird things to happen.

    It sounds very much like something he is carrying around with him like a roaming profile? or even something physical like an authentication token, USB drive or whatever.

    You say it happens with XP, Vista and 7, so the only consistency would be his server record?.............or something physical.

    I still think that it is time he was "born again" but do try to do it from scratch or you will risk copying the problem. Do you have another worker you could copy identical settings from?

    Very interesting, please let us know what happens.

  8. #8
    Senior Member Cope57
    Join Date
    Nov 2003
    Posts
    184
    PEBKAC or a new Windows feature.

    You asked for any advice.
    Computers do not have problems, they have users.
    ~Cope57

  9. #9
    Super Moderator: GMT Zone nihil
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,178
    Quote Originally Posted by Cope57:
    PEBKAC or a new Windows feature.

    1. It can't be the user, as you don't have enough authority, even as administrator.

    2. Not a corrupt Windows installation, as it happens with three different versions. Nor a hardware driver problem, for the same reason........it would hardly provoke the same problem in different versions.

    3. Not a malicious person as they wouldn't (shouldn't?) have that level of authority (also see #1).

    4. "New Windows Feature"..........yay!!! I'll buy that one .........M$ have kept it hidden from potential users since XP..............."Bad Microsoft!"

    At the end of the day it has to be something that Windows is doing as it closes down, or reboots after a crash (you can check that by rebooting to a live Linux CD/DVD and looking at the folder then).

    This is one I would certainly pass on to M$, as it is obviously inherent in Windows per se (XP, Vista, 7) and might be a potential attack vector?

    I still go for user profile and/or a user-specific physical device? but have absolutely no idea how or why.

    Last edited by nihil; February 16th, 2011 at 02:42 PM.

  10. #10
    THE Bastard Sys***** dinowuff
    Join Date
    Jun 2003
    Location
    Third planet from the Sun
    Posts
    1,247
    I am curious now. Since it's a screwed box anyway, log onto the box as local admin.

    Go to the offending user's profile and delete NTUSER.* You may have to muck about with permissions to do this...

    Reboot and try to log on as offending user.

    Either the thing won't boot fully into Windows, or ???
