[Samba] Migration: server with smb 2.2 -> new server, 2.2 too, weird issues
Alejandro Hernández
alejandro.hernandez at ibi.mju.es
Thu Jul 7 10:12:53 GMT 2005
Hello all at the samba list.
The other day there was a server migration; the old one had Samba 2.2
(.6) working normally. Every user logged in to the domain without problems,
their SIDs and the domain SID were right, everything was ideal. But a
server update was needed, and a new server was installed, also with
Samba 2.2 (.12). The difference in version is not important this time, as
other steps have come from far older versions.
They have chosen not to use Samba 3. Don't ask me why, they don't want
Samba 3.
We have a mechanism of transparent domain migration that implies zero
notices to the user. It consists of re-creating, at the Unix level, the
same accounts existing on the old server: user & machine names, IDs,
homes, shell, etc., via a shell script that exports and imports passwd
file values. Then, at Samba level, the server is configured with the
same values it had on the older server in smb.conf, a few other values
are set, and finally the old server's secrets.tdb and smbpasswd files are
copied and left alone. They never know we change servers; only if they
notice more speed, and they never tell us.
But this time something went wrong. First of all, we didn't do the
migration and were not asked to intervene in the migration. Thus, they
used their own method. They overwrote the new /etc/passwd file with the
old /etc/passwd (a typical cp). The old one used shadow, the new one
doesn't. It took the teams involved (we were called later in the
process) 3 hours to minimally correct the accounts so anyone could log
in without problems.
It's clear it was not correct from this moment onwards. At this
stage, nobody could join the domain. I was not at work (my mates left at
2:00 AM), so the next day I could correct it. Just by putting back the two
main Samba files, a lot of machines & users (about 100 out of 300 machines
in total) could start working. After some hours of tuning and
correcting smb files, more than 200 could finally work. The problem lies
in the rest; they are not a lot, but critical.
Before I put back the couple of Samba files, the message they were
getting was that of "the domain is unavailable or the machine account
does not exist", or something like that. I've seen it thousands of times but
can't remember. After putting the files back, the message was something like
"User or password incorrect, check caps lock key, or try to type better, etc."
You may know the message; again, I can't remember.
It is not the password or user, for sure. I tested with one user, changing
her password. Nothing. Inconceivable. This last step is never needed.
Between this and that, I restarted Samba 3 or 5 times (I know 99% of the
time it's not needed, and in these cases it isn't, but...). I even brought
MACHINE.SID. Nothing at all. Once, I can't remember well, the user
logged in with the old password re-set (surely the MACHINE.SID and a Samba
restart had something to do with it) but couldn't use the remote profile (the
typical messages... again very often seen), which gets corrected with "profile
acls = yes" and by changing the marvellous setting MS put in recent SPs of
their fabulous OS. Users could use their profiles. So I won a dozen or so
more, and the defective number was decreasing but not disappearing.
It was OK for one user. For the rest of the network users on the machine
(local profiles are used), no solution. None can log in to the domain.
None. On other machines, no user can log in at all, and of course it
happens on the most important ones. Whether or not I do the trick from
before, the message I get is that of "User or password incorrect", which is
not true. It must refer to something deeeeeep inside.
It may be due to the differences between PCs... but they are all "kits"
designed here, so they all have the same configuration. Worth another
look anyway.
Before going into logs and config files, has anybody suffered from
something like this? Is there or has there been anybody with the same
headaches? Should I use only roaming profiles with no local storing?
I have attached some files: smb.conf, some smb.log of users (traces
varied from 1 to 3, with no explicit messages at all, like other cases
that helped me a lot) and a regmon (sysinternals.com) log file that has
given me some clues.
############ SMB.CONF
# Global parameters
[global]
workgroup = SERVER_SMB
netbios name = SERVER
encrypt passwords = Yes
null passwords = Yes
smb passwd file = /etc/samba/lib/smbpasswd
log file = /tmp/%m_%U
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8576 SO_SNDBUF=8576
add user script = /etc/samba/bin/crea_maquina.sh %m
logon script = %G.bat
logon path = \\SERVER\perfiles\%G\%U
logon drive = C:
domain logons = Yes
os level = 64
preferred master = Yes
domain master = Yes
dns proxy = No
wins support = Yes
lock dir = /var/opt/samba/locks
include = /etc/samba/lib/LOCAL_smb.conf
.
.
.
[perfiles]
path = /path/perfiles
read only = No
create mask = 0777
directory mask = 0777
browseable = No
profile acls = yes
##################### USER LOG FILE
[2005/07/05 15:35:23, 3] smbd/process.c:(858)
Transaction 7267 of length 152
[2005/07/05 15:35:23, 3] smbd/process.c:(696)
switch message SMBsesssetupX (pid 26434)
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(328)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/07/05 15:35:23, 3] smbd/reply.c:(893)
Domain=[] NativeOS=[Windows 2002 2600 Service Pack 1]
NativeLanMan=[Windows 2002 5.1]
[2005/07/05 15:35:23, 3] smbd/reply.c:(904)
sesssetupX:name=[]
[2005/07/05 15:35:23, 3] param/loadparm.c:(1307)
Initialising global parameters
[2005/07/05 15:35:23, 3] param/params.c:(626)
params.c:pm_process() - Processing configuration file
"/etc/opt/samba/smb.conf"
[2005/07/05 15:35:23, 3] param/loadparm.c:(3102)
Processing section "[global]"
[2005/07/05 15:35:23, 3] param/params.c:(626)
params.c:pm_process() - Processing configuration file
"/etc/samba/lib/DECAPM0_smb.conf"
[2005/07/05 15:35:23, 3] param/loadparm.c:(3102)
Processing section "[global]"
[2005/07/05 15:35:23, 1] lib/debug.c:(256)
INFO: Debug class all level = 3 (pid 26434 from pid 26434)
[2005/07/05 15:35:23, 2] param/loadparm.c:(3120)
Processing section "[perfiles]"
[2005/07/05 15:35:23, 2] param/loadparm.c:(3120)
Processing section "[netlogon]"
[2005/07/05 15:35:23, 2] param/loadparm.c:(3120)
Processing section "[perfiles]"
[2005/07/05 15:35:23, 2] param/loadparm.c:(3120)
Processing section "[HOMES]"
[2005/07/05 15:35:23, 2] param/loadparm.c:(3120)
Processing section "[grupo]"
[2005/07/05 15:35:23, 2] param/loadparm.c:(3120)
Processing section "[comun]"
[2005/07/05 15:35:23, 2] param/loadparm.c:(3120)
Processing section "[logon]"
[2005/07/05 15:35:23, 2] param/loadparm.c:(3120)
Processing section "[W]"
[2005/07/05 15:35:23, 2] param/loadparm.c:(3120)
Processing section "[das]"
[2005/07/05 15:35:23, 2] param/loadparm.c:(3120)
Processing section "[etc]"
[2005/07/05 15:35:23, 2] param/loadparm.c:(3120)
Processing section "[mindocu]"
[2005/07/05 15:35:23, 2] param/loadparm.c:(3120)
Processing section "[minforms]"
[2005/07/05 15:35:23, 2] param/loadparm.c:(3120)
Processing section "[docu]"
[2005/07/05 15:35:23, 2] param/loadparm.c:(3120)
Processing section "[forms]"
[2005/07/05 15:35:23, 2] param/loadparm.c:(3120)
Processing section "[we]"
[2005/07/05 15:35:23, 2] param/loadparm.c:(3120)
Processing section "[printers]"
[2005/07/05 15:35:23, 2] param/loadparm.c:(3120)
Processing section "[jetadmin]"
[2005/07/05 15:35:23, 2] param/loadparm.c:(3120)
Processing section "[inventario]"
[2005/07/05 15:35:23, 2] param/loadparm.c:(3120)
Processing section "[logs]"
[2005/07/05 15:35:23, 3] param/loadparm.c:(2075)
adding IPC service IPC$
[2005/07/05 15:35:23, 3] param/loadparm.c:(2075)
adding IPC service ADMIN$
[2005/07/05 15:35:23, 3] param/loadparm.c:(2109)
adding printer service guardia2
[2005/07/05 15:35:23, 3] param/loadparm.c:(2109)
adding printer service guardia1
[2005/07/05 15:35:23, 3] param/loadparm.c:(2109)
adding printer service jddva1
[2005/07/05 15:35:23, 2] lib/interface.c:(81)
added interface ip=10.44.36.13 bcast=10.44.37.255 nmask=255.255.254.0
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(296)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2005/07/05 15:35:23, 3] smbd/uid.c:(285)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(328)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(172)
get_current_groups: user is in 2 groups: 50, 6
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(435)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(172)
get_current_groups: user is in 2 groups: 50, 6
[2005/07/05 15:35:23, 3] smbd/uid.c:(590)
fetch sid from uid cache 512 ->
S-1-5-21-1517441303-804621452-1457755469-2024
[2005/07/05 15:35:23, 3] smbd/uid.c:(666)
fetch sid from gid cache 50 ->
S-1-5-21-1517441303-804621452-1457755469-1101
[2005/07/05 15:35:23, 3] smbd/uid.c:(666)
fetch sid from gid cache 6 ->
S-1-5-21-1517441303-804621452-1457755469-1013
[2005/07/05 15:35:23, 3] smbd/password.c:(336)
uid 512 registered to name gerencia
[2005/07/05 15:35:23, 3] smbd/password.c:(338)
Clearing default real name
[2005/07/05 15:35:23, 3] smbd/password.c:(340)
User name: gerencia Real name: Usuario LIBRA
[2005/07/05 15:35:23, 3] smbd/process.c:(1003)
Chained message
[2005/07/05 15:35:23, 3] smbd/process.c:(696)
switch message SMBtconX (pid 26434)
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(328)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/07/05 15:35:23, 3] smbd/password.c:(576)
Account for user 'gerencia' has no password and null passwords are
allowed.
[2005/07/05 15:35:23, 3] smbd/password.c:(774)
authorise_login: ACCEPTED: given username (gerencia) password ok
[2005/07/05 15:35:23, 3] smbd/service.c:(487)
Connect path is /tmp
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(296)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2005/07/05 15:35:23, 3] smbd/uid.c:(285)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(328)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(172)
get_current_groups: user is in 2 groups: 50, 6
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(435)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(172)
get_current_groups: user is in 2 groups: 50, 6
[2005/07/05 15:35:23, 3] smbd/uid.c:(590)
fetch sid from uid cache 512 ->
S-1-5-21-1517441303-804621452-1457755469-2024
[2005/07/05 15:35:23, 3] smbd/uid.c:(666)
fetch sid from gid cache 50 ->
S-1-5-21-1517441303-804621452-1457755469-1101
[2005/07/05 15:35:23, 3] smbd/uid.c:(666)
fetch sid from gid cache 6 ->
S-1-5-21-1517441303-804621452-1457755469-1013
[2005/07/05 15:35:23, 3] lib/util_seaccess.c:(273)
se_access_check: user sid is
S-1-5-21-1517441303-804621452-1457755469-2024
[2005/07/05 15:35:23, 3] lib/util_seaccess.c:(276)
se_access_check: also S-1-5-21-1517441303-804621452-1457755469-1101
[2005/07/05 15:35:23, 3] lib/util_seaccess.c:(276)
se_access_check: also S-1-5-21-1517441303-804621452-1457755469-1013
[2005/07/05 15:35:23, 3] lib/util_seaccess.c:(276)
se_access_check: also S-1-1-0
[2005/07/05 15:35:23, 3] lib/util_seaccess.c:(276)
se_access_check: also S-1-5-2
[2005/07/05 15:35:23, 3] lib/util_seaccess.c:(276)
se_access_check: also S-1-5-32-546
[2005/07/05 15:35:23, 3] smbd/vfs.c:(123)
Initialising default vfs hooks
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(328)
setting sec ctx (512, 50) - sec_ctx_stack_ndx = 0
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(334)
2 user groups:
50 6
[2005/07/05 15:35:23, 3] smbd/vfs.c:(600)
vfs_ChDir to /tmp
[2005/07/05 15:35:23, 3] smbd/service.c:(636)
xba0687 (10.44.37.199) connect to service IPC$ as user gerencia
(uid=512, gid=50) (pid 26434)
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(328)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/07/05 15:35:23, 3] smbd/reply.c:(396)
tconX service=ipc$ user=gerencia
[2005/07/05 15:35:23, 3] smbd/process.c:(858)
Transaction 7268 of length 97
[2005/07/05 15:35:23, 3] smbd/process.c:(696)
switch message SMBntcreateX (pid 26434)
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(328)
setting sec ctx (512, 50) - sec_ctx_stack_ndx = 0
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(334)
2 user groups:
50 6
[2005/07/05 15:35:23, 3] smbd/nttrans.c:(559)
nt_open_pipe: Known pipe NETLOGON opening.
[2005/07/05 15:35:23, 3] smbd/process.c:(858)
Transaction 7269 of length 140
[2005/07/05 15:35:23, 3] smbd/process.c:(696)
switch message SMBwriteX (pid 26434)
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe.c:(796)
api_pipe_bind_req: \PIPE\NETLOGON -> \PIPE\lsass
[2005/07/05 15:35:23, 3] smbd/pipes.c:(197)
writeX-IPC pnum=74a9 nwritten=72
[2005/07/05 15:35:23, 3] smbd/process.c:(858)
Transaction 7270 of length 63
[2005/07/05 15:35:23, 3] smbd/process.c:(696)
switch message SMBreadX (pid 26434)
[2005/07/05 15:35:23, 3] smbd/pipes.c:(238)
readX-IPC pnum=74a9 min=1024 max=1024 nread=68
[2005/07/05 15:35:23, 3] smbd/process.c:(858)
Transaction 7271 of length 364
[2005/07/05 15:35:23, 3] smbd/process.c:(696)
switch message SMBwriteX (pid 26434)
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe_hnd.c:(444)
free_pipe_context: destroying talloc pool of size 0
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe.c:(1195)
Doing \PIPE\NETLOGON
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe.c:(1227)
api_rpcTNP: pipe 29865 rpc command: NET_SAMLOGON
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe_hnd.c:(444)
free_pipe_context: destroying talloc pool of size 668
[2005/07/05 15:35:23, 3] smbd/pipes.c:(197)
writeX-IPC pnum=74a9 nwritten=296
[2005/07/05 15:35:23, 3] smbd/process.c:(858)
Transaction 7272 of length 63
[2005/07/05 15:35:23, 3] smbd/process.c:(696)
switch message SMBreadX (pid 26434)
[2005/07/05 15:35:23, 3] smbd/pipes.c:(238)
readX-IPC pnum=74a9 min=1024 max=1024 nread=56
[2005/07/05 15:35:23, 3] smbd/process.c:(858)
Transaction 7273 of length 45
[2005/07/05 15:35:23, 3] smbd/process.c:(696)
switch message SMBclose (pid 26434)
[2005/07/05 15:35:23, 3] smbd/process.c:(858)
Transaction 7274 of length 97
[2005/07/05 15:35:23, 3] smbd/process.c:(696)
switch message SMBntcreateX (pid 26434)
[2005/07/05 15:35:23, 3] smbd/nttrans.c:(559)
nt_open_pipe: Known pipe NETLOGON opening.
[2005/07/05 15:35:23, 3] smbd/process.c:(858)
Transaction 7275 of length 140
[2005/07/05 15:35:23, 3] smbd/process.c:(696)
switch message SMBwriteX (pid 26434)
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe.c:(796)
api_pipe_bind_req: \PIPE\NETLOGON -> \PIPE\lsass
[2005/07/05 15:35:23, 3] smbd/pipes.c:(197)
writeX-IPC pnum=74aa nwritten=72
[2005/07/05 15:35:23, 3] smbd/process.c:(858)
Transaction 7276 of length 63
[2005/07/05 15:35:23, 3] smbd/process.c:(696)
switch message SMBreadX (pid 26434)
[2005/07/05 15:35:23, 3] smbd/pipes.c:(238)
readX-IPC pnum=74aa min=1024 max=1024 nread=68
[2005/07/05 15:35:23, 3] smbd/process.c:(858)
Transaction 7277 of length 164
[2005/07/05 15:35:23, 3] smbd/process.c:(696)
switch message SMBwriteX (pid 26434)
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe_hnd.c:(444)
free_pipe_context: destroying talloc pool of size 0
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe.c:(1195)
Doing \PIPE\NETLOGON
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe.c:(1227)
api_rpcTNP: pipe 29866 rpc command: NET_REQCHAL
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(296)
push_sec_ctx(512, 50) : sec_ctx_stack_ndx = 1
[2005/07/05 15:35:23, 3] smbd/uid.c:(285)
push_conn_ctx(117) : conn_ctx_stack_ndx = 0
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(328)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(435)
pop_sec_ctx (512, 50) - sec_ctx_stack_ndx = 0
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe_hnd.c:(444)
free_pipe_context: destroying talloc pool of size 36
[2005/07/05 15:35:23, 3] smbd/pipes.c:(197)
writeX-IPC pnum=74aa nwritten=96
[2005/07/05 15:35:23, 3] smbd/process.c:(858)
Transaction 7278 of length 63
[2005/07/05 15:35:23, 3] smbd/process.c:(696)
switch message SMBreadX (pid 26434)
[2005/07/05 15:35:23, 3] smbd/pipes.c:(238)
readX-IPC pnum=74aa min=1024 max=1024 nread=36
[2005/07/05 15:35:23, 3] smbd/process.c:(858)
Transaction 7279 of length 200
[2005/07/05 15:35:23, 3] smbd/process.c:(696)
switch message SMBwriteX (pid 26434)
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe_hnd.c:(444)
free_pipe_context: destroying talloc pool of size 0
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe.c:(1195)
Doing \PIPE\NETLOGON
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe_hnd.c:(444)
free_pipe_context: destroying talloc pool of size 0
[2005/07/05 15:35:23, 3] smbd/pipes.c:(197)
writeX-IPC pnum=74aa nwritten=132
[2005/07/05 15:35:23, 3] smbd/process.c:(858)
Transaction 7280 of length 63
[2005/07/05 15:35:23, 3] smbd/process.c:(696)
switch message SMBreadX (pid 26434)
[2005/07/05 15:35:23, 3] smbd/pipes.c:(238)
readX-IPC pnum=74aa min=1024 max=1024 nread=32
[2005/07/05 15:35:23, 3] smbd/process.c:(858)
Transaction 7281 of length 200
[2005/07/05 15:35:23, 3] smbd/process.c:(696)
switch message SMBwriteX (pid 26434)
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe_hnd.c:(444)
free_pipe_context: destroying talloc pool of size 0
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe.c:(1195)
Doing \PIPE\NETLOGON
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe.c:(1227)
api_rpcTNP: pipe 29866 rpc command: NET_AUTH2
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe_hnd.c:(444)
free_pipe_context: destroying talloc pool of size 54
[2005/07/05 15:35:23, 3] smbd/pipes.c:(197)
writeX-IPC pnum=74aa nwritten=132
[2005/07/05 15:35:23, 3] smbd/process.c:(858)
Transaction 7282 of length 63
[2005/07/05 15:35:23, 3] smbd/process.c:(696)
switch message SMBreadX (pid 26434)
[2005/07/05 15:35:23, 3] smbd/pipes.c:(238)
readX-IPC pnum=74aa min=1024 max=1024 nread=40
[2005/07/05 15:35:23, 3] smbd/process.c:(858)
Transaction 7283 of length 152
[2005/07/05 15:35:23, 3] smbd/process.c:(696)
switch message SMBsesssetupX (pid 26434)
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(328)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/07/05 15:35:23, 3] smbd/reply.c:(893)
Domain=[] NativeOS=[Windows 2002 2600 Service Pack 1]
NativeLanMan=[Windows 2002 5.1]
[2005/07/05 15:35:23, 3] smbd/reply.c:(904)
sesssetupX:name=[]
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(296)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2005/07/05 15:35:23, 3] smbd/uid.c:(285)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(328)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(172)
get_current_groups: user is in 2 groups: 50, 6
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(435)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(172)
get_current_groups: user is in 2 groups: 50, 6
[2005/07/05 15:35:23, 3] smbd/uid.c:(590)
fetch sid from uid cache 512 ->
S-1-5-21-1517441303-804621452-1457755469-2024
[2005/07/05 15:35:23, 3] smbd/uid.c:(666)
fetch sid from gid cache 50 ->
S-1-5-21-1517441303-804621452-1457755469-1101
[2005/07/05 15:35:23, 3] smbd/uid.c:(666)
fetch sid from gid cache 6 ->
S-1-5-21-1517441303-804621452-1457755469-1013
[2005/07/05 15:35:23, 3] smbd/password.c:(336)
uid 512 registered to name gerencia
[2005/07/05 15:35:23, 3] smbd/password.c:(338)
Clearing default real name
[2005/07/05 15:35:23, 3] smbd/password.c:(340)
User name: gerencia Real name: Usuario LIBRA
[2005/07/05 15:35:23, 3] smbd/process.c:(1003)
Chained message
[2005/07/05 15:35:23, 3] smbd/process.c:(696)
switch message SMBtconX (pid 26434)
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(328)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/07/05 15:35:23, 3] smbd/password.c:(576)
Account for user 'gerencia' has no password and null passwords are
allowed.
[2005/07/05 15:35:23, 3] smbd/password.c:(774)
authorise_login: ACCEPTED: given username (gerencia) password ok
[2005/07/05 15:35:23, 3] smbd/service.c:(487)
Connect path is /tmp
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(296)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2005/07/05 15:35:23, 3] smbd/uid.c:(285)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(328)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(172)
get_current_groups: user is in 2 groups: 50, 6
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(435)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(172)
get_current_groups: user is in 2 groups: 50, 6
[2005/07/05 15:35:23, 3] smbd/uid.c:(590)
fetch sid from uid cache 512 ->
S-1-5-21-1517441303-804621452-1457755469-2024
[2005/07/05 15:35:23, 3] smbd/uid.c:(666)
fetch sid from gid cache 50 ->
S-1-5-21-1517441303-804621452-1457755469-1101
[2005/07/05 15:35:23, 3] smbd/uid.c:(666)
fetch sid from gid cache 6 ->
S-1-5-21-1517441303-804621452-1457755469-1013
[2005/07/05 15:35:23, 3] lib/util_seaccess.c:(273)
se_access_check: user sid is
S-1-5-21-1517441303-804621452-1457755469-2024
[2005/07/05 15:35:23, 3] lib/util_seaccess.c:(276)
se_access_check: also S-1-5-21-1517441303-804621452-1457755469-1101
[2005/07/05 15:35:23, 3] lib/util_seaccess.c:(276)
se_access_check: also S-1-5-21-1517441303-804621452-1457755469-1013
[2005/07/05 15:35:23, 3] lib/util_seaccess.c:(276)
se_access_check: also S-1-1-0
[2005/07/05 15:35:23, 3] lib/util_seaccess.c:(276)
se_access_check: also S-1-5-2
[2005/07/05 15:35:23, 3] lib/util_seaccess.c:(276)
se_access_check: also S-1-5-32-546
[2005/07/05 15:35:23, 3] smbd/vfs.c:(123)
Initialising default vfs hooks
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(328)
setting sec ctx (512, 50) - sec_ctx_stack_ndx = 0
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(334)
2 user groups:
50 6
[2005/07/05 15:35:23, 3] smbd/service.c:(636)
xba0687 (10.44.37.199) connect to service IPC$ as user gerencia
(uid=512, gid=50) (pid 26434)
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(328)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/07/05 15:35:23, 3] smbd/reply.c:(396)
tconX service=ipc$ user=gerencia
[2005/07/05 15:35:23, 3] smbd/process.c:(858)
Transaction 7284 of length 95
[2005/07/05 15:35:23, 3] smbd/process.c:(696)
switch message SMBntcreateX (pid 26434)
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(328)
setting sec ctx (512, 50) - sec_ctx_stack_ndx = 0
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(334)
2 user groups:
50 6
[2005/07/05 15:35:23, 3] smbd/nttrans.c:(559)
nt_open_pipe: Known pipe lsarpc opening.
[2005/07/05 15:35:23, 3] smbd/process.c:(858)
Transaction 7285 of length 140
[2005/07/05 15:35:23, 3] smbd/process.c:(696)
switch message SMBwriteX (pid 26434)
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe.c:(796)
api_pipe_bind_req: \PIPE\lsarpc -> \PIPE\lsass
[2005/07/05 15:35:23, 3] smbd/pipes.c:(197)
writeX-IPC pnum=74ab nwritten=72
[2005/07/05 15:35:23, 3] smbd/process.c:(858)
Transaction 7286 of length 63
[2005/07/05 15:35:23, 3] smbd/process.c:(696)
switch message SMBreadX (pid 26434)
[2005/07/05 15:35:23, 3] smbd/pipes.c:(238)
readX-IPC pnum=74ab min=1024 max=1024 nread=68
[2005/07/05 15:35:23, 3] smbd/process.c:(858)
Transaction 7287 of length 156
[2005/07/05 15:35:23, 3] smbd/process.c:(696)
switch message SMBwriteX (pid 26434)
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe_hnd.c:(444)
free_pipe_context: destroying talloc pool of size 0
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe.c:(1195)
Doing \PIPE\lsarpc
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe.c:(1227)
api_rpcTNP: pipe 29867 rpc command: LSA_OPENPOLICY2
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe_hnd.c:(444)
free_pipe_context: destroying talloc pool of size 20
[2005/07/05 15:35:23, 3] smbd/pipes.c:(197)
writeX-IPC pnum=74ab nwritten=88
[2005/07/05 15:35:23, 3] smbd/process.c:(858)
Transaction 7288 of length 63
[2005/07/05 15:35:23, 3] smbd/process.c:(696)
switch message SMBreadX (pid 26434)
[2005/07/05 15:35:23, 3] smbd/pipes.c:(238)
readX-IPC pnum=74ab min=1024 max=1024 nread=48
[2005/07/05 15:35:23, 3] smbd/process.c:(858)
Transaction 7289 of length 120
[2005/07/05 15:35:23, 3] smbd/process.c:(696)
switch message SMBwriteX (pid 26434)
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe_hnd.c:(444)
free_pipe_context: destroying talloc pool of size 0
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe.c:(1195)
Doing \PIPE\lsarpc
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe.c:(1227)
api_rpcTNP: pipe 29867 rpc command: LSA_ENUMTRUSTDOM
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe_hnd.c:(444)
free_pipe_context: destroying talloc pool of size 0
[2005/07/05 15:35:23, 3] smbd/pipes.c:(197)
writeX-IPC pnum=74ab nwritten=52
[2005/07/05 15:35:23, 3] smbd/process.c:(858)
Transaction 7290 of length 63
[2005/07/05 15:35:23, 3] smbd/process.c:(696)
switch message SMBreadX (pid 26434)
[2005/07/05 15:35:23, 3] smbd/pipes.c:(238)
readX-IPC pnum=74ab min=1024 max=1024 nread=40
[2005/07/05 15:35:23, 3] smbd/process.c:(858)
Transaction 7291 of length 112
[2005/07/05 15:35:23, 3] smbd/process.c:(696)
switch message SMBwriteX (pid 26434)
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe_hnd.c:(444)
free_pipe_context: destroying talloc pool of size 0
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe.c:(1195)
Doing \PIPE\lsarpc
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe.c:(1227)
api_rpcTNP: pipe 29867 rpc command: LSA_CLOSE
[2005/07/05 15:35:23, 3] rpc_server/srv_lsa_hnd.c:(197)
Closed policy
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe_hnd.c:(444)
free_pipe_context: destroying talloc pool of size 0
[2005/07/05 15:35:23, 3] smbd/pipes.c:(197)
writeX-IPC pnum=74ab nwritten=44
[2005/07/05 15:35:23, 3] smbd/process.c:(858)
Transaction 7292 of length 63
[2005/07/05 15:35:23, 3] smbd/process.c:(696)
switch message SMBreadX (pid 26434)
[2005/07/05 15:35:23, 3] smbd/pipes.c:(238)
readX-IPC pnum=74ab min=1024 max=1024 nread=48
[2005/07/05 15:35:23, 3] smbd/process.c:(858)
Transaction 7293 of length 45
[2005/07/05 15:35:23, 3] smbd/process.c:(696)
switch message SMBclose (pid 26434)
[2005/07/05 15:35:23, 3] smbd/process.c:(858)
Transaction 7294 of length 364
[2005/07/05 15:35:23, 3] smbd/process.c:(696)
switch message SMBwriteX (pid 26434)
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(328)
setting sec ctx (512, 50) - sec_ctx_stack_ndx = 0
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(334)
2 user groups:
50 6
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe_hnd.c:(444)
free_pipe_context: destroying talloc pool of size 0
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe.c:(1195)
Doing \PIPE\NETLOGON
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe.c:(1227)
api_rpcTNP: pipe 29866 rpc command: NET_SAMLOGON
[2005/07/05 15:35:23, 3] rpc_server/srv_netlog_nt.c:(618)
SAM Logon (Interactive). Domain:[DECAPM0_MJU_SMB]. User:[paula]
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(296)
push_sec_ctx(512, 50) : sec_ctx_stack_ndx = 1
[2005/07/05 15:35:23, 3] smbd/uid.c:(285)
push_conn_ctx(117) : conn_ctx_stack_ndx = 0
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(328)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2005/07/05 15:35:23, 3] smbd/sec_ctx.c:(435)
pop_sec_ctx (512, 50) - sec_ctx_stack_ndx = 0
[2005/07/05 15:35:23, 3] rpc_server/srv_util.c:(187)
domain group access 513/7 granted
[2005/07/05 15:35:23, 3] rpc_server/srv_pipe_hnd.c:(444)
free_pipe_context: destroying talloc pool of size 4788
[2005/07/05 15:35:23, 3] smbd/pipes.c:(197)
writeX-IPC pnum=74aa nwritten=296
[2005/07/05 15:35:23, 3] smbd/process.c:(858)
Transaction 7295 of length 63
[2005/07/05 15:35:23, 3] smbd/process.c:(696)
switch message SMBreadX (pid 26434)
[2005/07/05 15:35:23, 3] smbd/pipes.c:(238)
readX-IPC pnum=74aa min=1024 max=1024 nread=616
[2005/07/05 15:35:34, 3] smbd/process.c:(858)
Transaction 7296 of length 43
[2005/07/05 15:35:34, 3] smbd/process.c:(696)
switch message SMBulogoffX (pid 26434)
[2005/07/05 15:35:34, 3] smbd/sec_ctx.c:(328)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/07/05 15:35:34, 3] smbd/reply.c:(1838)
ulogoffX vuid=118
[2005/07/05 15:35:34, 3] smbd/process.c:(858)
Transaction 7297 of length 39
[2005/07/05 15:35:34, 3] smbd/process.c:(696)
switch message SMBtdis (pid 26434)
[2005/07/05 15:35:34, 3] smbd/sec_ctx.c:(328)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/07/05 15:35:34, 3] smbd/sec_ctx.c:(328)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/07/05 15:35:34, 3] smbd/service.c:(675)
xba0687 (10.44.37.199) closed connection to service IPC$
[2005/07/05 15:35:34, 3] smbd/connection.c:(48)
Yielding connection to IPC$
[2005/07/05 15:35:34, 3] smbd/sec_ctx.c:(328)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/07/05 15:35:34, 3] smbd/vfs.c:(600)
vfs_ChDir to /
[2005/07/05 15:35:53, 3] smbd/process.c:(858)
Transaction 7298 of length 45
[2005/07/05 15:35:53, 3] smbd/process.c:(696)
switch message SMBclose (pid 26434)
[2005/07/05 15:35:53, 3] smbd/sec_ctx.c:(328)
setting sec ctx (512, 50) - sec_ctx_stack_ndx = 0
[2005/07/05 15:35:53, 3] smbd/sec_ctx.c:(334)
2 user groups:
50 6
[2005/07/05 15:35:53, 3] smbd/vfs.c:(600)
vfs_ChDir to /tmp
[2005/07/05 15:36:04, 3] smbd/process.c:(858)
Transaction 7299 of length 43
[2005/07/05 15:36:04, 3] smbd/process.c:(696)
switch message SMBulogoffX (pid 26434)
[2005/07/05 15:36:04, 3] smbd/sec_ctx.c:(328)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/07/05 15:36:04, 3] smbd/reply.c:(1838)
ulogoffX vuid=117
[2005/07/05 15:36:04, 3] smbd/process.c:(858)
Transaction 7300 of length 39
[2005/07/05 15:36:04, 3] smbd/process.c:(696)
switch message SMBtdis (pid 26434)
[2005/07/05 15:36:04, 3] smbd/sec_ctx.c:(328)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/07/05 15:36:04, 3] smbd/sec_ctx.c:(328)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/07/05 15:36:04, 3] smbd/service.c:(675)
xba0687 (10.44.37.199) closed connection to service IPC$
[2005/07/05 15:36:04, 3] smbd/connection.c:(48)
################### SYSINTERNALS.COM REGMON LOG
It's an attached file.
-------------- next part --------------
Sysinternals.com regmon is the program I use to monitor registry activity on processes. I managed to log the Windoze authentication process with 2 tries of one user (I only show the first, as the second puts the same values) and another, successful one, and I have compared the data. There are some distinctive keys and values and what the system gets from them.
It seems to me that in the Cache keys it looks for a certain SID. I think something could be written or modified there (I might be crazy, of course, but when the issue is so bitchy that a flamethrower is behind you, what can you try to do?), so I need some kind of clue here.
This log file has been cut by some fields and, of course, from a lot of lines. The original is 988KB in size and this one is about 26KB. I still keep the big one in case somebody could help me with this issue and wants information about it. Some data like the real domain name or real users has been modified for anonymity reasons.
### Here it seems the authentication process starts...
lsass.exe:568 OpenKey HKLM\SECURITY\Policy SUCCESS Access: 0x2001F
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$3 SUCCESS 0E 00 1E 00 0E 00 00 00 ...
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$2 SUCCESS 0E 00 1E 00 0E 00 1A 00 ...
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$1 SUCCESS 0C 00 1E 00 0C 00 1A 00 ...
lsass.exe:568 OpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Access: 0x20019
lsass.exe:568 QueryValue HKLM\SECURITY\Policy\SecDesc\(Default) BUFFER OVERFLOW
lsass.exe:568 CloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$10 SUCCESS 0E 00 1E 00 0E 00 00 00 ...
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$9 SUCCESS 0C 00 1E 00 0C 00 1A 00 ...
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$8 BUFFER OVERFLOW
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$8 SUCCESS 0E 00 1E 00 0E 00 44 00 ...
lsass.exe:568 OpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Access: 0x20019
lsass.exe:568 QueryValue HKLM\SECURITY\Policy\SecDesc\(Default) SUCCESS NONE
lsass.exe:568 CloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$7 SUCCESS 0C 00 1E 00 0C 00 1A 00 ...
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$6 SUCCESS 06 00 1E 00 06 00 1A 00 ...
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$5 SUCCESS 0C 00 1E 00 0C 00 1A 00 ...
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$4 BUFFER OVERFLOW
### It has searched in every node of Cache and it seems it hasn't found anything...
### And now, some (?) less important keys...
lsass.exe:568 CloseKey HKLM\SECURITY\Policy SUCCESS
winlogon.exe:512 OpenKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon SUCCESS Access: 0x1
winlogon.exe:512 QueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceFriendlyUI NOT FOUND
winlogon.exe:512 CloseKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon SUCCESS
winlogon.exe:512 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system SUCCESS Access: 0x1
winlogon.exe:512 QueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ForceFriendlyUI NOT FOUND
winlogon.exe:512 CloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system SUCCESS
### lsass returns and does some more checking.... The keys and values seem interesting...
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$4 SUCCESS 0E 00 1E 00 0E 00 44 00 ...
lsass.exe:568 OpenKey HKLM\System\CurrentControlSet\Control\Lsa SUCCESS Access: 0x1
lsass.exe:568 QueryValue HKLM\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous SUCCESS 0x0
lsass.exe:568 CloseKey HKLM\System\CurrentControlSet\Control\Lsa SUCCESS
lsass.exe:568 OpenKey HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC SUCCESS Access: 0x2001F
lsass.exe:568 OpenKey HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\CurrVal SUCCESS Access: 0x20019
lsass.exe:568 QueryValue HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\CurrVal\(Default) BUFFER OVERFLOW
lsass.exe:568 CloseKey HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\CurrVal SUCCESS
lsass.exe:568 OpenKey HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\CurrVal SUCCESS Access: 0x20019
lsass.exe:568 QueryValue HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\CurrVal\(Default) SUCCESS NONE
lsass.exe:568 CloseKey HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\CurrVal SUCCESS
lsass.exe:568 OpenKey HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\CurrVal SUCCESS Access: 0x20019
lsass.exe:568 QueryValue HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\CurrVal\(Default) SUCCESS NONE
lsass.exe:568 CloseKey HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\CurrVal SUCCESS
lsass.exe:568 OpenKey HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\OldVal SUCCESS Access: 0x20019
lsass.exe:568 QueryValue HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\OldVal\(Default) BUFFER OVERFLOW
lsass.exe:568 CloseKey HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\OldVal SUCCESS
lsass.exe:568 OpenKey HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\OldVal SUCCESS Access: 0x20019
lsass.exe:568 QueryValue HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\OldVal\(Default) SUCCESS NONE
lsass.exe:568 CloseKey HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\OldVal SUCCESS
lsass.exe:568 OpenKey HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\OldVal SUCCESS Access: 0x20019
lsass.exe:568 QueryValue HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\OldVal\(Default) SUCCESS NONE
lsass.exe:568 CloseKey HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\OldVal SUCCESS
lsass.exe:568 OpenKey HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\CupdTime SUCCESS Access: 0x20019
lsass.exe:568 QueryValue HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\CupdTime\(Default) SUCCESS NONE
lsass.exe:568 CloseKey HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC\CupdTime SUCCESS
lsass.exe:568 CloseKey HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC SUCCESS
lsass.exe:568 OpenKey HKLM\System\CurrentControlSet\Control\Lsa SUCCESS Access: 0x1
lsass.exe:568 QueryValue HKLM\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous SUCCESS 0x0
lsass.exe:568 CloseKey HKLM\System\CurrentControlSet\Control\Lsa SUCCESS
lsass.exe:568 OpenKey HKLM\System\CurrentControlSet\Control\ComputerName ACCESS DENIED Access: 0x20019
lsass.exe:568 OpenKey HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ACCESS DENIED Access: 0x20019
lsass.exe:568 OpenKey HKLM\System\CurrentControlSet\Control\Lsa SUCCESS Access: 0x1
lsass.exe:568 QueryValue HKLM\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous SUCCESS 0x0
lsass.exe:568 CloseKey HKLM\System\CurrentControlSet\Control\Lsa SUCCESS
lsass.exe:568 OpenKey HKLM\System\CurrentControlSet\Control\ComputerName SUCCESS Access: 0x20019
lsass.exe:568 OpenKey HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName SUCCESS Access: 0x20019
lsass.exe:568 QueryValue HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName\ComputerName SUCCESS "XBA0668"
lsass.exe:568 CloseKey HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName SUCCESS
lsass.exe:568 CloseKey HKLM\System\CurrentControlSet\Control\ComputerName SUCCESS
lsass.exe:568 OpenKey HKLM\System\CurrentControlSet\Services\Tcpip\Parameters SUCCESS Access: 0x20019
lsass.exe:568 QueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Hostname SUCCESS "XBA0668"
lsass.exe:568 CloseKey HKLM\System\CurrentControlSet\Services\Tcpip\Parameters SUCCESS
lsass.exe:568 OpenKey HKLM\Software\Policies\Microsoft\System\DNSclient NOT FOUND
lsass.exe:568 OpenKey HKLM\System\CurrentControlSet\Services\Tcpip\Parameters SUCCESS Access: 0x20019
lsass.exe:568 QueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Domain SUCCESS ""
lsass.exe:568 CloseKey HKLM\System\CurrentControlSet\Services\Tcpip\Parameters SUCCESS
lsass.exe:568 OpenKey HKLM\System\CurrentControlSet\Control\Lsa SUCCESS Access: 0x1
lsass.exe:568 QueryValue HKLM\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous SUCCESS 0x0
lsass.exe:568 CloseKey HKLM\System\CurrentControlSet\Control\Lsa SUCCESS
### You see it's repeating the process, quite typical of their programming... :/
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$3 SUCCESS 0E 00 1E 00 0E 00 00 00 ...
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$2 SUCCESS 0E 00 1E 00 0E 00 1A 00 ...
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$1 SUCCESS 0C 00 1E 00 0C 00 1A 00 ...
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$10 SUCCESS 0E 00 1E 00 0E 00 00 00 ...
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$9 SUCCESS 0C 00 1E 00 0C 00 1A 00 ...
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$8 BUFFER OVERFLOW
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$8 SUCCESS 0E 00 1E 00 0E 00 44 00 ...
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$7 SUCCESS 0C 00 1E 00 0C 00 1A 00 ...
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$6 SUCCESS 06 00 1E 00 06 00 1A 00 ...
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$5 SUCCESS 0C 00 1E 00 0C 00 1A 00 ...
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$4 BUFFER OVERFLOW
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$4 SUCCESS 0E 00 1E 00 0E 00 44 00 ...
lsass.exe:568 OpenKey HKLM\System\CurrentControlSet\Control\ComputerName SUCCESS Access: 0x20019
lsass.exe:568 OpenKey HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName SUCCESS Access: 0x20019
lsass.exe:568 QueryValue HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName\ComputerName SUCCESS "XBA0668"
lsass.exe:568 CloseKey HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName SUCCESS
lsass.exe:568 CloseKey HKLM\System\CurrentControlSet\Control\ComputerName SUCCESS
lsass.exe:568 OpenKey HKLM\System\CurrentControlSet\Control\ComputerName SUCCESS Access: 0x20019
lsass.exe:568 OpenKey HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName SUCCESS Access: 0x20019
lsass.exe:568 QueryValue HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName\ComputerName SUCCESS "XBA0668"
lsass.exe:568 CloseKey HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName SUCCESS
lsass.exe:568 CloseKey HKLM\System\CurrentControlSet\Control\ComputerName SUCCESS
### Here it looks for one user. It is the one with problems. It's curious that none of the names are found.
lsass.exe:568 OpenKey HKLM\SAM\SAM\DOMAINS\Builtin\Groups\Names\juans NOT FOUND
lsass.exe:568 OpenKey HKLM\SAM\SAM\DOMAINS\Builtin\Aliases\Names\juans NOT FOUND
lsass.exe:568 OpenKey HKLM\SAM\SAM\DOMAINS\Builtin\Users\Names\juans NOT FOUND
lsass.exe:568 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Groups\Names\juans NOT FOUND
lsass.exe:568 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Aliases\Names\juans NOT FOUND
lsass.exe:568 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Users\Names\juans NOT FOUND
lsass.exe:568 CloseKey HKLM\SECURITY\Policy SUCCESS
lsass.exe:568 OpenKey HKLM\System\CurrentControlSet\Control\ComputerName SUCCESS Access: 0x20019
lsass.exe:568 OpenKey HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName SUCCESS Access: 0x20019
lsass.exe:568 QueryValue HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName\ComputerName SUCCESS "XBA0668"
lsass.exe:568 CloseKey HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName SUCCESS
lsass.exe:568 CloseKey HKLM\System\CurrentControlSet\Control\ComputerName SUCCESS
lsass.exe:568 OpenKey HKLM\SECURITY\Policy SUCCESS Access: 0x2001F
lsass.exe:568 OpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Access: 0x20019
lsass.exe:568 QueryValue HKLM\SECURITY\Policy\SecDesc\(Default) BUFFER OVERFLOW
lsass.exe:568 CloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS
lsass.exe:568 OpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Access: 0x20019
lsass.exe:568 QueryValue HKLM\SECURITY\Policy\SecDesc\(Default) SUCCESS NONE
lsass.exe:568 CloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS
lsass.exe:568 OpenKey HKLM\SAM\SAM\DOMAINS\Builtin\Groups\Names\juans NOT FOUND
lsass.exe:568 OpenKey HKLM\SAM\SAM\DOMAINS\Builtin\Aliases\Names\juans NOT FOUND
lsass.exe:568 OpenKey HKLM\SAM\SAM\DOMAINS\Builtin\Users\Names\juans NOT FOUND
lsass.exe:568 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Groups\Names\juans NOT FOUND
lsass.exe:568 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Aliases\Names\juans NOT FOUND
lsass.exe:568 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Users\Names\juans NOT FOUND
lsass.exe:568 CloseKey HKLM\SECURITY\Policy SUCCESS
### Here comes a definitive piece of data: the user SID of the old domain.
lsass.exe:568 OpenKey HKLM\Security\Recovery\S-1-5-21-1517441303-804621452-1457755469-2368 NOT FOUND
### As it fails, it looks like lsass "gives up". It returns user and password incorrect and then the system
### continues its way.
winlogon.exe:512 CloseKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon SUCCESS
winlogon.exe:512 OpenKey HKCU SUCCESS Access: 0x80000000
winlogon.exe:512 CloseKey HKCU SUCCESS
winlogon.exe:512 OpenKey HKCU SUCCESS Access: 0x80000000
winlogon.exe:512 CloseKey HKCU SUCCESS
svchost.exe:792 OpenKey HKLM\Software\Microsoft\COM3 SUCCESS Access: 0x20019
svchost.exe:792 QueryValue HKLM\Software\Microsoft\COM3\REGDBVersion SUCCESS 07 00 00 00 00 00 00 00
svchost.exe:792 CloseKey HKLM\Software\Microsoft\COM3 SUCCESS
svchost.exe:792 OpenKey HKLM\Software\Microsoft\COM3 SUCCESS Access: 0x20019
.
.
.
.
.
### Blah blah blah. Next cut is the result of a successful login. There are plenty of differences.
lsass.exe:568 OpenKey HKLM\SECURITY\Policy SUCCESS Access: 0x2001F
lsass.exe:568 OpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Access: 0x20019
lsass.exe:568 QueryValue HKLM\SECURITY\Policy\SecDesc\(Default) BUFFER OVERFLOW
lsass.exe:568 CloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS
lsass.exe:568 OpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Access: 0x20019
lsass.exe:568 QueryValue HKLM\SECURITY\Policy\SecDesc\(Default) SUCCESS NONE
lsass.exe:568 CloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS
lsass.exe:568 CloseKey HKLM\SECURITY\Policy SUCCESS
winlogon.exe:512 OpenKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon SUCCESS Access: 0x1
winlogon.exe:512 QueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceFriendlyUI NOT FOUND
winlogon.exe:512 CloseKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon SUCCESS
winlogon.exe:512 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system SUCCESS Access: 0x1
winlogon.exe:512 QueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ForceFriendlyUI NOT FOUND
winlogon.exe:512 CloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system SUCCESS
winlogon.exe:512 OpenKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon SUCCESS Access: 0x1
winlogon.exe:512 QueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\NoDomainUI NOT FOUND
winlogon.exe:512 CloseKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon SUCCESS
winlogon.exe:512 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon SUCCESS Access: 0x80000000
winlogon.exe:512 QueryValue HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\RasDisable NOT FOUND
winlogon.exe:512 QueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD SUCCESS 0x0
winlogon.exe:512 OpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System SUCCESS Access: 0x20019
winlogon.exe:512 QueryValue HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD NOT FOUND
winlogon.exe:512 CloseKey HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System SUCCESS
lsass.exe:568 OpenKey HKLM\SECURITY\Policy SUCCESS Access: 0x2001F
lsass.exe:568 OpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Access: 0x20019
lsass.exe:568 QueryValue HKLM\SECURITY\Policy\SecDesc\(Default) BUFFER OVERFLOW
lsass.exe:568 CloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS
lsass.exe:568 OpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Access: 0x20019
lsass.exe:568 QueryValue HKLM\SECURITY\Policy\SecDesc\(Default) SUCCESS NONE
lsass.exe:568 CloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS
lsass.exe:568 CloseKey HKLM\SECURITY\Policy SUCCESS
winlogon.exe:512 OpenKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon SUCCESS Access: 0x1
winlogon.exe:512 QueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceFriendlyUI NOT FOUND
winlogon.exe:512 CloseKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon SUCCESS
winlogon.exe:512 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system SUCCESS Access: 0x1
winlogon.exe:512 QueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ForceFriendlyUI NOT FOUND
winlogon.exe:512 CloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system SUCCESS
### It seems it's an important piece of data. While in the previous test lsass looks in each key of 'Cache',
### here it does it only once. It looks like it is happy with what it has found.
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$3 SUCCESS 0E 00 1E 00 0E 00 00 00 ...
### Then, lsass starts to act as usual.
lsass.exe:568 OpenKey HKLM\System\CurrentControlSet\Control\Lsa SUCCESS Access: 0x20019
lsass.exe:568 QueryValue HKLM\System\CurrentControlSet\Control\Lsa\NoDefaultAdminOwner SUCCESS 0x1
lsass.exe:568 CloseKey HKLM\System\CurrentControlSet\Control\Lsa SUCCESS
lsass.exe:568 OpenKey HKLM\System\CurrentControlSet\Control\ComputerName SUCCESS Access: 0x20019
lsass.exe:568 OpenKey HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName SUCCESS Access: 0x20019
lsass.exe:568 QueryValue HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName\ComputerName SUCCESS "XBA0668"
lsass.exe:568 CloseKey HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName SUCCESS
lsass.exe:568 CloseKey HKLM\System\CurrentControlSet\Control\ComputerName SUCCESS
### Winlogon gets everything it wants, so the system knows this user really exists and has everything it needs
### to let the user log on.
winlogon.exe:512 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList SUCCESS Access: 0x20019
winlogon.exe:512 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3737319058-609539873-3195808661-1368 SUCCESS Access: 0x2001F
winlogon.exe:512 QueryValue HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3737319058-609539873-3195808661-1368\NextLogonCacheable NOT FOUND
winlogon.exe:512 CloseKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList SUCCESS
winlogon.exe:512 CloseKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3737319058-609539873-3195808661-1368 SUCCESS
winlogon.exe:512 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\winlogon SUCCESS Access: 0x20019
winlogon.exe:512 QueryValue HKLM\Software\Microsoft\Windows NT\CurrentVersion\winlogon\SyncForegroundPolicy NOT FOUND
winlogon.exe:512 CloseKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\winlogon SUCCESS
winlogon.exe:512 OpenKey HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\winlogon NOT FOUND
winlogon.exe:512 OpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-3737319058-609539873-3195808661-1368 SUCCESS Access: 0x20019
winlogon.exe:512 QueryValue HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-3737319058-609539873-3195808661-1368\NextRefreshMode SUCCESS 0x2
winlogon.exe:512 QueryValue HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-3737319058-609539873-3195808661-1368\NextRefreshReason SUCCESS 0x0
winlogon.exe:512 CloseKey HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-3737319058-609539873-3195808661-1368 SUCCESS
winlogon.exe:512 OpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-3737319058-609539873-3195808661-1368 SUCCESS Access: 0x20019
winlogon.exe:512 QueryValue HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-3737319058-609539873-3195808661-1368\NextRefreshMode SUCCESS 0x2
winlogon.exe:512 QueryValue HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-3737319058-609539873-3195808661-1368\NextRefreshReason SUCCESS 0x0
winlogon.exe:512 CloseKey HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-3737319058-609539873-3195808661-1368 SUCCESS
### lsass gets some policies and values...
lsass.exe:568 OpenKey HKLM\System\CurrentControlSet\Control\Lsa SUCCESS Access: 0x1
lsass.exe:568 QueryValue HKLM\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous SUCCESS 0x0
lsass.exe:568 CloseKey HKLM\System\CurrentControlSet\Control\Lsa SUCCESS
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$3 SUCCESS 0E 00 1E 00 0E 00 00 00 ...
lsass.exe:568 OpenKey HKLM\SECURITY\Policy SUCCESS Access: 0x2001F
lsass.exe:568 OpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Access: 0x20019
lsass.exe:568 QueryValue HKLM\SECURITY\Policy\SecDesc\(Default) BUFFER OVERFLOW
lsass.exe:568 CloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS
lsass.exe:568 OpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Access: 0x20019
lsass.exe:568 QueryValue HKLM\SECURITY\Policy\SecDesc\(Default) SUCCESS NONE
lsass.exe:568 CloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS
lsass.exe:568 CloseKey HKLM\SECURITY\Policy SUCCESS
lsass.exe:568 OpenKey HKLM\System\CurrentControlSet\Control\Lsa SUCCESS Access: 0x20019
lsass.exe:568 QueryValue HKLM\System\CurrentControlSet\Control\Lsa\NoDefaultAdminOwner SUCCESS 0x1
lsass.exe:568 CloseKey HKLM\System\CurrentControlSet\Control\Lsa SUCCESS
lsass.exe:568 OpenKey HKLM\System\CurrentControlSet\Control\ComputerName SUCCESS Access: 0x20019
lsass.exe:568 OpenKey HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName SUCCESS Access: 0x20019
lsass.exe:568 QueryValue HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName\ComputerName SUCCESS "XBA0668"
lsass.exe:568 CloseKey HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName SUCCESS
lsass.exe:568 CloseKey HKLM\System\CurrentControlSet\Control\ComputerName SUCCESS
### ... and winlogon gets more values.
winlogon.exe:512 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList SUCCESS Access: 0x20019
winlogon.exe:512 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3737319058-609539873-3195808661-1368 SUCCESS Access: 0x2001F
winlogon.exe:512 SetValue HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3737319058-609539873-3195808661-1368\OptimizedLogonStatus SUCCESS 0x8
winlogon.exe:512 CloseKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList SUCCESS
winlogon.exe:512 CloseKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3737319058-609539873-3195808661-1368 SUCCESS
winlogon.exe:512 OpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System SUCCESS Access: 0x20019
winlogon.exe:512 QueryValue HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ScForceOption NOT FOUND
winlogon.exe:512 CloseKey HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System SUCCESS
winlogon.exe:512 QueryKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon BUFFER OVERFLOW
winlogon.exe:512 QueryValue HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\RestrictShell NOT FOUND
winlogon.exe:512 QueryKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon BUFFER OVERFLOW
winlogon.exe:512 QueryValue HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption SUCCESS "0"
winlogon.exe:512 CloseKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon SUCCESS
winlogon.exe:512 CreateKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon SUCCESS Access: 0x2000F
### Here it goes. The user name.
winlogon.exe:512 QueryValue HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName BUFFER OVERFLOW
winlogon.exe:512 SetValue HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName SUCCESS "username"
winlogon.exe:512 QueryKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon BUFFER OVERFLOW
winlogon.exe:512 QueryValue HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDomainName BUFFER OVERFLOW
winlogon.exe:512 SetValue HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDomainName SUCCESS "DOMAIN_SMB"
winlogon.exe:512 SetValue HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AltDefaultUserName SUCCESS "username"
winlogon.exe:512 QueryKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon BUFFER OVERFLOW
winlogon.exe:512 QueryValue HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AltDefaultDomainName BUFFER OVERFLOW
winlogon.exe:512 SetValue HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AltDefaultDomainName SUCCESS "DOMAIN_SMB"
winlogon.exe:512 QueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD SUCCESS 0x0
winlogon.exe:512 OpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System SUCCESS Access: 0x20019
winlogon.exe:512 QueryValue HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD NOT FOUND
winlogon.exe:512 CloseKey HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System SUCCESS
lsass.exe:568 OpenKey HKLM\SECURITY\Policy SUCCESS Access: 0x2001F
lsass.exe:568 OpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Access: 0x20019
lsass.exe:568 QueryValue HKLM\SECURITY\Policy\SecDesc\(Default) BUFFER OVERFLOW
lsass.exe:568 CloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS
lsass.exe:568 OpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Access: 0x20019
lsass.exe:568 QueryValue HKLM\SECURITY\Policy\SecDesc\(Default) SUCCESS NONE
lsass.exe:568 CloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS
lsass.exe:568 CloseKey HKLM\SECURITY\Policy SUCCESS
winlogon.exe:512 OpenKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon SUCCESS Access: 0x1
winlogon.exe:512 QueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceFriendlyUI NOT FOUND
winlogon.exe:512 CloseKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon SUCCESS
winlogon.exe:512 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system SUCCESS Access: 0x1
winlogon.exe:512 QueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ForceFriendlyUI NOT FOUND
winlogon.exe:512 CloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system SUCCESS
winlogon.exe:512 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon SUCCESS Access: 0x2000000
winlogon.exe:512 QueryValue HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning SUCCESS 0xE
winlogon.exe:512 CloseKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon SUCCESS
winlogon.exe:512 OpenKey HKCU NOT FOUND
winlogon.exe:512 OpenKey HKU\.Default SUCCESS Access: 0x2000000
winlogon.exe:512 CreateKey HKU\.Default\Software\Microsoft\Windows NT\CurrentVersion\Winlogon SUCCESS Access: 0x2001F
winlogon.exe:512 QueryValue HKU\.Default\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ReportDC SUCCESS 0x0
winlogon.exe:512 SetValue HKU\.Default\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ReportDC SUCCESS 0x0
winlogon.exe:512 CloseKey HKU\.Default\Software\Microsoft\Windows NT\CurrentVersion\Winlogon SUCCESS
winlogon.exe:512 CloseKey HKU\.Default SUCCESS
### I think the rest is not relevant. The system allows the log on and builds the environment.
### I chose the previous lines because, of all the registry activity I have seen (and I have seen A LOT!),
### these values look weird to me.
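Added example, not from the original post or from Samba: a small Python parser for regmon-style lines like the ones above that compares a failed and a successful logon trace the way a defender triaging this would, reporting how many HKLM\SECURITY\Cache\NL$<n> slots (the cached domain logon entries) lsass walked and whether the SIDs each trace touched share one domain prefix (the SID without its trailing RID). All function names are my own, and the two sample traces are constructed by trimming the two cuts in the post.

```python
import re
from collections import defaultdict

# One regmon-style line: "<process>:<pid> <op> <path> <result> [<detail>]".
# Paths may contain spaces ("Windows NT"), so the path is matched lazily up
# to one of the result tokens regmon prints.
LINE_RE = re.compile(
    r"^(?P<proc>\S+):(?P<pid>\d+)\s+(?P<op>\w+)\s+(?P<path>.+?)\s+"
    r"(?P<result>SUCCESS|NOT FOUND|BUFFER OVERFLOW|ACCESS DENIED)"
    r"(?:\s+(?P<detail>.*))?$"
)
CACHE_RE = re.compile(r"^HKLM\\SECURITY\\Cache\\NL\$(\d+)$", re.IGNORECASE)
SID_RE = re.compile(r"S-1-5-21-\d+-\d+-\d+-\d+")

# Constructed sample traces: trimmed copies of the two cuts in the post.
FAILED_TRACE = r"""
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$3 SUCCESS 0E 00 1E 00 0E 00 00 00 ...
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$2 SUCCESS 0E 00 1E 00 0E 00 1A 00 ...
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$1 SUCCESS 0C 00 1E 00 0C 00 1A 00 ...
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$10 SUCCESS 0E 00 1E 00 0E 00 00 00 ...
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$9 SUCCESS 0C 00 1E 00 0C 00 1A 00 ...
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$8 BUFFER OVERFLOW
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$8 SUCCESS 0E 00 1E 00 0E 00 44 00 ...
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$7 SUCCESS 0C 00 1E 00 0C 00 1A 00 ...
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$6 SUCCESS 06 00 1E 00 06 00 1A 00 ...
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$5 SUCCESS 0C 00 1E 00 0C 00 1A 00 ...
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$4 BUFFER OVERFLOW
lsass.exe:568 OpenKey HKLM\SAM\SAM\DOMAINS\Account\Users\Names\juans NOT FOUND
lsass.exe:568 OpenKey HKLM\Security\Recovery\S-1-5-21-1517441303-804621452-1457755469-2368 NOT FOUND
"""
OK_TRACE = r"""
lsass.exe:568 QueryValue HKLM\SECURITY\Cache\NL$3 SUCCESS 0E 00 1E 00 0E 00 00 00 ...
winlogon.exe:512 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3737319058-609539873-3195808661-1368 SUCCESS Access: 0x2001F
winlogon.exe:512 SetValue HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDomainName SUCCESS "DOMAIN_SMB"
"""

def parse(text):
    """Turn trace text into event dicts; lines that do not match are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            events.append(m.groupdict())
    return events

def domain_part(sid):
    """Drop the trailing RID; what remains identifies the issuing domain."""
    return sid.rsplit("-", 1)[0]

def cache_slots(events):
    """Distinct NL$<n> cached-logon slots that lsass queried."""
    slots = set()
    for e in events:
        if e["proc"].lower() == "lsass.exe" and e["op"] == "QueryValue":
            m = CACHE_RE.match(e["path"])
            if m:
                slots.add(int(m.group(1)))
    return sorted(slots)

def sids_by_domain(events):
    """Map domain prefix -> {full SID -> set of results seen for that SID}."""
    seen = defaultdict(lambda: defaultdict(set))
    for e in events:
        for sid in SID_RE.findall(e["path"]):
            seen[domain_part(sid)][sid].add(e["result"])
    return seen

def compare(failed_text, ok_text):
    """Summarise what differs between a failed and a successful logon trace."""
    failed, ok = parse(failed_text), parse(ok_text)
    f_dom, o_dom = sids_by_domain(failed), sids_by_domain(ok)
    return {
        "failed_cache_slots": len(cache_slots(failed)),
        "ok_cache_slots": len(cache_slots(ok)),
        "failed_domains": sorted(f_dom),
        "ok_domains": sorted(o_dom),
        "same_domain": set(f_dom) == set(o_dom),
        "failed_not_found_sids": sorted(
            sid for d in f_dom.values() for sid, r in d.items() if "NOT FOUND" in r),
    }

if __name__ == "__main__":
    for key, value in compare(FAILED_TRACE, OK_TRACE).items():
        print(f"{key}: {value}")
```

On the constructed traces the failed logon walks all ten cache slots and touches a SID from one domain prefix, while the successful logon reads a single slot and touches a SID from a different prefix, which is the mismatch the comments above point at.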