the system cannot find the file specified

    Question

  • Morning everyone! I have a little problem (so much for "little") on a server.

    When I go to launch any file with Run As I get the message in the subject, whether I do it from the GUI or launch it from cmd.

    I read the MS article about it; it tells me to check for a registry key under HKLM\SOFTWARE\Microsoft\Ole. Yes, but which one?! There are 4 or 5 of them.

    I can't reformat the server, it has applications that are important for my company.


    Thanks a lot
    Thursday, 10 May 2012 07:18

All replies

  • Do you have the file runas.exe in the %windir%\system32 folder?


    Edoardo Benussi
    Microsoft MVP - Management Infrastructure
    edo[at]mvps[dot]org

    Thursday, 10 May 2012 08:29
  • Yes indeed, and if I launch it from the shell it works.

    Thanks a lot!!

    Thursday, 10 May 2012 10:06
  • Which operating system is installed? Windows Server 2003?

    Thursday, 10 May 2012 12:51
  • Server 2003 with SP2

    Thanks, thanks

    Thursday, 10 May 2012 12:53
  • Have you tried running the command on local files too? That error message could be normal if, for example, you are in a network path (the file path is not passed to the executable correctly).
    Thursday, 10 May 2012 13:50
  • On local files too, and even if I launch CMD!
    Thursday, 10 May 2012 14:02
  • At this point, are you sure the runas.exe file hasn't been replaced? That could happen because of malware, for example.

    Thursday, 10 May 2012 14:40
  • Should I take a runas from another server?
    Thursday, 10 May 2012 15:17
  • Or restore it from the installation CD using the "expand" command ( http://technet.microsoft.com/en-us/library/cc722332(v=ws.10).aspx ).
    Thursday, 10 May 2012 16:11
  • Copied and pasted from another working server ... nothing! :(
    Friday, 11 May 2012 07:30
  • I think the problem is due to a wrong registry key, namely the one that handles open -> runas; I think it is not set to use the runas.exe file in %windir%\system32 but something else.

    Edoardo Benussi
    Microsoft MVP - Management Infrastructure
    edo[at]mvps[dot]org

    Friday, 11 May 2012 07:47
  • Do you have any idea which key it is, or where I could find a list?

    Thanks a lot

    Friday, 11 May 2012 07:58
  • There is one thing I don't quite understand though... if you launch c:\windows\system32\runas.exe from the prompt, does it work correctly? The answers seem contradictory to me.

    Friday, 11 May 2012 08:13
  • There is one thing I don't quite understand though... if you launch c:\windows\system32\runas.exe from the prompt, does it work correctly? The answers seem contradictory to me.

    The command is recognised; if I launch "runas /?" there's no problem, it shows the help. But when I try to run "runas /user:Administrator cmd" I get the error: "the system cannot find the file specified".

    I hope I've explained myself properly now.

    Bye and thanks to you too, guys, what a community, all so kind ... and so many of you! :D

    THANKS EVERYONE!

    Friday, 11 May 2012 08:18
  • Then in my opinion it can't be just a context-menu problem; to be safe, check all the environment variables carefully, I think something is missing. In particular check the contents of the PATH variable.

    Here you can find all the default values: http://best-windows.vlaurie.com/environment-variables.html


    Friday, 11 May 2012 09:03
  • Try running this command exactly as written: 

     c:\windows\system32\runas.exe  runas /user:Administrator "c:\windows\system32\cmd.exe" 

    then try whether shellrunas works (let's try a workaround)

    http://technet.microsoft.com/en-us/sysinternals/cc300361


    Gastone Canali >http://www.armadillo.it

    If some posts answer your question (not necessarily mine), remember to mark them as answers, and don't forget to mark the useful posts too. THANKS!

    Friday, 11 May 2012 09:42
  • the variables are OK, here they are:

    ALLUSERSPROFILE=C:\Documents and Settings\All Users
    APPDATA=C:\Documents and Settings\MIAMATRICOLA\Application Data
    CLIENTNAME=PIPPO-C9FFFB4
    ClusterLog=C:\WINDOWS\Cluster\cluster.log
    CommonProgramFiles=C:\Program Files\Common Files
    COMPUTERNAME=RM9VL20WS102
    ComSpec=C:\WINDOWS\system32\cmd.exe
    FP_NO_HOST_CHECK=NO
    HOMEDRIVE=C:
    HOMEPATH=\Documents and Settings\MIAMATRICOLA
    LOGONSERVER=\\NOMELOGONSERVER
    NUMBER_OF_PROCESSORS=1
    OS=Windows_NT
    Path=D:\ORACLE\ORA92\bin;C:\Program Files\Oracle\jre\1.3.1\bin;C:\Program Files\Oracle\jre\1.1.8\bin;F:\oracle\ora92\bin;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
    PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    PROCESSOR_ARCHITECTURE=x86
    PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 3, GenuineIntel
    PROCESSOR_LEVEL=15
    PROCESSOR_REVISION=0403
    ProgramFiles=C:\Program Files
    PROMPT=$P$G
    SESSIONNAME=RDP-Tcp#79
    SystemDrive=C:
    SystemRoot=C:\WINDOWS
    TEMP=C:\DOCUME~1\MIAMATRICOLA\LOCALS~1\Temp
    TMP=C:\DOCUME~1\MIAMATRICOLA\LOCALS~1\Temp
    USERDNSDOMAIN=DOMINIODELLAAZIENDA.LOCAL
    USERDOMAIN=DOMINIODELLAAZIENDA
    USERNAME=MIAMATRICOLA
    USERPROFILE=C:\Documents and Settings\MIAMATRICOLA
    WF_RESOURCES=D:\ORACLE\ORA92\WF\RES\WFus.RES
    windir=C:\WINDOWS

    Friday, 11 May 2012 10:23
  • Yes, they look OK. Then I'd say do a test with the ShellRunAs Gastone suggested, to see whether the error is independent of it.

    Friday, 11 May 2012 10:31
  • Exact same error:

    Friday, 11 May 2012 11:49
  • What happens instead if you pass it c:\windows\system32\cmd.exe as the parameter?
    Friday, 11 May 2012 12:39
  • It prompts me for credentials; once entered, same error.
    Friday, 11 May 2012 12:43
  • At this point, first try runas.exe from the prompt with the "/env" parameter as well: http://codeimprovements.wordpress.com/2012/03/26/runas-cant-execute-the-copy-command-the-system-cannot-find-the-file-specified/

    If it still doesn't work, try using the command from another user profile. Are there any group policies applied?

    • Marked as answer by Andrea(ilcress) Thursday, 17 May 2012 10:13
    • Unmarked as answer by Andrea(ilcress) Thursday, 17 May 2012 10:14
    Saturday, 12 May 2012 16:52
  • Try the following command, which will use the current user's environment variables (whose were the ones you posted earlier?) and won't load the profile:

    runas /env /noprofile  /user:administrator  c:\windows\system32\cmd.exe

    If the usual "not found" shows up, I'd monitor with procmon to see what it looks for and what it doesn't find.


    Gastone Canali >http://www.armadillo.it

    Saturday, 12 May 2012 17:58
  • No result:


    Actually I had attached the variables from my own profile (silly me), here are Administrator's:

    ALLUSERSPROFILE=C:\Documents and Settings\All Users
    APPDATA=C:\Documents and Settings\Administrator\Application Data
    CLIENTNAME=CLIENT_CONNESSO
    ClusterLog=C:\WINDOWS\Cluster\cluster.log
    CommonProgramFiles=C:\Program Files\Common Files
    COMPUTERNAME=HOSTNAME_DEL_SERVER
    ComSpec=C:\WINDOWS\system32\cmd.exe
    FP_NO_HOST_CHECK=NO
    HOMEDRIVE=C:
    HOMEPATH=\Documents and Settings\Administrator
    LOGONSERVER=\\HOSTNAME_DEL_SERVER
    NUMBER_OF_PROCESSORS=1
    OS=Windows_NT
    Path=D:\ORACLE\ORA92\bin;C:\Program Files\Oracle\jre\1.3.1\bin;C:\Program Files\Oracle\jre\1.1.8\bin;F:\oracle\ora92\bin;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
    PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    PROCESSOR_ARCHITECTURE=x86
    PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 3, GenuineIntel
    PROCESSOR_LEVEL=15
    PROCESSOR_REVISION=0403
    ProgramFiles=C:\Program Files
    PROMPT=$P$G
    SESSIONNAME=RDP-Tcp#3
    SystemDrive=C:
    SystemRoot=C:\WINDOWS
    TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
    TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
    USERDOMAIN=HOSTNAME_DEL_SERVER
    USERNAME=Administrator
    USERPROFILE=C:\Documents and Settings\Administrator
    WF_RESOURCES=D:\ORACLE\ORA92\WF\RES\WFus.RES
    windir=C:\WINDOWS
    Thursday, 17 May 2012 10:13
  • At this point, first try runas.exe from the prompt with the "/env" parameter as well: http://codeimprovements.wordpress.com/2012/03/26/runas-cant-execute-the-copy-command-the-system-cannot-find-the-file-specified/

    If it still doesn't work, try using the command from another user profile. Are there any group policies applied?

    Yes, but on other machines attached to the same OU there are no problems.
    Thursday, 17 May 2012 10:14
  • Does it work correctly with a different user profile on the same machine? Also do a test with the current user on a machine that works correctly.
    Thursday, 17 May 2012 10:17
  • Does it work correctly with a different user profile on the same machine? Also do a test with the current user on a machine that works correctly.

    No

    I can't, I use administrator. "The" administrator works

    Thursday, 17 May 2012 10:19
  • If you have the same problem with a different user on the same machine, I'd say a user-profile problem can be ruled out. Have you also tried logging on to that machine with a test user not linked to any GPO? Just to understand whether it could be anomalous behaviour of the policies when they are applied on that computer.
    Thursday, 17 May 2012 10:40
  • If you have the same problem with a different user on the same machine, I'd say a user-profile problem can be ruled out. Have you also tried logging on to that machine with a test user not linked to any GPO? Just to understand whether it could be anomalous behaviour of the policies when they are applied on that computer.
    Alas, I can't use other accounts; the company I work for is very large and has very strict security policies. :(
    Thursday, 17 May 2012 11:28
  • Alas, I can't use other accounts; the company I work for is very large and has very strict security policies. :(

    So you don't have permission to create a test user on the domain or to manage the group policies?
    Thursday, 17 May 2012 11:32
  • Alas, I can't use other accounts; the company I work for is very large and has very strict security policies. :(


    So you don't have permission to create a test user on the domain or to manage the group policies?

    Well, I can read and modify the GPOs. Not all of them.

    As for accounts, I can't create them.

    Thursday, 17 May 2012 11:43
  • It has surely been checked already, but is the "Secondary Logon" service running?
    Thursday, 17 May 2012 11:58
  • It has surely been checked already, but is the "Secondary Logon" service running?
    YES!
    Thursday, 17 May 2012 12:12
  • I think all you have left is debugging...

    "I'd monitor with procmon to see what it looks for and what it doesn't find"


    Gastone Canali >http://www.armadillo.it

    Friday, 18 May 2012 12:25
  • I think all you have left is debugging...

    "I'd monitor with procmon to see what it looks for and what it doesn't find"


    Gastone Canali >http://www.armadillo.it

    Ok, can you help me use the tool please? It gives me back a flood of data.

    Thanks

    Tuesday, 22 May 2012 07:48
  • You have to exclude all the processes you're not interested in; try starting from here

    Gastone Canali >http://www.armadillo.it

    Tuesday, 22 May 2012 12:46
  • Do you think these are enough?

    "Time of Day","Process Name","PID","Operation","Path","Result","Detail"
    "5:15:06.6950603 PM","runas.exe","2232","CloseFile","C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.4770_x-ww_05FDF087","SUCCESS",""
    "5:15:06.6952550 PM","runas.exe","2232","RegOpenKey","HKLM\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize","SUCCESS",""
    "5:15:06.6953131 PM","runas.exe","2232","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles","NAME NOT FOUND","Length: 20"
    "5:15:06.6953290 PM","runas.exe","2232","RegCloseKey","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize","SUCCESS",""
    "5:15:06.6954162 PM","runas.exe","2232","Thread Exit","","SUCCESS","Thread ID: 2248, User Time: 0.0000000, Kernel Time: 0.0156250"
    "5:15:06.6956388 PM","runas.exe","2232","Process Exit","","SUCCESS","Exit Status: 1, User Time: 0.0000000 seconds, Kernel Time: 0.0156250 seconds, Private Bytes: 679,936, Peak Private Bytes: 688,128, Working Set: 2,977,792, Peak Working Set: 3,076,096"
    "5:15:06.6956553 PM","runas.exe","2232","RegCloseKey","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options","SUCCESS",""
    "5:15:06.6956712 PM","runas.exe","2232","RegCloseKey","HKCU","SUCCESS",""
    "5:15:06.6956916 PM","runas.exe","2232","CloseFile","C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.4770_x-ww_05FDF087","SUCCESS",""
    "5:15:06.6957302 PM","runas.exe","2232","CloseFile","C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.4770_x-ww_05FDF087","SUCCESS",""
    "5:15:06.6957704 PM","runas.exe","2232","RegCloseKey","HKLM","SUCCESS",""
    "5:15:06.6957891 PM","runas.exe","2232","RegCloseKey","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions","SUCCESS",""
    "5:15:06.6958274 PM","runas.exe","2232","CloseFile","C:\","SUCCESS",""
    "5:15:06.6963803 PM","cmd.exe","1720","RegOpenKey","HKCU","SUCCESS",""
    "5:15:06.6964063 PM","cmd.exe","1720","RegOpenKey","HKCU\Software\Policies\Microsoft\Control Panel\Desktop","NAME NOT FOUND",""
    "5:15:06.6964258 PM","cmd.exe","1720","RegOpenKey","HKCU\Control Panel\Desktop","SUCCESS",""
    "5:15:06.6964482 PM","cmd.exe","1720","RegQueryValue","HKCU\Control Panel\Desktop\MultiUILanguageId","NAME NOT FOUND","Length: 256"
    "5:15:06.6964686 PM","cmd.exe","1720","RegCloseKey","HKCU\Control Panel\Desktop","SUCCESS",""
    "5:15:06.6964817 PM","cmd.exe","1720","RegCloseKey","HKCU","SUCCESS",""

    Thanks a lot

    Monday, 28 May 2012 15:19
  • I looked at the lines, but debugging is very difficult... remotely even worse; offhand the lines also look too few to me ...

    you only need to pay attention to the ...NOT FOUND.. ...ACCESS DENIED... ones; discard the SUCCESS ones


    Gastone Canali >http://www.armadillo.it

    Friday, 1 June 2012 09:24
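An added example (not code from the thread, nor a Microsoft or Sysinternals tool) that applies the advice above to a Process Monitor CSV export in the layout pasted earlier: it drops the SUCCESS rows, sets aside the registry and manifest probing that every process does, folds cmd.exe's walk through the current directory and PATH into one line per searched name, and reads the exit code off the Process Exit row. The CSV sample is constructed in the same column layout, and the list of routine probe locations is an assumed heuristic.

```python
"""Triage a Process Monitor CSV export along the lines suggested in the
thread: drop SUCCESS rows, set aside the routine probing every process does,
collapse cmd.exe's walk through PATH, and pull the exit status out of the
'Process Exit' row.

Added example, not code from the thread. SAMPLE_CSV is constructed in the
column layout the poster pasted; ROUTINE_PROBES is an assumed heuristic.
"""
import csv
import io
import re
from collections import defaultdict

PROCMON_COLUMNS = ("Time of Day", "Process Name", "PID", "Operation",
                   "Path", "Result", "Detail")

# Constructed sample (not the real trace), same layout as the poster's export.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"5:15:06.6952550 PM","cmd.exe","1720","RegOpenKey","HKCU\Control Panel\Desktop","SUCCESS",""
"5:15:06.6953131 PM","cmd.exe","1720","QueryDirectory","C:\Documents and Settings\someuser\runas.*","NO SUCH FILE","Filter: runas.*"
"5:15:06.6953290 PM","cmd.exe","1720","QueryDirectory","D:\ORACLE\ORA92\bin\runas.*","NO SUCH FILE","Filter: runas.*"
"5:15:06.6954162 PM","cmd.exe","1720","CreateFile","C:\WINDOWS\system32\runas.exe.Manifest","NAME NOT FOUND","Desired Access: Generic Read/Execute, Disposition: Open"
"5:15:06.6956388 PM","runas.exe","2232","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles","NAME NOT FOUND","Length: 20"
"5:15:06.6956553 PM","runas.exe","2232","CreateFile","C:\WINDOWS\system32\cmd.exe","ACCESS DENIED","Desired Access: Generic Read/Execute, Disposition: Open"
"5:15:06.6956712 PM","runas.exe","2232","RegCloseKey","HKCU","SUCCESS",""
"5:15:06.6957302 PM","runas.exe","2232","Process Exit","","SUCCESS","Exit Status: 1, User Time: 0.0000000 seconds, Kernel Time: 0.0156250 seconds, Private Bytes: 679,936"
'''

# Locations that the loader, the shim engine and policy code probe in every
# process; NAME NOT FOUND there is normal and not the failure being hunted.
# Assumed heuristic: extend it for your own environment.
ROUTINE_PROBES = (
    r"\\AppCompatFlags\\",
    r"\\Image File Execution Options\\",
    r"\\SideBySide\\",
    r"\\Software\\Policies\\",
    r"\\SafeBoot\\",
    r"\\GRE_Initialize\\",
    r"\\MultiUILanguageId$",
    r"\.Manifest$",
    r"\.Local$",
)
ROUTINE_RE = re.compile("|".join(ROUTINE_PROBES), re.IGNORECASE)


def parse_procmon_csv(text):
    """Parse a procmon CSV export (header row, every field quoted) into dicts."""
    rows = list(csv.DictReader(io.StringIO(text)))
    if rows:
        missing = [c for c in PROCMON_COLUMNS if c not in rows[0]]
        if missing:
            raise ValueError("not a procmon export, missing columns: %s" % missing)
    return rows


def failures(events):
    """Everything whose Result is not SUCCESS: the rows worth reading at all."""
    return [e for e in events if e["Result"] != "SUCCESS"]


def exit_statuses(events):
    """Map (process name, pid) to the exit code on its Process Exit row."""
    out = {}
    for e in events:
        if e["Operation"] == "Process Exit":
            m = re.search(r"Exit Status:\s*(-?\d+|0x[0-9A-Fa-f]+)", e["Detail"])
            if m:
                code = m.group(1)
                out[(e["Process Name"], e["PID"])] = (
                    int(code, 16) if code.lower().startswith("0x") else int(code))
    return out


def collapse_path_search(events):
    """Fold the QueryDirectory / NO SUCH FILE rows that cmd.exe produces while
    walking the current directory and PATH into one entry per searched name,
    listing the directories tried. Returns (searches, remaining_events)."""
    searched = defaultdict(list)
    rest = []
    for e in events:
        m = re.match(r"Filter:\s*(\S+)", e["Detail"])
        if e["Operation"] == "QueryDirectory" and e["Result"] == "NO SUCH FILE" and m:
            searched[m.group(1)].append(e["Path"].rsplit("\\", 1)[0])
        else:
            rest.append(e)
    return dict(searched), rest


def triage(text):
    """Return (worth_a_look, routine, path_searches, exit_codes) for one export."""
    events = parse_procmon_csv(text)
    searches, remaining = collapse_path_search(failures(events))
    routine = [e for e in remaining if ROUTINE_RE.search(e["Path"])]
    worth = [e for e in remaining if not ROUTINE_RE.search(e["Path"])]
    return worth, routine, searches, exit_statuses(events)


if __name__ == "__main__":
    worth, routine, searches, exits = triage(SAMPLE_CSV)
    for name, dirs in searches.items():
        print("searched %d directories for %s, last: %s" % (len(dirs), name, dirs[-1]))
    for e in worth:
        print("LOOK AT: %s(%s) %s %s -> %s" % (e["Process Name"], e["PID"],
                                              e["Operation"], e["Path"], e["Result"]))
    print("%d routine probes hidden" % len(routine))
    for (proc, pid), code in exits.items():
        print("%s(%s) exited with status %d" % (proc, pid, code))
```

Run it on a real export with `triage(open(path).read())`; the routine list is only a starting point, so move entries between the two buckets as you learn what that machine normally probes.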
  • Here you go, and sorry for the delay:

    «START OF PART 1/4»
    
    1:27:18.6320447 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:18.6323180 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:18.6325328 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:19.1187633 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:19.1194349 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:19.1208446 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:19.1213106 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:19.1910264 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:19.1929283 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:19.1935580 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:19.1940206 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:19.9126002 PM	ccApp.exe	6908	RegOpenKey	HKLM\Software\Symantec\Common Client\WorkingSetGarbageCollector	NAME NOT FOUND	
    1:27:20.2278448 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:20.2285057 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:20.2297380 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:20.2302113 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:20.2643371 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:20.2650065 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:20.2663826 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:20.2668517 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:20.4156628 PM	cmd.exe	7240	RegOpenKey	HKCU\Software\Policies\Microsoft\Control Panel\Desktop	NAME NOT FOUND	
    1:27:20.4178077 PM	cmd.exe	7240	RegQueryValue	HKCU\Control Panel\Desktop\MultiUILanguageId	NAME NOT FOUND	Length: 256
    1:27:20.4194697 PM	cmd.exe	7240	QueryDirectory	C:\Documents and Settings\MIA_MATRICOLA\runas.*	NO SUCH FILE	Filter: runas.*
    1:27:20.4201536 PM	cmd.exe	7240	QueryDirectory	C:\Documents and Settings\MIA_MATRICOLA\runas	NO SUCH FILE	Filter: runas
    1:27:20.4209973 PM	cmd.exe	7240	QueryDirectory	D:\ORACLE\ORA92\bin\runas.*	NO SUCH FILE	Filter: runas.*
    1:27:20.4216778 PM	cmd.exe	7240	QueryDirectory	D:\ORACLE\ORA92\bin\runas	NO SUCH FILE	Filter: runas
    1:27:20.4225656 PM	cmd.exe	7240	QueryDirectory	C:\Program Files\Oracle\jre\1.3.1\bin\runas.*	NO SUCH FILE	Filter: runas.*
    1:27:20.4235716 PM	cmd.exe	7240	QueryDirectory	C:\Program Files\Oracle\jre\1.3.1\bin\runas	NO SUCH FILE	Filter: runas
    1:27:20.4255557 PM	cmd.exe	7240	QueryDirectory	C:\Program Files\Oracle\jre\1.1.8\bin\runas.*	NO SUCH FILE	Filter: runas.*
    1:27:20.4267050 PM	cmd.exe	7240	QueryDirectory	C:\Program Files\Oracle\jre\1.1.8\bin\runas	NO SUCH FILE	Filter: runas
    1:27:20.4290254 PM	cmd.exe	7240	QueryDirectory	C:\WINDOWS\system32\runas.COM	NO SUCH FILE	Filter: runas.COM
    1:27:20.4331901 PM	cmd.exe	7240	RegOpenKey	HKLM\System\CurrentControlSet\Control\Session Manager\AppCertDlls	REPARSE	
    1:27:20.4332186 PM	cmd.exe	7240	RegOpenKey	HKLM\System\CurrentControlSet\Control\Session Manager\AppCertDlls	NAME NOT FOUND	
    1:27:20.4362612 PM	svchost.exe	812	CreateFile	C:\WINDOWS\AppPatch\systest.sdb	NAME NOT FOUND	Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, AllocationSize: n/a, Impersonating: company\MIA_MATRICOLA
    1:27:20.4404316 PM	svchost.exe	812	RegQueryValue	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\C:\WINDOWS\system32\runas.exe	NAME NOT FOUND	Length: 1,024
    1:27:20.4416594 PM	svchost.exe	812	RegOpenKey	HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers	NAME NOT FOUND	
    1:27:20.4416842 PM	svchost.exe	812	RegOpenKey	HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\runas.exe	NAME NOT FOUND	
    1:27:20.4463340 PM	svchost.exe	812	RegOpenKey	HKCU\Software\Policies\Microsoft\Control Panel\Desktop	NAME NOT FOUND	
    1:27:20.4469070 PM	svchost.exe	812	RegQueryValue	HKCU\Control Panel\Desktop\MultiUILanguageId	NAME NOT FOUND	Length: 256
    1:27:20.4475367 PM	svchost.exe	812	RegOpenKey	HKCU\Software\Policies\Microsoft\Control Panel\Desktop	NAME NOT FOUND	
    1:27:20.4480325 PM	svchost.exe	812	RegQueryValue	HKCU\Control Panel\Desktop\MultiUILanguageId	NAME NOT FOUND	Length: 256
    1:27:20.4532547 PM	svchost.exe	812	RegOpenKey	HKCU\Software\Policies\Microsoft\Control Panel\Desktop	NAME NOT FOUND	
    1:27:20.4532947 PM	svchost.exe	812	RegQueryValue	HKCU\Control Panel\Desktop\MultiUILanguageId	NAME NOT FOUND	Length: 256
    1:27:20.4545029 PM	svchost.exe	812	RegOpenKey	HKCU\Software\Policies\Microsoft\Control Panel\Desktop	NAME NOT FOUND	
    1:27:20.4559078 PM	svchost.exe	812	RegQueryValue	HKCU\Control Panel\Desktop\MultiUILanguageId	NAME NOT FOUND	Length: 256
    1:27:20.4579318 PM	svchost.exe	812	RegQueryValue	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\{a378915e-1ce4-46c9-bdaf-01a67bccbddf}	NAME NOT FOUND	Length: 1,024
    1:27:20.4593960 PM	svchost.exe	812	RegOpenKey	HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags	NAME NOT FOUND	
    1:27:20.4597547 PM	cmd.exe	7240	RegOpenKey	HKLM\System\CurrentControlSet\Control\SafeBoot\Option	REPARSE	
    1:27:20.4612420 PM	cmd.exe	7240	RegOpenKey	HKLM\System\CurrentControlSet\Control\SafeBoot\Option	NAME NOT FOUND	
    1:27:20.4619279 PM	cmd.exe	7240	RegQueryValue	HKLM\SOFTWARE\Policies\Microsoft\windows\safer\codeidentifiers\TransparentEnabled	NAME NOT FOUND	Length: 80
    1:27:20.4623609 PM	cmd.exe	7240	RegOpenKey	HKCU\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	NAME NOT FOUND	
    1:27:20.4623883 PM	cmd.exe	7240	RegOpenKey	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runas.exe	NAME NOT FOUND	
    1:27:20.4632088 PM	cmd.exe	7240	RegQueryValue	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest	NAME NOT FOUND	Length: 20
    1:27:20.4637510 PM	cmd.exe	7240	CreateFile	C:\WINDOWS\system32\runas.exe.Manifest	NAME NOT FOUND	Desired Access: Generic Read/Execute, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, AllocationSize: n/a
    1:27:20.4638957 PM	cmd.exe	7240	RegOpenKey	HKLM\System\CurrentControlSet\Control\Session Manager	REPARSE	
    1:27:20.4645338 PM	cmd.exe	7240	RegQueryValue	HKLM\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode	NAME NOT FOUND	Length: 16
    1:27:20.4733519 PM	cmd.exe	7240	QueryNameInformationFile	C:\WINDOWS\system32\runas.exe	BUFFER OVERFLOW	Name: \W
    1:27:20.4831320 PM	runas.exe	8188	RegOpenKey	HKLM\System\CurrentControlSet\Control\Session Manager	REPARSE	
    1:27:20.4831862 PM	runas.exe	8188	RegQueryValue	HKLM\System\CurrentControlSet\Control\Session Manager\CWDIllegalInDLLSearch	NAME NOT FOUND	Length: 1,024
    1:27:20.4846919 PM	runas.exe	8188	QueryOpen	C:\WINDOWS\system32\runas.exe.Local	NAME NOT FOUND	
    1:27:20.4910467 PM	runas.exe	8188	RegOpenKey	HKLM\System\CurrentControlSet\Control\SafeBoot\Option	REPARSE	
    1:27:20.4915794 PM	runas.exe	8188	RegOpenKey	HKLM\System\CurrentControlSet\Control\SafeBoot\Option	NAME NOT FOUND	
    1:27:20.4919630 PM	runas.exe	8188	RegQueryValue	HKLM\SOFTWARE\Policies\Microsoft\windows\safer\codeidentifiers\TransparentEnabled	NAME NOT FOUND	Length: 80
    1:27:20.4920060 PM	runas.exe	8188	RegOpenKey	HKCU\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers	NAME NOT FOUND	
    1:27:20.5036575 PM	runas.exe	8188	RegOpenKey	HKLM\System\CurrentControlSet\Control\SafeBoot\Option	REPARSE	
    1:27:20.5040290 PM	runas.exe	8188	RegOpenKey	HKLM\System\CurrentControlSet\Control\SafeBoot\Option	NAME NOT FOUND	
    1:27:20.5040508 PM	runas.exe	8188	RegOpenKey	HKLM\System\CurrentControlSet\Control\Session Manager\AppCompatibility	REPARSE	
    1:27:20.5040709 PM	runas.exe	8188	RegOpenKey	HKLM\System\CurrentControlSet\Control\Session Manager\AppCompatibility	NAME NOT FOUND	
    1:27:20.5044017 PM	runas.exe	8188	RegOpenKey	HKLM\Software\Policies\Microsoft\Windows\AppCompat	NAME NOT FOUND	
    1:27:20.5055974 PM	runas.exe	8188	CreateFile	C:\WINDOWS\AppPatch\systest.sdb	NAME NOT FOUND	Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, AllocationSize: n/a
    1:27:20.5057116 PM	runas.exe	8188	RegOpenKey	HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags	NAME NOT FOUND	
    1:27:20.5063749 PM	runas.exe	8188	RegQueryValue	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\msvcrt.dll	NAME NOT FOUND	Length: 1,024
    1:27:20.5077865 PM	runas.exe	8188	RegQueryValue	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\Secur32.dll	NAME NOT FOUND	Length: 1,024
    1:27:20.5089425 PM	runas.exe	8188	RegQueryValue	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\RPCRT4.dll	NAME NOT FOUND	Length: 1,024
    1:27:20.5089802 PM	runas.exe	8188	RegQueryValue	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\ADVAPI32.dll	NAME NOT FOUND	Length: 1,024
    1:27:20.5102242 PM	runas.exe	8188	RegQueryValue	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LeakTrack	NAME NOT FOUND	Length: 144
    1:27:20.5115481 PM	runas.exe	8188	RegOpenKey	HKLM\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics	NAME NOT FOUND	
    1:27:20.5127606 PM	runas.exe	8188	RegQueryValue	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\GDI32.dll	NAME NOT FOUND	Length: 1,024
    1:27:20.5127846 PM	runas.exe	8188	RegQueryValue	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\USER32.dll	NAME NOT FOUND	Length: 1,024
    1:27:20.5139448 PM	runas.exe	8188	RegOpenKey	HKLM\System\CurrentControlSet\Control\Error Message Instrument	REPARSE	
    1:27:20.5139674 PM	runas.exe	8188	RegOpenKey	HKLM\System\CurrentControlSet\Control\Error Message Instrument	NAME NOT FOUND	
    1:27:20.5148120 PM	runas.exe	8188	RegQueryValue	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles	NAME NOT FOUND	Length: 20
    1:27:20.5154445 PM	runas.exe	8188	RegQueryValue	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Compatibility32\runas	NAME NOT FOUND	Length: 172
    1:27:20.5165985 PM	runas.exe	8188	RegQueryValue	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IME Compatibility\runas	NAME NOT FOUND	Length: 172
    1:27:20.5179308 PM	runas.exe	8188	RegQueryValue	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\SHLWAPI.dll	NAME NOT FOUND	Length: 1,024
    1:27:20.5185538 PM	runas.exe	8188	RegQueryValue	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\SHELL32.dll	NAME NOT FOUND	Length: 1,024
    1:27:20.5198065 PM	runas.exe	8188	RegOpenKey	HKCU\Software\Policies\Microsoft\Control Panel\Desktop	NAME NOT FOUND	
    1:27:20.5198470 PM	runas.exe	8188	RegQueryValue	HKCU\Control Panel\Desktop\MultiUILanguageId	NAME NOT FOUND	Length: 256
    1:27:20.5216983 PM	runas.exe	8188	RegQueryValue	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest	NAME NOT FOUND	Length: 20
    1:27:20.5222291 PM	runas.exe	8188	CreateFile	C:\WINDOWS\system32\SHELL32.dll.124.Config	NAME NOT FOUND	Desired Access: Generic Read/Execute, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, AllocationSize: n/a
    1:27:20.5228353 PM	csrss.exe	6788	CreateFile	C:\WINDOWS\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_en-US_580A28FF	NAME NOT FOUND	Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: company\MIA_MATRICOLA
    1:27:20.5229555 PM	csrss.exe	6788	QueryOpen	C:\WINDOWS\Assembly\GAC\Policy.6.0.Microsoft.Windows.Common-Controls\_en-US_6595b64144ccf1df\Policy.6.0.Microsoft.Windows.Common-Controls.dll	PATH NOT FOUND	
    1:27:20.5231521 PM	csrss.exe	6788	QueryOpen	C:\WINDOWS\system32\en-US	NAME NOT FOUND	
    1:27:20.5238070 PM	csrss.exe	6788	QueryOpen	C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_en-US_F6B1E800.manifest	NAME NOT FOUND	
    1:27:20.5238992 PM	csrss.exe	6788	QueryOpen	C:\WINDOWS\assembly\GAC\Microsoft.Windows.Common-Controls\6.0.0.0_en-US_6595b64144ccf1df\Microsoft.Windows.Common-Controls.DLL	PATH NOT FOUND	
    1:27:20.5244615 PM	csrss.exe	6788	CreateFile	C:\WINDOWS\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_en_66C5EEE6	NAME NOT FOUND	Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: company\MIA_MATRICOLA
    1:27:20.5245626 PM	csrss.exe	6788	QueryOpen	C:\WINDOWS\Assembly\GAC\Policy.6.0.Microsoft.Windows.Common-Controls\_en_6595b64144ccf1df\Policy.6.0.Microsoft.Windows.Common-Controls.dll	PATH NOT FOUND	
    1:27:20.5247155 PM	csrss.exe	6788	QueryOpen	C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_en_5CCE9BD9.manifest	NAME NOT FOUND	
    1:27:20.5248037 PM	csrss.exe	6788	QueryOpen	C:\WINDOWS\assembly\GAC\Microsoft.Windows.Common-Controls\6.0.0.0_en_6595b64144ccf1df\Microsoft.Windows.Common-Controls.DLL	PATH NOT FOUND	
    1:27:20.5251035 PM	csrss.exe	6788	QueryOpen	C:\WINDOWS\system32\en\Microsoft.Windows.Common-Controls.DLL	NAME NOT FOUND	
    

    Friday, 15 June 2012 12:07
  • «START OF PART 2/4»
    1:27:20.5252689 PM	csrss.exe	6788	QueryOpen	C:\WINDOWS\system32\en\Microsoft.Windows.Common-Controls.MANIFEST	NAME NOT FOUND	
    1:27:20.5253234 PM	csrss.exe	6788	QueryOpen	C:\WINDOWS\system32\en\Microsoft.Windows.Common-Controls\Microsoft.Windows.Common-Controls.DLL	PATH NOT FOUND	
    1:27:20.5253787 PM	csrss.exe	6788	QueryOpen	C:\WINDOWS\system32\en\Microsoft.Windows.Common-Controls\Microsoft.Windows.Common-Controls.MANIFEST	PATH NOT FOUND	
    1:27:20.5261480 PM	csrss.exe	6788	QueryDirectory	C:\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5DDAD775	NO MORE FILES	
    1:27:20.5268669 PM	csrss.exe	6788	QueryAllInformationFile	C:\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5DDAD775\6.0.3790.4770.policy	BUFFER OVERFLOW	CreationTime: 11/18/2011 1:17:15 PM, LastAccessTime: 6/15/2012 1:26:14 PM, LastWriteTime: 11/18/2011 1:17:15 PM, ChangeTime: 11/18/2011 1:17:15 PM, FileAttributes: A, AllocationSize: 4,096, EndOfFile: 621, NumberOfLinks: 1, DeletePending: False, Directory: False, IndexNumber: 0x7000000005349, EaSize: 0, Access: Generic Read, Position: 0, Mode: Sequential Access, Synchronous IO Non-Alert, AlignmentRequirement: Word
    1:27:20.5274152 PM	csrss.exe	6788	ReadFile	C:\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5DDAD775\6.0.3790.4770.policy	END OF FILE	Offset: 621, Length: 8,178
    1:27:20.5281002 PM	csrss.exe	6788	CreateFile	C:\WINDOWS\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls.mui_6595b64144ccf1df_en-US_186470EC	NAME NOT FOUND	Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: company\MIA_MATRICOLA
    1:27:20.5282813 PM	csrss.exe	6788	QueryOpen	C:\WINDOWS\Assembly\GAC\Policy.6.0.Microsoft.Windows.Common-Controls.mui\_en-US_6595b64144ccf1df\Policy.6.0.Microsoft.Windows.Common-Controls.mui.dll	PATH NOT FOUND	
    1:27:20.5284372 PM	csrss.exe	6788	QueryOpen	C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls.mui_6595b64144ccf1df_6.0.3790.4770_en-US_EE9322D0.manifest	NAME NOT FOUND	
    1:27:20.5285266 PM	csrss.exe	6788	QueryOpen	C:\WINDOWS\assembly\GAC\Microsoft.Windows.Common-Controls.mui\6.0.3790.4770_en-US_6595b64144ccf1df\Microsoft.Windows.Common-Controls.mui.DLL	PATH NOT FOUND	
    1:27:20.5290951 PM	csrss.exe	6788	CreateFile	C:\WINDOWS\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls.mui_6595b64144ccf1df_en_272036D3	NAME NOT FOUND	Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: company\MIA_MATRICOLA
    1:27:20.5292001 PM	csrss.exe	6788	QueryOpen	C:\WINDOWS\Assembly\GAC\Policy.6.0.Microsoft.Windows.Common-Controls.mui\_en_6595b64144ccf1df\Policy.6.0.Microsoft.Windows.Common-Controls.mui.dll	PATH NOT FOUND	
    1:27:20.5293621 PM	csrss.exe	6788	QueryOpen	C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls.mui_6595b64144ccf1df_6.0.3790.4770_en_54AFD6A9.manifest	NAME NOT FOUND	
    1:27:20.5295583 PM	csrss.exe	6788	QueryOpen	C:\WINDOWS\assembly\GAC\Microsoft.Windows.Common-Controls.mui\6.0.3790.4770_en_6595b64144ccf1df\Microsoft.Windows.Common-Controls.mui.DLL	PATH NOT FOUND	
    1:27:20.5298485 PM	csrss.exe	6788	QueryOpen	C:\WINDOWS\system32\en\Microsoft.Windows.Common-Controls.mui.DLL	NAME NOT FOUND	
    1:27:20.5300237 PM	csrss.exe	6788	QueryOpen	C:\WINDOWS\system32\en\Microsoft.Windows.Common-Controls.mui.MANIFEST	NAME NOT FOUND	
    1:27:20.5300787 PM	csrss.exe	6788	QueryOpen	C:\WINDOWS\system32\en\Microsoft.Windows.Common-Controls.mui\Microsoft.Windows.Common-Controls.mui.DLL	PATH NOT FOUND	
    1:27:20.5301354 PM	csrss.exe	6788	QueryOpen	C:\WINDOWS\system32\en\Microsoft.Windows.Common-Controls.mui\Microsoft.Windows.Common-Controls.mui.MANIFEST	PATH NOT FOUND	
    1:27:20.5310048 PM	csrss.exe	6788	QueryAllInformationFile	C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.4770_x-ww_05FDF087.manifest	BUFFER OVERFLOW	CreationTime: 11/18/2011 1:17:15 PM, LastAccessTime: 6/15/2012 1:27:20 PM, LastWriteTime: 11/18/2011 1:17:15 PM, ChangeTime: 11/18/2011 1:17:15 PM, FileAttributes: A, AllocationSize: 4,096, EndOfFile: 1,862, NumberOfLinks: 1, DeletePending: False, Directory: False, IndexNumber: 0x5000000005347, EaSize: 0, Access: Generic Read, Position: 0, Mode: Sequential Access, Synchronous IO Non-Alert, AlignmentRequirement: Word
    1:27:20.5318574 PM	csrss.exe	6788	ReadFile	C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.4770_x-ww_05FDF087.manifest	END OF FILE	Offset: 1,862, Length: 8,178
    1:27:20.5332029 PM	runas.exe	8188	RegOpenKey	HKLM\System\CurrentControlSet\Control\Session Manager	REPARSE	
    1:27:20.5336266 PM	runas.exe	8188	RegQueryValue	HKLM\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode	NAME NOT FOUND	Length: 16
    1:27:20.5336772 PM	runas.exe	8188	RegOpenKey	HKLM\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots	NAME NOT FOUND	
    1:27:20.5340376 PM	runas.exe	8188	QueryOpen	C:\WINDOWS\system32\runas.exe.Local	NAME NOT FOUND	
    1:27:20.5363482 PM	Explorer.EXE	5324	RegOpenKey	HKCU\Software\Classes\Applications\cmd.exe	NAME NOT FOUND	
    1:27:20.5363681 PM	Explorer.EXE	5324	RegOpenKey	HKCR\Applications\cmd.exe	NAME NOT FOUND	
    1:27:20.5394981 PM	runas.exe	8188	RegQueryValue	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\comctl32.dll	NAME NOT FOUND	Length: 1,024
    1:27:20.5409477 PM	runas.exe	8188	RegOpenKey	HKCU\Software\Policies\Microsoft\Control Panel\Desktop	NAME NOT FOUND	
    1:27:20.5422585 PM	runas.exe	8188	RegQueryValue	HKCU\Control Panel\Desktop\MultiUILanguageId	NAME NOT FOUND	Length: 256
    1:27:20.5457299 PM	runas.exe	8188	RegQueryValue	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest	NAME NOT FOUND	Length: 20
    1:27:20.5461235 PM	runas.exe	8188	CreateFile	C:\WINDOWS\WindowsShell.Config	NAME NOT FOUND	Desired Access: Generic Read/Execute, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, AllocationSize: n/a
    1:27:20.5468339 PM	csrss.exe	6788	CreateFile	C:\WINDOWS\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_en-US_580A28FF	NAME NOT FOUND	Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: company\MIA_MATRICOLA
    1:27:20.5469515 PM	csrss.exe	6788	QueryOpen	C:\WINDOWS\Assembly\GAC\Policy.6.0.Microsoft.Windows.Common-Controls\_en-US_6595b64144ccf1df\Policy.6.0.Microsoft.Windows.Common-Controls.dll	PATH NOT FOUND	
    1:27:20.5470943 PM	csrss.exe	6788	QueryOpen	C:\WINDOWS\en-US	NAME NOT FOUND	
    1:27:20.5473368 PM	csrss.exe	6788	QueryOpen	C:\WINDOWS\en	NAME NOT FOUND	
    1:27:20.5476379 PM	csrss.exe	6788	QueryOpen	C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_en-US_F6B1E800.manifest	NAME NOT FOUND	
    1:27:20.5477237 PM	csrss.exe	6788	QueryOpen	C:\WINDOWS\assembly\GAC\Microsoft.Windows.Common-Controls\6.0.0.0_en-US_6595b64144ccf1df\Microsoft.Windows.Common-Controls.DLL	PATH NOT FOUND	
    1:27:20.5482928 PM	csrss.exe	6788	CreateFile	C:\WINDOWS\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_en_66C5EEE6	NAME NOT FOUND	Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: company\MIA_MATRICOLA
    1:27:20.5483975 PM	csrss.exe	6788	QueryOpen	C:\WINDOWS\Assembly\GAC\Policy.6.0.Microsoft.Windows.Common-Controls\_en_6595b64144ccf1df\Policy.6.0.Microsoft.Windows.Common-Controls.dll	PATH NOT FOUND	
    1:27:20.5485609 PM	csrss.exe	6788	QueryOpen	C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_en_5CCE9BD9.manifest	NAME NOT FOUND	
    1:27:20.5487593 PM	csrss.exe	6788	QueryOpen	C:\WINDOWS\assembly\GAC\Microsoft.Windows.Common-Controls\6.0.0.0_en_6595b64144ccf1df\Microsoft.Windows.Common-Controls.DLL	PATH NOT FOUND	
    1:27:20.5496535 PM	csrss.exe	6788	QueryDirectory	C:\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5DDAD775	NO MORE FILES	
    1:27:20.5503643 PM	csrss.exe	6788	QueryAllInformationFile	C:\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5DDAD775\6.0.3790.4770.policy	BUFFER OVERFLOW	CreationTime: 11/18/2011 1:17:15 PM, LastAccessTime: 6/15/2012 1:27:20 PM, LastWriteTime: 11/18/2011 1:17:15 PM, ChangeTime: 11/18/2011 1:17:15 PM, FileAttributes: A, AllocationSize: 4,096, EndOfFile: 621, NumberOfLinks: 1, DeletePending: False, Directory: False, IndexNumber: 0x7000000005349, EaSize: 0, Access: Generic Read, Position: 0, Mode: Sequential Access, Synchronous IO Non-Alert, AlignmentRequirement: Word
    1:27:20.5507797 PM	csrss.exe	6788	ReadFile	C:\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5DDAD775\6.0.3790.4770.policy	END OF FILE	Offset: 621, Length: 8,178
    1:27:20.5515664 PM	csrss.exe	6788	CreateFile	C:\WINDOWS\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls.mui_6595b64144ccf1df_en-US_186470EC	NAME NOT FOUND	Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: company\MIA_MATRICOLA
    1:27:20.5516745 PM	csrss.exe	6788	QueryOpen	C:\WINDOWS\Assembly\GAC\Policy.6.0.Microsoft.Windows.Common-Controls.mui\_en-US_6595b64144ccf1df\Policy.6.0.Microsoft.Windows.Common-Controls.mui.dll	PATH NOT FOUND	
    1:27:20.5518343 PM	csrss.exe	6788	QueryOpen	C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls.mui_6595b64144ccf1df_6.0.3790.4770_en-US_EE9322D0.manifest	NAME NOT FOUND	
    1:27:20.5519242 PM	csrss.exe	6788	QueryOpen	C:\WINDOWS\assembly\GAC\Microsoft.Windows.Common-Controls.mui\6.0.3790.4770_en-US_6595b64144ccf1df\Microsoft.Windows.Common-Controls.mui.DLL	PATH NOT FOUND	
    1:27:20.5526017 PM	csrss.exe	6788	CreateFile	C:\WINDOWS\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls.mui_6595b64144ccf1df_en_272036D3	NAME NOT FOUND	Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: company\MIA_MATRICOLA
    1:27:20.5527025 PM	csrss.exe	6788	QueryOpen	C:\WINDOWS\Assembly\GAC\Policy.6.0.Microsoft.Windows.Common-Controls.mui\_en_6595b64144ccf1df\Policy.6.0.Microsoft.Windows.Common-Controls.mui.dll	PATH NOT FOUND	
    1:27:20.5528545 PM	csrss.exe	6788	QueryOpen	C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls.mui_6595b64144ccf1df_6.0.3790.4770_en_54AFD6A9.manifest	NAME NOT FOUND	
    1:27:20.5529336 PM	csrss.exe	6788	QueryOpen	C:\WINDOWS\assembly\GAC\Microsoft.Windows.Common-Controls.mui\6.0.3790.4770_en_6595b64144ccf1df\Microsoft.Windows.Common-Controls.mui.DLL	PATH NOT FOUND	
    1:27:20.5538264 PM	csrss.exe	6788	QueryAllInformationFile	C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.4770_x-ww_05FDF087.manifest	BUFFER OVERFLOW	CreationTime: 11/18/2011 1:17:15 PM, LastAccessTime: 6/15/2012 1:27:20 PM, LastWriteTime: 11/18/2011 1:17:15 PM, ChangeTime: 11/18/2011 1:17:15 PM, FileAttributes: A, AllocationSize: 4,096, EndOfFile: 1,862, NumberOfLinks: 1, DeletePending: False, Directory: False, IndexNumber: 0x5000000005347, EaSize: 0, Access: Generic Read, Position: 0, Mode: Sequential Access, Synchronous IO Non-Alert, AlignmentRequirement: Word
    1:27:20.5547777 PM	csrss.exe	6788	ReadFile	C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.4770_x-ww_05FDF087.manifest	END OF FILE	Offset: 1,862, Length: 8,178
    1:27:20.5578180 PM	runas.exe	8188	RegQueryValue	HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips	NAME NOT FOUND	Length: 144
    1:27:20.5589631 PM	runas.exe	8188	RegEnumValue	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack	NO MORE ENTRIES	Index: 0, Length: 220
    1:27:20.5595442 PM	runas.exe	8188	RegQueryValue	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\ntdll.dll	NAME NOT FOUND	Length: 1,024
    1:27:20.5595682 PM	runas.exe	8188	RegQueryValue	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\kernel32.dll	NAME NOT FOUND	Length: 1,024
    1:27:20.5600445 PM	runas.exe	8188	RegQueryValue	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\credui.dll	NAME NOT FOUND	Length: 1,024
    1:27:20.5600652 PM	runas.exe	8188	RegQueryValue	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\MSASN1.dll	NAME NOT FOUND	Length: 1,024
    1:27:20.5607591 PM	runas.exe	8188	RegQueryValue	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\CRYPT32.dll	NAME NOT FOUND	Length: 1,024
    1:27:20.5607809 PM	runas.exe	8188	RegQueryValue	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\NETAPI32.dll	NAME NOT FOUND	Length: 1,024
    1:27:20.5612927 PM	runas.exe	8188	RegQueryValue	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\apphelp.dll	NAME NOT FOUND	Length: 1,024
    1:27:20.5613140 PM	runas.exe	8188	RegQueryValue	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\ShimEng.dll	NAME NOT FOUND	Length: 1,024
    1:27:20.5620358 PM	runas.exe	8188	RegOpenKey	HKCU\Software\Policies\Microsoft\Control Panel\Desktop	NAME NOT FOUND	
    1:27:20.5625577 PM	runas.exe	8188	RegQueryValue	HKCU\Control Panel\Desktop\MultiUILanguageId	NAME NOT FOUND	Length: 256
    1:27:20.5663196 PM	runas.exe	8188	RegQueryValue	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest	NAME NOT FOUND	Length: 20
    1:27:20.5669231 PM	runas.exe	8188	CreateFile	C:\WINDOWS\WindowsShell.Config	NAME NOT FOUND	Desired Access: Generic Read/Execute, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, AllocationSize: n/a
    1:27:20.5677056 PM	csrss.exe	6788	CreateFile	C:\WINDOWS\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_en-US_580A28FF	NAME NOT FOUND	Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: company\MIA_MATRICOLA
    1:27:20.5678533 PM	csrss.exe	6788	QueryOpen	C:\WINDOWS\Assembly\GAC\Policy.6.0.Microsoft.Windows.Common-Controls\_en-US_6595b64144ccf1df\Policy.6.0.Microsoft.Windows.Common-Controls.dll	PATH NOT FOUND	
    1:27:20.5680076 PM	csrss.exe	6788	QueryOpen	C:\WINDOWS\en-US	NAME NOT FOUND	
    1:27:20.5681305 PM	csrss.exe	6788	QueryOpen	C:\WINDOWS\en	NAME NOT FOUND	
    1:27:20.5686420 PM	csrss.exe	6788	QueryOpen	C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_en-US_F6B1E800.manifest	NAME NOT FOUND	
    1:27:20.5687331 PM	csrss.exe	6788	QueryOpen	C:\WINDOWS\assembly\GAC\Microsoft.Windows.Common-Controls\6.0.0.0_en-US_6595b64144ccf1df\Microsoft.Windows.Common-Controls.DLL	PATH NOT FOUND	
    1:27:20.5691055 PM	csrss.exe	6788	CreateFile	C:\WINDOWS\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_en_66C5EEE6	NAME NOT FOUND	Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: company\MIA_MATRICOLA
    1:27:20.5692108 PM	csrss.exe	6788	QueryOpen	C:\WINDOWS\Assembly\GAC\Policy.6.0.Microsoft.Windows.Common-Controls\_en_6595b64144ccf1df\Policy.6.0.Microsoft.Windows.Common-Controls.dll	PATH NOT FOUND	
    1:27:20.5693672 PM	csrss.exe	6788	QueryOpen	C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_en_5CCE9BD9.manifest	NAME NOT FOUND	
    1:27:20.5695572 PM	csrss.exe	6788	QueryOpen	C:\WINDOWS\assembly\GAC\Microsoft.Windows.Common-Controls\6.0.0.0_en_6595b64144ccf1df\Microsoft.Windows.Common-Controls.DLL	PATH NOT FOUND	
    1:27:20.5706428 PM	csrss.exe	6788	QueryDirectory	C:\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5DDAD775	NO MORE FILES	
    1:27:20.5712356 PM	csrss.exe	6788	QueryAllInformationFile	C:\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5DDAD775\6.0.3790.4770.policy	BUFFER OVERFLOW	CreationTime: 11/18/2011 1:17:15 PM, LastAccessTime: 6/15/2012 1:27:20 PM, LastWriteTime: 11/18/2011 1:17:15 PM, ChangeTime: 11/18/2011 1:17:15 PM, FileAttributes: A, AllocationSize: 4,096, EndOfFile: 621, NumberOfLinks: 1, DeletePending: False, Directory: False, IndexNumber: 0x7000000005349, EaSize: 0, Access: Generic Read, Position: 0, Mode: Sequential Access, Synchronous IO Non-Alert, AlignmentRequirement: Word
    1:27:20.5716600 PM	csrss.exe	6788	ReadFile	C:\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5DDAD775\6.0.3790.4770.policy	END OF FILE	Offset: 621, Length: 8,178
    1:27:20.5723486 PM	csrss.exe	6788	CreateFile	C:\WINDOWS\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls.mui_6595b64144ccf1df_en-US_186470EC	NAME NOT FOUND	Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: company\MIA_MATRICOLA
    1:27:20.5724604 PM	csrss.exe	6788	QueryOpen	C:\WINDOWS\Assembly\GAC\Policy.6.0.Microsoft.Windows.Common-Controls.mui\_en-US_6595b64144ccf1df\Policy.6.0.Microsoft.Windows.Common-Controls.mui.dll	PATH NOT FOUND	
    1:27:20.5727311 PM	csrss.exe	6788	QueryOpen	C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls.mui_6595b64144ccf1df_6.0.3790.4770_en-US_EE9322D0.manifest	NAME NOT FOUND	
    1:27:20.5729286 PM	csrss.exe	6788	QueryOpen	C:\WINDOWS\assembly\GAC\Microsoft.Windows.Common-Controls.mui\6.0.3790.4770_en-US_6595b64144ccf1df\Microsoft.Windows.Common-Controls.mui.DLL	PATH NOT FOUND	
    1:27:20.5733948 PM	csrss.exe	6788	CreateFile	C:\WINDOWS\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls.mui_6595b64144ccf1df_en_272036D3	NAME NOT FOUND	Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: company\MIA_MATRICOLA
    1:27:20.5734996 PM	csrss.exe	6788	QueryOpen	C:\WINDOWS\Assembly\GAC\Policy.6.0.Microsoft.Windows.Common-Controls.mui\_en_6595b64144ccf1df\Policy.6.0.Microsoft.Windows.Common-Controls.mui.dll	PATH NOT FOUND	
    1:27:20.5736653 PM	csrss.exe	6788	QueryOpen	C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls.mui_6595b64144ccf1df_6.0.3790.4770_en_54AFD6A9.manifest	NAME NOT FOUND	
    1:27:20.5737538 PM	csrss.exe	6788	QueryOpen	C:\WINDOWS\assembly\GAC\Microsoft.Windows.Common-Controls.mui\6.0.3790.4770_en_6595b64144ccf1df\Microsoft.Windows.Common-Controls.mui.DLL	PATH NOT FOUND	
    1:27:20.5749143 PM	csrss.exe	6788	QueryAllInformationFile	C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.4770_x-ww_05FDF087.manifest	BUFFER OVERFLOW	CreationTime: 11/18/2011 1:17:15 PM, LastAccessTime: 6/15/2012 1:27:20 PM, LastWriteTime: 11/18/2011 1:17:15 PM, ChangeTime: 11/18/2011 1:17:15 PM, FileAttributes: A, AllocationSize: 4,096, EndOfFile: 1,862, NumberOfLinks: 1, DeletePending: False, Directory: False, IndexNumber: 0x5000000005347, EaSize: 0, Access: Generic Read, Position: 0, Mode: Sequential Access, Synchronous IO Non-Alert, AlignmentRequirement: Word
    1:27:20.5757666 PM	csrss.exe	6788	ReadFile	C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.4770_x-ww_05FDF087.manifest	END OF FILE	Offset: 1,862, Length: 8,178
    1:27:20.5771691 PM	runas.exe	8188	RegOpenKey	HKLM\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots	NAME NOT FOUND	
    1:27:20.5772981 PM	runas.exe	8188	QueryOpen	C:\WINDOWS\system32\runas.exe.Local	NAME NOT FOUND	
    1:27:20.5782834 PM	runas.exe	8188	RegOpenKey	HKLM\SYSTEM\CurrentControlSet\Services\crypt32\Performance	REPARSE	
    1:27:20.5783108 PM	runas.exe	8188	RegOpenKey	HKLM\System\CurrentControlSet\Services\crypt32\Performance	NAME NOT FOUND	
    1:27:20.5786678 PM	runas.exe	8188	RegOpenKey	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\msasn1	NAME NOT FOUND	
    1:27:20.5797786 PM	runas.exe	8188	RegOpenKey	HKCU\Software\Policies\Microsoft\Control Panel\Desktop	NAME NOT FOUND	
    1:27:20.5803868 PM	runas.exe	8188	RegQueryValue	HKCU\Control Panel\Desktop\MultiUILanguageId	NAME NOT FOUND	Length: 256
    1:27:20.5810478 PM	runas.exe	8188	RegOpenKey	HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option	REPARSE	
    1:27:20.5815297 PM	runas.exe	8188	RegOpenKey	HKLM\System\CurrentControlSet\Control\SafeBoot\Option	NAME NOT FOUND	
    1:27:20.5824770 PM	runas.exe	8188	RegQueryValue	HKLM\SOFTWARE\Microsoft\Rpc\MaxRpcSize	NAME NOT FOUND	Length: 144

    Friday, 15 June 2012 12:07
  • «START OF PART 3/4»
    1:27:20.5825119 PM	runas.exe	8188	RegOpenKey	HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runas.exe\RpcThreadPoolThrottle	NAME NOT FOUND	
    1:27:20.5827569 PM	runas.exe	8188	RegOpenKey	HKLM\System\CurrentControlSet\Control\ComputerName	REPARSE	
    1:27:20.5839152 PM	runas.exe	8188	RegOpenKey	HKLM\Software\Policies\Microsoft\Windows NT\Rpc	NAME NOT FOUND	
    1:27:20.5846301 PM	runas.exe	8188	RegOpenKey	HKLM\System\CurrentControlSet\Control\ComputerName	REPARSE	
    1:27:20.5860615 PM	runas.exe	8188	RegOpenKey	HKLM\Software\Policies\Microsoft\Windows NT\Rpc	NAME NOT FOUND	
    1:27:20.5912379 PM	runas.exe	8188	RegQueryValue	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\MSCTF.dll	NAME NOT FOUND	Length: 1,024
    1:27:20.5939095 PM	runas.exe	8188	RegOpenKey	HKLM\SOFTWARE\Microsoft\CTF\Compatibility\runas.exe	NAME NOT FOUND	
    1:27:20.5951909 PM	runas.exe	8188	RegQueryValue	HKCU\Keyboard Layout\Toggle\Language Hotkey	NAME NOT FOUND	Length: 144
    1:27:20.5962614 PM	runas.exe	8188	RegQueryValue	HKCU\Keyboard Layout\Toggle\Layout Hotkey	NAME NOT FOUND	Length: 144
    1:27:20.5976376 PM	runas.exe	8188	RegOpenKey	HKCU\Software\Policies\Microsoft\Control Panel\Desktop	NAME NOT FOUND	
    1:27:20.5980446 PM	runas.exe	8188	RegQueryValue	HKCU\Control Panel\Desktop\MultiUILanguageId	NAME NOT FOUND	Length: 256
    1:27:20.5987514 PM	runas.exe	8188	RegQueryValue	HKLM\SOFTWARE\Microsoft\CTF\EnableAnchorContext	NAME NOT FOUND	Length: 144
    1:27:20.5999504 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:20.6034442 PM	runas.exe	8188	RegQueryValue	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\UxTheme.dll	NAME NOT FOUND	Length: 1,024
    1:27:20.6040755 PM	runas.exe	8188	RegQueryValue	HKCU\Software\Microsoft\Windows\CurrentVersion\ThemeManager\Compositing	NAME NOT FOUND	Length: 144
    1:27:20.6056512 PM	runas.exe	8188	RegOpenKey	HKLM\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots	NAME NOT FOUND	
    1:27:20.6057858 PM	runas.exe	8188	QueryOpen	C:\WINDOWS\system32\runas.exe.Local	NAME NOT FOUND	
    1:27:20.6076794 PM	runas.exe	8188	RegQueryValue	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Tahoma	NAME NOT FOUND	Length: 144
    1:27:20.6089901 PM	runas.exe	8188	RegQueryValue	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Tahoma	NAME NOT FOUND	Length: 144
    1:27:20.6107943 PM	runas.exe	8188	RegQueryValue	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Tahoma	NAME NOT FOUND	Length: 144
    1:27:21.1454427 PM	lsass.exe	464	RegOpenKey	HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8F8F5EF4-6D9A-4BC2-A9BE-18CC0F965B53}	REPARSE	
    1:27:21.1455237 PM	lsass.exe	464	RegQueryValue	HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8F8F5EF4-6D9A-4BC2-A9BE-18CC0F965B53}\DhcpServer	NAME NOT FOUND	Length: 144
    1:27:21.1457223 PM	lsass.exe	464	RegOpenKey	HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8F8F5EF4-6D9A-4BC2-A9BE-18CC0F965B53}	REPARSE	
    1:27:21.1457902 PM	lsass.exe	464	RegQueryValue	HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8F8F5EF4-6D9A-4BC2-A9BE-18CC0F965B53}\DhcpDomain	NAME NOT FOUND	Length: 144
    1:27:21.1458754 PM	lsass.exe	464	RegOpenKey	HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\MS TCP Loopback interface	REPARSE	
    1:27:21.1458969 PM	lsass.exe	464	RegOpenKey	HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\MS TCP Loopback interface	NAME NOT FOUND	
    1:27:21.2926128 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:21.2932754 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:21.2938403 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:21.2943066 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:21.3326905 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:21.3333501 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:21.3339130 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:21.3343720 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:22.6302979 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:22.6309949 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:22.6315701 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:22.6320308 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:22.7112523 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:22.7119166 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:22.7130126 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:22.7134797 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:23.7419174 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:23.7425881 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:23.7431510 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:23.7436148 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:23.7513202 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:23.7519781 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:23.7525447 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:23.7530017 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:24.7574068 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:24.7580786 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:24.7586427 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:24.7591017 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:24.7650706 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:24.7657316 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:24.7662881 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:24.7667471 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:24.9058924 PM	runas.exe	8188	RegOpenKey	HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName	REPARSE	
    1:27:24.9065573 PM	runas.exe	8188	RegOpenKey	HKLM\System\CurrentControlSet\Control\Session Manager	REPARSE	
    1:27:24.9066106 PM	runas.exe	8188	RegQueryValue	HKLM\System\CurrentControlSet\Control\Session Manager\SafeProcessSearchMode	NAME NOT FOUND	Length: 16
    1:27:24.9074434 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:24.9081055 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:24.9111640 PM	lsass.exe	464	RegOpenKey	HKLM\System\CurrentControlSet\Control\Terminal Server	REPARSE	
    1:27:24.9114314 PM	lsass.exe	464	RegOpenKey	HKLM\System\CurrentControlSet\Control\ComputerName	REPARSE	
    1:27:24.9116124 PM	svchost.exe	812	RegQueryValue	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserEnvDebugLevel	NAME NOT FOUND	Length: 144
    1:27:24.9116406 PM	svchost.exe	812	RegQueryValue	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\RsopLogging	NAME NOT FOUND	Length: 144
    1:27:24.9116764 PM	svchost.exe	812	RegOpenKey	HKLM\Software\Policies\Microsoft\Windows\System	NAME NOT FOUND	
    1:27:24.9122438 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:24.9126550 PM	winlogon.exe	380	RegQueryValue	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserEnvDebugLevel	NAME NOT FOUND	Length: 144
    1:27:24.9126720 PM	winlogon.exe	380	RegQueryValue	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\RsopLogging	NAME NOT FOUND	Length: 144
    1:27:24.9127011 PM	winlogon.exe	380	RegOpenKey	HKLM\Software\Policies\Microsoft\Windows\System	NAME NOT FOUND	
    1:27:24.9149533 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:24.9151916 PM	lsass.exe	464	RegOpenKey	HKLM\SAM\SAM\DOMAINS\Account\Groups\000001F4	NAME NOT FOUND	
    1:27:24.9152257 PM	lsass.exe	464	RegOpenKey	HKLM\SAM\SAM\DOMAINS\Account\Aliases\000001F4	NAME NOT FOUND	
    1:27:24.9155283 PM	winlogon.exe	380	RegQueryValue	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserEnvDebugLevel	NAME NOT FOUND	Length: 144
    1:27:24.9155459 PM	winlogon.exe	380	RegQueryValue	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\RsopLogging	NAME NOT FOUND	Length: 144
    1:27:24.9155741 PM	winlogon.exe	380	RegOpenKey	HKLM\Software\Policies\Microsoft\Windows\System	NAME NOT FOUND	
    1:27:24.9157473 PM	winlogon.exe	380	RegOpenKey	HKU\S-1-5-21-2433949442-523124216-4227445396-500	NAME NOT FOUND	
    1:27:24.9157861 PM	winlogon.exe	380	RegOpenKey	HKLM\Software\Policies\Microsoft\Windows\System	NAME NOT FOUND	
    1:27:24.9158763 PM	winlogon.exe	380	RegOpenKey	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2433949442-523124216-4227445396-500\Preference	NAME NOT FOUND	
    1:27:24.9159169 PM	winlogon.exe	380	RegOpenKey	HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2433949442-523124216-4227445396-500.bak	NAME NOT FOUND	
    1:27:24.9245554 PM	winlogon.exe	380	QueryOpen	C:\Documents and Settings\Administrator\ntuser.man	NAME NOT FOUND	
    1:27:24.9247906 PM	winlogon.exe	380	RegQueryValue	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2433949442-523124216-4227445396-500\ProfileUnloadTimeLow	NAME NOT FOUND	Length: 144
    1:27:24.9249261 PM	winlogon.exe	380	RegOpenKey	HKU\S-1-5-21-2433949442-523124216-4227445396-500	NAME NOT FOUND	
    1:27:24.9728040 PM	winlogon.exe	380	RegOpenKey	HKU\S-1-5-21-2433949442-523124216-4227445396-500_Classes	NAME NOT FOUND	
    1:27:24.9732820 PM	winlogon.exe	380	RegOpenKey	HKLM\System\CurrentControlSet\Control\Session Manager\Environment	REPARSE	
    1:27:24.9733619 PM	winlogon.exe	380	RegEnumValue	HKLM\System\CurrentControlSet\Control\Session Manager\Environment	BUFFER OVERFLOW	Index: 1, Length: 220
    1:27:24.9736910 PM	winlogon.exe	380	RegEnumValue	HKLM\System\CurrentControlSet\Control\Session Manager\Environment	BUFFER OVERFLOW	Index: 1, Length: 220
    1:27:24.9743008 PM	winlogon.exe	380	RegOpenKey	HKLM\System\CurrentControlSet\Control\ComputerName	REPARSE	
    1:27:24.9747598 PM	winlogon.exe	380	RegOpenKey	HKLM\System\CurrentControlSet\Control\ComputerName	REPARSE	
    1:27:24.9755518 PM	winlogon.exe	380	RegEnumValue	HKU\S-1-5-21-2433949442-523124216-4227445396-500\Environment	NO MORE ENTRIES	Index: 2, Length: 220
    1:27:24.9875617 PM	winlogon.exe	380	RegEnumValue	HKU\S-1-5-21-2433949442-523124216-4227445396-500\Environment	NO MORE ENTRIES	Index: 2, Length: 220
    1:27:24.9876059 PM	winlogon.exe	380	RegOpenKey	HKU\S-1-5-21-2433949442-523124216-4227445396-500\Volatile Environment	NAME NOT FOUND	
    1:27:25.0044052 PM	winlogon.exe	380	RegOpenKey	HKU\S-1-5-21-2433949442-523124216-4227445396-500\Software\Classes\Clsid	NAME NOT FOUND	
    1:27:25.0049343 PM	winlogon.exe	380	RegOpenKey	HKU\S-1-5-21-2433949442-523124216-4227445396-500_Classes	NAME NOT FOUND	
    1:27:25.0157720 PM	winlogon.exe	380	RegOpenKey	HKU\S-1-5-21-2433949442-523124216-4227445396-500\Software\Classes	NAME NOT FOUND	
    1:27:25.0157899 PM	winlogon.exe	380	RegOpenKey	HKU\S-1-5-21-2433949442-523124216-4227445396-500\Software\Classes	NAME NOT FOUND	
    1:27:25.0158058 PM	winlogon.exe	380	RegOpenKey	HKU\S-1-5-21-2433949442-523124216-4227445396-500\Software\Classes	NAME NOT FOUND	
    1:27:25.0158215 PM	winlogon.exe	380	RegOpenKey	HKU\S-1-5-21-2433949442-523124216-4227445396-500\Software\Classes	NAME NOT FOUND	

    Friday, 15 June 2012 12:08
  • «START OF PART 4/4»
    1:27:25.0167392 PM	winlogon.exe	380	CreateFile	C:\Documents and Settings\Administrator\ntuser.ini	NAME COLLISION	Desired Access: All Access, Disposition: Create, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: HS, ShareMode: None, AllocationSize: 0, Impersonating: NT AUTHORITY\SYSTEM
    1:27:25.0243153 PM	winlogon.exe	380	RegEnumKey	HKCR\Drive\shellex\FolderExtensions	NO MORE ENTRIES	Index: 1, Length: 288
    1:27:25.0252894 PM	winlogon.exe	380	RegOpenKey	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\Preference	NAME NOT FOUND	
    1:27:25.0253081 PM	winlogon.exe	380	RegQueryValue	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\CentralProfile	NAME NOT FOUND	Length: 144
    1:27:25.0254179 PM	winlogon.exe	380	RegOpenKey	HKU\.DEFAULT\Software\Policies\Microsoft\Control Panel\Desktop	NAME NOT FOUND	
    1:27:25.0254598 PM	winlogon.exe	380	RegQueryValue	HKU\.DEFAULT\Control Panel\Desktop\MultiUILanguageId	NAME NOT FOUND	Length: 256
    1:27:25.0380137 PM	winlogon.exe	380	UnlockFileSingle	C:\Documents and Settings\Administrator\Local Settings\desktop.ini	RANGE NOT LOCKED	Offset: 0, Length: 4,294,967,295
    1:27:25.0395141 PM	winlogon.exe	380	RegQueryValue	HKU\S-1-5-21-2433949442-523124216-4227445396-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Temp	NAME NOT FOUND	Length: 144
    1:27:25.0404461 PM	lsass.exe	464	RegOpenKey	HKLM\System\CurrentControlSet\Control\Session Manager\Environment	REPARSE	
    1:27:25.0405347 PM	lsass.exe	464	RegEnumValue	HKLM\System\CurrentControlSet\Control\Session Manager\Environment	BUFFER OVERFLOW	Index: 1, Length: 220
    1:27:25.0408688 PM	lsass.exe	464	RegEnumValue	HKLM\System\CurrentControlSet\Control\Session Manager\Environment	BUFFER OVERFLOW	Index: 1, Length: 220
    1:27:25.0414848 PM	lsass.exe	464	RegOpenKey	HKLM\System\CurrentControlSet\Control\ComputerName	REPARSE	
    1:27:25.0419267 PM	lsass.exe	464	RegOpenKey	HKLM\System\CurrentControlSet\Control\ComputerName	REPARSE	
    1:27:25.0427017 PM	lsass.exe	464	RegEnumValue	HKU\S-1-5-21-2433949442-523124216-4227445396-500\Environment	NO MORE ENTRIES	Index: 2, Length: 220
    1:27:25.0437756 PM	lsass.exe	464	RegEnumValue	HKU\S-1-5-21-2433949442-523124216-4227445396-500\Environment	NO MORE ENTRIES	Index: 2, Length: 220
    1:27:25.0438060 PM	lsass.exe	464	RegOpenKey	HKU\S-1-5-21-2433949442-523124216-4227445396-500\Volatile Environment	NAME NOT FOUND	
    1:27:25.0439303 PM	lsass.exe	464	CreateFile	C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft	NAME COLLISION	Desired Access: Read Data/List Directory, Synchronize, Disposition: Create, Options: Directory, Synchronous IO Non-Alert, Attributes: N, ShareMode: Read, Write, AllocationSize: 0, Impersonating: RM9VL20WS102\Administrator
    1:27:25.0440044 PM	lsass.exe	464	CreateFile	C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Credentials	NAME COLLISION	Desired Access: Read Data/List Directory, Synchronize, Disposition: Create, Options: Directory, Synchronous IO Non-Alert, Attributes: N, ShareMode: Read, Write, AllocationSize: 0, Impersonating: RM9VL20WS102\Administrator
    1:27:25.0441189 PM	lsass.exe	464	CreateFile	C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-2433949442-523124216-4227445396-500	NAME COLLISION	Desired Access: Read Data/List Directory, Synchronize, Disposition: Create, Options: Directory, Synchronous IO Non-Alert, Attributes: N, ShareMode: Read, Write, AllocationSize: 0, Impersonating: RM9VL20WS102\Administrator
    1:27:25.0442418 PM	lsass.exe	464	CreateFile	C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-2433949442-523124216-4227445396-500\Credentials	NAME NOT FOUND	Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File, Attributes: HS, ShareMode: Read, AllocationSize: n/a, Impersonating: RM9VL20WS102\Administrator
    1:27:25.0444787 PM	lsass.exe	464	RegOpenKey	HKLM\System\CurrentControlSet\Control\Session Manager\Environment	REPARSE	
    1:27:25.0445567 PM	lsass.exe	464	RegEnumValue	HKLM\System\CurrentControlSet\Control\Session Manager\Environment	BUFFER OVERFLOW	Index: 1, Length: 220
    1:27:25.0448846 PM	lsass.exe	464	RegEnumValue	HKLM\System\CurrentControlSet\Control\Session Manager\Environment	BUFFER OVERFLOW	Index: 1, Length: 220
    1:27:25.0454830 PM	lsass.exe	464	RegOpenKey	HKLM\System\CurrentControlSet\Control\ComputerName	REPARSE	
    1:27:25.0459175 PM	lsass.exe	464	RegOpenKey	HKLM\System\CurrentControlSet\Control\ComputerName	REPARSE	
    1:27:25.0466410 PM	lsass.exe	464	RegEnumValue	HKU\S-1-5-21-2433949442-523124216-4227445396-500\Environment	NO MORE ENTRIES	Index: 2, Length: 220
    1:27:25.0476995 PM	lsass.exe	464	RegEnumValue	HKU\S-1-5-21-2433949442-523124216-4227445396-500\Environment	NO MORE ENTRIES	Index: 2, Length: 220
    1:27:25.0477297 PM	lsass.exe	464	RegOpenKey	HKU\S-1-5-21-2433949442-523124216-4227445396-500\Volatile Environment	NAME NOT FOUND	
    1:27:25.0478638 PM	lsass.exe	464	CreateFile	C:\Documents and Settings\Administrator\Application Data\Microsoft	NAME COLLISION	Desired Access: Read Data/List Directory, Synchronize, Disposition: Create, Options: Directory, Synchronous IO Non-Alert, Attributes: N, ShareMode: Read, Write, AllocationSize: 0, Impersonating: RM9VL20WS102\Administrator
    1:27:25.0479627 PM	lsass.exe	464	CreateFile	C:\Documents and Settings\Administrator\Application Data\Microsoft\Credentials	NAME COLLISION	Desired Access: Read Data/List Directory, Synchronize, Disposition: Create, Options: Directory, Synchronous IO Non-Alert, Attributes: N, ShareMode: Read, Write, AllocationSize: 0, Impersonating: RM9VL20WS102\Administrator
    1:27:25.0511542 PM	lsass.exe	464	CreateFile	C:\Documents and Settings\Administrator\Application Data\Microsoft\Credentials\S-1-5-21-2433949442-523124216-4227445396-500	NAME COLLISION	Desired Access: Read Data/List Directory, Synchronize, Disposition: Create, Options: Directory, Synchronous IO Non-Alert, Attributes: N, ShareMode: Read, Write, AllocationSize: 0, Impersonating: RM9VL20WS102\Administrator
    1:27:25.0516548 PM	lsass.exe	464	CreateFile	C:\Documents and Settings\Administrator\Application Data\Microsoft\Credentials\S-1-5-21-2433949442-523124216-4227445396-500\Credentials	NAME NOT FOUND	Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File, Attributes: HS, ShareMode: Read, AllocationSize: n/a, Impersonating: RM9VL20WS102\Administrator
    1:27:25.0523010 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:25.0528904 PM	svchost.exe	812	RegOpenKey	HKLM\System\CurrentControlSet\Control\Session Manager\Environment	REPARSE	
    1:27:25.0529714 PM	svchost.exe	812	RegEnumValue	HKLM\System\CurrentControlSet\Control\Session Manager\Environment	BUFFER OVERFLOW	Index: 1, Length: 220
    1:27:25.0532980 PM	svchost.exe	812	RegEnumValue	HKLM\System\CurrentControlSet\Control\Session Manager\Environment	BUFFER OVERFLOW	Index: 1, Length: 220
    1:27:25.0539148 PM	svchost.exe	812	RegOpenKey	HKLM\System\CurrentControlSet\Control\ComputerName	REPARSE	
    1:27:25.0543817 PM	svchost.exe	812	RegOpenKey	HKLM\System\CurrentControlSet\Control\ComputerName	REPARSE	
    1:27:25.0551278 PM	svchost.exe	812	RegEnumValue	HKU\S-1-5-21-2433949442-523124216-4227445396-500\Environment	NO MORE ENTRIES	Index: 2, Length: 220
    1:27:25.0561928 PM	svchost.exe	812	RegEnumValue	HKU\S-1-5-21-2433949442-523124216-4227445396-500\Environment	NO MORE ENTRIES	Index: 2, Length: 220
    1:27:25.0562232 PM	svchost.exe	812	RegOpenKey	HKU\S-1-5-21-2433949442-523124216-4227445396-500\Volatile Environment	NAME NOT FOUND	
    1:27:25.0567714 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:25.0571694 PM	winlogon.exe	380	RegQueryValue	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserEnvDebugLevel	NAME NOT FOUND	Length: 144
    1:27:25.0571898 PM	winlogon.exe	380	RegQueryValue	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\RsopLogging	NAME NOT FOUND	Length: 144
    1:27:25.0572189 PM	winlogon.exe	380	RegOpenKey	HKLM\Software\Policies\Microsoft\Windows\System	NAME NOT FOUND	
    1:27:25.0577354 PM	winlogon.exe	380	RegOpenKey	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2433949442-523124216-4227445396-500\Preference	NAME NOT FOUND	
    1:27:25.0578477 PM	winlogon.exe	380	RegOpenKey	HKU\S-1-5-21-2433949442-523124216-4227445396-500\Software\Policies\Microsoft\Windows\System	NAME NOT FOUND	
    1:27:25.0579726 PM	winlogon.exe	380	RegQueryValue	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DeleteRoamingCache	NAME NOT FOUND	Length: 144
    1:27:25.0580017 PM	winlogon.exe	380	RegOpenKey	HKLM\Software\Policies\Microsoft\Windows\System	NAME NOT FOUND	
    1:27:25.1851181 PM	winlogon.exe	380	RegOpenKey	HKLM\system\currentcontrolset\control\hivelist	REPARSE	
    1:27:25.2994477 PM	winlogon.exe	380	RegOpenKey	HKLM\system\currentcontrolset\control\hivelist	REPARSE	
    1:27:25.3073853 PM	winlogon.exe	380	CreateFile	C:\Documents and Settings\Administrator\ntuser.ini	NAME COLLISION	Desired Access: All Access, Disposition: Create, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: HS, ShareMode: None, AllocationSize: 0, Impersonating: RM9VL20WS102\Administrator
    1:27:25.3083100 PM	winlogon.exe	380	UnlockFileSingle	C:\Documents and Settings\Administrator\ntuser.ini	RANGE NOT LOCKED	Offset: 0, Length: 4,294,967,295
    1:27:25.3095426 PM	runas.exe	8188	RegQueryValue	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles	NAME NOT FOUND	Length: 20
    1:27:25.3108620 PM	cmd.exe	7240	RegOpenKey	HKCU\Software\Policies\Microsoft\Control Panel\Desktop	NAME NOT FOUND	
    1:27:25.3109036 PM	cmd.exe	7240	RegQueryValue	HKCU\Control Panel\Desktop\MultiUILanguageId	NAME NOT FOUND	Length: 256
    1:27:25.4112770 PM	Explorer.EXE	5324	RegOpenKey	HKCU\Software\Classes\Applications\cmd.exe	NAME NOT FOUND	
    1:27:25.4112994 PM	Explorer.EXE	5324	RegOpenKey	HKCR\Applications\cmd.exe	NAME NOT FOUND	
    1:27:25.7754878 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:25.7757611 PM	lsass.exe	464	RegOpenKey	HKLM\SAM\SAM\DOMAINS\Account\Groups\000001F4	NAME NOT FOUND	
    1:27:25.7757887 PM	lsass.exe	464	RegOpenKey	HKLM\SAM\SAM\DOMAINS\Account\Aliases\000001F4	NAME NOT FOUND	
    1:27:25.7912868 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:25.7919447 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:25.7925084 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:25.7929744 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:25.8007922 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:25.8014914 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:25.8020795 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:25.8025379 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:26.8043334 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:26.8049952 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:26.8055579 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:26.8060266 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:26.8119969 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    1:27:26.8126518 PM	lsass.exe	464	RegQueryValue	HKLM\SECURITY\Policy\SecDesc\(Default)	BUFFER OVERFLOW	Length: 12
    Thanks a lot!!
    Friday, 15 June 2012 12:08
  • Too much quantity, too little quality

    • I don't think I'll be able to help you, this is too complicated...  
    • your posts contain lines from other processes...
    • try to monitor only cmd and runas 
    • post the .PML on SkyDrive and don't fill the posts with line after line. 

    If you run c:\windows\system32\runas.exe, what happens?

    if you change the path for both users involved like this:
    Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;D:\ORACLE\ORA92\bin;C:\Program Files\Oracle\jre\1.3.1\bin;C:\Program Files\Oracle\jre\1.1.8\bin;F:\oracleora92\bin

    Then run c:\windows\system32\runas.exe once more: what happens?


    Gastone Canali >http://www.armadillo.it


    Friday, 15 June 2012 16:48
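    The advice in the post above (monitor only cmd and runas) can also be applied after the fact to a capture that was taken without a filter. The following Python script is an added example and is not code from the thread: it parses the tab-separated Process Monitor text export in the form it appears in the pasted log (time, process, PID, operation, path, result, detail), keeps only events from the processes of interest whose result is a lookup failure, and pulls out failed opens of .exe files, which is where a "cannot find the file specified" should show up. The sample lines are constructed for the example: the first two are copied from the pasted log, the rest are made up to exercise the filter, and the `D:\ORACLE\ORA92\bin\runas.exe` probe is hypothetical, not something the poster's log shows.

```python
"""Filter a Process Monitor export down to the processes and results that matter.

Added example, not from the thread. Input format assumed: the tab-separated
text export shown in the pasted log (time, process, PID, operation, path,
result, detail). Sample lines below are constructed for the example.
"""

FIELDS = ("time", "process", "pid", "operation", "path", "result", "detail")

# Results that mean "something was looked for and not found / not allowed".
LOOKUP_FAILURES = ("NAME NOT FOUND", "PATH NOT FOUND", "ACCESS DENIED")

# File operations that reveal which executables a process tried to open.
FILE_OPEN_OPS = ("CreateFile", "QueryOpen")


def parse_procmon_line(line):
    """Return a dict for one tab-separated ProcMon line, or None if malformed."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) < 6:          # the detail column may be absent entirely
        return None
    parts = parts[:7] + [""] * (7 - len(parts[:7]))
    rec = dict(zip(FIELDS, parts))
    try:
        rec["pid"] = int(rec["pid"])
    except ValueError:
        return None
    return rec


def filter_events(lines, processes=("runas.exe", "cmd.exe"),
                  results=LOOKUP_FAILURES):
    """Keep events from `processes` whose result is one of `results`."""
    wanted = {p.lower() for p in processes}
    kept = []
    for line in lines:
        rec = parse_procmon_line(line)
        if rec is None:
            continue
        if rec["process"].lower() in wanted and rec["result"] in results:
            kept.append(rec)
    return kept


def executable_lookups(events):
    """Failed opens of .exe paths: the directories a shell probed while
    walking PATH, and whether the binary it wanted was actually there."""
    return [e for e in events
            if e["operation"] in FILE_OPEN_OPS
            and e["path"].lower().endswith(".exe")]


def summarize(events):
    """Count events per (process, result) so the noise level is visible."""
    counts = {}
    for e in events:
        key = (e["process"], e["result"])
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample: two lines copied from the pasted log, the rest made up
# to exercise the filter (the D:\ORACLE probe is hypothetical).
SAMPLE_EVENTS = [
    ("1:27:25.3095426 PM", "runas.exe", "8188", "RegQueryValue",
     r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles",
     "NAME NOT FOUND", "Length: 20"),
    ("1:27:25.3108620 PM", "cmd.exe", "7240", "RegOpenKey",
     r"HKCU\Software\Policies\Microsoft\Control Panel\Desktop", "NAME NOT FOUND", ""),
    ("1:27:25.3200000 PM", "cmd.exe", "7240", "QueryOpen",
     r"D:\ORACLE\ORA92\bin\runas.exe", "NAME NOT FOUND", ""),
    ("1:27:25.3210000 PM", "cmd.exe", "7240", "QueryOpen",
     r"C:\WINDOWS\system32\runas.exe", "SUCCESS", ""),
    ("1:27:25.3300000 PM", "runas.exe", "8188", "CreateFile",
     r"C:\WINDOWS\system32\notepad.exe", "SUCCESS", "Desired Access: Read Attributes"),
    ("1:27:25.4112994 PM", "Explorer.EXE", "5324", "RegOpenKey",
     r"HKCR\Applications\cmd.exe", "NAME NOT FOUND", ""),
]
SAMPLE_LOG = ["\t".join(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    events = filter_events(SAMPLE_LOG)
    print("kept %d of %d lines" % (len(events), len(SAMPLE_LOG)))
    for e in executable_lookups(events):
        print("%-10s %-12s %s -> %s" % (e["process"], e["operation"],
                                        e["path"], e["result"]))
    print(summarize(events))
```

    Run against a real export, the `executable_lookups` list is what to read first: a run of NAME NOT FOUND opens of `runas.exe` across each PATH directory, with no SUCCESS at the end, means the shell never found the binary it was told to run; a SUCCESS on a path outside `C:\WINDOWS\system32` means a different file of that name won the lookup.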
    Hi, here is the "cleaned-up" log.

    The environment variables should be correct:

    Path=D:\ORACLE\ORA92\bin;C:\Program Files\Oracle\jre\1.3.1\bin;C:\Program Files\Oracle\jre\1.1.8\bin;F:\oracle\ora92\bin;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem

    Am I wrong?

    If I launch runas, the command's help opens.

    Bye and thanks! 


    • Edited by Andrea(ilcress) Monday, 18 June 2012 08:36 Layout error
    Monday, 18 June 2012 08:36
  • I wanted the standard Windows paths to appear first in the path, C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;D:\ORACLE\ORA92\bin;C:\Program Files\Oracle\jre\1.3.1\bin;C:\Program Files\Oracle\jre\1.1.8\bin;F:\oracle\ora92, and then Oracle & Co.!

    From the command prompt I wanted you to run  c:\windows\system32\runas.exe   exactly as written, but of course complete with user and application ....

    But could it be the Symantec antivirus??

    try sending a .PML of the following command

    c:\windows\system32\runas.exe  /user:Administrator "c:\windows\system32\notepad.exe"


    Gastone Canali >http://www.armadillo.it

    If some posts answer your question (not necessarily mine), remember to mark them as answers, and don't forget to mark the helpful posts too. THANKS!



    Monday, 18 June 2012 12:20
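    The point behind the reordering requested above is the search order: for a bare command name cmd.exe looks in the current directory and then in each PATH entry in turn, so with the Oracle directories listed before C:\WINDOWS\system32 a file called runas.exe dropped into any of them would be picked up instead of the real one, and a PATH entry that still reads %SystemRoot% at run time has never been expanded (this happens when the value is stored as REG_SZ instead of REG_EXPAND_SZ) and so never resolves. The following Python script is an added example, not code from the thread: it audits a PATH value for these conditions, rebuilds it with the Windows directories first, and simulates the lookup against a constructed list of files. The file set, including a hypothetical stray `D:\ORACLE\ORA92\bin\runas.exe`, is made up for the illustration and is not a claim about the poster's server. CreateProcess itself, when given a bare name, checks the system directories before PATH; the simulation models only the cmd.exe lookup and deliberately leaves that out.

```python
r"""Audit and repair a Windows PATH search order.

Added example, not from the thread. Models the lookup cmd.exe performs for a
bare command name (current directory, then each PATH entry in turn); it does
not model CreateProcess, which checks the system directories before PATH.
"""

# Directories that should precede everything else, in this order.
WINDOWS_SYSTEM_DIRS = (r"C:\WINDOWS\system32", r"C:\WINDOWS",
                       r"C:\WINDOWS\System32\Wbem")


def split_path(path_value):
    """Split a PATH string on ';', dropping empty entries."""
    return [p.strip() for p in path_value.split(";") if p.strip()]


def _key(entry):
    """Case-insensitive comparison key without a trailing backslash."""
    return entry.lower().rstrip("\\")


def audit_path(path_value, system_dirs=WINDOWS_SYSTEM_DIRS):
    """Return a list of (kind, detail) findings; empty means the PATH is sane."""
    entries = split_path(path_value)
    findings = []
    for e in entries:
        if "%" in e:                       # never expanded at run time
            findings.append(("unexpanded", e))
        elif not (len(e) > 1 and e[1] == ":") and not e.startswith("\\\\"):
            findings.append(("relative", e))   # resolved against the cwd
    sys_keys = {_key(d) for d in system_dirs}
    sys_idx = [i for i, e in enumerate(entries) if _key(e) in sys_keys]
    other_idx = [i for i, e in enumerate(entries) if _key(e) not in sys_keys]
    if sys_idx and other_idx and min(other_idx) < max(sys_idx):
        # any directory searched before the last system directory can shadow it
        shadowing = [entries[i] for i in other_idx if i < max(sys_idx)]
        findings.append(("shadowing", shadowing))
    present = {_key(e) for e in entries}
    for d in system_dirs:
        if _key(d) not in present:
            findings.append(("missing_system_dir", d))
    return findings


def reorder_path(path_value, system_dirs=WINDOWS_SYSTEM_DIRS):
    """Rebuild PATH with the system directories first, dropping duplicates."""
    seen, ordered = set(), []
    for e in list(system_dirs) + split_path(path_value):
        if _key(e) not in seen:
            seen.add(_key(e))
            ordered.append(e)
    return ";".join(ordered)


def resolve_command(name, path_value, existing_files, cwd=None):
    """First directory (cwd, then PATH order) that holds `name`, or None.

    `existing_files` stands in for the filesystem so the example runs
    anywhere; it is a constructed set, not a scan of a real host."""
    present = {f.lower() for f in existing_files}
    dirs = ([cwd] if cwd else []) + split_path(path_value)
    for d in dirs:
        candidate = d.rstrip("\\") + "\\" + name
        if candidate.lower() in present:
            return candidate
    return None


# PATH as posted in the thread (Oracle directories first) and a constructed,
# hypothetical filesystem in which a stray runas.exe sits in the first
# Oracle directory.
ORACLE_FIRST = (r"D:\ORACLE\ORA92\bin;C:\Program Files\Oracle\jre\1.3.1\bin;"
                r"C:\Program Files\Oracle\jre\1.1.8\bin;F:\oracle\ora92\bin;"
                r"C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem")
HYPOTHETICAL_FILES = {r"C:\WINDOWS\system32\runas.exe",
                      r"D:\ORACLE\ORA92\bin\runas.exe"}


if __name__ == "__main__":
    for kind, detail in audit_path(ORACLE_FIRST):
        print(kind, detail)
    fixed = reorder_path(ORACLE_FIRST)
    print("before:", resolve_command("runas.exe", ORACLE_FIRST, HYPOTHETICAL_FILES))
    print("after: ", resolve_command("runas.exe", fixed, HYPOTHETICAL_FILES))
    print(audit_path(r"%SystemRoot%\system32;%SystemRoot%;D:\ORACLE\ORA92\bin"))
```

    The `cwd` parameter is there because the current directory is searched before PATH at all: reordering PATH does nothing for a shell opened inside a directory that holds a same-named binary, which is why a suspected replacement is best checked by running the executable with its full path, as the post above asks.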
  • Variables: OK now, I've moved them to the front. Oddly, they were set as %systemroot% and not as C:\Windows; in any case: nothing.

    If I launch the command with the full path? Same result. Here is the log.

    Alas, it's not a Symantec AV problem. I've installed it on other machines and ... on the others everything works just fine. 

    

    Monday, 18 June 2012 14:04
  • We can't get anywhere like this: there's nothing useful in those 106 lines

    try sending a .PML of the following command

    c:\windows\system32\runas.exe  /user:Administrator "c:\windows\system32\notepad.exe"


    Gastone Canali >http://www.armadillo.it


    Monday, 18 June 2012 14:15
  • Tuesday, 19 June 2012 07:44
  • there's nothing new on SkyDrive....


    Gastone Canali >http://www.armadillo.it


    Tuesday, 19 June 2012 08:23
  • To tell the truth I wasn't very clear yesterday: the CSV contains the test I had already run yesterday too. :) You had written to me: But could it be the Symantec antivirus?? try sending a .PML of the following command c:\windows\system32\runas.exe /user:Administrator "c:\windows\system32\notepad.exe" Thanks a lot!
    Tuesday, 19 June 2012 09:49