Posted: Sat Sep 20, 2014 10:24 pm Post subject: Strange startup traffic
I have detected unusual network traffic at the PC's startup. In a Wireshark capture you can see that, after the user enters his password, the Windows XP client connects to the remote registry of the domain controller and tries to set or query some registry keys related to Terminal Services. In brief,
Client -> Domain Controller: Open Query HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\DefaultConfiguration
and there are more keys being consulted. Another hive that is consulted in the same trace is useroverride\Control Panel\Desktop, with other keys. This traffic is produced after the default domain policy is applied, but we don't have any configuration for Terminal Server in this policy. As far as I know, this is not normal, because PC clients in a domain don't try to configure the terminal service. We only have the execution of kixstart.exe in the netlogon folder to map three server folders (department documents, public and user) and certain policies that are applied afterwards. I have seen this traffic on certain PCs, but on others it is different. Do you think that someone has changed the default policy and is applying it to certain PCs? Is it some type of malware? Is it a driver or service installed by someone? I am lost with this problem, but the user has to wait a long time for the PC to be operative at startup.
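One way to triage a capture like the one described above: export the WINREG (MS-RRP) requests from Wireshark as text, then group every access to the Terminal Server and useroverride paths by client and separate reads from writes, so the affected PCs and any actual SetValue calls stand out. This is an added example, not code from the post; the sample lines are constructed, the address values are made up, and the line layout only approximates a tshark text export.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of a tshark text export of WINREG requests.
# Addresses and the HKLM\SOFTWARE\Policies line are made up for contrast; the
# other key paths are the ones named in the post.
SAMPLE = r"""
10.0.0.21 -> 10.0.0.5 WINREG OpenKey request HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\DefaultConfiguration
10.0.0.21 -> 10.0.0.5 WINREG OpenKey request useroverride\Control Panel\Desktop
10.0.0.33 -> 10.0.0.5 WINREG OpenKey request HKLM\SOFTWARE\Policies\Microsoft\Windows
10.0.0.21 -> 10.0.0.5 WINREG SetValue request HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations
"""

# Key prefixes a workstation has no reason to touch on a DC's remote registry
# during logon (the two hives the post saw in its trace).
WATCH_PREFIXES = (
    r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server",
    r"useroverride\Control Panel\Desktop",
)
# Operations that modify the remote registry rather than read it.
WRITE_OPS = {"SetValue", "CreateKey", "DeleteKey", "DeleteValue"}

LINE_RE = re.compile(r"^(\S+) -> (\S+) WINREG (\w+) request (.+)$")


def parse_winreg_lines(text):
    """Yield (client, server, op, key) tuples; lines in another shape are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()


def flag_remote_registry_access(text, prefixes=WATCH_PREFIXES):
    """Group watched key accesses by client, tagging each as a read or a write."""
    lowered = tuple(p.lower() for p in prefixes)
    hits = defaultdict(list)
    for client, server, op, key in parse_winreg_lines(text):
        if key.lower().startswith(lowered):
            kind = "write" if op in WRITE_OPS else "read"
            hits[client].append((server, op, kind, key))
    return dict(hits)


if __name__ == "__main__":
    for client, events in flag_remote_registry_access(SAMPLE).items():
        writes = sum(1 for e in events if e[2] == "write")
        print(f"{client}: {len(events)} watched accesses, {writes} write(s)")
        for server, op, kind, key in events:
            print(f"  {kind:5} {op:9} {server}  {key}")
```

A client that only reads the keys points at a policy or logon script worth reviewing; one that writes them on a DC deserves a closer look at what runs at its startup.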
TMs property of their respective owner. Comments property of posters. © 2007 Computer Forensics Science World. Digital forensic computing news syndication: Computer Forensics Training News or UM Text Software is copyrighted phpnuke.org (c)2003, and is free under licence agreement. All Rights Are Reserved.