#1
Hello, this is happening on a Windows XP Professional, SP2 fully patched. It used to share files on the network but suddenly it stopped doing so. After some reading I found that the User Rights Assignment property was missing the required values. So I added the accounts and this allowed the computer to share files again.

This would work for a few minutes but five minutes later computer trying to access the share could not because the settings were blank again. I repeated the process of adding the values to User Rights Assignment and they keep resetting.

Has anyone encountered this problem? How were you able to solve it or work around it? Thank you.
#2
Is this a computer on an Active Directory domain as found in many businesses or schools or not?? If not you have something strange going on that may be malware related or maybe due to a "protection" program that is locking your computer down for you. It may help to enable auditing of "policy change" for success and failure in Local Security Policy to see if it shows when and who is changing your user rights.

--- Steve
#3
Thank you Steve...will try enabling the "policy change" in auditing. These computers are in a workgroup setting, they do not belong to a domain/ad. I will try running some spyware detection software as well. Cheers.
#4
Policy Change indeed picked up something...:

    Source: Security
    Category: Policy Change
    Event ID: 622
    User: NT AUTHORITY\SYSTEM
    Computer: BOSS

    System Security Access Removed:
    Access Removed: SeNetworkLogonRight
    Account Modified: Everyone
    Removed By:
    User Name: BOSS$
    Domain: WORKGROUP
    Logon ID: (0x0,0x3E7)

Going to MS KB to figure out what this means..thanks again.
#5
It looks like a process using system is causing this to happen. Try booting into Safe Mode with networking to see if that makes a difference or not assuming you have something other than a host/software firewall protecting your computer as they will probably be disabled in Safe Mode. The other thing to look at is to see if you have any Scheduled Tasks running on the computer that are running a script using secedit or ntrights that are enforcing user rights on your computer.

Also keep in mind that the user right for deny access this computer from the network will override allow access this computer from the network though I tend to doubt that is your problem in this case. You might try adding "users" to that user right also to see if the process would remove that or is only removing everyone though you should try to get to the bottom of what is going on. The free tools called Process Explorer and Autoruns from SysInternals may help you find out if any rogue processes are running that may be causing your problem.

--- Steve

http://www.sysinternals.com/Utilities/Autoruns.html --- Autoruns
http://www.sysinternals.com/Utilitie...sExplorer.html --- Process Explorer
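The triage step discussed in the posts above (reading the policy-change event to see which right was removed, from which account, and whether the local SYSTEM logon session did it), as an added Python example that is not part of the original thread. It assumes the event text is laid out one field per line; the function names are hypothetical.

```python
import re

# Constructed sample: the thread's Event ID 622 record, one field per line.
SAMPLE_EVENT = """\
Source: Security
Category: Policy Change
Event ID: 622
User: NT AUTHORITY\\SYSTEM
Computer: BOSS
System Security Access Removed:
Access Removed: SeNetworkLogonRight
Account Modified: Everyone
Removed By:
User Name: BOSS$
Domain: WORKGROUP
Logon ID: (0x0,0x3E7)
"""

REMOVED_EVENT_ID = 622             # legacy XP/2003 ID; 621 is the "granted" event
LOCAL_SYSTEM_LUID = (0x0, 0x3E7)   # well-known logon session of LocalSystem
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):[ \t]*(.*)$")

def parse_event(text):
    """Return the 'Name: value' fields of one event as a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group(2):           # skip section headers with no value
            fields[m.group(1)] = m.group(2).strip()
    return fields

def logon_id(value):
    """Turn '(0x0,0x3E7)' into a tuple of ints."""
    high, low = value.strip("()").split(",")
    return int(high, 16), int(low, 16)

def triage(text):
    """Summarise a logon-right removal and say whether LocalSystem did it."""
    f = parse_event(text)
    if int(f.get("Event ID", 0)) != REMOVED_EVENT_ID:
        return None
    return {
        "right": f["Access Removed"],
        "account": f["Account Modified"],
        "actor": f["Domain"] + "\\" + f["User Name"],
        "by_local_system": logon_id(f["Logon ID"]) == LOCAL_SYSTEM_LUID,
    }

if __name__ == "__main__": print(triage(SAMPLE_EVENT))
```

A removal attributed to the machine account under logon ID 0x3E7 means the change came from code running as SYSTEM rather than from an interactive administrator, which narrows the search to services, drivers and scheduled tasks.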
#6
Everyone, THANK YOU for all the help...you suggested very useful tips and tools. Indeed a worm was causing the problem..a search for SeNetworkLogonRight yielded better results, including the following link:

http://securityresponse.symantec.com...ybot.worm.html

Resetting the SeNetworkLogonRight policy is just one of the things that W32.Spybot.Worm does. Workstation is back to normal after getting rid of this worm. Thank you again! Happy holidays.
#7
Hi Steven,

Thanks a lot for your post. I've been driven to tears all day with this problem. And there it was... remon.sys and some .exe's messing up my PDC!

Happy New Year to you :-)

-- MiBa
#8
Well glad you got it sorted out - maybe. I don't know if you looked any further into what remon.sys is but according to a Google search it is a trojan/backdoor so you want to be sure to do full system malware scans on your computer using the latest virus definitions from your vendor.

--- Steve

http://www.sophos.com/virusinfo/anal...tilebotgs.html
http://www.greatis.com/appdata/d/r/remon.sys.htm