
I was writing some .VBS code at the office that would allow certain file extensions to be downloaded without a warning dialog on a Windows7x32 system.

The system I was writing this on is in a lab on a segmented subnet. All web access is via a proxy server. The only means of accessing my machine is via the internet or from within the lab's AD domain.

While writing and testing my code I found a message of sorts. Upon refreshing the registry to verify my code changed a dword, instead the message HELLO was written and visible in regedit where the dword value was called for.

I took a screen shot and proceeded to edit my code. This same weird behavior occurred last time I was writing registry code except on another internal server.

I understand that remote registry access exists for windows systems. I will block this immediately once I return to the office.

What I want to know is, can I trace who made this connection? How would I do this?

I suspect the cause of this is the cause of other "odd" behaviors I'm experiencing at work such as losing control of my input director master control for over an hour and unchanged code that all of a sudden fails for no logical reason.

These failures occur at funny times, whenever I'm about to give a demonstration of my test code. I know this sounds crazy however knowledge of the registry component makes this believable. Once the registry can be accessed, the entire system is compromised.

This is on a test network where everybody is a domain admin so anybody in that group has the ability to enable remote registry access. Can remote assistance be enabled secretly?

Any help or sanity checking is appreciated.

HopelessN00b
  • @Slugster: I hope not :) The question is "What I want to know is, can I trace who made this connection? How would I do this?" which sounds more like server admin (or security) than programming...but I could be wrong. – Cameron Skinner Jan 16 '11 at 03:49
  • @Cameron, I agree, and all due respect to the OP but I think there is probably no Bad Guy :) – slugster Jan 16 '11 at 04:01

2 Answers


I would speculate that this may be programming related... but you better post some code fast before it gets closed.

These failures occur at funny times, whenever I'm about to give a demonstration of my test code.

To be honest, this is probably a mix of paranoia and bad coding and bad environment setup. How does the bad guy know you are about to do a demo?

Upon refreshing the registry to verify my code changed a dword, instead the message HELLO was written and visible in regedit where the dword value was called for.

Post your code. I also have difficulty believing the Bad Guy knew which registry key you were about to write..... and you can't put a string into a DWORD type registry key... which means you are either looking at the wrong key, or there is a bug in your code.

slugster

Remote-Registry access requires a login, which records an event in the Security event-log. Since this is Win7, it's actually on by default, which isn't the case in Win7. Troll through the Security log looking for accesses you don't recognize. You may see some 'anonymous' attempts, those are fairly normal on Windows networks.

sysadmin1138
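As an added illustration of the log search this answer recommends (this is not code from the answer or from the question), the script below pulls the network logons (logon type 3, the kind a Remote Registry connection over the winreg named pipe produces) out of the Security log and groups them by account and source address so an unfamiliar caller stands out. It assumes it is run from an elevated PowerShell prompt on the Win7 machine and that successful logon auditing is enabled; the first command checks that.

```powershell
# Added example: who has logged on to this machine over the network recently?
param(
    [int]$Hours = 24   # how far back to look (assumption: one day is enough for a first pass)
)

# If this reports "No Auditing" for Logon, the Security log cannot hold the evidence.
auditpol /get /subcategory:"Logon"

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Read the fields by name from the event XML so this does not depend on field order.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Logon type 3 = network logon (SMB / named pipes, which is how the winreg service is reached).
    if ($data['LogonType'] -eq '3') {
        New-Object PSObject -Property @{
            Time        = $e.TimeCreated
            Account     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            Workstation = $data['WorkstationName']
            SourceIP    = $data['IpAddress']
            AuthPackage = $data['AuthenticationPackageName']
        }
    }
}

# Summary by caller: the 'NT AUTHORITY\ANONYMOUS LOGON' entries are the anonymous
# attempts the answer mentions; a named domain account you did not expect is what to chase.
$rows | Group-Object Account, SourceIP | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Full detail, newest first, for the entries you do not recognise.
$rows | Sort-Object Time -Descending |
    Format-Table Time, Account, Workstation, SourceIP, AuthPackage -AutoSize
```

Because everyone on that test network is a domain admin, the account name alone will not settle it; the Workstation and SourceIP columns are what tie a logon back to a particular machine.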