SERVICES.EXE Mystery

Jay Somerset

Every couple of hours, services.exe tries to add the same two keys to my
WIN2K registry. I am running WIN2K/SP4 with the latest MS patches. The
system is not part of a domain.

The keys being rewritten are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"legalnoticecaption"=""
"legalnoticetext"=""

Why is this happening? I have checked services.exe for any virus, and it is
clean. Is this normal WIN2K behavior? Should I be concerned?
-Jay-
 
Dave Patrick

I don't know where you got that info but those two strings are populated via
your domain policy.

--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect
 
David H. Lipman

From: "Jay Somerset" <[email protected]>

| Every couple of hours, services.exe tries to add the same two keys to my
| WIN2K registry. I am running WIN2K/SP4 with the latest MS patches. The
| system is not part of a domain.
|
| The keys being rewritten are:
|
| [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
| "legalnoticecaption"=""
| "legalnoticetext"=""
|
| Why is this happening? I have checked services.exe for any virus, and it is
| clean. Is this normal WIN2K behavior? Should I be concerned?
| -Jay-

And the NEW added/modified text is... ?
 
Jay Somerset

From: "Jay Somerset" <[email protected]>

| Every couple of hours, services.exe tries to add the same two keys to my
| WIN2K registry. I am running WIN2K/SP4 with the latest MS patches. The
| system is not part of a domain.
|
| The keys being rewritten are:
|
| [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
| "legalnoticecaption"=""
| "legalnoticetext"=""
|
| Why is this happening? I have checked services.exe for any virus, and it is
| clean. Is this normal WIN2K behavior? Should I be concerned?
| -Jay-

And the NEW added/modified text is... ?

Exactly as described above. The fields are both set to blank ("").
-Jay-
 
Jay Somerset

I don't know where you got that info but those two strings are populated via
your domain policy.

I am running Kaspersky Labs AntiVirus 6, which can trap out changes to the
registry and permit them to be accepted or rejected. KLAV provided the
info.

I do not have a "domain policy" -- the system has never been configured to
be part of a domain.
-Jay-
 
David H. Lipman

|
| Exactly as described above. The fields are both set to blank ("").
| -Jay-

So what's the problem if the text is NULL, blank ?
 
Dave Patrick

It could be malware related but it isn't services.exe specifically. Have you
run rsop.msc to see what policy has been applied?

Computer Configuration\Windows Settings \Security Settings\Local
Policies\Security Options
Interactive logon: Message title for users attempting to log on
Interactive logon: Message text for users attempting to log on

--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect
 
David H. Lipman

From: "Dave Patrick" <[email protected]>

| It could be malware related but it isn't services.exe specifically. Have you
| run rsop.msc to see what policy has been applied?
|
| Computer Configuration\Windows Settings \Security Settings\Local
| Policies\Security Options
| Interactive logon: Message title for users attempting to log on
| Interactive logon: Message text for users attempting to log on
|

I doubt it is malware related unless it actually put text into those fields.
Since Jay has indicated they are NULL, then I think the OS touched those Registry settings
and Kaspersky over-exuberantly made a false declaration of a Registry change.
 
Jay Somerset

|
| Exactly as described above. The fields are both set to blank ("").
| -Jay-

So what's the problem if the text is NULL, blank ?

It may not present a security problem, per se, but the system shouldn't be
trying to rewrite these values, even with a null string, every 90-120
minutes.
 
Jay Somerset

I assumed null because his AV disallowed the changes.

Not so. Before I blocked further attempts, they went through. The result is
a repeated attempt to rewrite as null.

Doesn't make sense, and it's anomalous behavior, so I wondered if anyone had
ever seen this before, or had an explanation as to why services.exe was
trying to do this.
-Jay-
 
David H. Lipman

From: "Jay Somerset" <[email protected]>


|
| It may not present a security problem, per se, but the system shouldn't be
| trying to rewrite these values, even with a null string, every 90-120
| minutes.

I don't know. I haven't monitored that Registry key.

You say it is SERVICES.EXE. Ok, what is the fully qualified path to the SERVICES.EXE file
attempting these changes ?
 
Jay Somerset

It could be malware related but it isn't services.exe specifically. Have you
run rsop.msc to see what policy has been applied?

Computer Configuration\Windows Settings \Security Settings\Local
Policies\Security Options
Interactive logon: Message title for users attempting to log on
Interactive logon: Message text for users attempting to log on

I know what the entries are, and their purpose. What I don't understand is
why services.exe is repeatedly trying to add these keys to the Registry.

Also, rsop.msc is not on my system. How can I install it? A google search
yielded no information on how to obtain and install this snap-in.
-Jay-
 
Jay Somerset

From: "Jay Somerset" <[email protected]>


|
| It may not present a security problem, per se, but the system shouldn't be
| trying to rewrite these values, even with a null string, every 90-120
| minutes.

I don't know. I haven't monitored that Registry key.

You say it is SERVICES.EXE. Ok, what is the fully qualified path to the SERVICES.EXE file
attempting these changes ?

C:\WINNT\system32\services.exe
 
David H. Lipman

From: "Jay Somerset" <[email protected]>


|
| C:\WINNT\system32\services.exe

That's the legitimate location. Again this points away from malware.

The ONLY thing left is it may be a RootKit that is plugging into SERVICES.EXE

I suggest using the following anti RootKit Utility.
G.m.e.r. { Name & URL obfuscated due to a severe DDoS attack on mirrors }

h**p://www.young-andersen.dk/gamer/gamer.htm
 
Tim Jackson

Jay Somerset said:
I am running Kaspersky Labs AntiVirus 6, which can trap out changes to the
registry and permit them to be accepted or rejected. KLAV provided the
info.

I do not have a "domain policy" -- the system has never been configured to
be part of a domain.
-Jay-

But you do have a Local Security Policy that by default has these two
strings set to NULL. IIRC policy settings are *automatically* refreshed
every 90 minutes (with a 30 min random factor added in) and I suspect you
are catching this refresh process, although why it would try to update these
strings if they're not changing I don't know.
 
Jay Somerset

But you do have a Local Security Policy that by default has these two
strings set to NULL. IIRC policy settings are *automatically* refreshed
every 90 minutes (with a 30 min random factor added in) and I suspect you
are catching this refresh process, although why it would try to update these
strings if they're not changing I don't know.

Thanks for the info. That certainly explains what is happening. I was not
aware of any deliberate automatic refreshment of the policy settings --
seems kind of lame-brained to me.

As it appears to be innocuous (even if annoying) behavior, I have set up a
rule in Kaspersky AV to allow this to continue without notification.
-Jay-
 
Tim Jackson

Jay Somerset said:
Thanks for the info. That certainly explains what is happening. I was not
aware of any deliberate automatic refreshment of the policy settings --
seems kind of lame-brained to me.

As it appears to be innocuous (even if annoying) behavior, I have set up a
rule in Kaspersky AV to allow this to continue without notification.
-Jay-

In a single computer or non-domain situation the automatic refresh is probably
a bit over the top, but in a domain with server(s) and (many) client PCs a
policy may be changed centrally and the automatic refresh ensures changes
are promulgated without waiting for users to log off and/or reboot. :)
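The thread settles on three checks for telling a harmless policy refresh from something worth chasing: the writer is the real C:\WINNT\system32\services.exe (David Lipman's question about the fully qualified path), the data being written is identical to what is already there (the two legal-notice values stay ""), and the rewrites land on the Group Policy refresh cadence Tim Jackson describes (every 90 minutes plus up to 30 minutes of random offset, which matches the 90-120 minutes Jay observed). The script below is an added example, not something posted in the thread or shipped with Kaspersky or Windows. It applies those three checks to a constructed log of registry-write events; the log format (pipe-separated fields with .reg-style quoted data) and the 90-120 minute window are assumptions to adjust for whatever monitor actually produced the records.

```python
"""Triage registry-write events on the legal-notice values (added example).

Each event is classified as a benign policy refresh (same value rewritten
by the genuine services.exe, on the refresh cadence) or flagged for review.
The log lines below are constructed for the example, not real captures.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Key, value names and binary path exactly as given in the thread
POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system"
LEGAL_NOTICE_VALUES = {"legalnoticecaption", "legalnoticetext"}
LEGIT_SERVICES_EXE = r"C:\WINNT\system32\services.exe"

# Assumption: policy refresh every 90 min plus up to 30 min random offset,
# so consecutive no-op rewrites of one value should be 90-120 min apart.
REFRESH_MIN = timedelta(minutes=90)
REFRESH_MAX = timedelta(minutes=120)


@dataclass
class RegWriteEvent:
    when: datetime
    process: str      # fully qualified path of the writing process
    key: str
    value_name: str
    old_data: str
    new_data: str


def _unquote(field: str) -> str:
    """Data fields use .reg-style quoting: "" is empty, "text" is text."""
    if len(field) >= 2 and field[0] == '"' and field[-1] == '"':
        return field[1:-1]
    return field


def parse_line(line: str) -> RegWriteEvent:
    """Parse one constructed log line: ts | process | key | value | old | new."""
    ts, proc, key, name, old, new = [f.strip() for f in line.split(" | ")]
    return RegWriteEvent(datetime.fromisoformat(ts), proc, key, name.lower(),
                         _unquote(old), _unquote(new))


def classify(ev: RegWriteEvent, last_seen: Dict[str, datetime]) -> str:
    """Apply the three checks; last_seen tracks the previous benign rewrite per value."""
    if ev.key.lower() != POLICY_KEY.lower() or ev.value_name not in LEGAL_NOTICE_VALUES:
        return "ignore: not a legal-notice value"
    # Check 1: only the genuine services.exe is expected to touch these values
    if ev.process.lower() != LEGIT_SERVICES_EXE.lower():
        return "alert: unexpected writer " + ev.process
    # Check 2: a real change to the logon banner text is worth a look
    if ev.new_data != ev.old_data:
        return "alert: logon banner content changed"
    # Check 3: no-op rewrites should follow the policy refresh cadence
    prev = last_seen.get(ev.value_name)
    last_seen[ev.value_name] = ev.when
    if prev is not None and not (REFRESH_MIN <= ev.when - prev <= REFRESH_MAX):
        return "review: no-op rewrite off the policy refresh cadence"
    return "benign: policy refresh rewrote the same value"


def triage(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, value name, verdict) for every line of the log."""
    last_seen: Dict[str, datetime] = {}
    results = []
    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        results.append((ev.when.isoformat(), ev.value_name, classify(ev, last_seen)))
    return results


def _line(ts: str, proc: str, name: str, old: str, new: str) -> str:
    return f'{ts} | {proc} | {POLICY_KEY} | {name} | "{old}" | "{new}"'


# Constructed sample log: two refresh cycles of no-op rewrites, then three
# events that each fail one of the checks.
SAMPLE_LOG = "\n".join([
    _line("2007-03-01T08:00:00", LEGIT_SERVICES_EXE, "legalnoticecaption", "", ""),
    _line("2007-03-01T08:00:00", LEGIT_SERVICES_EXE, "legalnoticetext", "", ""),
    _line("2007-03-01T09:45:00", LEGIT_SERVICES_EXE, "legalnoticecaption", "", ""),
    _line("2007-03-01T09:45:00", LEGIT_SERVICES_EXE, "legalnoticetext", "", ""),
    _line("2007-03-01T11:20:00", LEGIT_SERVICES_EXE, "legalnoticecaption", "", ""),
    _line("2007-03-01T11:20:00", LEGIT_SERVICES_EXE, "legalnoticetext", "", "Authorized users only"),
    _line("2007-03-01T11:25:00", r"C:\WINNT\Temp\services.exe", "legalnoticecaption", "", ""),
    _line("2007-03-01T11:30:00", LEGIT_SERVICES_EXE, "legalnoticecaption", "", ""),
])

if __name__ == "__main__":
    for when, name, verdict in triage(SAMPLE_LOG):
        print(f"{when}  {name:<20} {verdict}")
```

The first five events are what Jay's monitor was reporting: identical data, genuine binary, 95 and 105 minutes apart, so they come out as benign refreshes. The remaining three show what the same monitor output would look like when it is worth acting on: the banner text actually changing, a writer at a path other than the real services.exe, and a rewrite only ten minutes after the previous one. The cadence window is the one assumption most likely to need tuning, since a monitor that records events late, or a machine that was asleep, will shift the intervals.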
 