Access Denied errors recorded by Regmon

Regmon filtered to show just Access Denied errors will generate hundreds of
errors in just an hour or so of computer use. This XP Pro desktop is slightly
sick, being slow doing things like "Open with...", but otherwise is basically
functional. The Regmon error was discovered while investigating a loss of Folder
file association. Changing key ownership, creating a new administrator user or
editing and resaving permissions do not affect the errors. For example,
opening IE6 and setting Regmon's filter to "Bags", and comparing with the Regmon
output from a healthy XP Home laptop, gives on the laptop 39 lines opening IE6
and a total of 60 lines also closing IE6. On the laptop all are SUCCESS apart
from 6 NOT FOUND. On the suspect desktop the total is 77 including 16 ACCESS
DENIED, which all occur on closing IE6.
On the desktop, keys like Shell\MinPos1280x1024(1).x get QueryValue twice at
lines 4 & 5, both with SUCCESS, but later at line 43 QueryValue of the same key
gives ACCESS DENIED, followed at line 44 by a SetValue with SUCCESS.
All open-program events produce at least one Access Denied error, the first
of which is always the HKCU\SessionInformation\ProgramCount key value.
This has me totally puzzled. Is there an expert who can shed any light on
this?
Thanks in anticipation,
Richard (jaistar)
 
How granular are you getting with the registry permissions? If you go into
special permissions you can set QueryValue to Deny and SetValue to Allow,
which could explain the results of your log file. Also, are you checking the
permissions to all groups of the said keys, like the special groups CREATOR
OWNER and SYSTEM?
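The two checks Adam describes (looking for explicit Deny entries at the special-permissions level, for every principal including CREATOR OWNER and SYSTEM, and finding out which specific right is actually being refused) can be scripted. The following is an added example and not code from this thread or from Sysinternals; it assumes the key paths named in the thread (HKCU\SessionInformation and an assumed HKCU\Software\Microsoft\Windows\Shell\Bags), which you would replace with the keys Regmon reports, and it opens each key one access right at a time so that a SetValue request that succeeds while a QueryValue request is refused shows up directly.

```powershell
# Added example, not from the original thread. Audits a registry subtree for
# explicit Deny ACEs and then opens each key requesting one right at a time,
# so you can see which operation is refused for the current user.
# Key paths are placeholders based on the thread; substitute the ones Regmon logged.
$keys = @(
    'HKCU:\SessionInformation',                     # ProgramCount lives here (from the thread)
    'HKCU:\Software\Microsoft\Windows\Shell\Bags'   # assumed location of the "Bags" keys
)

# 1. Every explicit Deny ACE on the key or any subkey, for any principal
#    (CREATOR OWNER and SYSTEM included, since they appear in the ACL like any other).
function Get-RegistryDenyAces {
    param([string]$Path)
    $root = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if (-not $root) { return }
    $targets = @($root) + @(Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue)
    foreach ($k in $targets) {
        $acl = Get-Acl -Path $k.PSPath -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Deny') {
                [pscustomobject]@{
                    Key       = $k.Name
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.RegistryRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# 2. Open the key asking for a single right; a refusal here is what Regmon
#    records as ACCESS DENIED for that operation, so QueryValue and SetValue
#    can be compared side by side.
function Test-RegistryRights {
    param([string]$SubKey)   # path relative to HKCU, e.g. 'SessionInformation'
    $rights = [ordered]@{
        QueryValue   = [System.Security.AccessControl.RegistryRights]::QueryValues
        SetValue     = [System.Security.AccessControl.RegistryRights]::SetValue
        CreateSubKey = [System.Security.AccessControl.RegistryRights]::CreateSubKey
        FullControl  = [System.Security.AccessControl.RegistryRights]::FullControl
    }
    foreach ($name in $rights.Keys) {
        try {
            $h = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey(
                $SubKey,
                [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
                $rights[$name])
            if ($h) { $h.Close(); $result = 'SUCCESS' } else { $result = 'NOT FOUND' }
        } catch [System.Security.SecurityException] {
            $result = 'ACCESS DENIED'
        } catch [System.UnauthorizedAccessException] {
            $result = 'ACCESS DENIED'
        }
        [pscustomobject]@{ SubKey = $SubKey; Right = $name; Result = $result }
    }
}

foreach ($k in $keys) {
    Write-Host "== Explicit Deny ACEs under $k"
    Get-RegistryDenyAces -Path $k | Format-Table -AutoSize
    Write-Host "== Per-right open test on $k (as $env:USERNAME)"
    Test-RegistryRights -SubKey ($k -replace '^HKCU:\\', '') | Format-Table -AutoSize
}
```

Run it in the same logon session whose events Regmon captured, because HKCU is per-user; if the Deny list is empty and every right opens with SUCCESS while Regmon still reports ACCESS DENIED for the same key, the refusal is not coming from the key's ACL.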
 
Hello Adam,
Thanks for the input. The top-level HKCU key is set to Full Control (+ Read)
for all users apart from Restricted. As I log on as an administrator-type user, I
specifically checked for the Administrators group that all keys below inherited their
permissions from this top level. Using Edit at each level shows all Allow
boxes ticked but grey, and no Deny boxes have ticks. Additionally, AccessEnum
shows no irregularity here. I added my specific login user, as this was
identified in the Access Denied errors, and set it up for Full Control too, but
to no new result. User SYSTEM was checked similarly without seeing anything
odd. In short, I really do not think it is actually a permission problem, but
otherwise am stumped. The vast majority of the errors are from HKCU, but not
exclusively. Note that the HKCU key mentioned gives SUCCESS for QueryValue at
one point and ACCESS DENIED later. About 17 errors are logged in 70 lines of
"Bags"-filtered output, with several keys showing this strange behaviour.
Jaistar.
 
Thanks for the input. The top-level HKCU key is set to Full
Control (+ Read) for all users apart from Restricted. As I log on
as an administrator-type user, I specifically checked for the Administrators
group that all keys below inherited their permissions from this
top level.

Have you tried posting at the Sysinternals forum for Regmon? I've used
Filemon and Regmon for the past few years and they do sometimes give
false positives, though the number in your case seems really high.

The only other thing I can think of is malware. I had a piece of spyware
once that was protecting certain registry keys by intercepting my calls
to modify them. You can watch Mark Russinovich's web cast on malware
here: http://tinyurl.com/7muer.

Adam
 
Thanks Adam,
I use Panda Titanium AV, fully up to date, and also MS AntiSpyware, and scans
from both are clean, so I hope spyware is not the problem. I tried
RootkitRevealer, which found a couple of keys containing nulls but nothing else apart
from the temporary files from rootkitrevealer.zip, so I don't think this is the
problem. Strangely, the regdelnull tool could not find them in HKLM to
delete. (I ran regdelnull HKLM -s.) I have not had time to read thoroughly all
about these tools, but using defaults I thought it would work as advertised.
I will have a look at the Sysinternals forum as you suggest.
Many thanks,
Jaistar.
 