I've wasted my time before telling people the process on how to fix. But you idiots refuse to do it. YOU HAVE NOT FIXED IT (as some setup programs will now fail).
Autoexec.nt. There is something deleting it for many people at boot or shutdown. Hopefully auditiong will show what program or virus is doing it. Most people can't use auditing so noone know what it is. Auditing records access to something (what you specify it to) in Windows. It's off by default because it slows down the computer and often noone cares.
1. Turn on auditing (this turns it on but nothing is being audited)
2. Set auditing for just this file (else you'll get millions of messages to sort through if you audit everything).
1. You must enable Auditing for the machine (in Local Security Policy - see Help).
2. You must specify what to audit. You do this the same place you set permissions (click Advanced).
Then you can read it in the Event Viewer
Audit object access
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy
Description
Determines whether to audit the event of a user accessing an object-for example, a file, folder, registry key, printer, and so forth-that has its own system access control list (SACL) specified.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a user successfully accesses an object that has a SACL specified. Failure audits generate an audit entry when a user unsuccessfully attempts to access an object that has a SACL specified. To set this value to no auditing, in the Properties dialog box for this policy setting, select the Define these policy settings check box and clear the Success and Failure check boxes.
Note that you can set a SACL on a file system object using the Security tab in that object's Properties dialog box.
Default: No auditing.
Then set auditing for your drives in the Drives Properties - Security - Advanced - Auditing
You have to turn it on then set what is to be audited.
This is what a audit for a printer looks like
Object Open:
Object Server: Spooler
Object Type: Document
Object Name:
http://smh.com.au/news/opinion/webdiary/index.html?from=lhsnav
Handle ID: 9487952
Operation ID: {-,-}
Process ID: 1020
Image File Name: C:\WINDOWS\system32\spoolsv.exe
Primary User Name: SERENITY$
Primary Domain: WORKGROUP
Primary Logon ID: (0x0,0x3E7)
Client User Name: David Candy
Client Domain: SERENITY
Client Logon ID: (0x0,0xE179)
Accesses: READ_CONTROL
%%6949
Privileges: -
Restricted Sid Count: 0
For more information, see Help and Support Center at
Big companies have programs that look through these logs. You can use a spreadsheet.
--
----------------------------------------------------------
http://www.uscricket.com
Terry said:
Well can you believe that? I tried the suggestion of "Bullwinkle" and
changed the file's properties to "read only" and it doesn't get deleted upon
boot. I'm flabbergasted that such a simple thing could resolve this deletion
problem! Even if the root cause of the original problem of the file being
deleted in the first place, is still unknown, at least I can live with it
until I can discover what caused it.
I've put this problem to all kind of places on the Web (I use both Terry and
Bud Norris) and even to my computer OEM (Gateway) and nobody ever thought of
changing the file's properties.
Many, many thanks to Bullwinkle!
Bud Norris said:
Lots of luck Sebastion! If somehow you can replace the AUTOEXEC.NT file in
your C:\WINNT\System32| folder AND keep it there, please let me know how you
managed it. Everytime I put the file into the system32 folder it is deleted
the next time I reboot. No body seems to know why this happens It's
obviously something to do with the Windows XP file protection feature but no
one can tell me what to do to stop the deletion.
Also when people tell you that the folder you are to put the AUTOEXEC.NT
file in is your C:\Windows\System32\ folder they are incorrect. It's the
C:\WINNT\System32| folder. People for some reason keep saying it's the
C:\Windows|System32 folder. (Ido realize thats what the Microsoft articles
say but ther're wrong)
If any of these experts that answered your question can tell me how to stop
the deletion problem please do it!
NevBud
Sebastian said:
:
The file is located in the Windows\system32 folder
I didn't really phrase my question properly. I had already discovered that
the file is missing from that directory and I was trying to locate another
copy to put there. As I understand it (you can see I'm a new user) this used
to be windows\driver cache\i386 and [since SP2] windows\sustem32zdllcache.
"Patti MacLeod" suggested two refences. The second wasn't available, the
first was helpful.
Thanks for all clues - I'll have more if they're availabe because, being
naive, I keep thinking I might learn to understand all this stuff one day.
