Hi Robert,
True. Using R'Mon might not help if the problem is caused by a startup application or during shutdown. Auditing works in any case (startup, shutdown, or during normal operation of Windows), so I preferred that one (given that we have no clue when this is occurring). The Image Name might give a clue.
--
Ramesh - Microsoft MVP
Windows XP Shell/User
http://www.mvps.org/sramesh2k
AumHa VSOP:
http://www.aumha.org
Robert Aldwinckle said:
it would be great if you let us know what application is changing that path wrongly
Ramesh,
Do we know when these changes are occurring?
If she shuts down with it set the way it should be,
checks immediately after a boot and it isn't set
she'd have to use your auditing idea (or try some fault
isolation with some clean-boot troubleshooting)
<title>KB316434 - How to perform advanced clean-boot troubleshooting in Windows XP</title>
Otherwise (if it occurs sometime after a boot)
she could use RegMon which might be easier
to set up and check. She only needs to monitor one value
so the filter could be very specifically for that.
Sounds like it's a frequent thing which means that diagnostics
would only need to be in place for a short time.
FWIW
Robert Aldwinckle
---
Maggie,
You can prevent the registry change for sure (by assigning read-only Permissions to that User Shell Folders path, for your login).
But, it would be great if you let us know what application is changing that path wrongly. If using XP Professional, set the auditing
for those registry keys:
Phase I: Enable Audit Policy
1. Click Start, Run and type Secpol.msc
2. In the left pane, under Local Policies, click Audit Policy.
3. In the right pane, double-click Audit Object Access, and then select the Success and Failure boxes.
Phase II: Set the keys to be Audited:
1. Now, use Regedit to audit individual keys.
2. Open Registry Editor and click the key you want to audit. (First start with "User Shell Folders" key)
3. On the Edit menu, click Permission; then click Advanced.
4. On the Auditing tab, click Add.
5. Type your username there and add it to the audit list
6. In the Auditing Entry For Name dialog box, in the Access list, select both the Successful and Failed check boxes next to the
activities for which you want to audit successful and failed attempts.
Phase III: Inspect the Event Logs for any information on the changed keys/values:
1. Click Start, Run and type Eventvwr.msc
2. In Event Viewer's left pane, click Security.
3. In the right-pane, double-click any entry to see more details.
4. Post the contents of that dialog here
--
Ramesh - Microsoft MVP
Windows XP Shell/User
http://www.mvps.org/sramesh2k
AumHa VSOP:
http://www.aumha.org
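A scripted equivalent of the three audit phases in the post above, as an added example that is not part of the original thread or the poster's own instructions. It assumes Windows Vista or later (where a registry value change is logged as Security event 4657, which names the changing process), an English-language system, PowerShell 3 or later, and an elevated prompt running as the affected user so that HKCU is that user's hive.

```powershell
# Added example: assumptions are listed in the lead-in above.
$keyPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'

# Phase I: enable success and failure auditing for registry object access.
auditpol /set /subcategory:"Registry" /success:enable /failure:enable

# Phase II: add an audit entry (SACL) on the key for writes made under the current login.
$acl  = Get-Acl -Path $keyPath -Audit
$rule = New-Object System.Security.AccessControl.RegistryAuditRule(
    [System.Security.Principal.WindowsIdentity]::GetCurrent().Name,
    [System.Security.AccessControl.RegistryRights]'SetValue, Delete',
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Phase III: after the path has changed again, list who changed which value.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the event's named data fields into a lookup table.
        $fields = @{}
        foreach ($node in ([xml]$_.ToXml()).Event.EventData.Data) {
            $fields[$node.Name] = $node.'#text'
        }
        # Keep only changes made directly under the audited key.
        if ($fields.ObjectName -like '*\Explorer\User Shell Folders') {
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Process  = $fields.ProcessName      # the "Image Name" of the writer
                Value    = $fields.ObjectValueName  # e.g. Favorites
                OldValue = $fields.OldValue
                NewValue = $fields.NewValue
            }
        }
    } | Sort-Object Time | Format-List
```

The same rule can be added to the sibling `Shell Folders` key by changing `$keyPath`; remove the audit entry once the offending process has been identified, since object-access auditing adds to the Security log.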
Alan - sorry - one more bit of information. I changed the regedit in both the user shell folder and the shell folder. If I change
one, and then change the other and go back and check it - it bounces back to c:\windows\favorites again. Kind of annoying. (This
happened to me once before where my favorites got messed up. I created a new login for myself and copied my favorites over to it -
not sure why it is happening again.) Thanks in advance for your help.
Maggie