Is this normal or a security breach?


Guest

I noticed my HD started working up pretty heavily out of the blue so I checked the event logs and I saw these entries.

First, in the applications log there was a Winmgt warning that "a provider, OffProv, has been registered in the WMI namespace, Root\MSAPPS, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests."

Also around this time I noticed many failure audits and finally a success in the security logs for logging on.

I'm running XP home on a cable network.... this computer is using ICS's firewall services... This computer is also a DELL and I noticed it has some support services that I haven't totally been able to clear out. Should I be worried?
 
I'm not sure what it means, but do a Google search on the words "OffProv has
been registered" and you'll find some hits which may be of use to you.

Hope this is useful to you. Let us know.

rms
 
The message about Office registering a provider with WMI is
normal after an Office install.

The long sequence of failed logons, ending with a success is
not too normal. If the success was for an empowered account
and you did not log in at the time, and you were not running
MBSA at the time, then you may want to investigate.
However, as you say you had ICS on, it is likely from something
you initiated (unless you have poked some holes in ICS).
You may want to run
net localgroup administrators
and then log in with each listed admin account and change
its password, checking to see if there are any noticeable
differences in each account while logged in.


--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
Nick said:
I noticed my HD started working up pretty heavily out of the blue so I
checked the event logs and I saw these entries.
First, in the applications log there was a Winmgt warning that "a
provider, OffProv, has been registered in the WMI namespace, Root\MSAPPS, to
use the LocalSystem account. This account is privileged and the provider
may cause a security violation if it does not correctly impersonate user
requests."
Also around this time I noticed many failure audits and finally a success
in the security logs for logging on.
I'm running XP home on a cable network.... this computer is using ICS's
firewall services... This computer is also a DELL and I noticed it has some
support services that I haven't totally been able to clear out. Should I be
worried?
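
The pattern described in the reply above (a run of failed logons ending in a success, on an account with administrator rights), sketched as an added example that is not part of the original thread. It assumes the Security log has been exported as "timestamp,event_id,account" lines and uses the XP-era event IDs 529 (failure) and 528/540 (success); the account names, timestamps and thresholds are constructed, and the admin list stands in for the output of net localgroup administrators.

```python
from datetime import datetime, timedelta

# Windows XP/2003-era Security log event IDs.
FAILURE_IDS = {529}       # logon failure: unknown user name or bad password
SUCCESS_IDS = {528, 540}  # successful logon (interactive / network)

# Constructed sample export: "timestamp,event_id,account" per line.
SAMPLE_LOG = """\
2004-03-01 09:15:02,529,Nick
2004-03-01 09:15:20,528,Nick
2004-03-01 14:02:11,529,Owner
2004-03-01 14:02:13,529,Owner
2004-03-01 14:02:15,529,Owner
2004-03-01 14:02:18,529,Owner
2004-03-01 14:02:20,529,Owner
2004-03-01 14:02:23,529,Owner
2004-03-01 14:02:26,540,Owner
"""

def parse(text):
    """Yield (timestamp, event_id, account) tuples from the exported lines."""
    for line in text.strip().splitlines():
        ts, event_id, account = line.split(",")
        yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(event_id), account.strip().lower()

def failures_then_success(text, admins, min_failures=5, window=timedelta(minutes=10)):
    """Report successes preceded by >= min_failures failures within the window."""
    admins = {a.lower() for a in admins}
    pending = {}  # account -> failure timestamps since its last success
    hits = []
    for ts, event_id, account in sorted(parse(text)):
        fails = pending.setdefault(account, [])
        if event_id in FAILURE_IDS:
            fails.append(ts)
        elif event_id in SUCCESS_IDS:
            burst = [t for t in fails if ts - t <= window]
            if len(burst) >= min_failures:
                hits.append({"account": account, "failures": len(burst),
                             "success_at": ts, "admin": account in admins})
            fails.clear()  # a success resets the run for this account
    return hits

if __name__ == "__main__":
    for hit in failures_then_success(SAMPLE_LOG, admins=["Owner"]):
        print(hit)
```

A single mistyped password followed by a success (the first two sample lines) stays below the threshold and is not reported.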
 
