need a basic understanding

stevemiller

I have Windows XP home edition. I'm not connected to a
network and I am the only user of the computer. Apparently
I have four or more accounts on my system: Owner,
Administrator, NT AUTHORITY/SYSTEM and Guest(turned off).
I am supposed to have administrative privileges but I
can't even add a screen saver. I found directions for
getting a screensaver to work at kellys korner but I need
a better understanding of the basics before tackling the
registry.
I need to find a tutorial on the basics of accounts and
permissions specifically for XP home, non-workstation, non-
networking computer.

1) Are all these accounts necessary?

2) If I edit the permissions to edit the registry of the
owner account do I need to go into safe mode and edit the
Administrator permissions? Should I do all my registry
editing in safe mode from the Administrator account?

3) What are these security permissions being granted
access to my files all the time? Usually nt
authority\system, winlogon, winlogon\Gina, CHAP, RASMAN
etc...
 
Michael Solomon (MS-MVP Windows Shell/User)

1) Are all these accounts necessary?

A) No. First, go to Control Panel, open User Accounts, check to see if your
account, I assume named the Owner account is listed as Limited or
Administrator. If listed as Limited, log into the account named
Administrator, go to Control Panel, open User Accounts, click the Owner
account, from the list on the new screen that opens, click Change my account
type and then select Computer Administrator. Ultimately, this should hide
the account called administrator as that is normally a hidden account used
only in an emergency if you cannot access any of your other accounts. This
should give you the ability to do all the things you wish to do, no need to
edit the registry and you might not even require Kelly's tweak as that is
usually designed to fix a disabled function.

2) If I edit the permissions to edit the registry of the
owner account do I need to go into safe mode and edit the
Administrator permissions? Should I do all my registry
editing in safe mode from the Administrator account?

A) No need to do this, see above.

3) What are these security permissions being granted
access to my files all the time? Usually nt
authority\system, winlogon, winlogon\Gina, CHAP, RASMAN
etc...

A) I don't understand the question.

To play safe, make sure your antivirus software is up to date and run a
virus scan. I'm not familiar with a default setup creating a user called
"NT Authority System."

If you are the only user, we usually recommend that you have an
Administrator account (this is over and above the usually hidden account
mentioned above and while you can make it "Computer Administrator" as
outlined above, you name it something else as no other account on the system
can have the name "Administrator") and have a second account for normal
everyday use that is a limited account. If you are on the Internet or you
contract a virus and you basically use your limited account, because it is
a limited account, a virus or a hacker would have a difficult time doing
anything because the account is limited.

If you didn't create the NT Authority account, I would say it can be
deleted in Control Panel\User Accounts but I don't know what else you might
have done that might have created that account in the first place which is
one of the reasons I suggested running a virus scan.

The Guest account cannot be deleted but it can be turned off as it appears is
the case on your system.
 
Michael Solomon (MS-MVP Windows Shell/User)

One other point, assuming the account named "Administrator" disappears from
the Welcome screen where you log in, should you ever need to get to that
account in the future the procedure for XP Home Edition which differs from
the procedure for XP Pro requires that you log into Safe Mode as that
Administrator. If that account has no password set, then leave the password
for that account blank when you get to safe mode. In other words, leave the
password blank and press enter. If you have set a password for that account
make note of it as you will need it to log into safe mode as that
administrator. In order to get to Safe Mode, you boot the system and start
tapping F8, when the menu appears, select Safe Mode from the menu and press
enter.
 
stevemiller

I checked. I have admin. privileges but cannot make an
added on screensaver stay selected in the screensaver
selection box. I select the screensaver from the list,
click apply, then Ok. The window closes. I reopen the
screensaver selection window and my selection has reverted
to "NONE". I tried renaming it, putting ss in front of it.
I added new values... c:\windows\system32\ssA Frozen
Night.scr to the Screensaver.exe in the machine hive of
the registry. It shouldn't be this complicated. I nearly
deleted everything under desktop in the registry. I have
backups but I gotta be able to log on to use them. Thanks
for the advice. I'll keep working on it.
 
Michael Solomon (MS-MVP Windows Shell/User)

The screen saver to which you refer, Frozen Night, is not a part of Windows
XP. If this is from some earlier version of Windows or something you
downloaded, note that many screensavers created for Windows 9x operating
systems will not work with XP and when they won't, they just won't.

You can try contacting the source of the screen saver for help but many such
screen savers for 9x and outside sources simply won't work with XP and that
is likely the reason you are having this issue.
 
stevemiller

Ok, thanks I'll check. Here is the site I downloaded
from:
http://themexp.ezthemes.com/pcenhance/ss/preview.phtml?blank+16274
No, the ss is not part of windows...I have tried several
from this site..."Themexp", none of them will work in the
same manner as I described earlier. Many of them come with
excess baggage (so they can be free, monetarily) programs
they want you to download. I strip these off before using
the actual scr file. Maybe doing so corrupts the scr file.
I don't know, I'll keep trying things. Thanks again.
 
Michael Solomon (MS-MVP Windows Shell/User)

It's possible they require the "excess baggage" in order to run but I can
tell you, Non-XP and third party screen savers can be problematic in XP.
 
stevemiller

Good Idea! about having the limited account for everyday
use, never thought of that. I found I have an account for
every time I changed the computer name. NT
AUTHORITY\SYSTEM doesn't actually have an account but it
does something. Here are a couple of security audit events
copied from event viewer:

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 1/30/2004
Time: 3:53:27 PM
User: NT AUTHORITY\SYSTEM
Computer: FOXTROT
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: Owner
Source Workstation: FOXTROT
Error Code: 0xC000006A


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 528
Date: 1/30/2004
Time: 12:50:22 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: FOXTROT
Description:
Successful Logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Logon Type: 5
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I don't have any networking activities that I know of nor
do I belong to a workgroup. And, my OS is XP not NT but I
have all kinds of NT files. There are about 40 security
audit events per session. Could I have activated something
to do with networking by mistake? [another example]
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Event Type: Success Audit
Event Source: Security
Event Category: Policy Change
Event ID: 612
Date: 1/30/2004
Time: 10:53:11 AM
User: NT AUTHORITY\SYSTEM
Computer: FOXTROT
Description:
Audit Policy Change:
New Policy:
Success Failure
+ + Logon/Logoff
- - Object Access
- - Privilege Use
+ + Account Management
+ + Policy Change
+ + System
- - Detailed Tracking
- - Directory Service Access
+ + Account Logon

Changed By:
User Name: FOXTROT$
Domain Name: WORKGROUP
Logon ID: (0x0,0x3E7)

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
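
The three audit records in the post above can be read mechanically: who the logon session belongs to, what kind of logon it was, and what the status code means. This is an added example, not part of the original thread; the function names and the trimmed sample are constructed, and the session, logon-type and status-code tables are standard Windows values rather than anything the posters stated.

```python
import re

# Constructed sample: the three records from the post, trimmed to the fields used.
SAMPLE = """\
Event Type: Failure Audit
Event ID: 680
Logon account: Owner
Error Code: 0xC000006A

Event Type: Success Audit
Event ID: 528
Logon ID: (0x0,0x3E4)
Logon Type: 5

Event Type: Success Audit
Event ID: 612
Logon ID: (0x0,0x3E7)
"""

# Well-known Windows constants (general knowledge, not stated in the thread).
BUILTIN_SESSIONS = {0x3E7: "SYSTEM", 0x3E5: "LOCAL SERVICE", 0x3E4: "NETWORK SERVICE"}
LOGON_TYPES = {2: "interactive", 3: "network", 5: "service", 10: "remote interactive"}
NTSTATUS = {0x0: "success", 0xC000006A: "wrong password", 0xC0000064: "no such user"}

def parse_records(text):
    """Split Event Viewer text on 'Event Type:' and return one field dict per record."""
    records = []
    for chunk in re.split(r"(?m)^(?=Event Type:)", text):
        fields = dict(re.findall(r"(?m)^[ \t]*([A-Za-z /]+?):[ \t]*(\S.*?)[ \t]*$", chunk))
        if "Event ID" in fields:
            records.append(fields)
    return records

def triage(rec):
    """One-line reading of a record; values outside the tables are flagged for review."""
    eid = int(rec["Event ID"])
    m = re.search(r"0x[0-9A-Fa-f]+\)$", rec.get("Logon ID", ""))
    session = (BUILTIN_SESSIONS.get(int(m.group()[:-1], 16)) if m else None) or "not built-in, review"
    if eid == 680:
        reason = NTSTATUS.get(int(rec.get("Error Code", "0x0"), 16), "unrecognised status, review")
        return f"680 credential check for '{rec.get('Logon account')}': {reason}"
    if eid == 528:
        kind = LOGON_TYPES.get(int(rec.get("Logon Type", "0")), "unknown type, review")
        return f"528 {kind} logon, session {session}"
    if eid == 612:
        return f"612 audit policy change by session {session}"
    return f"{eid} not covered here, review"

for record in parse_records(SAMPLE):
    print(triage(record))
```

Read this way, the 528 and 612 records are the operating system's own service and SYSTEM sessions, and the 680 record is a mistyped password for the Owner account on the local machine.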
 
Michael Solomon (MS-MVP Windows Shell/User)

Have you run the virus scan? The blaster virus manifests itself by
informing users of an NT Authority shutdown. While you may not have seen
this, I suggest you make sure your antivirus software is up to date and do a
virus scan of your system, all the more so because this appears to be a
security alert. It may be related to an update you downloaded that helps
protect against this virus or it may be something else altogether.

XP is built on the NT kernel. XP is essentially a new iteration of NT, as
98 and ME were on 95, that is the case for Windows 2000 and XP, they are
evolutions of NT.

Whenever you log on to your ISP, you are logging on to a network, if you are
on a broadband connection, you are always connected to that network.

Nonetheless, I have not seen this error in the event logs and given the
reference to NT Authority, I suggest you run a virus scan.

--
Michael Solomon MS-MVP
Windows Shell/User
Backup is a PC User's Best Friend
DTS-L.Org: http://www.dts-l.org/

