Pagefile.sys & NTAUTHORITY

dcdon

Recently, problems with pagefile.sys have caused many trepidatious moments. I
have rebuilt my pagefile.sys several times and now it seems to be okay. The
last time, I used what I thought caused the problem in the first place. This
is what I did, and then my question. On a trustworthy site (is there such a
thing?), it was said that in some cases performance could be gained by
setting the applet to both zeros. On reboot, I was to reset the sizes in the
applet to RAM + 32 Meg. When I rebooted, 20 Meg was in the initial window (as if
it had created temppf.sys), but when I set the sizes and OK'd out, the
computer would reboot (I had "automatically reboot on BSOD" enabled). After
unchecking the auto reboot, I found that I could reset the size in the
registry, and I could make the initial and max smaller, but each time I
tried to increase it, BSOD.

I did finally make it small enough that it generated a temppf.sys. That's
when I used regedt32 to regenerate the pagefile, after changing the
extension on the original. This did okay, but something would cause the
squawk of a temppf.sys being created, and I had to rebuild the pagefile
several times. One of those times, I had taken back "full control" from
NT AUTHORITY\SYSTEM. After relinquishing the control again, I did get
pagefile.sys set. But it still has full control.

And now for the question. Does NT AUTHORITY\SYSTEM need to retain "full control"
indefinitely, and if so, will this cause a problem or vulnerability?

Postscript: I did see the M$ article on setting a pagefile to zero and,
after boot, setting the size to a minimum of RAM + 32 Meg. I did that,
and it works and looks to be doing just fine. I believe all of this is
caused by some type of attack or infection, and believe me, I run a tight
ship. I have run every kind of fixtool imaginable, exactly by the directions
from Symantec and other AVP vendors, and have found no infection of any kind,
as if that was supposed to make me feel better.

I've also had trouble with Event Viewer being visible. I believe one of the
first in this NG helped me rebuild them, and I don't seem to have any further problem
there, but one can never tell, the way clocks are coded in and all manner of
variants, and growing. All that I have done has been with the generous help
of great people in here. Thanks, guys.

thanks very much,
don
-------
 
dcdon

Thank you kind sir,
I will quit worrying about it for now.
However, with the Event Viewer and pagefile problems, is there any correlation
to having a worm problem, etc.? And on that note, the system is very slow to
shut down and the processor is laboring the entire time, or am I just
paranoid now? I just can't let this go. I have to find the %RootCause%. I
have done everything imaginable to find a worm-type creature and have had
zero luck.

thank you,
You are A1
don
-----

Dave said:
The system account (NT AUTHORITY\SYSTEM) needs to have full control of at least
%systemroot% and the drive you put the pagefile on, always. The system
account is a local account for the operating system to use
and never has any privileges/permissions to access another PC, hence it
wouldn't be possible for someone to gain access from the outside via this
account.
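An added example, not code from this thread or from either poster, that turns don's question and Dave's answer into a check you can run. It verifies that NT AUTHORITY\SYSTEM (SID S-1-5-18) holds Full Control on %SystemRoot% and on the root of each pagefile volume, reads the PagingFiles registry value the thread is editing, and, since SYSTEM's access is expected and not the exposure, separately lists write access on those paths held by broad principals (Everyone, Authenticated Users, Users), which is what a reviewer would actually look at. The RAM + 32 Meg figure from the thread is reported only for comparison, not as sizing advice. It assumes Windows Vista or later (the AutomaticManagedPagefile property does not exist on NT/2000) and an elevated prompt.

```powershell
# Added example, not part of the original thread. Audits SYSTEM's Full Control on
# %SystemRoot% and on pagefile volume roots, prints pagefile settings from the
# registry, and flags write ACEs held by broad principals on those paths.
Set-StrictMode -Version Latest

$SystemSid   = [System.Security.Principal.SecurityIdentifier]'S-1-5-18'
$FullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
# Rights that let a principal alter content or permissions. ACEs carrying generic
# rights (negative numeric FileSystemRights) are not decoded here.
$WriteBits   = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$BroadSids   = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-11' = 'Authenticated Users'; 'S-1-5-32-545' = 'Users' }

function ConvertTo-Sid {
    param($Identity)
    # Compare on SIDs so localized account names do not matter; orphaned SIDs
    # already arrive as SecurityIdentifier objects and translate to themselves.
    try { $Identity.Translate([System.Security.Principal.SecurityIdentifier]) } catch { $null }
}

function Get-AclFindings {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $systemFull = $false
    $broadWrite = @()
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = ConvertTo-Sid $ace.IdentityReference
        if (-not $sid) { continue }
        $rights = [int]$ace.FileSystemRights
        if ($sid.Value -eq $SystemSid.Value) {
            if (($rights -band [int]$FullControl) -eq [int]$FullControl) { $systemFull = $true }
        } elseif ($BroadSids.ContainsKey($sid.Value) -and ($rights -band [int]$WriteBits) -ne 0) {
            $broadWrite += '{0}: {1}' -f $BroadSids[$sid.Value], $ace.FileSystemRights
        }
    }
    [pscustomobject]@{
        Path              = $Path
        Owner             = $acl.Owner
        SystemFullControl = $systemFull                 # expected True; this is not the exposure
        BroadWriteAces    = ($broadWrite -join '; ')    # these are the ACEs worth reviewing
    }
}

function Get-PagefileReport {
    $cs    = Get-CimInstance -ClassName Win32_ComputerSystem
    $ramMB = [math]::Round($cs.TotalPhysicalMemory / 1MB)
    $mm    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    foreach ($entry in @((Get-ItemProperty -LiteralPath $mm -Name PagingFiles).PagingFiles)) {
        # Entries read "C:\pagefile.sys 512 1024" (initial and maximum size, MB).
        # "0 0", a bare path, or "?:\pagefile.sys" lets Windows choose size or volume.
        if (-not $entry.Trim()) { continue }
        $parts = @($entry.Trim() -split '\s+')
        $init  = if ($parts.Count -ge 2) { [int]$parts[1] } else { 0 }
        $max   = if ($parts.Count -ge 3) { [int]$parts[2] } else { 0 }
        $root  = [System.IO.Path]::GetPathRoot($parts[0])
        [pscustomobject]@{
            Pagefile       = $parts[0]
            InitialMB      = $init
            MaximumMB      = $max
            RamMB          = $ramMB
            SystemManaged  = [bool]($cs.AutomaticManagedPagefile -or $init -eq 0)
            # The thread's RAM + 32 Meg rule of thumb, shown for comparison only.
            MeetsRamPlus32 = ($init -eq 0 -or $init -ge ($ramMB + 32))
            VolumeAcl      = if (Test-Path -LiteralPath $root) { Get-AclFindings -Path $root } else { 'volume chosen by Windows' }
        }
    }
}

Get-AclFindings -Path $env:SystemRoot | Format-List
Get-PagefileReport | Format-List
```

SystemFullControl should come back True on both %SystemRoot% and the pagefile volume root; if it does not, that is the state don reached when he "took back" full control, and the pagefile cannot be created or grown. BroadWriteAces on a default system drive will show Users with AppendData on the root (creating folders), which is normal; anything granting Everyone or Users Modify or FullControl on %SystemRoot% or the drive root is what to investigate.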
 
Dave Patrick

If you have another pc you could use performance monitor to see what process
is hogging the processor at shutdown.

--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft MVP [Windows NT/2000 Operating Systems]
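An added example, not from the thread or from Dave, of doing what he suggests with the same Process counters Performance Monitor displays: sample per-process CPU over a few intervals and report the top consumers, locally or from a second PC with -ComputerName so the readout keeps coming while the suspect machine shuts down. It assumes PowerShell 3 or later; remote counter access needs the Remote Registry service running on the target and an account that is a local administrator or Performance Monitor Users member there, and the remote CIM query needs WinRM (it falls back to the local core count if that fails). The host name in the usage line is hypothetical.

```powershell
# Added example, not part of the original thread. Reports the processes using
# the most CPU, averaged over several samples, on the local or a remote machine.
function Get-TopCpuProcess {
    param(
        [string]$ComputerName,          # omit for the local machine
        [int]$Samples = 5,
        [int]$IntervalSeconds = 2,
        [int]$Top = 5
    )
    $target = @{}
    if ($ComputerName) { $target['ComputerName'] = $ComputerName }

    # The Process counter adds up all cores, so it can read 400 on a four-core box;
    # divide by the target's logical CPU count to get a share of the whole machine.
    $cores = [Environment]::ProcessorCount
    try {
        $cores = (Get-CimInstance -ClassName Win32_ComputerSystem @target).NumberOfLogicalProcessors
    } catch { }

    $sets = Get-Counter -Counter '\Process(*)\% Processor Time' @target `
                        -SampleInterval $IntervalSeconds -MaxSamples $Samples -ErrorAction Stop

    # Instance names come back lower-cased; "svchost#3"-style names are separate processes.
    $sets.CounterSamples |
        Where-Object { $_.InstanceName -notin @('_total', 'idle') } |
        Group-Object -Property InstanceName |
        ForEach-Object {
            $values = $_.Group | Measure-Object -Property CookedValue -Average -Maximum
            [pscustomobject]@{
                Process        = $_.Name
                AvgCpuPercent  = [math]::Round($values.Average / $cores, 1)
                PeakCpuPercent = [math]::Round($values.Maximum / $cores, 1)
            }
        } |
        Sort-Object -Property AvgCpuPercent -Descending |
        Select-Object -First $Top
}

# Local check:
Get-TopCpuProcess | Format-Table -AutoSize

# From a second PC while the suspect machine shuts down (hypothetical host name);
# stop it with Ctrl+C once the target stops answering:
# while ($true) { Get-TopCpuProcess -ComputerName 'SUSPECT-PC' -Samples 1 -IntervalSeconds 1 | Format-Table -AutoSize }
```

Run the remote loop, start the shutdown on the target, and note which process stays at the top of the list until the counters stop answering; that is the candidate for the slow shutdown don describes.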

 
dcdon

Well, in that case, I will get in a hurry to finish the other project of
taking one of the old twin Pentium Pros and plugging it in.
Like Arnold,
I'll be bok,
;-)
thx Dave
don
---
As soon as I get it together, I'll get back with you on this...


 
Ricardo M. Urbano - W2K/NT4 MVP

Dave said:
The system account (NT AUTHORITY\SYSTEM) needs to have full control of at least
%systemroot% and the drive you put the pagefile on, always. The system
account is a local account for the operating system to use
and never has any privileges/permissions to access another PC, hence it
wouldn't be possible for someone to gain access from the outside via this
account.


Dave, I was part of a thread a ways back that discussed that the
LocalSystem account, if used for a service, *could* access remote
network resources if that machine had enabled Everyone network access
and the resource enabled Everyone access.

Scared the living daylights out of me, but I could neither prove nor
disprove, since I *ALWAYS* replace Everyone w/ Authenticated Users.
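Ricardo's scenario can be tested rather than argued about. What follows is an added example, not code from the thread or from either MVP: a probe that runs as LocalSystem through a one-shot scheduled task and records whether SYSTEM can reach a share, plus the cleanup Ricardo describes, replacing non-inherited Everyone ACEs on a folder with Authenticated Users. The background fact it relies on: a LocalSystem process that touches the network presents the computer account (DOMAIN\HOST$) when the machine is domain-joined, which is a member of Authenticated Users on the server, and a null session otherwise, which Everyone covers only where the server treats Everyone as including anonymous logons (the NT 4 and Windows 2000 default; later versions turned that off). The server and share names are hypothetical; it assumes Windows 8 / Server 2012 or later for the ScheduledTasks cmdlets and an elevated prompt on the machine being tested.

```powershell
# Added example, not part of the original thread. Probes a UNC path as SYSTEM
# via a scheduled task, then swaps explicit Everyone ACEs for Authenticated Users.
function Invoke-ProbeAsSystem {
    param(
        [Parameter(Mandatory)][string]$UncPath,                               # e.g. \\FILESERVER\share (hypothetical)
        [string]$ResultFile = (Join-Path $env:SystemRoot 'Temp\system-probe.txt'),
        [string]$TaskName = 'SystemNetProbe',
        [int]$TimeoutSeconds = 60
    )
    # The inner script is built here: backtick-escaped $ variables belong to it,
    # unescaped ones ($UncPath, $ResultFile) are expanded now.
    $inner = @"
`$who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
`$ok  = Test-Path -LiteralPath '$UncPath'
"`$who -> $UncPath reachable: `$ok" | Set-Content -LiteralPath '$ResultFile'
"@
    $encoded   = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($inner))
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                     -Argument "-NoProfile -NonInteractive -EncodedCommand $encoded"
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

    Remove-Item -LiteralPath $ResultFile -ErrorAction SilentlyContinue
    Register-ScheduledTask -TaskName $TaskName -Action $action -Principal $principal -Force | Out-Null
    try {
        Start-ScheduledTask -TaskName $TaskName
        # Wait for the result file rather than the task state, which can still read
        # "Ready" for a moment right after Start-ScheduledTask.
        $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
        while (-not (Test-Path -LiteralPath $ResultFile) -and (Get-Date) -lt $deadline) {
            Start-Sleep -Seconds 1
        }
    } finally {
        Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false
    }
    if (Test-Path -LiteralPath $ResultFile) { Get-Content -LiteralPath $ResultFile }
    else { "probe did not finish within $TimeoutSeconds s" }
}

function Update-EveryoneAce {
    param([Parameter(Mandatory)][string]$Path)
    $everyone  = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
    $authUsers = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'
    $acl = Get-Acl -LiteralPath $Path
    # Only explicit ACEs can be replaced here; inherited ones must be fixed at the parent.
    $targets = @($acl.Access | Where-Object {
        -not $_.IsInherited -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $everyone.Value
    })
    foreach ($ace in $targets) {
        # Same rights, inheritance and allow/deny type, different principal.
        $replacement = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $authUsers, $ace.FileSystemRights, $ace.InheritanceFlags, $ace.PropagationFlags, $ace.AccessControlType)
        [void]$acl.RemoveAccessRule($ace)
        $acl.AddAccessRule($replacement)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
    return $targets.Count    # number of ACEs rewritten
}

# Invoke-ProbeAsSystem -UncPath '\\FILESERVER\share'
# Update-EveryoneAce -Path 'D:\share'
```

The probe's output line will name NT AUTHORITY\SYSTEM locally, but the identity the file server sees is what matters: its security log (logon event 4624 on current versions) shows either the HOST$ computer account or an anonymous logon for that connection. Update-EveryoneAce only touches NTFS ACLs; share-level permissions are a separate layer and are checked with Get-SmbShareAccess on the server.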
 
