Reg key HKEY_LOCAL_MACHINE\SECURITY is empty

Jim

When I launch programs, my XP Pro/SP2 system sometimes hesitates for a
few seconds.

Using RegMon (by Systems Internals) I found this hesitation was when
registry key HKEY_LOCAL_MACHINE\SECURITY was being accessed.

I found that this reg key had no sub-keys. Should I have sub-keys
there?

If so, then what do those missing keys do and how can I get them back?
 
Wesley Vogel

I do not believe that there is anything to worry about.

Basically my HKEY_LOCAL_MACHINE\SECURITY is also pretty much empty on two
machines, one with XP Pro SP1 and the other with XP Pro SP2. Trying to
export that key on either machine brings up:

---------------------------
Export Registry File
---------------------------
The selected branch does not exist. Make sure that the correct path is
given.
---------------------------
OK
---------------------------

This is all that's there on either machine...
HKEY_LOCAL_MACHINE\SECURITY
Value Name: (Default)
Data Type: REG_SZ
Value Data: (value not set)

Double clicking on (Default), on either machine, brings up:

---------------------------
Error Editing Value
---------------------------
Cannot edit : Error reading the value's contents.
---------------------------
OK
---------------------------

On my SP2 machine...
C:\WINDOWS\system32\config\SECURITY is 44.0 KB in size. SECURITY IS the
HKEY_LOCAL_MACHINE\SECURITY hive.

C:\WINDOWS\system32\config\SECURITY.LOG is 1.00 KB in size. SECURITY.LOG is
the backup file for the HKEY_LOCAL_MACHINE\SECURITY hive.

C:\WINDOWS\system32\config\SECURITY.tmp.LOG is 0 bytes in size.

C:\WINDOWS\repair\security is 32.0 KB in size. C:\WINDOWS\repair contains
backup copies of the permanent Registry hives.

On my SP1 machine...
C:\WINDOWS\system32\config\SECURITY is 36.0 KB in size.
C:\WINDOWS\system32\config\SECURITY.LOG is 1.00 KB in size.
C:\WINDOWS\system32\config\SECURITY.tmp.LOG is 8 KB in size.
C:\WINDOWS\repair\security is 28 KB in size.

> I found that this reg key had no sub-keys. Should I have sub-keys
> there?

I do not have any either on two machines, that leads me to believe that
there is no problem, I may be wrong of course. ;-) We will find out if
anyone else posts with any useful info.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

Jim

ISTR that some keys need special security arrangements just to be
seen. I wonder if this is one of them?
 
Wesley Vogel

Hi Jim,

> ISTR that some keys need special security arrangements just to be
> seen. I wonder if this is one of them?

Yep. I never realized that before. I have never had a reason to go
snooping in that key until your post.

<quote>
Now your natural reaction should be: WinKey-R, regedit, My Computer,
HKEY_LOCAL_MACHINE, SECURITY. You'll be disappointed I guess, nothing
visible in there. Check the permissions of the key and you'll see that only
the SYSTEM account has access to this key.
<quote>
Why preparing security demos can hurt ... I killed lsass.exe by mistake :blush:
http://community.bartdesmet.net/blogs/bart/archive/2005/08/18/3475.aspx

<quote>
Q: The Registry editor grays out the HKEY_LOCAL_MACHINE/SAM and
HKEY_LOCAL_MACHINE/SECURITY Registry hives on my Windows NT system. How can
I look at the content of these hives without resetting their ACLs?

A: You can use the At command or the Microsoft Windows NT Server 4.0
Resource Kit Winat utility to force NT to expose these usually protected
Registry hives. Use At and Winat to schedule an instance of a Registry
editor at a specified time. By default, your system runs the scheduled
session in the security context of the System account. The System account
has access to the HKEY_LOCAL_MACHINE/SAM and HKEY_LOCAL_MACHINE/SECURITY
Registry keys; thus, you can view the contents of these hives when your
scheduled session pops up. Be sure to use the /interactive switch or, if
you're using Winat, select the interactive option so that the scheduled
Registry editor session is visible on the desktop.

For example, to schedule a regedt32 session to pop up on the local machine
at 11:00 a.m., type the following command at an NT command prompt:

at 11:00 /interactive regedt32
<quote>
from...
Tricks & Traps: Ask Dr. Bob Your Windows NT Questions (May 1999)
http://www.microsoft.com/technet/archive/community/columns/tips/5-31-99.mspx

Looks like a key to stay out of. I have no intention of getting or using
the following utility, but here you are.

LSASecretsView v1.00
LSASecretsView is a small utility that displays the list of all LSA secrets
stored in the Registry on your computer. The LSA secrets key is located
under HKEY_LOCAL_MACHINE\Security\Policy\Secrets and may contain your
RAS/VPN passwords, Autologon password, and other system passwords/keys.
http://www.nirsoft.net/utils/lsa_secrets_view.html

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User
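
The Dr. Bob answer quoted above notes that a job scheduled with At runs as the System account by default, so `at ... /interactive` command lines are worth reviewing in process-creation logs. The following is an added example, not code from this thread: a small parser that picks such jobs out of logged command lines. The sample lines, the severity labels and the function names are constructed for illustration.

```python
import re

# Constructed sample command lines, as a process-creation log might record them.
SAMPLE_CMDLINES = [
    r'at 11:00 /interactive regedt32',
    r'AT.EXE \\FILESRV01 23:30 /every:M,T,W,Th,F "C:\scripts\backup.cmd"',
    r'at 02:15 /INTERACTIVE cmd.exe',
    r'C:\WINDOWS\system32\at.exe 14:05 /interactive "C:\WINDOWS\regedit.exe"',
    r'at',                                  # lists jobs, schedules nothing
    r'chat 11:00 /interactive regedt32',    # not the at command
    r'at 3 /delete',                        # deletes job 3
]

AT_EXE = re.compile(r'^"?(?:.*\\)?at(?:\.exe)?"?$', re.I)
TIME = re.compile(r'^\d{1,2}:\d{2}(?:[ap]m?)?$', re.I)
REG_EDITORS = {"regedit", "regedt32"}

def parse_at(cmdline):
    """Return a dict describing a job scheduled with at, or None otherwise."""
    # Split on whitespace but keep double-quoted paths together.
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)
    if not tokens or not AT_EXE.match(tokens[0]):
        return None
    rest = tokens[1:]
    host = rest.pop(0) if rest and rest[0].startswith("\\\\") else None
    if not rest or not TIME.match(rest[0]):
        return None  # listing or deleting jobs, not scheduling one
    when = rest.pop(0)
    interactive = False
    while rest and rest[0].startswith("/"):  # /interactive, /every:, /next:
        interactive |= rest.pop(0).lower() == "/interactive"
    if not rest:
        return None
    exe = rest[0].strip('"').rsplit("\\", 1)[-1].lower()
    program = exe[:-4] if exe.endswith(".exe") else exe
    if interactive and program in REG_EDITORS:
        severity = "high"    # registry editor on the desktop as System
    elif interactive:
        severity = "medium"  # some other interactive System session
    else:
        severity = "info"    # ordinary background job
    return {"host": host, "time": when, "interactive": interactive,
            "program": program, "command": " ".join(rest), "severity": severity}

def scan(cmdlines):
    """Parse every line and keep only the ones that schedule a job."""
    return [job for job in map(parse_at, cmdlines) if job]

if __name__ == "__main__":
    for job in scan(SAMPLE_CMDLINES):
        print(job["severity"], job["time"], job["host"] or "local", job["command"])
```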
