registry problem - Can't see system hive

[SB]

Windows 2000 Server SP4 AD domain controller.

I noticed today that I was unable to open the system log in event
viewer. The error is: Unable to read the contents of this event log.
All the other logs are functioning. When I started to investigate the
problem I discovered that the hklm\system hive was missing in regedit.
When I try opening it whith regedt32 I am unable to expand or open any
hklm sub folders. also current config is missing the system hive as
well. I'm %90 sure I was able to reboot with this condition but at this
point I'm not sure if I want to confirm that. I have the system and
system.alt in the config folder and it seems ok. Any ideas?

I'm almost ready to call M$ tech support but thought I would give this
group a shot first.

Everything else on the system seems to be working fine ie: web server,
sql, exchange. I'm stummped at this point.
No ERD or backup of system state

Thanks
SB

 

[Dave Patrick]

1.) The files may be corrupt. Control Panel|Services|Event Log
Service|General, set the "Startup Type:" to "Disabled" restart the pc, then
delete (or move) the corrupt *.evt files from %systemroot%\system32\config
then set the Event Log Service "Startup Type:" back to "Automatic", restart
for effect.

2.) You didn't tell us what happens when you try. It can't be missing else
the machine would not run. Although the permissions might be damaged. You
can run Programs|Accessories|System Tools|Backup, then choose ERD, then if
you check the box for "Also backup....", then the reg will also be backed up
to
%windir%\repair\RegBack
leaving the
%windir%\repair\
directory files intact as original installation.

This article may help.

How to Restore the Default NTFS Permissions for Windows 2000
http://support.microsoft.com/?id=266118

The article is a little deceptive. At step 7 create a new database.

--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

:
| Windows 2000 Server SP4 AD domain controller.
|
| I noticed today that I was unable to open the system log in event
| viewer. The error is: Unable to read the contents of this event log.
| All the other logs are functioning. When I started to investigate the
| problem I discovered that the hklm\system hive was missing in regedit.
| When I try opening it whith regedt32 I am unable to expand or open any
| hklm sub folders. also current config is missing the system hive as
| well. I'm %90 sure I was able to reboot with this condition but at this
| point I'm not sure if I want to confirm that. I have the system and
| system.alt in the config folder and it seems ok. Any ideas?
|
| I'm almost ready to call M$ tech support but thought I would give this
| group a shot first.
|
| Everything else on the system seems to be working fine ie: web server,
| sql, exchange. I'm stummped at this point.
| No ERD or backup of system state
|
| Thanks
| SB
|

 

[SB]

Thanks for the quick response.
Things I have tried:
1.) The files may be corrupt. Control Panel|Services|Event Log
Service|General, set the "Startup Type:" to "Disabled" restart the pc,
then
delete (or move) the corrupt *.evt files from
%systemroot%\system32\config
then set the Event Log Service "Startup Type:" back to "Automatic",
restart
for effect.
Did all that. No joy.

2. The system can be rebboted so I don't think the system file is
corrupt.

3. Can't do a erd because my server has no floppy.

4. I Did do a system state backup and imported the system file from
\repair\regback to another server and loaded the hive. Looked ok to
me. I had a controlset001 and controlset002

5. Tried using the security mmc snapin but when I tried to open
secedit.sbd I got an access denied. Not sure how to create new db.

6. I'm thinking that I got hacked or my permissions for viewing the
system hive got screwed.

Server is at a colocation about 50 miles away so I am doing this
through rdp.

The problem with the system log in event viewer is a symptom of the
problem.

I don't even know where to start looking at permissions on a reg key
that is not there.
Thanks,

 

[Dave Patrick]

:
| Thanks for the quick response.
| Things I have tried:
| 1.) The files may be corrupt. Control Panel|Services|Event Log
| Service|General, set the "Startup Type:" to "Disabled" restart the pc,
| then
| delete (or move) the corrupt *.evt files from
| %systemroot%\system32\config
| then set the Event Log Service "Startup Type:" back to "Automatic",
| restart
| for effect.
| Did all that. No joy.
* What happens when you try?

| 2. The system can be rebboted so I don't think the system file is
| corrupt.
* I didn't think so.

| 3. Can't do a erd because my server has no floppy.
* The floppy creation will fail but the %systemroot%\repair\regback\ files
are updated.


| 4. I Did do a system state backup and imported the system file from
| \repair\regback to another server and loaded the hive. Looked ok to
| me. I had a controlset001 and controlset002
|
| 5. Tried using the security mmc snapin but when I tried to open
| secedit.sbd I got an access denied. Not sure how to create new db.
* At step 7 create a new database in lieu of opening secedit


| 6. I'm thinking that I got hacked or my permissions for viewing the
| system hive got screwed.
* That's what I'm thinking. Permissions issue.


--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

 

[Mark V]

:
| Thanks for the quick response.
| Things I have tried:

[ ]

| 6. I'm thinking that I got hacked or my permissions for viewing
| the system hive got screwed.
* That's what I'm thinking. Permissions issue.

Rather thin but could something have hooked registry API calls and be
hiding the system key?

Might we copy the (backed up) SYSTEM hive file on disk to another
system and Load it in regedt32? There at least viewing the ACLs.

OP have you been able or tried to get regedt32 running under SYSTEM
context?

Just ideas...

 

[Dave Patrick]

I don't know Mark. If there is it's unknown to me. OP did load the system
hive on another machine and viewed. As far as I know permissions would be
the only mechanism capable of controlling registry editor visibility.

--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

:
| Rather thin but could something have hooked registry API calls and be
| hiding the system key?
|
| Might we copy the (backed up) SYSTEM hive file on disk to another
| system and Load it in regedt32? There at least viewing the ACLs.
|
| OP have you been able or tried to get regedt32 running under SYSTEM
| context?
|
| Just ideas...

 

[Mark V]

I don't know Mark. If there is it's unknown to me. OP did load
the system hive on another machine and viewed.

Yep I missed that (sorry). But no details were provided on what ACEs
existed at various points.

As far as I know
permissions would be the only mechanism capable of controlling
registry editor visibility.

I can think of two others although this is a stretch for the existing
situation and I tend to believe FWIW it is as simple as you suggest.
Altered or corrupted security info.


- - - - - - - - - -
Reference only below:
Sysinternals has a demo of creating a key with NT native API that is
in a format not viewable/accessible via standard tools (eg reg*.exe)
that use the Win32 APIs.
http://www.sysinternals.com/ntw2k/info/tips.shtml#registryhidden

Some varieties of CWS (not to mention root kits) manage to to get a
DLL loaded (sometimes via AppInit_DLLs) that hook system calls in
order to hide processes, registry keys, dlls etc. from the user and
standard tools. (one ref.)
http://www.silentrunners.org/sr_cwsremoval.html

 

[Dave Patrick]

Thanks for that link Mark. When I get some time I'll take a closer look. I
wasn't aware of anything like that.

--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

:
|
| Yep I missed that (sorry). But no details were provided on what ACEs
| existed at various points.
|
|
| > As far as I know
| > permissions would be the only mechanism capable of controlling
| > registry editor visibility.
|
| I can think of two others although this is a stretch for the existing
| situation and I tend to believe FWIW it is as simple as you suggest.
| Altered or corrupted security info.
|
|
| - - - - - - - - - -
| Reference only below:
| Sysinternals has a demo of creating a key with NT native API that is
| in a format not viewable/accessible via standard tools (eg reg*.exe)
| that use the Win32 APIs.
| http://www.sysinternals.com/ntw2k/info/tips.shtml#registryhidden
|
| Some varieties of CWS (not to mention root kits) manage to to get a
| DLL loaded (sometimes via AppInit_DLLs) that hook system calls in
| order to hide processes, registry keys, dlls etc. from the user and
| standard tools. (one ref.)
| http://www.silentrunners.org/sr_cwsremoval.html
|
|

 

[SB]

Ok, I've been all through my system and think I might of had a hacker
breach my network. I found a program called eggdropper.exe installed.
I think it is some sort of irc bot.

I think the problem is that the system key is being hidden. I ran
regedt32.exe in interactive mode and the keys were also hidden.

I can open the system log in event viewer if I open it manually, but
under the drop down box log type systrem is not listed.

I have googled everything having to do with hidden registry keys but
I'm still lost on how to fix this.

One side note: I installed a firewall and I'm sure it made changes to
the system hive.

Still at a loss.

SB

 

[SB]

Ok, I've been all through my system and think I might of had a hacker
breach my network. I found a program called eggdropper.exe installed.
I think it is some sort of irc bot.

I think the problem is that the system key is being hidden. I ran
regedt32.exe in interactive mode and the keys were also hidden.

I can open the system log in event viewer if I open it manually, but
under the drop down box log type systrem is not listed.

I have googled everything having to do with hidden registry keys but
I'm still lost on how to fix this.

One side note: I installed a firewall and I'm sure it made changes to
the system hive.

Still at a loss.

SB

 

[Dave Patrick]

Given this info there is really no way you can rely on this server build.
You need to blow it away and start a clean install.

--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

:
| Ok, I've been all through my system and think I might of had a hacker
| breach my network. I found a program called eggdropper.exe installed.
| I think it is some sort of irc bot.
|
| I think the problem is that the system key is being hidden. I ran
| regedt32.exe in interactive mode and the keys were also hidden.
|
| I can open the system log in event viewer if I open it manually, but
| under the drop down box log type systrem is not listed.
|
| I have googled everything having to do with hidden registry keys but
| I'm still lost on how to fix this.
|
| One side note: I installed a firewall and I'm sure it made changes to
| the system hive.
|
| Still at a loss.
|
| SB
|

 

[Mark V]

Ok, I've been all through my system and think I might of had a
hacker breach my network. I found a program called
eggdropper.exe installed. I think it is some sort of irc bot.

eggdropper is a known cracker tool....
One Google hit is
http://www.mut.ac.th/~b1121625/crack.html

Your system is compromised and in my opinion must be wiped and re-
installed, then *secured before any Internet connection is allowed*
and *all* passwords changed. Consider anything on the server to be
owned now by someone else and act accordingly. Data stored elsewhere
on the LAN may also be now in the possession of another. This sounds
"worst case", but assuming the worst is the most defensive position
possible and quite reasonable unless it can be proved otherwise IMHO.
Any other LAN connected system may also be compromised and that must
be investigated as well.

 

[SB]

Resolution-
I shelled out the $245 to MS to help resolve this problem. This is a
standalone web server with tons of stuff loaded. Exchange, DNS, SQL, AD
etc. To wipe it out and reinstall would be a huge undertaking.
After going through 3 or 4 departments at microsoft all them were
stumped. Off to the security team. Ran some tests and sure enough I
had some hidden proccess running on my system that were hiding my
system key. MS gave me some tools to block these services and allow me
to boot up without them running. Found the nasty directory and deleted
it wiped out the corresponding reg keys and knock on wood I think I'm
ok now. Now we are analyzing the logs to determine where this bastard
came from.

Thanks for all your help.
SB

 

[Mark V]

Resolution-
I shelled out the $245 to MS to help resolve this problem. This
is a standalone web server with tons of stuff loaded. Exchange,
DNS, SQL, AD etc. To wipe it out and reinstall would be a huge
undertaking. After going through 3 or 4 departments at microsoft
all them were stumped. Off to the security team. Ran some
tests and sure enough I had some hidden proccess running on my
system that were hiding my system key. MS gave me some tools to
block these services and allow me to boot up without them
running. Found the nasty directory and deleted it wiped out the
corresponding reg keys and knock on wood I think I'm ok now.

That's your choice of course...

 

[John John]

I'd be interested to know what were the tools?

John

 

[Dave Patrick]

And what service name was stopped.

--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect