# Audit failures / multiple logon attempts



## TSHELP0711

I have noticed multiple audit failures due to failed logons in all my user accounts. Since I have been concerned about re-occurring changes made to many of my settings, I investigated further and am concerned that the logon process Advapi might be malware. Perhaps it is something else. I am enclosing all files and attachments as requested. Please advise. Thank you.


TSHELP0711

DDS (Ver_09-01-19.01) - NTFSx86 
Run by El Jeff de Casa at 10:32:02.39 on Fri 01/23/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2942.1043 [GMT -6:00]

AV: ZoneAlarm Security Suite Antivirus *On-access scanning enabled* (Updated)
FW: ZoneAlarm Security Suite Firewall *enabled*

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\ZoneLabs\vsmon.exe
C:\Windows\System32\ZoneLabs\avsys\ScanningProcess.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\ZoneLabs\avsys\ScanningProcess.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Windows\system32\svchost.exe -k apphost
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\System32\svchost.exe -k LPDService
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\PrintSuperVision\PSVService.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k iissvcs
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\jureg.exe
C:\Windows\System32\wpcumi.exe
C:\Windows\system32\schtasks.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\AOL\1226951043\ee\aolsoftware.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe
C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\NETGEAR\WPN111\wpn111.exe
C:\Program Files\BUFFALO\NASNAVI\NasNavi.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\CPSHelpRunner10.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
c:\windows\system32\inetsrv\w3wp.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\System32\msdtc.exe
C:\Windows\system32\dllhost.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\AOL\1226951043\ee\AOLDesktop.exe
C:\Windows\system32\mmc.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\El Jeff de Casa\Desktop\dds.com
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: PicLens plug-in for Internet Explorer: {eaee5c74-6d0d-4aca-9232-0da4a7b866ba} - c:\program files\piclensie\PicLens.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [HPADVISOR] c:\program files\hewlett-packard\hp advisor\HPAdvisor.exe autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
uRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
mRun: [SunJavaUpdateReg] "c:\windows\system32\jureg.exe"
mRun: [WPCUMI] c:\windows\system32\WpcUmi.exe
mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [HostManager] c:\program files\common files\aol\1226951043\ee\AOLSoftware.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [<NO NAME>] 
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatchTray10.exe"
mRun: [DMXLauncher] "c:\program files\roxio\cineplayer\DMXLauncher.exe"
StartupFolder: c:\users\eljeff~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\buffal~1.lnk - c:\program files\buffalo\nasnavi\NasNavi.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wpn111\wpn111.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {3437D640-C91A-458f-89F5-B9095EA4C28B} - {04F93351-81D2-4484-9982-0D55DEFFFAE6} - c:\program files\piclensie\PicLens.dll
LSP: c:\windows\system32\wpclsp.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll

============= SERVICES / DRIVERS ===============

R3 IntelDH;IntelDH Driver;c:\windows\system32\drivers\IntelDH.sys [2008-12-3 5504]
R3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111v.sys [2008-8-4 904192]
R4 PrintSupervisor;PrintSuperVisor;c:\program files\printsupervision\PSVService.exe [2008-1-24 184320]
R4 ZDCNDIS5;ZDCNDIS5 NDIS5.1 Protocol Driver;c:\windows\system32\ZDCndis5.sys [2008-6-28 20736]
S3 MRV6X32U;Vista 32-bits Native WiFi Driver - USB;c:\windows\system32\drivers\MRVW23B.sys [2006-12-22 231040]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\roxio\digital home 10\RoxioUPnPRenderer10.exe [2007-8-24 72176]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2007-8-24 1083888]
S4 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\roxio\digital home 10\RoxioUpnpService10.exe [2007-8-24 362992]
S4 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [2007-8-24 309744]
S4 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatch10.exe [2007-8-24 166384]

=============== Created Last 30 ================

2009-01-21 05:56	<DIR>	--d-----	c:\program files\BUFFALO
2009-01-14 19:17	288,768	a-------	c:\windows\system32\drivers\srv.sys
2009-01-11 10:26	7,680	a-------	c:\windows\system32\spwmp.dll
2009-01-11 10:26	4,096	a-------	c:\windows\system32\msdxm.ocx
2009-01-11 10:26	4,096	a-------	c:\windows\system32\dxmasf.dll
2009-01-11 10:26	8,147,456	a-------	c:\windows\system32\wmploc.DLL
2009-01-08 19:47	<DIR>	--d-----	c:\program files\TVAnts
2009-01-08 19:41	<DIR>	--d-----	c:\program files\TV Player Pro
2008-12-30 08:23	0	a---h---	c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2008-12-27 12:11	<DIR>	--d-----	c:\program files\InterActual
2008-12-27 11:15	<DIR>	--d-----	c:\program files\common files\Sonic Shared
2008-12-27 10:47	410,984	a-------	c:\windows\system32\deploytk.dll
2008-12-27 07:06	553	a-------	c:\windows\USetup.iss
2008-12-27 07:05	4,874,240	a-------	c:\windows\RtHDVCpl.exe
2008-12-27 07:05	1,191,936	a-------	c:\windows\RtlUpd.exe
2008-12-27 07:05	2,047,576	--------	c:\windows\system32\drivers\RTKVHDA.sys
2008-12-27 07:05	636,416	--------	c:\windows\system32\RtkPgExt.dll
2008-12-27 07:05	532,480	--------	c:\windows\system32\RTSndMgr.cpl
2008-12-27 06:58	2,048	a-------	c:\windows\system32\tzres.dll

==================== Find3M ====================

2009-01-23 08:51	90	a-------	C:\psv.bat
2009-01-23 08:50	349,220	a---h---	c:\windows\system32\drivers\vsconfig.xml
2009-01-23 08:33	443,993,120	a-------	c:\windows\system32\drivers\fidbox.dat
2009-01-22 17:25	5,930,228	a-------	c:\windows\system32\drivers\fidbox.idx
2009-01-11 05:21	143,360	a-------	c:\windows\inf\infstrng.dat
2009-01-11 05:21	86,016	a-------	c:\windows\inf\infstor.dat
2009-01-11 05:21	51,200	a-------	c:\windows\inf\infpub.dat
2008-12-27 07:05	319,456	a-------	c:\windows\DIFxAPI.dll
2008-12-03 15:54	5,504	--------	c:\windows\system32\drivers\IntelDH.sys
2008-12-01 16:35	0	--------	c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-11-17 14:04	2,306,113	--------	c:\windows\system32\GPhotos.scr
2008-10-31 21:44	52,736	a-------	c:\windows\apppatch\iebrshim.dll
2008-10-31 21:44	2,154,496	a-------	c:\windows\apppatch\AcGenral.dll
2008-10-31 21:44	541,696	a-------	c:\windows\apppatch\AcLayers.dll
2008-10-31 21:44	460,288	a-------	c:\windows\apppatch\AcSpecfc.dll
2008-10-31 21:44	173,056	a-------	c:\windows\apppatch\AcXtrnal.dll
2008-10-31 21:44	28,672	a-------	c:\windows\system32\Apphlpdm.dll
2008-10-31 19:21	4,240,384	a-------	c:\windows\system32\GameUXLegacyGDFs.dll
2008-10-29 12:50	174	a--sh---	c:\program files\desktop.ini
2008-10-29 09:27	665,600	a-------	c:\windows\inf\drvindex.dat
2008-10-29 09:13	101,888	--------	c:\windows\system32\ifxcardm.dll
2008-10-29 09:13	82,432	--------	c:\windows\system32\axaltocm.dll
2008-10-29 00:29	2,927,104	a-------	c:\windows\explorer.exe
2008-10-12 22:20	274	a-------	c:\users\eljeff~1\appdata\roaming\wklnhst.dat
2006-11-02 06:42	287,440	a-------	c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 06:42	287,440	a-------	c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 06:42	30,674	a-------	c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 06:42	30,674	a-------	c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 03:20	287,440	a-------	c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 03:20	287,440	a-------	c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 03:20	30,674	a-------	c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 03:20	30,674	a-------	c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 10:32:57.29 ===============


----------



## ndmmxiaomayi

Hi TSHELP0711,

Welcome to Tech Support Forum.

Your logs are clean. I'm not seeing any audit failure events in your Event Viewer logs though. Could you copy and paste some of the events here for us to take a look?


----------



## TSHELP0711

Here are 3 of the events of about 10 in succession. This happens almost daily. I have read many forum posts that call advapi a virus. I notice that is the logon process. Please advise.


| Keywords | Date and Time | Source | Event ID | Task Category |
| --- | --- | --- | --- | --- |
| Audit Failure | 1/27/2009 11:59:48 AM | Microsoft-Windows-Security-Auditing | 4625 | Logon |

"An account failed to log on.

Subject:
Security ID: OfficeHP\El Jeff de Casa
Account Name: El Jeff de Casa
Account Domain: OfficeHP
Logon ID: 0x675092

Logon Type: 4

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: Administrator
Account Domain: 

Failure Information:
Failure Reason: Account currently disabled.
Status: 0xc000006e
Sub Status: 0xc0000072

Process Information:
Caller Process ID:	0xd94
Caller Process Name:	C:\Windows\explorer.exe

Network Information:
Workstation Name:	OFFICEHP
Source Network Address:	-
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi 
Authentication Package:	MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Transited Services:	-
Package Name (NTLM only):	-
Key Length: 0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."


| Keywords | Date and Time | Source | Event ID | Task Category |
| --- | --- | --- | --- | --- |
| Audit Failure | 1/27/2009 11:59:53 AM | Microsoft-Windows-Security-Auditing | 4625 | Logon |

"An account failed to log on.

Subject:
Security ID: OfficeHP\El Jeff de Casa
Account Name: El Jeff de Casa
Account Domain: OfficeHP
Logon ID: 0x675092

Logon Type: 4

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: El Jeff de Casa
Account Domain: 

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc000006a

Process Information:
Caller Process ID:	0xd94
Caller Process Name:	C:\Windows\explorer.exe

Network Information:
Workstation Name:	OFFICEHP
Source Network Address:	-
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi 
Authentication Package:	MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Transited Services:	-
Package Name (NTLM only):	-
Key Length: 0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."





| Keywords | Date and Time | Source | Event ID | Task Category |
| --- | --- | --- | --- | --- |
| Audit Failure | 1/27/2009 12:00:05 PM | Microsoft-Windows-Security-Auditing | 4625 | Logon |

"An account failed to log on.

Subject:
Security ID: OfficeHP\El Jeff de Casa
Account Name: El Jeff de Casa
Account Domain: OfficeHP
Logon ID: 0x675092

Logon Type: 4

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: El Jeff de Casa
Account Domain: 

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc000006a

Process Information:
Caller Process ID:	0xd94
Caller Process Name:	C:\Windows\explorer.exe

Network Information:
Workstation Name:	OFFICEHP
Source Network Address:	-
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi 
Authentication Package:	MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Transited Services:	-
Package Name (NTLM only):	-
Key Length: 0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
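As an added example (not from the thread), a small Python triage script for 4625 event text pasted from Event Viewer like the three events above: it parses the sections, decodes Logon Type and the NTSTATUS Status / Sub Status codes, and groups failures by caller process and logon process so a burst of failures can be traced back to the process that submitted the credentials. The two sample events are constructed after the ones in this post.

```python
# Added example (not from the thread): triage pasted Security event 4625 text by decoding
# Logon Type and the NTSTATUS Status / Sub Status codes and grouping failures by caller.
import re
from collections import Counter

LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 10: "RemoteInteractive"}
# NTSTATUS values that appear in the Status / Sub Status fields of event 4625.
STATUS_CODES = {0xC000006D: "STATUS_LOGON_FAILURE", 0xC000006A: "STATUS_WRONG_PASSWORD",
                0xC0000064: "STATUS_NO_SUCH_USER", 0xC000006E: "STATUS_ACCOUNT_RESTRICTION",
                0xC0000072: "STATUS_ACCOUNT_DISABLED", 0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT"}
SECTIONS = {"Subject", "Account For Which Logon Failed", "Failure Information",
            "Process Information", "Network Information", "Detailed Authentication Information"}
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ()]*?):[ \t]*(.*?)[ \t]*$")

def parse_4625(text):
    """Return {section: {field: value}} for an event body; top-level fields go under ''."""
    fields, section = {"": {}}, ""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            section = ""              # a blank line closes the current block
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue                  # header row, quote marks, explanatory text
        key, value = m.groups()
        if key in SECTIONS and not value:
            section = key
        else:
            fields.setdefault(section, {})[key] = value
    return fields

def triage(text):
    """Flatten one event into the fields an analyst sorts on."""
    f = parse_4625(text)
    g = lambda sec, key: f.get(sec, {}).get(key, "")
    code = lambda s: int(s, 16) if s.lower().startswith("0x") else None
    ltype = int(g("", "Logon Type") or 0)
    status, sub = code(g("Failure Information", "Status")), code(g("Failure Information", "Sub Status"))
    return {"subject": g("Subject", "Account Name"),
            "target": g("Account For Which Logon Failed", "Account Name"),
            "logon_type": ltype, "logon_type_name": LOGON_TYPES.get(ltype, "Unknown"),
            "status": status, "sub_status": sub,
            "reason": STATUS_CODES.get(sub) or STATUS_CODES.get(status, "unmapped"),
            "caller": g("Process Information", "Caller Process Name"),
            "logon_process": g("Detailed Authentication Information", "Logon Process"),
            "source": g("Network Information", "Source Network Address") or "-"}

def assess(rec):
    """Plain-language reading of one triaged record."""
    notes = ["local origin; caller process " + (rec["caller"] or "unknown")
             if rec["source"] in ("-", "127.0.0.1", "::1") else "remote origin from " + rec["source"]]
    if rec["logon_process"] == "Advapi":
        notes.append("credentials were handed to LogonUser (advapi32) by a user-mode process, "
                     "not by Winlogon or a network service")
    if rec["logon_type"] == 4:
        notes.append("Batch logon, the kind scheduled tasks and job runners make with stored credentials")
    if rec["sub_status"] == 0xC0000072:
        notes.append("target '%s' is disabled, yet something still submits its credentials" % rec["target"])
    return notes

def summarize(texts):
    """Count failures per (caller process, logon process, logon type, reason)."""
    counts = Counter()
    for text in texts:
        r = triage(text)
        counts[(r["caller"], r["logon_process"], r["logon_type_name"], r["reason"])] += 1
    return counts

# Constructed sample modelled on the events posted above (not a real capture).
SAMPLE_DISABLED = r"""Subject:
Account Name: El Jeff de Casa

Logon Type: 4

Account For Which Logon Failed:
Account Name: Administrator
Account Domain: 

Failure Information:
Status: 0xc000006e
Sub Status: 0xc0000072

Process Information:
Caller Process Name: C:\Windows\explorer.exe

Network Information:
Source Network Address: -

Detailed Authentication Information:
Logon Process: Advapi 
"""
# Same caller a few seconds later: the user's own account with a wrong password.
SAMPLE_BAD_PASSWORD = (SAMPLE_DISABLED
    .replace("Account Name: Administrator", "Account Name: El Jeff de Casa")
    .replace("0xc000006e", "0xc000006d").replace("0xc0000072", "0xc000006a"))
```

Run `summarize()` over every 4625 event from the same burst: when one (caller, logon process, logon type) tuple accounts for all of them, the source is that process, not a remote attacker.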


----------



## ndmmxiaomayi

Hmm... let's see.

*Step 1*


Right click on the Start button and select *Explore*.
In the address bar, copy and paste in the following:

*notepad.exe C:\psv.bat*

Below is an image for your reference.

After that, press Enter. Notepad will open. Please copy and paste the contents of this Notepad file in your next reply.

*Step 2*


Please download *regsearch.zip* and save it to your desktop.
Check (tick) the *Show extracted files when complete* box and click on *Extract*.
Right click on *regsearch.exe* and select *Run As Administrator* to run it.
Copy and paste *Advapi* under *Enter search strings (case independent) and click OK...* (boxed up in red in the screenshot below).

Click *OK*.
When done, *RegSearch.txt* will open. Please post the contents of this file in your next reply. This file can also be found on your desktop or wherever regsearch is extracted to.

In your next reply, please post:

- Contents of Notepad file from Step 1
- Contents of RegSearch.txt


----------



## TSHELP0711

Thank you for your response. Please find the information you requested.

1. Contents of Notepad file:

```bat
set path=C:\\Program Files\\PrintSuperVision 
crtvdir UA w3svc/1/root/PrintSuperVision 
```






2. Contents of RegSearch.txt:

Windows Registry Editor Version 5.00
; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.6.0
; Results at 2/9/2009 11:18:39 AM for strings:
; 'advapi'
; Strings excluded from search:
; (None)
; Search in: 
; Registry Keys Registry Values Registry Data 
; HKEY_LOCAL_MACHINE HKEY_USERS 

[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\x86_microsoft-windows-a..lity-infrastructure_31bf3856ad364e35_6.0.6000.16386_none_78a17485e4424613]
; Contents of value:
; a d v a p i 3 2 . a m x 
"f!advapi32.amx"=hex:61,00,64,00,76,00,61,00,70,00,69,00,33,00,32,00,2e,00,61,\
00,6d,00,78,00
[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\x86_microsoft-windows-a..lity-infrastructure_31bf3856ad364e35_6.0.6001.18000_none_7ad83681e12d56e7]
; Contents of value:
; a d v a p i 3 2 . a m x 
"f!advapi32.amx"=hex:61,00,64,00,76,00,61,00,70,00,69,00,33,00,32,00,2e,00,61,\
00,6d,00,78,00
[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\x86_microsoft-windows-advapi32.resources_31bf3856ad364e35_6.0.6000.16386_en-us_1652b637b3e9dec3]
[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\x86_microsoft-windows-advapi32.resources_31bf3856ad364e35_6.0.6000.16386_en-us_1652b637b3e9dec3]
; Contents of value:
; a d v a p i 3 2 . d l l . m u i 
"f!advapi32.dll.mui"=hex:61,00,64,00,76,00,61,00,70,00,69,00,33,00,32,00,2e,00,\
64,00,6c,00,6c,00,2e,00,6d,00,75,00,69,00
[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\x86_microsoft-windows-advapi32.resources_31bf3856ad364e35_6.0.6001.18000_en-us_18897833b0d4ef97]
[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\x86_microsoft-windows-advapi32.resources_31bf3856ad364e35_6.0.6001.18000_en-us_18897833b0d4ef97]
; Contents of value:
; a d v a p i 3 2 . d l l . m u i 
"f!advapi32.dll.mui"=hex:61,00,64,00,76,00,61,00,70,00,69,00,33,00,32,00,2e,00,\
64,00,6c,00,6c,00,2e,00,6d,00,75,00,69,00
[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\x86_microsoft-windows-advapi32_31bf3856ad364e35_6.0.6000.16386_none_e1118fae8996a7dc]
[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\x86_microsoft-windows-advapi32_31bf3856ad364e35_6.0.6000.16386_none_e1118fae8996a7dc]
; Contents of value:
; a d v a p i 3 2 . d l l 
"f!advapi32.dll"=hex:61,00,64,00,76,00,61,00,70,00,69,00,33,00,32,00,2e,00,64,\
00,6c,00,6c,00
[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\x86_microsoft-windows-advapi32_31bf3856ad364e35_6.0.6001.18000_none_e34851aa8681b8b0]
[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\x86_microsoft-windows-advapi32_31bf3856ad364e35_6.0.6001.18000_none_e34851aa8681b8b0]
; Contents of value:
; a d v a p i 3 2 . d l l 
"f!advapi32.dll"=hex:61,00,64,00,76,00,61,00,70,00,69,00,33,00,32,00,2e,00,64,\
00,6c,00,6c,00
[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\VersionedIndex\6.0.6001.18000_001c50b5\ComponentFamilies\x86_microsoft-windows-advapi32.resources_31bf3856ad364e35_en-us_ba4f1caa916c668b]
[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\VersionedIndex\6.0.6001.18000_001c50b5\ComponentFamilies\x86_microsoft-windows-advapi32.resources_31bf3856ad364e35_en-us_ba4f1caa916c668b\v!6.0.6000.16386]
[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\VersionedIndex\6.0.6001.18000_001c50b5\ComponentFamilies\x86_microsoft-windows-advapi32.resources_31bf3856ad364e35_en-us_ba4f1caa916c668b\v!6.0.6001.18000]
[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\VersionedIndex\6.0.6001.18000_001c50b5\ComponentFamilies\x86_microsoft-windows-advapi32_31bf3856ad364e35_none_ed84a70b5d3cc1fa]
[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\VersionedIndex\6.0.6001.18000_001c50b5\ComponentFamilies\x86_microsoft-windows-advapi32_31bf3856ad364e35_none_ed84a70b5d3cc1fa\v!6.0.6000.16386]
[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\VersionedIndex\6.0.6001.18000_001c50b5\ComponentFamilies\x86_microsoft-windows-advapi32_31bf3856ad364e35_none_ed84a70b5d3cc1fa\v!6.0.6001.18000]
[HKEY_LOCAL_MACHINE\COMPONENTS\Winners\x86_microsoft-windows-advapi32.resources_31bf3856ad364e35_en-us_ba4f1caa916c668b]
[HKEY_LOCAL_MACHINE\COMPONENTS\Winners\x86_microsoft-windows-advapi32.resources_31bf3856ad364e35_en-us_ba4f1caa916c668b\6.0]
[HKEY_LOCAL_MACHINE\COMPONENTS\Winners\x86_microsoft-windows-advapi32_31bf3856ad364e35_none_ed84a70b5d3cc1fa]
[HKEY_LOCAL_MACHINE\COMPONENTS\Winners\x86_microsoft-windows-advapi32_31bf3856ad364e35_none_ed84a70b5d3cc1fa\6.0]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\WDM]
"C:\\Windows\\system32\\en-US\\advapi32.dll.mui[MofResourceName]"="LowDateTime:-641593953,HighDateTime:29907516***Binary mof compiled successfully"
"C:\\Windows\\system32\\advapi32.dll[MofResourceName]"="LowDateTime:1402340560,HighDateTime:29907515***Binary mof compiled successfully"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\WDM\DREDGE]
"C:\\Windows\\system32\\en-US\\advapi32.dll.mui[MofResourceName]"="LowDateTime:-641593953,HighDateTime:29907516***Binary mof compiled successfully"
"C:\\Windows\\system32\\advapi32.dll[MofResourceName]"="LowDateTime:1402340560,HighDateTime:29907515***Binary mof compiled successfully"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\ComponentDetect\x86_microsoft-windows-advapi32.resources_31bf3856ad364e35_0.0.0.0_en-us_3c636de0f8ff2bcd]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\ComponentDetect\x86_microsoft-windows-advapi32_31bf3856ad364e35_0.0.0.0_none_07224757ceabf4e6]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{0f67e49f-fe51-4e9f-b490-6f2948cc6027}]
; Contents of value:
; %SystemRoot%\system32\advapi32.dll 
"ResourceFileName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,\
00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,\
5c,00,61,00,64,00,76,00,61,00,70,00,69,00,33,00,32,00,2e,00,64,00,6c,00,6c,\
00,00,00
; Contents of value:
; %SystemRoot%\system32\advapi32.dll 
"MessageFileName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,\
6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,\
00,61,00,64,00,76,00,61,00,70,00,69,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,\
00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716}]
; Contents of value:
; %SystemRoot%\system32\advapi32.dll 
"ResourceFileName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,\
00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,\
5c,00,61,00,64,00,76,00,61,00,70,00,69,00,33,00,32,00,2e,00,64,00,6c,00,6c,\
00,00,00
; Contents of value:
; %SystemRoot%\system32\advapi32.dll 
"MessageFileName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,\
6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,\
00,61,00,64,00,76,00,61,00,70,00,69,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,\
00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{2ff3e6b7-cb90-4700-9621-443f389734ed}]
; Contents of value:
; %SystemRoot%\system32\advapi32.dll 
"ResourceFileName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,\
00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,\
5c,00,61,00,64,00,76,00,61,00,70,00,69,00,33,00,32,00,2e,00,64,00,6c,00,6c,\
00,00,00
; Contents of value:
; %SystemRoot%\system32\advapi32.dll 
"MessageFileName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,\
6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,\
00,61,00,64,00,76,00,61,00,70,00,69,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,\
00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{331c3b3a-2005-44c2-ac5e-77220c37d6b4}]
; Contents of value:
; %SystemRoot%\system32\advapi32.dll 
"ResourceFileName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,\
00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,\
5c,00,61,00,64,00,76,00,61,00,70,00,69,00,33,00,32,00,2e,00,64,00,6c,00,6c,\
00,00,00
; Contents of value:
; %SystemRoot%\system32\advapi32.dll 
"MessageFileName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,\
6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,\
00,61,00,64,00,76,00,61,00,70,00,69,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,\
00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{3aa52b8b-6357-4c18-a92e-b53fb177853b}]
; Contents of value:
; %SystemRoot%\system32\advapi32.dll 
"ResourceFileName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,\
00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,\
5c,00,61,00,64,00,76,00,61,00,70,00,69,00,33,00,32,00,2e,00,64,00,6c,00,6c,\
00,00,00
; Contents of value:
; %SystemRoot%\system32\advapi32.dll 
"MessageFileName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,\
6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,\
00,61,00,64,00,76,00,61,00,70,00,69,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,\
00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{4cec9c95-a65f-4591-b5c4-30100e51d870}]
; Contents of value:
; %SystemRoot%\system32\advapi32.dll 
"ResourceFileName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,\
00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,\
5c,00,61,00,64,00,76,00,61,00,70,00,69,00,33,00,32,00,2e,00,64,00,6c,00,6c,\
00,00,00
; Contents of value:
; %SystemRoot%\system32\advapi32.dll 
"MessageFileName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,\
6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,\
00,61,00,64,00,76,00,61,00,70,00,69,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,\
00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{5322d61a-9efa-4bc3-a3f9-14be95c144f8}]
; Contents of value:
;  %SystemRoot%\system32\advapi32.dll 
"ResourceFileName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,\
00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,\
5c,00,61,00,64,00,76,00,61,00,70,00,69,00,33,00,32,00,2e,00,64,00,6c,00,6c,\
00,00,00
; Contents of value:
; %SystemRoot%\system32\advapi32.dll 
"MessageFileName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,\
6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,\
00,61,00,64,00,76,00,61,00,70,00,69,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,\
00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{63d1e632-95cc-4443-9312-af927761d52a}]
; Contents of value:
; %SystemRoot%\system32\advapi32.dll 
"ResourceFileName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,\
00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,\
5c,00,61,00,64,00,76,00,61,00,70,00,69,00,33,00,32,00,2e,00,64,00,6c,00,6c,\
00,00,00
; Contents of value:
; %SystemRoot%\system32\advapi32.dll 
"MessageFileName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,\
6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,\
00,61,00,64,00,76,00,61,00,70,00,69,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,\
00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{70eb4f03-c1de-4f73-a051-33d13d5413bd}]
; Contents of value:
; %SystemRoot%\system32\advapi32.dll 
"ResourceFileName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,\
00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,\
5c,00,61,00,64,00,76,00,61,00,70,00,69,00,33,00,32,00,2e,00,64,00,6c,00,6c,\
00,00,00
; Contents of value:
; %SystemRoot%\system32\advapi32.dll 
"MessageFileName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,\
6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,\
00,61,00,64,00,76,00,61,00,70,00,69,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,\
00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{7d29d58a-931a-40ac-8743-48c733045548}]
; Contents of value:
; %SystemRoot%\system32\advapi32.dll 
"ResourceFileName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,\
00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,\
5c,00,61,00,64,00,76,00,61,00,70,00,69,00,33,00,32,00,2e,00,64,00,6c,00,6c,\
00,00,00
; Contents of value:
; %SystemRoot%\system32\advapi32.dll 
"MessageFileName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,\
6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,\
00,61,00,64,00,76,00,61,00,70,00,69,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,\
00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{96ac7637-5950-4a30-b8f7-e07e8e5734c1}]
; Contents of value:
; %SystemRoot%\system32\advapi32.dll 
"ResourceFileName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,\
00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,\
5c,00,61,00,64,00,76,00,61,00,70,00,69,00,33,00,32,00,2e,00,64,00,6c,00,6c,\
00,00,00
; Contents of value:
; %SystemRoot%\system32\advapi32.dll 
"MessageFileName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,\
6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,\
00,61,00,64,00,76,00,61,00,70,00,69,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,\
00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{9c205a39-1250-487d-abd7-e831c6290539}]
; Contents of value:
; advapi32.dll 
"ResourceFileName"=hex(2):61,00,64,00,76,00,61,00,70,00,69,00,33,00,32,00,2e,\
00,64,00,6c,00,6c,00,00,00
; Contents of value:
; advapi32.dll 
"MessageFileName"=hex(2):61,00,64,00,76,00,61,00,70,00,69,00,33,00,32,00,2e,00,\
64,00,6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{a68ca8b7-004f-d7b6-a698-07e2de0f1f5d}]
; Contents of value:
; %SystemRoot%\system32\advapi32.dll 
"ResourceFileName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,\
00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,\
5c,00,61,00,64,00,76,00,61,00,70,00,69,00,33,00,32,00,2e,00,64,00,6c,00,6c,\
00,00,00
; Contents of value:
; %SystemRoot%\system32\advapi32.dll 
"MessageFileName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,\
6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,\
00,61,00,64,00,76,00,61,00,70,00,69,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,\
00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{a8a1f2f6-a13a-45e9-b1fe-3419569e5ef2}]
; Contents of value:
; %SystemRoot%\system32\advapi32.dll 
"ResourceFileName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,\
00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,\
5c,00,61,00,64,00,76,00,61,00,70,00,69,00,33,00,32,00,2e,00,64,00,6c,00,6c,\
00,00,00
; Contents of value:
; %SystemRoot%\system32\advapi32.dll 
"MessageFileName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,\
6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,\
00,61,00,64,00,76,00,61,00,70,00,69,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,\
00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{b059b83f-d946-4b13-87ca-4292839dc2f2}]
; Contents of value:
; %SystemRoot%\system32\advapi32.dll 
"ResourceFileName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,\
00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,\
5c,00,61,00,64,00,76,00,61,00,70,00,69,00,33,00,32,00,2e,00,64,00,6c,00,6c,\
00,00,00
; Contents of value:
; %SystemRoot%\system32\advapi32.dll 
"MessageFileName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,\
6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,\
00,61,00,64,00,76,00,61,00,70,00,69,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,\
00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{c514638f-7723-485b-bcfc-96565d735d4a}]
; Contents of value:
; %SystemRoot%\system32\advapi32.dll 
"ResourceFileName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,\
00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,\
5c,00,61,00,64,00,76,00,61,00,70,00,69,00,33,00,32,00,2e,00,64,00,6c,00,6c,\
00,00,00
; Contents of value:
; %SystemRoot%\system32\advapi32.dll 
"MessageFileName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,\
6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,\
00,61,00,64,00,76,00,61,00,70,00,69,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,\
00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{d4263c98-310c-4d97-ba39-b55354f08584}]
; Contents of value:
; %systemroot%\system32\advapi32.dll 
"ResourceFileName"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,\
00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,\
5c,00,61,00,64,00,76,00,61,00,70,00,69,00,33,00,32,00,2e,00,64,00,6c,00,6c,\
00,00,00
; Contents of value:
; %systemroot%\system32\advapi32.dll 
"MessageFileName"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,\
6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,\
00,61,00,64,00,76,00,61,00,70,00,69,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,\
00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{e7558269-3fa5-46ed-9f4d-3c6e282dde55}]
; Contents of value:
; %systemroot%\system32\advapi32.dll 
"ResourceFileName"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,\
00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,\
5c,00,61,00,64,00,76,00,61,00,70,00,69,00,33,00,32,00,2e,00,64,00,6c,00,6c,\
00,00,00
; Contents of value:
; %systemroot%\system32\advapi32.dll 
"MessageFileName"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,\
6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,\
00,61,00,64,00,76,00,61,00,70,00,69,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,\
00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\Components\x86_microsoft-windows-a..lity-infrastructure_31bf3856ad364e35_6.0.6000.16386_none_78a17485e4424613]
; Contents of value:
; a d v a p i 3 2 . a m x 
"f!advapi32.amx"=hex:61,00,64,00,76,00,61,00,70,00,69,00,33,00,32,00,2e,00,61,\
00,6d,00,78,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\Components\x86_microsoft-windows-a..lity-infrastructure_31bf3856ad364e35_6.0.6001.18000_none_7ad83681e12d56e7]
; Contents of value:
; a d v a p i 3 2 . a m x 
"f!advapi32.amx"=hex:61,00,64,00,76,00,61,00,70,00,69,00,33,00,32,00,2e,00,61,\
00,6d,00,78,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\Components\x86_microsoft-windows-advapi32.resources_31bf3856ad364e35_6.0.6000.16386_en-us_1652b637b3e9dec3]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\Components\x86_microsoft-windows-advapi32.resources_31bf3856ad364e35_6.0.6000.16386_en-us_1652b637b3e9dec3]
; Contents of value:
; a d v a p i 3 2 . d l l . m u i 
"f!advapi32.dll.mui"=hex:61,00,64,00,76,00,61,00,70,00,69,00,33,00,32,00,2e,00,\
64,00,6c,00,6c,00,2e,00,6d,00,75,00,69,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\Components\x86_microsoft-windows-advapi32.resources_31bf3856ad364e35_6.0.6001.18000_en-us_18897833b0d4ef97]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\Components\x86_microsoft-windows-advapi32.resources_31bf3856ad364e35_6.0.6001.18000_en-us_18897833b0d4ef97]
; Contents of value:
; a d v a p i 3 2 . d l l . m u i 
"f!advapi32.dll.mui"=hex:61,00,64,00,76,00,61,00,70,00,69,00,33,00,32,00,2e,00,\
64,00,6c,00,6c,00,2e,00,6d,00,75,00,69,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\Components\x86_microsoft-windows-advapi32_31bf3856ad364e35_6.0.6000.16386_none_e1118fae8996a7dc]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\Components\x86_microsoft-windows-advapi32_31bf3856ad364e35_6.0.6000.16386_none_e1118fae8996a7dc]
; Contents of value:
; a d v a p i 3 2 . d l l 
"f!advapi32.dll"=hex:61,00,64,00,76,00,61,00,70,00,69,00,33,00,32,00,2e,00,64,\
00,6c,00,6c,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\Components\x86_microsoft-windows-advapi32_31bf3856ad364e35_6.0.6001.18000_none_e34851aa8681b8b0]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\Components\x86_microsoft-windows-advapi32_31bf3856ad364e35_6.0.6001.18000_none_e34851aa8681b8b0]
; Contents of value:
; a d v a p i 3 2 . d l l 
"f!advapi32.dll"=hex:61,00,64,00,76,00,61,00,70,00,69,00,33,00,32,00,2e,00,64,\
00,6c,00,6c,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\VersionedIndex\6.0.6001.18000_001c50b5\ComponentFamilies\x86_microsoft-windows-advapi32.resources_31bf3856ad364e35_en-us_ba4f1caa916c668b]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\VersionedIndex\6.0.6001.18000_001c50b5\ComponentFamilies\x86_microsoft-windows-advapi32.resources_31bf3856ad364e35_en-us_ba4f1caa916c668b\v!6.0.6000.16386]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\VersionedIndex\6.0.6001.18000_001c50b5\ComponentFamilies\x86_microsoft-windows-advapi32.resources_31bf3856ad364e35_en-us_ba4f1caa916c668b\v!6.0.6001.18000]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\VersionedIndex\6.0.6001.18000_001c50b5\ComponentFamilies\x86_microsoft-windows-advapi32_31bf3856ad364e35_none_ed84a70b5d3cc1fa]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\VersionedIndex\6.0.6001.18000_001c50b5\ComponentFamilies\x86_microsoft-windows-advapi32_31bf3856ad364e35_none_ed84a70b5d3cc1fa\v!6.0.6000.16386]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\VersionedIndex\6.0.6001.18000_001c50b5\ComponentFamilies\x86_microsoft-windows-advapi32_31bf3856ad364e35_none_ed84a70b5d3cc1fa\v!6.0.6001.18000]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\x86_microsoft-windows-advapi32.resources_31bf3856ad364e35_en-us_ba4f1caa916c668b]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\x86_microsoft-windows-advapi32.resources_31bf3856ad364e35_en-us_ba4f1caa916c668b\6.0]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\x86_microsoft-windows-advapi32_31bf3856ad364e35_none_ed84a70b5d3cc1fa]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\x86_microsoft-windows-advapi32_31bf3856ad364e35_none_ed84a70b5d3cc1fa\6.0]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\APITracing]
; Contents of value:
; %windir%\system32\manifeststore\advapi32.amx
; %windir%\system32\manifeststore\gdi32.amx
; %windir%\system32\manifeststore\kernel32.amx
; %windir%\system32\manifeststore\user32.amx
; 
"InstalledManifests"=hex(7):25,00,77,00,69,00,6e,00,64,00,69,00,72,00,25,00,5c,\
00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6d,00,61,00,6e,00,\
69,00,66,00,65,00,73,00,74,00,73,00,74,00,6f,00,72,00,65,00,5c,00,61,00,64,\
00,76,00,61,00,70,00,69,00,33,00,32,00,2e,00,61,00,6d,00,78,00,00,00,25,00,\
77,00,69,00,6e,00,64,00,69,00,72,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,\
00,6d,00,33,00,32,00,5c,00,6d,00,61,00,6e,00,69,00,66,00,65,00,73,00,74,00,\
73,00,74,00,6f,00,72,00,65,00,5c,00,67,00,64,00,69,00,33,00,32,00,2e,00,61,\
00,6d,00,78,00,00,00,25,00,77,00,69,00,6e,00,64,00,69,00,72,00,25,00,5c,00,\
73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6d,00,61,00,6e,00,69,\
00,66,00,65,00,73,00,74,00,73,00,74,00,6f,00,72,00,65,00,5c,00,6b,00,65,00,\
72,00,6e,00,65,00,6c,00,33,00,32,00,2e,00,61,00,6d,00,78,00,00,00,25,00,77,\
00,69,00,6e,00,64,00,69,00,72,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,\
6d,00,33,00,32,00,5c,00,6d,00,61,00,6e,00,69,00,66,00,65,00,73,00,74,00,73,\
00,74,00,6f,00,72,00,65,00,5c,00,75,00,73,00,65,00,72,00,33,00,32,00,2e,00,\
61,00,6d,00,78,00,00,00,00,00
; Contents of value:
; advapi32.dll
; gdi32.dll
; kernel32.dll
; user32.dll
; 
"IncludeModules"=hex(7):61,00,64,00,76,00,61,00,70,00,69,00,33,00,32,00,2e,00,\
64,00,6c,00,6c,00,00,00,67,00,64,00,69,00,33,00,32,00,2e,00,64,00,6c,00,6c,\
00,00,00,6b,00,65,00,72,00,6e,00,65,00,6c,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00,75,00,73,00,65,00,72,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,00,\
00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\KnownDLLs]
"advapi32"="advapi32.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\Session Manager\KnownDLLs]
"advapi32"="advapi32.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs]
"advapi32"="advapi32.dll"
; End Of The Log...




Hope this is of some help.


----------
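The search log above is a .reg-style export: REG_EXPAND_SZ (`hex(2)`), REG_MULTI_SZ (`hex(7)`) and REG_BINARY (`hex`) values are written as comma-separated bytes wrapped over several lines with a trailing backslash, and the tool prints its own reading of each value in the `;` comment above it. The decoder below is an added example, not part of the poster's log or of the tool that produced it. It joins the continuation lines, decodes the UTF-16LE bytes according to the registry type, and lists every entry whose decoded content mentions a module name, so the raw bytes can be checked against the comments (the bytes are authoritative, the comments are only a rendering). The sample input is a handful of entries copied from the log above; the function and variable names are the example's own.

```python
import re
from typing import Any, List, Tuple

# .reg type codes as they appear in hex(N): values; a bare "hex:" is REG_BINARY
REG_TYPES = {0: "REG_NONE", 1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY",
             4: "REG_DWORD", 7: "REG_MULTI_SZ", 11: "REG_QWORD"}
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')
HEX_RE = re.compile(r"^hex(?:\(([0-9a-fA-F]+)\))?:(.*)$")

# Constructed sample: entries copied from the search log above, in the same .reg layout
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{9c205a39-1250-487d-abd7-e831c6290539}]
; Contents of value:
; advapi32.dll
"ResourceFileName"=hex(2):61,00,64,00,76,00,61,00,70,00,69,00,33,00,32,00,2e,\
00,64,00,6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\APITracing]
"IncludeModules"=hex(7):61,00,64,00,76,00,61,00,70,00,69,00,33,00,32,00,2e,00,\
64,00,6c,00,6c,00,00,00,67,00,64,00,69,00,33,00,32,00,2e,00,64,00,6c,00,6c,\
00,00,00,6b,00,65,00,72,00,6e,00,65,00,6c,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00,75,00,73,00,65,00,72,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,00,\
00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\Components\x86_microsoft-windows-advapi32_31bf3856ad364e35_6.0.6001.18000_none_e34851aa8681b8b0]
"f!advapi32.dll"=hex:61,00,64,00,76,00,61,00,70,00,69,00,33,00,32,00,2e,00,64,\
00,6c,00,6c,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs]
"advapi32"="advapi32.dll"
'''


def decode_value(data: str) -> Tuple[str, Any]:
    """Decode the right-hand side of one .reg value line into (type name, value)."""
    if data.startswith('"') and data.endswith('"'):          # REG_SZ with \" and \\ escapes
        return "REG_SZ", re.sub(r"\\(.)", r"\1", data[1:-1])
    if data.startswith("dword:"):
        return "REG_DWORD", int(data[6:], 16)
    m = HEX_RE.match(data)
    if not m:
        raise ValueError("unsupported value syntax: " + data)
    kind = int(m.group(1), 16) if m.group(1) else 3
    raw = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
    name = REG_TYPES.get(kind, "REG_TYPE_%X" % kind)
    if kind in (1, 2):                                        # UTF-16LE, NUL terminated
        return name, raw.decode("utf-16-le").split("\0", 1)[0]
    if kind == 7:                                             # UTF-16LE, NUL separated, double NUL at end
        parts = raw.decode("utf-16-le").split("\0")
        while parts and parts[-1] == "":
            parts.pop()
        return name, parts
    if kind in (4, 11):
        return name, int.from_bytes(raw, "little")
    return name, raw


def parse_reg_dump(text: str) -> List[Tuple[str, str, str, Any]]:
    """Return (key, value name, type name, value) for every value line, honouring line wraps."""
    entries, lines, key, i = [], text.splitlines(), "", 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith(";"):                  # blank or the tool's comment
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        data = m.group(3)
        while data.endswith("\\") and i < len(lines):         # hex data wrapped over several lines
            data = data[:-1] + lines[i].strip()
            i += 1
        kind, value = decode_value(data)
        entries.append((key, m.group(1) if m.group(1) is not None else "@", kind, value))
    return entries


def as_text(value: Any) -> str:
    """Best-effort text view. REG_BINARY is tried as UTF-16LE: that is why the log above
    renders such values as 'a d v a p i 3 2 . d l l', the NUL bytes shown as spaces."""
    if isinstance(value, bytes):
        return value[: len(value) & ~1].decode("utf-16-le", "replace")
    if isinstance(value, list):
        return "\n".join(value)
    return str(value)


def find_references(entries, needle: str):
    """Entries whose decoded content mentions needle, case-insensitively."""
    return [e for e in entries if needle.lower() in as_text(e[3]).lower()]


if __name__ == "__main__":
    for key, name, kind, value in find_references(parse_reg_dump(SAMPLE_LOG), "advapi32"):
        print("%-13s %-18s %s\n    %s" % (kind, name, key, as_text(value).replace("\n", " | ")))
```

Run against the full log instead of the sample by passing the file contents to `parse_reg_dump`; every decoded path in this log resolves to `%SystemRoot%\system32\advapi32.dll`, the bare file name, or the WinSxS component names, which is what a stock Vista install looks like.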



## ndmmxiaomayi

Hi TSHELP0711,

Sorry for the delay. I've asked around for some help. Some questions:

1. Do you have any account/password policies in place, such as password expiry policy, account lockout policies, etc?

2. Do you have any scheduled tasks that are scheduled to run regularly?

Regarding the advapi logon process, it's legitimate.


----------
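The two questions in the reply above (password policy, scheduled tasks) can be answered from the 4625 events themselves. Each failed logon carries a sub-status (wrong password, expired password, lockout), a logon type (4 = batch/scheduled task, 5 = service, 2 = interactive, 3 = network), the logon process name and the calling process. "Advapi" as the logon process only means the request came through the LogonUser/LSA API path from user mode, which is exactly what scheduled tasks and services use; the caller and the logon type identify the actual source. The script below is an added example, not code from either poster: it reads the XML that `wevtutil qe Security /q:"*[System[EventID=4625]]" /f:xml` prints from an elevated prompt, groups the failures by account, logon type, logon process, caller and source address, and attaches a hint to each group. The events embedded in it are constructed sample data laid out the way wevtutil prints them; the account names, host name and the 192.0.2.10 address are placeholders.

```python
import xml.etree.ElementTree as ET
from collections import Counter
from typing import Dict, List

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# NTSTATUS codes that 4625 reports in its SubStatus field
SUBSTATUS = {
    0xC000006A: "wrong password", 0xC0000064: "user name does not exist",
    0xC0000071: "password expired", 0xC0000072: "account disabled",
    0xC000006F: "outside permitted logon hours", 0xC0000070: "workstation restriction",
    0xC0000193: "account expired", 0xC0000224: "password must be changed at next logon",
    0xC0000234: "account locked out",
}
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
               11: "CachedInteractive"}


def _event(rec, when, user, ltype, lproc, status, substatus, caller, ip="-"):
    """One constructed 4625 record in the layout wevtutil /f:xml prints (sample, not a real log)."""
    return f"""<Event xmlns='{NS['e']}'>
  <System><EventID>4625</EventID><TimeCreated SystemTime='{when}'/>
    <EventRecordID>{rec}</EventRecordID><Channel>Security</Channel><Computer>VISTA-PC</Computer></System>
  <EventData>
    <Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>VISTA-PC$</Data>
    <Data Name='TargetUserName'>{user}</Data><Data Name='TargetDomainName'>VISTA-PC</Data>
    <Data Name='Status'>{status}</Data><Data Name='SubStatus'>{substatus}</Data>
    <Data Name='LogonType'>{ltype}</Data><Data Name='LogonProcessName'>{lproc}</Data>
    <Data Name='AuthenticationPackageName'>Negotiate</Data><Data Name='WorkstationName'>VISTA-PC</Data>
    <Data Name='ProcessName'>{caller}</Data><Data Name='IpAddress'>{ip}</Data><Data Name='IpPort'>-</Data>
  </EventData>
</Event>"""


# Constructed sample: a task retrying hourly with a stale password, a service account whose
# password expired, one mistyped interactive logon, and a burst of network guesses from one host
SVCHOST = r"C:\Windows\System32\svchost.exe"
SAMPLE_XML = "\n".join(
    [_event(n, "2009-01-23T%02d:00:01Z" % (5 + n), "alice", 4, "Advapi  ", "0xc000006d",
            "0xc000006a", SVCHOST) for n in (1, 2, 3)]
    + [_event(4, "2009-01-23T08:05:00Z", "backup", 5, "Advapi  ", "0xc000006e", "0xc0000071",
              r"C:\Windows\System32\services.exe"),
       _event(5, "2009-01-23T09:12:44Z", "alice", 2, "User32  ", "0xc000006d", "0xc000006a",
              r"C:\Windows\System32\winlogon.exe")]
    + [_event(6 + n, "2009-01-23T11:30:%02dZ" % n, "Administrator", 3, "NtLmSsp ", "0xc000006d",
              "0xc000006a", "-", ip="192.0.2.10") for n in range(4)])


def parse_4625(xml_text: str) -> List[Dict[str, str]]:
    """Pull the EventData fields of every 4625 out of a wevtutil XML dump."""
    # wevtutil prints <Event> elements back to back with no root element; wrap them
    root = ET.fromstring("<Events>" + xml_text + "</Events>")
    out = []
    for ev in root.findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4625":
            continue
        # LogonProcessName is space padded ("Advapi  ", "User32  "); strip every field
        f = {d.get("Name"): (d.text or "").strip() for d in ev.findall("e:EventData/e:Data", NS)}
        f["TimeCreated"] = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        out.append(f)
    return out


def hint(f: Dict[str, str]) -> str:
    """Turn one failure into the question to chase, from sub-status, logon type and caller."""
    sub = int(f.get("SubStatus", "0"), 16)
    ltype = int(f.get("LogonType") or 0)
    reason = SUBSTATUS.get(sub, "sub-status 0x%08X" % sub)
    if sub in (0xC0000071, 0xC0000224):
        return reason + ": check the password expiry policy for this account"
    if sub == 0xC0000234:
        return reason + ": lockout policy fired; find the caller that keeps retrying"
    # "Advapi" names the API path (LogonUser/LSA from user mode), not a program; with a
    # Batch or Service logon type it points at a task or service holding a stale credential
    if f.get("LogonProcessName") == "Advapi" and ltype in (4, 5):
        return reason + ": scheduled task or service using a stored credential (caller %s)" % f.get("ProcessName", "-")
    if ltype == 3 and f.get("IpAddress", "-") not in ("-", "127.0.0.1", "::1"):
        return reason + ": network logon from %s; repeated failures here look like guessing" % f["IpAddress"]
    return reason


def summarize(xml_text: str) -> List[Dict[str, object]]:
    """Group failures by who, how and from where, most frequent group first."""
    counts: Counter = Counter()
    first: Dict[tuple, Dict[str, str]] = {}
    for f in parse_4625(xml_text):
        key = (f["TargetUserName"], int(f["LogonType"]), f["LogonProcessName"],
               f.get("ProcessName", "-"), f.get("IpAddress", "-"), f["SubStatus"].lower())
        counts[key] += 1
        first.setdefault(key, f)
    return [{"user": k[0], "logon_type": LOGON_TYPES.get(k[1], str(k[1])), "logon_process": k[2],
             "caller": k[3], "source": k[4], "count": n, "hint": hint(first[k])}
            for k, n in counts.most_common()]


if __name__ == "__main__":
    for r in summarize(SAMPLE_XML):
        print("%3d  %-14s %-8s %-8s %-36s %s" % (r["count"], r["user"], r["logon_type"],
                                                 r["logon_process"], r["caller"], r["hint"]))
```

A group of Batch logons from svchost.exe under one account at regular intervals is the signature of a scheduled task whose saved password no longer matches, which is the reply's second question; sub-status 0xC0000071 or 0xC0000234 answers the first. A group of Network logons from an address that is not the machine itself is the one pattern here that is not explained by policy or tasks and deserves a closer look at the firewall log.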

