I have detected unusual network traffic at PC startup. In a Wireshark capture you can see that, after the user enters his password, the Windows XP client connects to the remote registry of the domain controller and tries to set or query some registry keys related to Terminal Services. In brief,
Client->Domain Controller: Open Query HKLM \SYSTEM \CurrentControlSet \Control \Terminal Server\DeafultConfiguration
followed by the sequence:
Client->Domain Controller: QueryValue request fInheritAutologon
Domain Controller->Client: QueryValue response
Client->Domain Controller: QueryValue request fInheritResetBroken
Domain Controller->Client: QueryValue response
Client->Domain Controller: QueryValue request fInheritReconnectSame
Domain Controller->Client: QueryValue response
Client->Domain Controller: QueryValue request fInheritInitialProgram
Domain Controller->Client: QueryValue response
Client->Domain Controller: QueryValue request fInheritCallBack
Domain Controller->Client: QueryValue response
Client->Domain Controller: QueryValue request fInheritCallBackNumber
Domain Controller->Client: QueryValue response
Client->Domain Controller: QueryValue request fInheritShadow
Domain Controller->Client: QueryValue response
Client->Domain Controller: QueryValue request fInheritMaxSessionTime
Domain Controller->Client: QueryValue response
Client->Domain Controller: QueryValue request fInheritMaxDesconectionTime
Domain Controller->Client: QueryValue response
Client->Domain Controller: QueryValue request fInheritMaxIdleTime
Domain Controller->Client: QueryValue response
Client->Domain Controller: QueryValue request fInheritAutoclient
Domain Controller->Client: QueryValue response Error: WERR_BADFILE
Client->Domain Controller: QueryValue request fInheritSecurity
Domain Controller->Client: QueryValue response Error: WERR_BADFILE
Client->Domain Controller: QueryValue request fInheritColorDepth
Domain Controller->Client: QueryValue response Error: WERR_BADFILE
Client->Domain Controller: QueryValue request fpromptforpassword
Domain Controller->Client: QueryValue response
and there are more keys being consulted. Another hive that is consulted in the same trace is useroverride\Control Panel\Desktop, with other keys. This traffic is produced after the default domain policy is applied, but we don't have any configuration for Terminal Server in this policy. As far as I know this is not normal, because PC clients in a domain don't try to configure the terminal service. We only have the execution of a script in the netlogon folder to map three server folders (department documents, public and user) and certain policies that are applied afterwards. I have seen this traffic on certain PCs, but on others it is different. Do you think that someone has changed the default policy and is applying it to certain PCs? Is it some type of malware? Is it a driver or service installed by someone? I am lost with this problem, but the user has to wait a long time for the PC to be operative at startup.
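Added triage helper, not part of the question or of any answer: a small Python script that parses the remote-registry exchange transcribed above, pairs each QueryValue request with the domain controller's response, and summarises per key path which values were read and which the DC reported as absent (WERR_BADFILE). The sample input is the poster's own transcription (value names kept exactly as written there); the "watched" path list is an assumption for triage, reflecting that a workstation normally has no reason to read Terminal Server settings from a domain controller's registry. Running the same parser over the traces from several PCs makes it easy to compare which machines issue these queries and whether they all read the same key set.

```python
import re

# Constructed sample input: the remote-registry exchange exactly as transcribed
# in the post above (value names kept as written there, spelling included).
SAMPLE_TRACE = r"""
Client->Domain Controller: Open Query HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\DeafultConfiguration
Client->Domain Controller: QueryValue request fInheritAutologon
Domain Controller->Client: QueryValue response
Client->Domain Controller: QueryValue request fInheritResetBroken
Domain Controller->Client: QueryValue response
Client->Domain Controller: QueryValue request fInheritReconnectSame
Domain Controller->Client: QueryValue response
Client->Domain Controller: QueryValue request fInheritInitialProgram
Domain Controller->Client: QueryValue response
Client->Domain Controller: QueryValue request fInheritCallBack
Domain Controller->Client: QueryValue response
Client->Domain Controller: QueryValue request fInheritCallBackNumber
Domain Controller->Client: QueryValue response
Client->Domain Controller: QueryValue request fInheritShadow
Domain Controller->Client: QueryValue response
Client->Domain Controller: QueryValue request fInheritMaxSessionTime
Domain Controller->Client: QueryValue response
Client->Domain Controller: QueryValue request fInheritMaxDesconectionTime
Domain Controller->Client: QueryValue response
Client->Domain Controller: QueryValue request fInheritMaxIdleTime
Domain Controller->Client: QueryValue response
Client->Domain Controller: QueryValue request fInheritAutoclient
Domain Controller->Client: QueryValue response Error: WERR_BADFILE
Client->Domain Controller: QueryValue request fInheritSecurity
Domain Controller->Client: QueryValue response Error: WERR_BADFILE
Client->Domain Controller: QueryValue request fInheritColorDepth
Domain Controller->Client: QueryValue response Error: WERR_BADFILE
Client->Domain Controller: QueryValue request fpromptforpassword
Domain Controller->Client: QueryValue response
"""

OPEN_RE = re.compile(r"^Client->Domain Controller: Open Query (.+)$")
REQ_RE = re.compile(r"^Client->Domain Controller: QueryValue request (\S+)$")
RESP_RE = re.compile(r"^Domain Controller->Client: QueryValue response(?: Error: (\S+))?$")

# Assumption for triage: registry paths a workstation has no ordinary reason to
# read from a domain controller (matched case-insensitively as substrings).
WATCHED_PATHS = (r"\control\terminal server", r"useroverride\control panel\desktop")


def is_watched(key_path):
    """True if the opened key path falls under one of the watched locations."""
    low = key_path.lower()
    return any(p in low for p in WATCHED_PATHS)


def parse_trace(text):
    """Pair each QueryValue request with its response.

    Returns a list of (key_path, value_name, error) tuples; error is None when
    the DC answered without an error code.
    """
    records, current_key, pending = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = OPEN_RE.match(line)
        if m:
            current_key = m.group(1)          # subsequent queries refer to this key
            continue
        m = REQ_RE.match(line)
        if m:
            pending = m.group(1)              # wait for the matching response
            continue
        m = RESP_RE.match(line)
        if m and pending is not None:
            records.append((current_key, pending, m.group(1)))
            pending = None
    return records


def summarize(records):
    """Group by key path: values read, values the DC said do not exist, watch flag."""
    summary = {}
    for key_path, value, error in records:
        entry = summary.setdefault(
            key_path, {"queried": [], "missing": [], "watched": is_watched(key_path)})
        entry["queried"].append(value)
        if error == "WERR_BADFILE":           # value not present on the DC
            entry["missing"].append(value)
    return summary


if __name__ == "__main__":
    for key_path, info in summarize(parse_trace(SAMPLE_TRACE)).items():
        flag = "WATCH" if info["watched"] else "ok"
        print(f"[{flag}] {key_path}: {len(info['queried'])} values read, "
              f"{len(info['missing'])} not present: {info['missing']}")
```

To compare machines, export each capture's remote-registry (WINREG) dissection from Wireshark in the same one-line-per-operation form, feed each file to parse_trace, and diff the resulting summaries; a PC whose summary shows the Terminal Server path while others do not is the one whose startup scripts, services and applied GPOs deserve a closer look.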