File Audit services.exe changing permissions

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • File Audit services.exe changing permissions

    I have been having issues with a folder's permissions being changed randomly throughout the day on a test server. I turned on file auditing and was able to determine that it is the system account and the services.exe process. Is there a better way to tell what is causing this?

    OS. Windows Server 2003 SP2



    Searched the forums and Google and didn't see any clear answers to this.

  • #2
    Re: File Audit services.exe changing permissions

    I would do a full Virus scan as some viruses and trojans use the filename Services.exe.
    Caesar's cipher - 3

    ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

    SFX JNRS FC U6 MNGR



    • #3
      Re: File Audit services.exe changing permissions

      It is an isolated test box for our web app vendor. I ran a full scan using Sophos and an online Trend Micro and nothing was detected. The vendor began testing their new update code and I am pretty sure it is something they are doing (they have full access to the box), but I have to prove it is them, as they are stating the reason the upgrade is taking too long is because of this issue. Just to let you know what I am dealing with: originally they stated the issue was because I had it running on a VMware box and VMware was changing their directory and only their directories' permissions.



      • #4
        Re: File Audit services.exe changing permissions

        Can you post the permissions on the said directory and any events logged as a result of auditing?

        Cheers


        • #5
          Re: File Audit services.exe changing permissions

          This is what I thought the event was that changed the directories:

          Type: Audit Success
          Date: 2/18/2009
          Time: 8:02:47 AM
          Event: 560
          Source: Security
          Category: Object Access
          User: \SYSTEM
          Computer: -
          Description:
          Object Open:
          Object Server: Security
          Object Type: File
          Object Name: C:\Program Files\Retalix\DAX\Website\CfxTemp
          Handle ID: 3188
          Operation ID: {0,5181477}
          Process ID: 480
          Image File Name: C:\WINDOWS\system32\services.exe
          Primary User Name: U-$
          Primary Domain: -
          Primary Logon ID: (0x0,0x3E7)
          Client User Name: U-$
          Client Domain: U-
          Client Logon ID: (0x0,0x3E7)
          Accesses: READ_CONTROL
          WRITE_DAC

          Privileges: -
          Restricted Sid Count: 0

          ------------------------------------------------------------------------------------------------------------------

          Type: Audit Success
          Date: 2/18/2009
          Time: 3:02:47 AM
          Event: 560
          Source: Security
          Category: Object Access
          User: \SYSTEM
          Computer: --TEST60
          Description:
          Object Open:
          Object Server: Security
          Object Type: File
          Object Name: C:\Program Files\Retalix\DAX\Website\CfxTemp
          Handle ID: 3188
          Operation ID: {0,5181477}
          Process ID: 480
          Image File Name: C:\WINDOWS\system32\services.exe
          Primary User Name: -$
          Primary Domain: U-
          Primary Logon ID: (0x0,0x3E7)
          Client User Name: U-$
          Client Domain: --
          Client Logon ID: (0x0,0x3E7)
          Accesses: READ_CONTROL
          WRITE_DAC

          Privileges: -
          Restricted Sid Count: 0



          Below this are some supporting events that might help

          Type: Audit Success
          Date: 2/18/2009
          Time: 8:02:47 AM
          Event: 560
          Source: Security
          Category: Object Access
          User: \SYSTEM
          Computer: ----
          Description:
          Object Open:
          Object Server: Security
          Object Type: File
          Object Name: C:\Program Files\Retalix\DAX\Website\CfxTemp
          Handle ID: 3188
          Operation ID: {0,5181480}
          Process ID: 480
          Image File Name: C:\WINDOWS\system32\services.exe
          Primary User Name: ---
          Primary Domain: ----
          Primary Logon ID: (0x0,0x3E7)
          Client User Name: ----
          Client Domain: -
          Client Logon ID: (0x0,0x3E7)
          Accesses: SYNCHRONIZE
          ReadData (or ListDirectory)

          Privileges: -
          Restricted Sid Count: 0

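An added example, not code posted by anyone in this thread: a Python sketch that parses exported Event 560 text like the records above, including the Accesses list that wraps onto following lines, and counts which process opened which object with WRITE_DAC or WRITE_OWNER requested. The sample input is constructed from fields shown in the post, and the function names are hypothetical.

```python
import re
from collections import Counter
# Constructed sample, trimmed from the Event 560 text in the post above.
SAMPLE = r"""Type: Audit Success
Event: 560
Object Name: C:\Program Files\Retalix\DAX\Website\CfxTemp
Process ID: 480
Image File Name: C:\WINDOWS\system32\services.exe
Accesses: READ_CONTROL
WRITE_DAC

Privileges: -
Type: Audit Success
Event: 560
Object Name: C:\Program Files\Retalix\DAX\Website\CfxTemp
Process ID: 480
Image File Name: C:\WINDOWS\system32\services.exe
Accesses: SYNCHRONIZE
ReadData (or ListDirectory)
"""

PERM_CHANGE = {"WRITE_DAC", "WRITE_OWNER"}  # rights needed to edit the DACL or owner

def parse_events(text):
    """Split exported Security-log text into one dict per Event 560 record."""
    events = []
    for chunk in re.split(r"(?m)^(?=Type:)", text):
        fields, key = {}, None
        for line in (l.strip() for l in chunk.splitlines()):
            m = re.match(r"([A-Za-z ]+):\s*(.*)$", line)
            if m:
                key = m.group(1)
                fields[key] = m.group(2)
            elif line and key == "Accesses":
                fields[key] += "|" + line  # access list wraps onto following lines
            else:
                key = None  # a blank line ends the access list
        if fields.get("Event") == "560":
            fields["Accesses"] = fields.get("Accesses", "").split("|")
            events.append(fields)
    return events

def permission_writers(events):
    """Count opens that requested DACL/owner write, per (image, PID, object)."""
    return Counter((e.get("Image File Name"), e.get("Process ID"), e.get("Object Name"))
                   for e in events if PERM_CHANGE & set(e["Accesses"]))

if __name__ == "__main__":
    print(permission_writers(parse_events(SAMPLE)))
```

Only the first sample record is counted; the SYNCHRONIZE/ReadData open on the same folder is ignored because it requests no permission-changing right.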


          • #6
            Re: File Audit services.exe changing permissions

            Can you find any Events 592 in the log and look for any details of
            Process ID: 480 to shed more light on the name of the program changing those permissions.
            BTW is it just the temporary folder being affected or are there any other events for different folders?
            It's worth double checking the manufacturer's installation notes regarding the directory permissions.

            Ta


            • #7
              Re: File Audit services.exe changing permissions

              Something is changing the root and child level folder permissions. I ran Process Monitor and was able to record the event happening, but it seems my filter recorded too little information to see what spawned the process, since I dropped filter events. I'll have to look into creating a filter that records the launch of the services.exe process. It seems to me this would be the best bet? And I didn't see any 592 events. The PID that was used in Process Monitor was also 480, being services.exe.
              Last edited by DietMountainDewFTW; 25th March 2009, 05:08.



              • #8
                Re: File Audit services.exe changing permissions

                The other thing you could do to determine if the application itself is making those changes is to temporarily Deny "Change permissions" for the SYSTEM account and see if it's affecting any functionality.

                Ta


                • #9
                  Re: File Audit services.exe changing permissions

                  I left that out: denying permission changes on that directory fixes the issue, and if there isn't at least read on the permissions on root of their directory, the application fails to function.
