RE: Files in system 32 directory

From: Benjamin D. Goldman <bgoldman(at)kipany.com>
Date: Tue Apr 22 2003 - 14:13:21 EDT

there is only one thing I could find:
http://www.dshield.org/pipermail/list/2002-July/004582.php

its a link to a messageboard from july2002

"Yes, I have these same 1KB files appearing on my ISA server and I've
also been concerned and curious. Wayne's question prompted me to do a little research.

I was able to match the two most recent file creation times to success audit events in the security log. These events are ID # 617, "Policy Change".

In the Microsoft Knowledge Base I found the following information in Q272460:

"When the "Audit policy change" policy is enabled for either success or
failure in the Default Domain Policy or Default Domain Controllers Policy Group Policy objects (GPO), a success event, event 617, is logged in the Windows 2000 Security log regardless of whether or not a policy change occurred.

The following list describes when a Security policy is propagated by default:

        Every five minutes when the domain controller's GPO is refreshed

        Every 16 hours, regardless of whether or not a policy change has occurred

        When you use the SECEDIT /RefreshPolicy machine_policy /enforce command to propagate Group Policy changes"

Looks like the audit event is part of an automatic process just to show the audit process is turned on. Apparently the strange one line text files are generated as part of this test/check/confirmation.

However, I was unable to turn up anything in the KB searching on the file names or on the file content. Also Google turned up nothing useful.

The whole is probably harmless, but it's sure odd, isn't it? If anybody else knows more than this I'll be happy to change my mind!

Bob Savage
IT Manager
RNR, Inc.
Minneapolis, MN"

-----Original Message-----
From: ashah@sevenspace.com [mailto:ashah@sevenspace.com] Sent: Monday, April 21, 2003 5:37 PM
To: focus-ms@securityfocus.com
Subject: Files in system 32 directory

Hello,

     I have a windows 2000 sp2 machine which is a DC/DNS. In the system32

folder i see a lot of files name 'Security=Impersonation Dynamic False'.

They are usually 1 to 2 kb in size and contain the following in the file

'Error 0 to send control flag 0 over to server'. Has anyone seen this

before? What might be causing this?. Please advise.

Thank You,

---

---

Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the
world's premier event for IT and network security experts. The two-day Training features 6 hand-on courses on May 12-13 taught by professionals.
The two-day Briefings on May 14-15 features 24 top speakers with no vendor
sales pitches. Deadline for the best rates is April 25. Register today to
ensure your place. http://www.securityfocus.com/BlackHat-focus-ms

---

---

---

Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the world's premier event for IT and network security experts. The two-day Training features 6 hand-on courses on May 12-13 taught by professionals. The two-day Briefings on May 14-15 features 24 top speakers with no vendor sales pitches. Deadline for the best rates is April 25. Register today to ensure your place. http://www.securityfocus.com/BlackHat-focus-ms

---

Received on Wed Apr 23 10:41:28 2003