My HKEY_LOCAL_MACHINE\SECURITY is empty

Discussion in 'Computer Security' started by Jim, Apr 6, 2007.

  1. Jim

    Jim Guest

    When I launch programs, my XP Pro/SP2 system sometimes hesitates for a
    few seconds.

    Using RegMon (by Systems Internals) I found this hesitation was when
    registry key HKEY_LOCAL_MACHINE\SECURITY was being accessed.

    I found that this reg key had no sub-keys. Should I have sub-keys
    there?

    If so, then what do those missing keys do and how can I get them back?
     
    Jim, Apr 6, 2007
    #1

  2. Jim <> writes:
    >When I launch programs, my XP Pro/SP2 system sometimes hesitates for a
    >few seconds.


    >Using RegMon (by Systems Internals) I found this hesitation was when
    >registry key HKEY_LOCAL_MACHINE\SECURITY was being accessed.


    >I found that this reg key had no sub-keys. Should I have sub-keys
    >there?
    >If so, then what do those missing keys do and how can I get them back?



    No, it's normally blank.

    If you've used RegMon at all, you'd notice it getting negative hits
    for dozens of keys anytime anything runs, and apps usually try dozens
    or hundreds of times for these "missing" keys.

    That's the normal Windows design, such as it is.
     
    Doug McIntyre, Apr 6, 2007
    #2

  3. Jim wrote:

    > When I launch programs, my XP Pro/SP2 system sometimes hesitates for a
    > few seconds.
    >
    > Using RegMon (by Systems Internals) I found this hesitation was when
    > registry key HKEY_LOCAL_MACHINE\SECURITY was being accessed.
    >
    > I found that this reg key had no sub-keys. Should I have sub-keys
    > there?
    >
    > If so, then what do those missing keys do and how can I get them back?


    Could it be that you didn't give yourself sufficient permission to view the
    content of this key? By default only the integrated principal
    NT-AUTHORITY\SYSTEM should have access to that key, whereas the admin is
    only allowed to write the DAC and read the control handle.

    For your problem: The kernel loader indeed does a lot of stuff when creating a
    new process, and looking up various security policies belongs to this. If
    something is broken about this key or some security policies are
    misconfigured, such a behaviour would be expected.

    Maybe you wanna restore the SECURITY hive from your backup? Or maybe from
    the repair backup and re-set your relevant security policies?
     
    Sebastian Gottschalk, Apr 6, 2007
    #3
  4. Doug McIntyre wrote:

    > Jim <> writes:
    >>When I launch programs, my XP Pro/SP2 system sometimes hesitates for a
    >>few seconds.

    >
    >>Using RegMon (by Systems Internals) I found this hesitation was when
    >>registry key HKEY_LOCAL_MACHINE\SECURITY was being accessed.

    >
    >>I found that this reg key had no sub-keys. Should I have sub-keys
    >>there?
    >>If so, then what do those missing keys do and how can I get them back?

    >
    > No, it's normally blank.


    It's interesting how people jump to conclusions from "Regedit shows it
    blank to me, thus it must be blank" without even considering checking the
    ACLs on the relevant key.

    (If it was indeed blank then your system would crash immediately and not
    boot up any more.)

    > If you've used RegMon at all, you'd notice it getting negative hits
    > for dozens of keys anytime anything runs, and apps usually try dozens
    > or hundreds of times for these "missing" keys.
    >
    > That's the normal Windows design, such as it is.


    For sure it's not. Even Mark Russinovich ranted a lot of times about
    various Windows components using polling instead of change notification
    messages.

    The only legitimate scenario is a fail-buffer-again read on variable length
    data. Read the key with a buffer size of zero, receive an error "BUFFER
    OVERFLOW, you need a buffer of size xyz to read these data", read again
    with the right buffer size.
     
    Sebastian Gottschalk, Apr 6, 2007
    #4
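
The ACL check that replies #3 and #4 call for, as an added example that is not part of the original thread: it separates "the key has no subkeys" from "this account may not list the subkeys" and prints the access rules that explain the difference. `Test-KeyVisibility` is a hypothetical helper name, and the script assumes an elevated Windows PowerShell 3.0 or later session.

```powershell
# Added example: is the key really empty, or is the caller just not allowed to look?
# Test-KeyVisibility is a hypothetical helper name, not part of any tool in the thread.
function Test-KeyVisibility {
    param([string]$SubKey = 'SECURITY')

    $hklm   = [Microsoft.Win32.Registry]::LocalMachine
    $result = [ordered]@{
        Key = "HKLM\$SubKey"; CanEnumerate = $false; SubKeyCount = $null; Acl = @()
    }

    # Step 1: open for read (query + enumerate), which is what a registry editor needs.
    try {
        $key = $hklm.OpenSubKey($SubKey)
        if ($null -eq $key) { throw "Key HKLM\$SubKey does not exist." }
        $result.CanEnumerate = $true
        $result.SubKeyCount  = $key.SubKeyCount
        $key.Close()
    }
    catch [System.Security.SecurityException], [System.UnauthorizedAccessException] {
        # Access denied: the editor shows nothing, which says nothing about the content.
    }

    # Step 2: ask only for the right to read the DACL, then list its access rules.
    try {
        $aclKey = $hklm.OpenSubKey($SubKey,
            [Microsoft.Win32.RegistryKeyPermissionCheck]::Default,
            [System.Security.AccessControl.RegistryRights]::ReadPermissions)
        $sections = [System.Security.AccessControl.AccessControlSections]::Access
        $result.Acl = $aclKey.GetAccessControl($sections).Access | ForEach-Object {
            '{0}: {1} ({2})' -f $_.IdentityReference, $_.RegistryRights, $_.AccessControlType
        }
        $aclKey.Close()
    }
    catch [System.Security.SecurityException], [System.UnauthorizedAccessException] {
        $result.Acl = @('ACL not readable from this account')
    }

    [pscustomobject]$result
}

Test-KeyVisibility -SubKey 'SECURITY' | Format-List
```

`CanEnumerate = False` together with a readable ACL means the key only looks blank to this account; `CanEnumerate = True` with `SubKeyCount = 0` would mean it is actually empty.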
  5. Jim

    BernieM Guest

    "Jim" <> wrote in message
    news:Xns990A9DA5FCEB064A18E@127.0.0.1...
    > When I launch programs, my XP Pro/SP2 system sometimes hesitates for a
    > few seconds.
    >
    > Using RegMon (by Systems Internals) I found this hesitation was when
    > registry key HKEY_LOCAL_MACHINE\SECURITY was being accessed.
    >
    > I found that this reg key had no sub-keys. Should I have sub-keys
    > there?
    >
    > If so, then what do those missing keys do and how can I get them back?


    From ...
    http://www.microsoft.com/technet/archive/winntas/tips/winntmag/bob0599.mspx?mfr=true

    Q. The Registry editor grays out the HKEY_LOCAL_MACHINE/SAM and
    HKEY_LOCAL_MACHINE/SECURITY Registry hives on my Windows NT system. How can
    I look at the content of these hives without resetting their ACLs?

    A. You can use the At command or the Microsoft Windows NT Server 4.0 Resource
    Kit Winat utility to force NT to expose these usually protected Registry
    hives. Use At and Winat to schedule an instance of a Registry editor at a
    specified time. By default, your system runs the scheduled session in the
    security context of the System account. The System account has access to the
    HKEY_LOCAL_MACHINE/SAM and HKEY_LOCAL_MACHINE/SECURITY Registry keys; thus,
    you can view the contents of these hives when your scheduled session pops
    up. Be sure to use the /interactive switch or, if you're using Winat, select
    the interactive option so that the scheduled Registry editor session is
    visible on the desktop.

    For example, to schedule a regedt32 session to pop up on the local machine
    at 11:00 a.m., type the following command at an NT command prompt:

    at 11:00 /interactive regedt32
     
    BernieM, Apr 6, 2007
    #5