This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I have detected an inusual network traffic in PC's startup. With a wireshark capture you see after the user introduces his password, the Windows XP Client connecting to remote registry of the domain controller (W2000 cluster) and trying to set or query some registry keys related to terminal services. In brief,

Client->Domain Controler: Open Query HKLM \SYSTEM \CurrentControlSet \Control \Terminal Server\DeafultConfiguration

and followed by the secuence:

Client->Domain Controller: QueryValue request fInheritAutologon Domain controller-Client: QueryValue response

Client->Domain Controller: QueryValue request fInheritResetBroken Domain controller-Client: QueryValue response

Client->Domain Controller: QueryValue request fInheritReconnectSame Domain controller-Client: QueryValue response

Client->Domain Controller: QueryValue request fInheritInitialProgram Domain controller-Client: QueryValue response

Client->Domain Controller: QueryValue request fInheritCallBack Domain controller-Client: QueryValue response

Client->Domain Controller: QueryValue request fInheritCallBackNumber Domain controller-Client: QueryValue response

Client->Domain Controller: QueryValue request fInheritShadow Domain controller-Client: QueryValue response

Client->Domain Controller: QueryValue request fInheritMaxSessionTime Domain controller-Client: QueryValue response

Client->Domain Controller: QueryValue request fInheritMaxDesconectionTime Domain controller-Client: QueryValue response

Client->Domain Controller: QueryValue request fInheritMaxIdleTime Domain controller-Client: QueryValue response

Client->Domain Controller: QueryValue request fInheritAutoclient Domain controller-Client: QueryValue response Error: WERR_BADFILE

Client->Domain Controller: QueryValue request fInheritSecurity Domain controller-Client: QueryValue response Error: WERR_BADFILE

Client->Domain Controller: QueryValue request fInheritColorDepth Domain controller-Client: QueryValue response Error: WERR_BADFILE

Client->Domain Controller: QueryValue request fpromptforpassword Domain controller-Client: QueryValue response

and there are more keys being consulted. Another hive that is consulted in the same trace is useroverride\Control Panel\Desktop with other keys. This traffic is produced after the default domain policy is applied but we don´t have any configuration for terminal server in this policy. Until I know this is not normal because PC clients in a domain don´t try to configure the terminal service. We only have the execution of a script in netlogon folder to map three server folder and certain policies that after are applied. I have seen this traffic in certain PCs but in others are different. What can produce this situation (malware, kernel driver, installed service, etc..? Can somenone help me to find the cause?

Best Regards and thanks in advance.

asked 20 Sep '14, 06:30

Pim's gravatar image

Pim
11334
accept rate: 0%

Be the first one to answer this question!
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×115
×52
×32
×4

question asked: 20 Sep '14, 06:30

question was seen: 1,705 times

last updated: 20 Sep '14, 06:30

p​o​w​e​r​e​d by O​S​Q​A