
Thread: A Problem with IE security

  1. #11
    Spybot Advisor Team [Retired] md usa spybot fan
    Join Date
    Oct 2005
    Posts
    5,859


    darkdestiny:

    In Regmon > Options there is a "Log Boot". However, if I remember correctly the filter does not appear to be in effect with this option and it creates thousands of entries.

    Getting an answer is one thing, learning is another.


    Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.

  2. #12
    Junior Member
    Join Date
    Jun 2007
    Posts
    18

    What does LogBoot do?

    I'm not quite sure how that function works, but that function is enabled. Maybe I'll check out the Log file which it mentioned in the pop-up.

  3. #13
    Spybot Advisor Team [Retired] md usa spybot fan
    Join Date
    Oct 2005
    Posts
    5,859


    From the Regmon's help facility:

    Monitoring Boot-Time Registry Access (Windows NT/2K only)

    To use Regmon's boot logging feature simply select the "Log Boot" menu entry. Regmon will indicate that starting the next time the system boots Registry activity will be monitored and recorded to a log file named REGMON.LOG in your system root directory. When you make this selection Regmon configures itself as the very first driver to initialize in the system, enabling it to capture the Registry startup activity of all other device drivers and services, including critical boot drivers such as SCSI miniport drivers and boot file system drivers.

    Regmon stops recording to the log file when you start the Regmon GUI, and it will only log a single boot. Logging is therefore also stopped when the system shuts down, unless you have re-enabled boot-time logging for the subsequent boot. The format of the log file is the same tab-delineated text as a standard Regmon output file that can be viewed with any editor.

    Before you use the boot-logging feature you should ensure that there is ample free space on your system drive. Capturing Registry activity from startup to shutdown on an NT 4.0 system will generate a log file with 90,000-120,000 records (7-10 MB in size), whereas an identically configured NT 5.0 system (Beta 2) will generate 140,000-160,000 records (15-25 MB of log data). If Regmon fills the disk while writing to the log it will truncate the log file and leave a message in it indicating that the disk did not have enough free space. Regmon aborts logging and cleans up the log in such cases so that lack of disk space will not prevent a successful boot.


  4. #14
    Junior Member
    Join Date
    Jun 2007
    Posts
    18

    Did manage to stop it in time... and caught the culprit

    I tried twice to view the log file you mentioned, but the file developed is too big (400+ MB). I tried opening RegMon as soon as I logged in, and did manage to get a much smaller file. This is what I found.

    NOTE: Below are all the related entries of the raw data I've collected. There are some that have nothing to do with the problem.

    248062: tvtsched.exe:2952 OpenKey HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN SUCCESS Access: 0x1

    248063: tvtsched.exe:2952 QueryValue HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\tvtsched.exe NOT FOUND

    248067: tvtsched.exe:2952 QueryValue HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\* NOT FOUND

    248074: tvtsched.exe:2952 CloseKey HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN SUCCESS

    572328: explorer.exe:1280 OpenKey HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN SUCCESS Access: 0x1

    572329: explorer.exe:1280 QueryValue HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Explorer.EXE NOT FOUND

    572330: explorer.exe:1280 QueryValue HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\* NOT FOUND

    572331: explorer.exe:1280 CloseKey HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN SUCCESS

    572332: explorer.exe:1280 OpenKey HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN SUCCESS Access: 0x1

    572333: explorer.exe:1280 QueryValue HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Explorer.EXE SUCCESS 0x1

    572334: explorer.exe:1280 CloseKey HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN SUCCESS

    648956: SynTPEnh.exe:3788 OpenKey HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN SUCCESS Access: 0x1

    648957: SynTPEnh.exe:3788 QueryValue HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\SynTPEnh.exe NOT FOUND
    NOTE: This is somewhat irrelevant, but I just want to state it in case it has anything to do with the change.

    648959: SynTPEnh.exe:3788 QueryValue HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\* NOT FOUND

    648961: SynTPEnh.exe:3788 CloseKey HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN SUCCESS

    648962: SynTPEnh.exe:3788 OpenKey HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN SUCCESS Access: 0x1

    648963: SynTPEnh.exe:3788 QueryValue HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\SynTPEnh.exe NOT FOUND

    648964: SynTPEnh.exe:3788 QueryValue HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\* NOT FOUND

    648965: SynTPEnh.exe:3788 CloseKey HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN SUCCESS

    701629: rrservice.exe:2896 OpenKey HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN SUCCESS Access: 0x1

    701631: rrservice.exe:2896 QueryValue HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\rrservice.exe NOT FOUND

    701633: rrservice.exe:2896 QueryValue HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\* NOT FOUND

    701635: rrservice.exe:2896 CloseKey HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN SUCCESS

    This is as much as I can find. Sorry if it doesn't give much help, but if I left the computer to load completely, the data could have been too much.

    I have quite a number of programs, and so I can't really give much help with the RegMon log gathering too much data.

  5. #15
    Junior Member
    Join Date
    Jun 2007
    Posts
    18

    I've got another boot log

    Although it's pretty much the same as the other log I received, it showed the entire log of what's happening during and just after Windows boot (it's about 290MB!!!).

    Nothing found in relation to the problem. The closest one I've noticed is "explorer.exe", but no "iexplorer.exe".

    I'll check with the Microsoft support regarding the problem.

  6. #16
    Junior Member
    Join Date
    Jun 2007
    Posts
    18

    Finally, caught the REAL culprit?

    Below is the part of the log which I noted has changed the registry.

    934347: ASMonitor.exe:3164 CreateKey HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN SUCCESS Access: 0x20006
    934348: ASMonitor.exe:3164 SetValue HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe SUCCESS 0x0
    934349: ASMonitor.exe:3164 CloseKey HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN SUCCESS

    Culprit: ASMonitor.exe (AOL Security Monitor)

    I'll uninstall the program and see if the problem is fixed.
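    The check the poster did by eye, finding which process writes under the FEATURE_LOCALMACHINE_LOCKDOWN key, can be automated over a Regmon log. The script below is an added example, not code from the thread or from Regmon; it parses records in the format pasted above and reports the write operations (SetValue, or OpenKey/CreateKey requesting KEY_SET_VALUE or KEY_CREATE_SUB_KEY). The sample lines are constructed to mirror the ones in the thread.

```python
import re

# One Regmon record as pasted in the thread: "seq: process:pid Operation Path Result [Extra]".
# The path may contain spaces ("Internet Explorer"), so the all-caps result token is the anchor.
RECORD_RE = re.compile(
    r"^(?P<seq>\d+):\s+(?P<proc>\S+?):(?P<pid>\d+)\s+(?P<op>\w+)\s+(?P<path>.+?)"
    r"\s+(?P<result>[A-Z]+(?: [A-Z]+)*)(?:\s+(?P<extra>.*))?$"
)
LOCKDOWN_KEY = r"\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN"
# Access masks seen in the thread: 0x1 is KEY_QUERY_VALUE (a read); 0x20006 is KEY_WRITE,
# i.e. STANDARD_RIGHTS_WRITE (0x20000) | KEY_SET_VALUE (0x2) | KEY_CREATE_SUB_KEY (0x4).
WRITE_RIGHTS = 0x2 | 0x4
WRITE_OPS = {"SetValue", "DeleteValue", "DeleteKey"}

def parse_record(line):
    """Return a dict for one Regmon line, or None if the line is not a record."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["extra"] = rec["extra"] or ""
    return rec

def requests_write(rec):
    """True if an OpenKey/CreateKey asked for KEY_SET_VALUE or KEY_CREATE_SUB_KEY."""
    m = re.search(r"Access:\s*0x([0-9A-Fa-f]+)", rec["extra"])
    return bool(m) and (int(m.group(1), 16) & WRITE_RIGHTS) != 0

def find_lockdown_writers(log_text):
    """Successful records that create or modify anything under the IE lockdown key."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if not rec or LOCKDOWN_KEY not in rec["path"] or rec["result"] != "SUCCESS":
            continue
        if rec["op"] in WRITE_OPS or (rec["op"] in ("OpenKey", "CreateKey") and requests_write(rec)):
            # value name is whatever follows the key (e.g. "iexplore.exe"); empty for key-level ops
            rec["value"] = rec["path"].split(LOCKDOWN_KEY, 1)[1].lstrip("\\")
            hits.append(rec)
    return hits

# Constructed sample in the thread's format: two reads by tvtsched.exe, then the write sequence.
SAMPLE_LOG = r"""
248062: tvtsched.exe:2952 OpenKey HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN SUCCESS Access: 0x1
248063: tvtsched.exe:2952 QueryValue HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\tvtsched.exe NOT FOUND
934347: ASMonitor.exe:3164 CreateKey HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN SUCCESS Access: 0x20006
934348: ASMonitor.exe:3164 SetValue HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe SUCCESS 0x0
934349: ASMonitor.exe:3164 CloseKey HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN SUCCESS
"""

if __name__ == "__main__":
    for h in find_lockdown_writers(SAMPLE_LOG):
        print(f'{h["proc"]}:{h["pid"]} {h["op"]} {h["value"] or "(key)"} {h["extra"]}')
```

    Run it against REGMON.LOG itself (or a Regmon export) to find the writer without reading a 400 MB file by hand.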

  7. #17
    Junior Member
    Join Date
    Jun 2007
    Posts
    18

    Problem solved! I think...

    After uninstalling Active Security Monitor (sorry, I made a mistake. It's not AOL, it's Active) and rebooting my computer (which I did a while ago), the problem did not occur again.

    So, for those who have the problem whereby the option "Allow active content to run in files in My Computer" (in IE > Internet Options... > Advanced tab > Security) is checked each time you boot, check if you have Active Security Monitor installed.

    Thanks, Spybot Team, for the help.
