need to capture an event....
I'm drawing a blank here.... at work, we have tasks being mysteriously created and reappearing after being deleted. Nothing special, just AT jobs.
The GPO guys insist there isn't a policy putting this back, and I couldn't find one either. Our startup scripts have no reference to them either.
How can I log all activity and get to the bottom of this? I was thinking procmon, but a reboot (a task does a reboot) makes the procmon log unusable since it didn't exit gracefully.
any ideas?
Comments
RobertKaucher Member Posts: 4,299 ■■■■■■■■■■
Could you set a shutdown script that runs procmon /terminate?
undomiel Member Posts: 2,818
From looking at this: Windows Security Log Event ID 602
It looks like you'll want to enable object auditing: success, and then scan the logs for a 602 event. For procmon you could add to your reboot scheduled task. Issue "procmon /terminate" to gracefully close out of it and save your log file. It sounds like you may want to scan for viruses or spyware, I've seen those creating their own AT jobs.
Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
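The two checks undomiel describes (audit the Security log for task-creation events, then watch the job list) as an added PowerShell example; this is not code from the thread or from any poster. It assumes it is run elevated on the affected box with "Audit object access: Success" already enabled, that event ID 602 is the pre-Vista "Scheduled Task created" record and 4698 its Vista-and-later equivalent, and the snapshot folder under $env:TEMP is my own choice. Running it periodically (or from the same shutdown script that issues procmon /terminate) gives a timestamped record of when a deleted job comes back, which can then be lined up against the procmon log and the audit event that recreated it.

```powershell
# Added example (not from the thread): find who/what recreates the AT jobs.
# Assumes: elevated shell; object-access auditing (success) enabled; IDs 602/4698
# are the task-created audit events; snapshot path below is constructed.

$TaskCreatedIds = 602, 4698
$SnapshotDir    = Join-Path $env:TEMP 'task-snapshots'   # constructed path

function Get-TaskCreationEvents {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    # -InstanceId filters inside the event log service, so the (large) Security
    # log is not pulled into memory in full.
    Get-EventLog -LogName Security -InstanceId $TaskCreatedIds -After $Since -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeGenerated
                EventId = $_.EventID
                User    = $_.UserName
                # keep only the message lines that name the task or its file;
                # the remainder of the audit text is fixed boilerplate
                Detail  = (($_.Message -split "`r?`n") |
                           Where-Object { $_ -match 'Task|File' } |
                           Select-Object -First 3) -join ' | '
            }
        }
}

function Save-TaskSnapshot {
    # schtasks /v lists command line, author and "run as" account for every job,
    # AT jobs included. Some Windows versions repeat the CSV header once per
    # task folder, so those pseudo-rows are dropped before export.
    if (-not (Test-Path $SnapshotDir)) { New-Item -ItemType Directory -Path $SnapshotDir | Out-Null }
    $file = Join-Path $SnapshotDir ("tasks-{0:yyyyMMdd-HHmmss}.csv" -f (Get-Date))
    schtasks /query /fo CSV /v | ConvertFrom-Csv |
        Where-Object { $_.TaskName -ne 'TaskName' } |
        Select-Object TaskName, Author, 'Task To Run', 'Run As User', 'Next Run Time' |
        Export-Csv -Path $file -NoTypeInformation
    $file
}

function Compare-TaskSnapshots {
    param([string]$Old, [string]$New)
    # A job that was deleted and came back shows up as APPEARED in the newer file;
    # its 'Task To Run' value is what procmon / the 602 event should be matched against.
    $a = Import-Csv $Old
    $b = Import-Csv $New
    Compare-Object $a $b -Property TaskName, 'Task To Run' |
        ForEach-Object {
            $state = if ($_.SideIndicator -eq '=>') { 'APPEARED' } else { 'REMOVED' }
            "{0,-9} {1}  ->  {2}" -f $state, $_.TaskName, $_.'Task To Run'
        }
}

# --- usage: take a snapshot, diff it against the previous one, list audit events ---
$new  = Save-TaskSnapshot
$prev = Get-ChildItem $SnapshotDir -Filter 'tasks-*.csv' |
        Sort-Object Name | Select-Object -Last 2 | Select-Object -First 1
if ($prev -and $prev.FullName -ne $new) {
    "Task list changes since $($prev.Name):"
    Compare-TaskSnapshots -Old $prev.FullName -New $new
}

"Task-creation audit events (IDs $($TaskCreatedIds -join ', ')):"
Get-TaskCreationEvents | Sort-Object Time | Format-Table -AutoSize
```

If the event query comes back empty while jobs keep reappearing, the audit category is the first thing to re-check (the OP's later update mentions it being forced off by GPO); the snapshot diff still works without auditing, it just cannot say which account created the job.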
sambuca69 Member Posts: 262
Cool beans, thanks you two for the ideas
Update: well, we have 'Object Access: enable' disabled via GPO, but the shutdown script route seems to shut down PROCMON gracefully and I can read it after a reboot. Now I just have to sit and wait.
docrice Member Posts: 1,706 ■■■■■■■■■■
In addition to auditing (object access visibility should inflate the amount of logging activity considerably), you might also consider installing Snare on a machine and sending its syslog to a syslog server (or Splunk). I just find it hard to read through the Event Viewer GUI after a while, especially with so many events. At the very least, I'd have to export the logs using Psloglist and carve out the events in Excel.
http://technet.microsoft.com/en-us/sysinternals/bb897544
Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/