From: Abigail on 3 Oct 2008 19:03

"nass" wrote:
> Abi
> Can you search for these two files on your System and let me know the
> whereabout they located if any.
> Did you try to create a new profile and see if that will work okay?
> Mine located here:
>
> c:\Windows\System32\wbem
> C:\Windows\$NtServicePackUninstall$
> C:\Windows\ServicePackFiles\i386
> C:\Windows\SoftwareDistrubition\SelfUpdate\16b......
>
> If you find it in one of these directories copy it to the other and Reboot
> your machine please do this for both files and Reboot your machine and see if
> the WMI is restored.
>
> If the above didn't help please contact me with your Hijackthis log.
> Download Hijackthis and send me the log.
> (http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php)
> my address is : to_you_ross(at remove this and replace with the
> obvious)yahoo.co.uk
> ( _ is underscore)
> HTH.
> nass
> ---
> http://www.nasstec.co.uk

nass,

If you are referring to the 2 files from the registry command entries you posted earlier that did not load before (wbemprox.dll) and (Fastprox.dll), they only exist in:

C:\WINNT\system32\wbem

in my system. Specifically where do they need to be copied?

I have the following $NtServicePackUninstall folders under C:\WINNT:

$NtServicePackUninstallIDNMitigationAPIs$
$NtServicePackUninstallNLSDownlevelMapping$

Do they need to be copied under:

C:\WINNT\ServicePackFiles\i386\

also?

As for the:

C:\Windows\SoftwareDistrubition\SelfUpdate\16b......

Mine is:

C:\WINNT\SoftwareDistrubition\SelfUpdate\

containing only two folders: \Default & \Registered ?

Did you mean a new profile, a new computer username?

Abigail

From: Abigail on 4 Oct 2008 00:22

nass,

At reviewing back the thread I performed all it was left to try from the following point:

#######################

Setting The Default WMI Namespace Security:
http://community.spiceworks.com/education/projects/Setting_The_Default_WMI_Namespace_Security?query=WMI
Setting The Default DCOM Properties And Security:
http://community.spiceworks.com/education/projects/Setting_The_Default_DCOM_Properties_And_Security

Right click My Computer and select Properties. On the System Properties click on Advanced tab then click on [ Environment Variables ] Button and under System Variables make sure these settings correct:

Variable | Value
ComSpec  %SystemRoot%\system32\cmd.exe
Path     C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
PATHEXT  .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
TEMP     %SystemRoot%\TEMP
TMP      %SystemRoot%\TEMP
windir   %SystemRoot%

NOTE the above copied from the Edit Window, it will take the Path letter C:\Windows\Temp for Exm..

#######################

Results:

After opening dcomcnfg.exe the windows firewall warning dialog prompted that the item is being blocked, therefore I selected to unblock and continued resetting the defaults exactly as recommended in the link above.

After completing anything else that it was not attempted before and rebooting it seems like the Event Error SecurityCenter ID: 1802 is gone but now I'm getting a new event warning with the following Description: A provider, HiPerfCooker_v1, has been registered in the WMI namespace, Root\WMI, to use the LocalSystem account...

I performed an additional WMIDiag scan and it is reporting Warnings, additionally I performed the Hijack This tool diagnostics scan and I forwarded the results of both to the e-address you are providing.

Thanks
Abigail

From: nass on 4 Oct 2008 05:33

"Abigail" wrote:
> nass,
>
> At reviewing back the thread I performed all it was left to try from the
> following point:
>
> #######################
>
> Setting The Default WMI Namespace Security:
> http://community.spiceworks.com/education/projects/Setting_The_Default_WMI_Namespace_Security?query=WMI
> Setting The Default DCOM Properties And Security:
> http://community.spiceworks.com/education/projects/Setting_The_Default_DCOM_Properties_And_Security
>
> Right click My Computer and select Properties. On the System Properties
> click on Advanced tab then click on [ Environment Variables ] Button and
> under System Variables make sure these settings correct:
> Variable | Value
> ComSpec  %SystemRoot%\system32\cmd.exe
> Path     C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
> PATHEXT  .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
> TEMP     %SystemRoot%\TEMP
> TMP      %SystemRoot%\TEMP
> windir   %SystemRoot%
>
> NOTE the above copied from the Edit Window, it will take the Path letter
> C:\Windows\Temp for Exm..
>
> #######################
>
> Results:
>
> After opening dcomcnfg.exe the windows firewall warning dialog prompted that
> the item is being blocked, therefore I selected to
> unblock and continued resetting the defaults exactly as recommended in the
> link above.
>
> After completing anything else that it was not attempted before and
> rebooting it seems like the Event Error SecurityCenter ID: 1802
> is gone but now I'm getting a new event warning with the following
> Description: A provider, HiPerfCooker_v1, has been registered in
> the WMI namespace, Root\WMI, to use the LocalSystem account...
>
> I performed an additional WMIDiag scan and it is reporting Warnings,
> additionally I performed the Hijack This tool diagnostics scan
> and I forwarded the results of both to the e-address you are providing.
>
> Thanks
> Abigail

Hi Abi,

The warning for HiPerfCooker_v1 is related to the "Formatted Performance Data Provider", hence "Cooked Counter Provider":
http://msdn.microsoft.com/en-us/library/aa390431(VS.85).aspx

Yes, I mean copy the two files to the locations I mentioned in my previous post:

c:\\WINNT\System32\wbem
C:\\WINNT\$NtServicePackUninstall$
C:\\WINNT\ServicePackFiles\i386
C:\\WINNT\SoftwareDistrubition\SelfUpdate\16b......

I didn't get your message but here is my address again and please note that ( _ ) is underscore:
to_you_ross(.at.)yahoo.co.uk

HTH,
nass
---
http://www.nasstec.co.uk