
System Profile in W2000

 pimp
(@pimp)
Posts: 18
Active Member
Topic starter
 

Hi,

I have found a computer (W2000 operating system) with a System profile under the Documents and Settings folder. As far as I know this user doesn't log in to the computer. On a new W2000 PC this system profile folder doesn't appear. In the registry under

Microsoft\Windows NT\CurrentVersion\ProfileList

there is a key with ID S-1-5-18 and Date Modified 11/09/2013 93313. Analyzing the profile's folders in the MFT I've found that the Std Info Modification date is prior to the Std Info Creation date in some folders under the System profile, for example

Filename #1 /Documents and Settings/SYSTEM/SendTo
Std Info Creation date 2013-05-29 113344.724249
Std Info Modification date 2005-07-05 122858
Std Info Access date 2014-02-07 134816.765625 (this date is because the disk was plugged by usb cable to check it)
Std Info Entry date 2013-05-29 113346.083626
FN Info Creation date 2013-05-29 113344.724249
FN Info Modification date 2013-05-29 113344.724249
FN Info Access date 2013-05-29 113344.724249
FN Info Entry date 2013-05-29 113344.72424

The system was installed in 2005.

Could anyone help me to understand what happened? Is this the result of an exploit? Why is the Std Info Modification date prior to the Std Info Creation date?

Best Regards and thanks in advance.

 
Posted : 02/03/2015 2:31 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Hmmm.
Trying to reach a wider audience?

http://reboot.pro/topic/20357-system-profile-w2000/

http://security.stackexchange.com/questions/82806/windows-2000-system-profile

jaclaz

 
Posted : 02/03/2015 5:31 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Is this "System" profile the name of a user account? If you parse the SAM hive, is there a user account named "System"?

 
Posted : 02/03/2015 9:49 pm
 pimp
(@pimp)
Posts: 18
Active Member
Topic starter
 

Hi,

Jaclaz yes it is the same question. The purpose is as you say to reach a wider audience and find an answer. For me it is important to understand what happened because it is strange, so I thought to ask the same question in different security forums. If there is anything wrong with it I apologize for that. On the other hand, I would like to thank you for your answers to different questions that I have posted in this forum.

keydet89, I have parsed the SAM and there isn't a SYSTEM account, so there is a key in
Microsoft\Windows NT\CurrentVersion\ProfileList and the folder under Documents and Settings, but there isn't an account called System in the SAM. On the other hand, I would like to thank you too for your answers to different questions that I have posted in this forum.

Best Regards.

 
Posted : 02/03/2015 10:36 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

The purpose is as you say to reach a wider audience and find an answer. For me it is important to understand what happened because it is strange, so I thought to ask the same question in different security forums. If there is anything wrong with it I apologize for that.

Naah, nothing "wrong" right now, the potential issue with multi-posting on several boards that may happen IF you do not "maintain" the threads is that of polluting the internet 😯 .

I mean, IF (and WHEN) hopefully you will get your answer on this or on the other forums, there is a risk that you will leave all the threads where you did not get the answer not finalized, so that next peep googling for a System profile on Windows 2000 is likely to find n threads without an answer (and not the one containing it).

A smaller risk (but still a risk) is that, say, after Wonko the Sane on reboot.pro attempted to answer the question you asked there, when he finds the same question logging on forensic focus as jaclaz he might get upset with you and be grumpier than usual …

jaclaz

 
Posted : 02/03/2015 11:44 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

keydet89, I have parsed the SAM and there isn't a SYSTEM account, so there is a key in
Microsoft\Windows NT\CurrentVersion\ProfileList and the folder under Documents and Settings, but there isn't an account called System in the SAM.

What is the SID for the listing within the ProfileList key?

 
Posted : 02/03/2015 11:48 pm
 pimp
(@pimp)
Posts: 18
Active Member
Topic starter
 

keydet89, I have parsed the SAM and there isn't a SYSTEM account, so there is a key in
Microsoft\Windows NT\CurrentVersion\ProfileList and the folder under Documents and Settings, but there isn't an account called System in the SAM.

What is the SID for the listing within the ProfileList key?

In the registry under

Microsoft\Windows NT\CurrentVersion\ProfileList

SID S-1-5-18 and Date Modified 11/09/2013 93313.

 
Posted : 03/03/2015 12:53 am
 pimp
(@pimp)
Posts: 18
Active Member
Topic starter
 

The purpose is as you say to reach a wider audience and find an answer. For me it is important to understand what happened because it is strange, so I thought to ask the same question in different security forums. If there is anything wrong with it I apologize for that.

Naah, nothing "wrong" right now, the potential issue with multi-posting on several boards that may happen IF you do not "maintain" the threads is that of polluting the internet 😯 .

I mean, IF (and WHEN) hopefully you will get your answer on this or on the other forums, there is a risk that you will leave all the threads where you did not get the answer not finalized, so that next peep googling for a System profile on Windows 2000 is likely to find n threads without an answer (and not the one containing it).

A smaller risk (but still a risk) is that, say, after Wonko the Sane on reboot.pro attempted to answer the question you asked there, when he finds the same question logging on forensic focus as jaclaz he might get upset with you and be grumpier than usual …

jaclaz

OK, I understand. Thanks.

 
Posted : 03/03/2015 12:54 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

The system was installed in 2005.

Could anyone help me to understand what happened? Is this the result of an exploit? Why is the Std Info Modification date prior to the Std Info Creation date?

Looking at this again, what you're seeing is not likely the result of an exploit. Windows systems maintain a "default user" profile, so that when a user logs into the system, the files are copied over into the user's profile, which would explain the dates that you're seeing. So, it's _likely_ that what you're seeing is the OS doing what it does.

The question then becomes, if the system was installed in 2005, why would this profile be created 8 yrs later?

I _suspect_ that it may be the result of malware running on the system with System level privileges. Knowing that Windows 2000 systems notoriously have a dearth of information, I'd create a timeline of system activity using whatever data sources are available…$MFT, Registry files, Event Logs, etc. I would be particularly interested to see if the profile contains IE browser history…this would be indicative of malware using the WinInet API (the API used by IE) for off-system communications. I would start by looking for malware that persists as a Windows service.

HTH

 
Posted : 03/03/2015 5:10 pm
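As an added example (not code from any of the posters), here is a small Python checker that parses an MFT timestamp listing in the format posted above and applies the comparison keydet89's answer rests on: a copy keeps the source's last-write time but receives a fresh creation time, while the $FILE_NAME timestamps record when this MFT entry itself was created. The sample record is constructed to mirror the posted SendTo entry; the field names and the returned finding codes are my own.

```python
from datetime import datetime, timedelta

# Constructed sample in the shape of the MFT listing posted in the thread.
SAMPLE_RECORD = """Filename #1 /Documents and Settings/SYSTEM/SendTo
Std Info Creation date 2013-05-29 113344.724249
Std Info Modification date 2005-07-05 122858
Std Info Access date 2014-02-07 134816.765625
Std Info Entry date 2013-05-29 113346.083626
FN Info Creation date 2013-05-29 113344.724249
FN Info Modification date 2013-05-29 113344.724249
FN Info Access date 2013-05-29 113344.724249
FN Info Entry date 2013-05-29 113344.72424"""

# Listing label -> conventional MACB field name (my naming).
FIELDS = {"Creation": "crtime", "Modification": "mtime", "Access": "atime", "Entry": "ctime"}

def parse_timestamp(text):
    """'2013-05-29 113344.724249' -> datetime; colons are dropped, fraction optional."""
    day, _, clock = text.partition(" ")
    clock, _, frac = clock.partition(".")
    ts = datetime.strptime(f"{day} {clock[:2]}:{clock[2:4]}:{clock[4:6]}",
                           "%Y-%m-%d %H:%M:%S")
    if frac:
        ts += timedelta(microseconds=int(frac.ljust(6, "0")[:6]))
    return ts

def parse_record(text):
    """Split one listing into its $STANDARD_INFORMATION (si) and $FILE_NAME (fn) sets."""
    rec = {"path": None, "si": {}, "fn": {}}
    for line in text.strip().splitlines():
        words = line.split()
        if words[0] == "Filename":
            rec["path"] = line.split(" ", 2)[2]
            continue
        attr = "si" if words[0] == "Std" else "fn"
        rec[attr][FIELDS[words[2]]] = parse_timestamp(f"{words[4]} {words[5]}")
    return rec

def assess(rec):
    """$FILE_NAME times are written by the kernel when the record is created and
    are not changed by ordinary timestamp-setting APIs, so they anchor si."""
    si, fn = rec["si"], rec["fn"]
    findings = []
    if si["mtime"] < si["crtime"]:
        # A copy keeps the source mtime but gets a fresh crtime: content older than entry.
        findings.append("CONTENT_OLDER_THAN_RECORD")
    if si["crtime"] < fn["crtime"]:
        # si claims the file predates its own MFT record: si has been back-dated.
        findings.append("SI_PREDATES_FN")
    return findings
```

On the posted record this yields only CONTENT_OLDER_THAN_RECORD, the benign copy pattern; SI_PREDATES_FN is the pattern that would instead point at timestamp manipulation.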
 pimp
(@pimp)
Posts: 18
Active Member
Topic starter
 

The system was installed in 2005.

Could anyone help me to understand what happened? Is this the result of an exploit? Why is the Std Info Modification date prior to the Std Info Creation date?

Looking at this again, what you're seeing is not likely the result of an exploit. Windows systems maintain a "default user" profile, so that when a user logs into the system, the files are copied over into the user's profile, which would explain the dates that you're seeing. So, it's _likely_ that what you're seeing is the OS doing what it does.

Ok, but one doubt: the profile is the System's, not any user's. Is the behaviour the same for special accounts like System or Local Service and Network Service (in the case of XP)?

The question then becomes, if the system was installed in 2005, why would this profile be created 8 yrs later?

I _suspect_ that it may be the result of malware running on the system with System level privileges. Knowing that Windows 2000 systems notoriously have a dearth of information, I'd create a timeline of system activity using whatever data sources are available…$MFT, Registry files, Event Logs, etc. I would be particularly interested to see if the profile contains IE browser history…this would be indicative of malware using the WinInet API (the API used by IE) for off-system communications. I would start by looking for malware that persists as a Windows service.

HTH

I checked the profile and there isn't an IE browser history in the folders. I will look for malware as you recommend.

Best Regards and thanks.

 
Posted : 06/03/2015 2:27 am