Remote-access Guide

HKLM\SYSTEM\ControlSet001\Control\Terminal Server and remote access trojans

by Kallie McClure Published 3 years ago Updated 2 years ago

What is ControlSet001 HKLM?

On your system the live set may be ControlSet002 rather than ControlSet001. The HKLM\SYSTEM\ControlSet001\Control\Terminal Server key lets you configure general settings, just as you can under Terminal Services Configuration or Group Policy. Some of the values described here are discussed in detail later in this chapter.

What is the hklmsystemcurrentcontrolsetcontrol registry tree?

The HKLM\SYSTEM\CurrentControlSet\Control registry tree contains information for controlling system startup and some aspects of device configuration. Of particular interest is the subkey that contains information about the device setup classes on the system.

What is the difference between ControlSet001 and ControlSet002?

The numbered ControlSet001 and ControlSet002 subkeys contain the control information needed to start Windows Server 2003 and keep it running. One of the two numbered subkeys is the original; the other is the backup copy. On startup, the system determines which of the keys is the original and records the result under HKLM\SYSTEM\Select.

Question

We seem to have some unique kind of issue with terminal services where administrators will get an "Access is denied" error on logging on to the server. Often, people in the Remote Desktop group also have the same "Access is denied" error. Although, as a workaround, we have enabled a reg key:

Answers

Administrators can log in, but only if they use the /admin switch, i.e. mstsc /admin.

What is HKLM SYSTEM ControlSet001?

An adjoining key, HKLM\SYSTEM\ControlSet001\Services\TermService, hosts the configuration of Terminal Services both within the generic Svchost.exe Windows service and within the Services.exe process. The values you find there include, for example, the display name, description, full path and start options, as also listed under services administration. The subkeys hold license settings and parameters for the performance counter object used by the system monitor.

Where is the HKLM root hive?

One of the central HKLM root hive areas is found under SYSTEM\CurrentControlSet and SYSTEM\ControlSet00n. The numbered ControlSet001 and ControlSet002 subkeys contain the control information needed to start Windows Server 2003 and keep it running. One of the two numbered subkeys is the original; the other is the backup copy. On startup, the system determines which of the keys is the original and records the result under HKLM\SYSTEM\Select. The last successful set of control information is exposed as HKLM\SYSTEM\CurrentControlSet. The three sets of control information are for the most part identical, but only one is valid and used by the system at any time.

Where is the UsrLogon.cmd file?

Another relevant area is located under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon. It includes the AppSetup value, which names a special script file called UsrLogon.cmd. This script is executed, along with any logon script, at the start of each terminal server session. (See Chapter 7.) The same location also contains the WinStationDisabled value, which either denies (0) or allows (1) new terminal server users to log on, regardless of protocol. At the command prompt, you can modify this value with the Change logon /enable or Change logon /disable commands.

Where are the configuration options for terminal servers?

The relevant configuration options for terminal servers, terminal server sessions, users and clients are spread across several places in the registry. The administration tools and Group Policies described in the previous chapters usually change several registry values at once. The following section lists their paths and default values.

What is the value of each user session's temporary directory?

Each user session receives its own temporary directory. Possible values for this setting are 0 or 1. Change this value using the "Use per session directory" server setting in Terminal Services Configuration.

What port does Remote Desktop listen to?

When you connect to a computer (either a Windows client or a Windows Server) through the Remote Desktop client, the Remote Desktop feature on the target computer listens for the connection request on a defined port (3389 by default). You can change that listening port on Windows computers by modifying the registry.

How to change port number on remote desktop?

Change the listening port for Remote Desktop on your computer:

1. Start the registry editor. (Type regedit in the Search box.)
2. Navigate to the following registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
3. Find PortNumber.
4. Click Edit > Modify, and then click Decimal.
5. Type the new port number, and then click OK.
6. Close the registry editor, and restart your computer.
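As an added example (not from the original page), the following read-only PowerShell audit applies the Select / ControlSet00n mechanism described above to the RDP listener port: it resolves the live control set from HKLM\SYSTEM\Select, reads PortNumber under that set's RDP-Tcp WinStation and reports whether it still equals the default 3389, lists the port held in every numbered control set, and reports the Winlogon AppSetup value. The function names are my own; it assumes Windows PowerShell with read access to HKLM\SYSTEM.

```powershell
# Added audit example, not from the page. Read-only: resolves which numbered
# control set is live via HKLM\SYSTEM\Select and reads the Terminal Server
# values discussed above from it. PortNumber and AppSetup are value names the
# page gives; Select\Current is the standard value holding the live set number.

function Get-LiveControlSetPath {
    # Select\Current holds the number n of the ControlSet00n that
    # CurrentControlSet currently links to (1 -> ControlSet001).
    $select = Get-ItemProperty -Path 'HKLM:\SYSTEM\Select' -ErrorAction Stop
    'HKLM:\SYSTEM\ControlSet{0:D3}' -f [int]$select.Current
}

function Get-RdpListenerAudit {
    param(
        [string]$ControlSetPath = (Get-LiveControlSetPath),
        [int]$ExpectedPort = 3389   # the default RDP listening port
    )
    $rdpKey = Join-Path $ControlSetPath 'Control\Terminal Server\WinStations\RDP-Tcp'
    $rdp    = Get-ItemProperty -Path $rdpKey -ErrorAction Stop

    # AppSetup under Winlogon names the script run at every terminal server
    # session logon (UsrLogon.cmd by default), so report it alongside the port.
    $winlogon = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

    [pscustomobject]@{
        LiveControlSet = $ControlSetPath
        PortNumber     = [int]$rdp.PortNumber
        PortIsDefault  = ([int]$rdp.PortNumber -eq $ExpectedPort)
        AppSetup       = $winlogon.AppSetup
    }
}

function Get-ControlSetPorts {
    # The backup set(s) normally carry the same listener port as the live one;
    # a port that differs only in one set is worth explaining.
    Get-ChildItem -Path 'HKLM:\SYSTEM' |
        Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' } |
        ForEach-Object {
            $key  = "HKLM:\SYSTEM\$($_.PSChildName)\Control\Terminal Server\WinStations\RDP-Tcp"
            $port = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).PortNumber
            [pscustomobject]@{ ControlSet = $_.PSChildName; PortNumber = $port }
        }
}

Get-RdpListenerAudit | Format-List
Get-ControlSetPorts  | Format-Table -AutoSize
```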

What tool is used to register malicious files?

After dropping the malicious file, the malware uses the RegAsm.exe tool (the .NET assembly registration utility, which writes registry entries) to perform its malicious tasks. All the registry changes are defined below:

What is the URL of the TCP request?

The hostname behind the TCP request was "meeti.duckdns.org", which indicates that this is the Nanocore RAT malware; the IP address the hostname resolved to was "192.169.69.25".
