There are a few things that Windows won't let you do, that I wish it
would let you do. For example:
- Allow Administrators to pretend to be another user, without having to
know that user's password.
There are times when, in order to configure something, you have to log
in under the user's account before you can configure it. It would be
*so* much easier for everyone if the user didn't have to hang around so
they can enter their password for you 18 times while you try to get
their PC working. Of course, you can reset their password yourself - but
then you can't set it back to what it was (due to password recycling
restrictions).
- Allow Administrators to unlock a workstation without destroying all of
the user's unsaved work. (IOW, without terminating all the stuff they
have running.)
- Log security events in a meaningful way.
Do you know what

Object Access Attempt:
Object Server:Security
Handle ID:144
Object Type:File
Process ID:3156
Image File Name:C:\WINDOWS\system32\notepad.exe
Accesses:WriteData
Access Mask:0x6

means? I certainly don't.
But then, this isn't human-readable data. This is simply a raw dump of
the low-level internal data structures that Windows itself uses to
manage object access. Something human-readable would be far more useful.
As it is, all over the company we have event logs full of gibberish like
this that nobody can understand. We might as well not bother logging it...
- The ability to monitor CPU, HD and NIC activity from the notification
area would be useful. (It's useful for determining whether the computer
is actually "doing anything", and if it is, what it's waiting around
for.) Actually, I'm still hoping that one day somebody will design a
case with the NIC activity light on the front rather than the back. And
separate indicator lights for each HD...
Invisible wrote:
> There are a few things that Windows won't let you do, that I wish it
> would let you do. For example:
>
> - Allow Administrators to pretend to be another user, without having to
> know that user's password.
>
> There are times when, in order to configure something, you have to log
> in under the user's account before you can configure it. It would be
> *so* much easier for everyone if the user didn't have to hang around so
> they can enter their password for you 18 times while you try to get
> their PC working. Of course, you can reset their password yourself - but
> then you can't set it back to what it was (due to password recycling
> restrictions).
>
> - Allow Administrators to unlock a workstation without destroying all of
> the user's unsaved work. (IOW, without terminating all the stuff they
> have running.)
>
> - Log security events in a meaningful way.
>
> Do you know what
>
> Object Access Attempt:
> Object Server:Security
> Handle ID:144
> Object Type:File
> Process ID:3156
> Image File Name:C:\WINDOWS\system32\notepad.exe
> Accesses:WriteData
> Access Mask:0x6
>
> means? I certainly don't.
>
> But then, this isn't human-readable data. This is simply a raw dump of
> the low-level internal data structures that Windows itself uses to
> manage object access. Something human-readable would be far more useful.
> As it is, all over the company we have event logs full of gibberish like
> this that nobody can understand. We might as well not bother logging it...
Looks like someone was trying to overwrite notepad. I'd be suspicious.
Most people don't overwrite notepad. Wonder what process 3156 was..
> - The ability to monitor CPU, HD and NIC activity from the notification
> area would be useful. (It's useful for determining whether the computer
> is actually "doing anything", and if it is, what it's waiting around
> for.) Actually, I'm still hoping that one day somebody will design a
> case with the NIC activity light on the front rather than the back. And
> separate indicator lights for each HD...
I think sysinternals has a utility like this..
http://technet.microsoft.com/en-us/sysinternals/bb896646.aspx
Just open task manager for a CPU monitor. NIC, I dunno.
--
~Mike
>> - Log security events in a meaningful way.
>>
>> Do you know what
>>
>> Object Access Attempt:
>> Object Server:Security
>> Handle ID:144
>> Object Type:File
>> Process ID:3156
>> Image File Name:C:\WINDOWS\system32\notepad.exe
>> Accesses:WriteData
>> Access Mask:0x6
>>
>> means? I certainly don't.
>
> Looks like someone was trying to overwrite notepad. I'd be suspicious.
> Most people don't overwrite notepad. Wonder what process 3156 was..
I think it means that process 3156 *was* NOTEPAD.EXE - but I have no
idea what it was trying to overwrite...
>> - The ability to monitor CPU, HD and NIC activity from the
>> notification area would be useful.
>
> I think sysinternals has a utility like this..
>
> http://technet.microsoft.com/en-us/sysinternals/bb896646.aspx
>
> Just open task manager for a CPU monitor. NIC, I dunno.
SysInternals has Process Explorer, which gives you a nice scrolling CPU
graph (and now also I/O). Task Manager gives you current CPU usage, but
PE gives you a scrolling graph, and separates user-time and kernel-time
with colours. Unfortunately, the I/O graph is wildly inaccurate (as in,
it doesn't appear strongly correlated with the HD activity light on the
front of the PC).
Windows XP (and later?) have a feature where you can put a little NIC
icon in the tray, and it flashes when you access the network. Not
terribly accurate though. Task Manager shows you a better graph, but
only when you have it open on that page. There's nothing in the tray.
Invisible wrote:
> - Allow Administrators to pretend to be another user, without having to
> know that user's password.
Sure. We all wish security would let administrators make changes to the
system they could blame on other users. :-)
> There are times when, in order to configure something, you have to log
> in under the user's account before you can configure it.
Not really. That's the easiest way to do it, but it isn't necessary.
Everything about the user is stored in the file system, so...
If you knew how to work it, you could do it. Do you think people at
Microsoft or American Express hang around to enter their passwords while the
sysadmin fixes things?
> - Allow Administrators to unlock a workstation without destroying all of
> the user's unsaved work. (IOW, without terminating all the stuff they
> have running.)
Wouldn't be much of a lock, would it?
> - Log security events in a meaningful way.
> Do you know what
>
> Object Access Attempt:
> Object Server:Security
> Handle ID:144
> Object Type:File
> Process ID:3156
> Image File Name:C:\WINDOWS\system32\notepad.exe
> Accesses:WriteData
> Access Mask:0x6
>
> means? I certainly don't.
You didn't provide the actual interesting information, which is the Event ID.
http://www.microsoft.com/technet/support/ee/ee_advanced.aspx
> But then, this isn't human-readable data. This is simply a raw dump of
> the low-level internal data structures that Windows itself uses to
> manage object access.
Not really. It's the codes the OS passed to be recorded in the event logs.
> As it is, all over the company we have event logs full of gibberish like
> this that nobody can understand. We might as well not bother logging it...
Or, alternately, you could learn what the codes mean.
> - The ability to monitor CPU, HD and NIC activity from the notification
> area would be useful.
CPU and NIC activity monitors come with Windows, if you're just interested
in an approximate "is it doing anything". Task manager will iconify to a CPU
activity barchart in the notification area, and there's a checkbox on the
network connection configuration front page that says to show the icon even
when you have good connectivity, and that icon will animate.
Your HD light on the front should work. :-) If not, google for "hd activity
systray" or something.
Vista has sidebar gadgets for nic and HD activity like you want. :-)
--
Darren New, San Diego CA, USA (PST)
"Ouch ouch ouch!"
"What's wrong? Noodles too hot?"
"No, I have Chopstick Tunnel Syndrome."
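A decoder for the audit record quoted in this thread, as an added example that is not part of any poster's message: it parses the quoted text and expands the Access Mask into named file rights. The function names are hypothetical, the bit values are the file access rights from the Windows SDK header winnt.h, and it assumes Image File Name is the executable of the process named by Process ID.

```python
# File-object access rights (bit values from the Windows SDK, winnt.h),
# labelled with the short names the Security log uses in "Accesses:".
FILE_RIGHTS = {
    0x000001: "ReadData",
    0x000002: "WriteData",
    0x000004: "AppendData",
    0x000008: "ReadEA",
    0x000010: "WriteEA",
    0x000020: "Execute",
    0x000040: "DeleteChild",
    0x000080: "ReadAttributes",
    0x000100: "WriteAttributes",
    0x010000: "DELETE",
    0x020000: "READ_CONTROL",
    0x040000: "WRITE_DAC",
    0x080000: "WRITE_OWNER",
    0x100000: "SYNCHRONIZE",
}
# Rights that change content, permissions or ownership: triage these first.
MODIFYING = 0x2 | 0x4 | 0x10 | 0x40 | 0x100 | 0x10000 | 0x40000 | 0x80000

# The event text as quoted in the thread.
SAMPLE = r"""Object Access Attempt:
Object Server:Security
Handle ID:144
Object Type:File
Process ID:3156
Image File Name:C:\WINDOWS\system32\notepad.exe
Accesses:WriteData
Access Mask:0x6
"""

def parse_event(text):
    """Split 'Key:Value' lines on the first colon only (paths contain colons)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    return fields

def decode_mask(mask):
    """Return the names of every set bit; bits not in the table are kept as hex."""
    names = [name for bit, name in sorted(FILE_RIGHTS.items()) if mask & bit]
    unknown = mask & ~sum(FILE_RIGHTS)
    if unknown:
        names.append("unknown(0x%X)" % unknown)
    return names

def describe(text):
    """Render one parsed record as a single readable line."""
    f = parse_event(text)
    if f.get("Object Type") != "File":
        raise ValueError("these bit names only apply to File objects")
    mask = int(f["Access Mask"], 16)
    kind = "modifying" if mask & MODIFYING else "read-only"
    return "Process %s (%s) used handle %s for %s access: %s" % (
        f["Process ID"], f["Image File Name"], f["Handle ID"],
        kind, ", ".join(decode_mask(mask)))

if __name__ == "__main__":
    print(describe(SAMPLE))
```

The mask 0x6 decodes to two rights, WriteData and AppendData, although the quoted Accesses line names only the first; the record carries a handle ID rather than the name of the file that was written.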
Invisible wrote:
> Task Manager gives you current CPU usage, but
> PE gives you a scrolling graph, and separates user-time and kernel-time
> with colours.
So does Task Manager. Go to the "performance" tab, turn on "show kernel
times", and you have a scrolling graph with separate times. :-) Not in the
tray, mind.
--
Darren New, San Diego CA, USA (PST)
"Ouch ouch ouch!"
"What's wrong? Noodles too hot?"
"No, I have Chopstick Tunnel Syndrome."
>> - Allow Administrators to pretend to be another user, without having
>> to know that user's password.
>
> Sure. We all wish security would let administrators make changes to the
> system they could blame on other users. :-)
Newsflash: If your administrators can't be trusted, you have A Big Problem.
>> There are times when, in order to configure something, you have to log
>> in under the user's account before you can configure it.
>
> Not really. That's the easiest way to do it, but it isn't necessary.
> Everything about the user is stored in the file system, so...
Yeah, sure, because it's really easy to figure out how every random
screwed up app designed for Windows 95 is using the filesystem to store
its stuff, right?
> If you knew how to work it, you could do it. Do you think people at
> Microsoft or American Express hang around to enter their passwords while
> the sysadmin fixes things?
Presumably they don't use obscure, badly designed software...
>> - Allow Administrators to unlock a workstation without destroying all
>> of the user's unsaved work. (IOW, without terminating all the stuff
>> they have running.)
>
> Wouldn't be much of a lock, would it?
Why? Because one person in the building can unlock it? (Note that the
administrator can *already* unlock it - as can anybody else by using the
on/off switch, come to think of it.) It would just be nice if somebody
goes home and forgets to save their work if I didn't have to destroy all
that work.
> You didn't provide the actual interesting information, which is the
> Event ID.
Yes, but you get my *point*. Turn on auditing, perform a few trivial
actions, watch your event log fill with many megabytes of data that
nobody knows what it means.
> Or, alternately, you could learn what the codes mean.
As far as I can tell, M$ hasn't actually documented many of them yet.
(Although a number of other sites have - but you're never sure the info
is correct.)
> CPU and NIC activity monitors come with Windows, if you're just
> interested in an approximate "is it doing anything". Task manager will
> iconify to a CPU activity barchart in the notification area
Yeah, I found that one. Process Explorer does it nicer tho. ;-)
> and there's
> a checkbox on the network connection configuration front page that says
> to show the icon even when you have good connectivity, and that icon
> will animate.
This is one of the many, many alterations I make every time I set up a
Windows box.
> Your HD light on the front should work. :-) If not, google for "hd
> activity systray" or something.
Not much help if you're accessing the machine remotely. System Internals
have a couple of tools that are supposed to do it, but they seem to not
be very accurate. (E.g., the HD light is flashing away, yet PE shows no
I/O activity.)
> Vista has sidebar gadgets for nic and HD activity like you want. :-)
I hope I never end up having to use Vista.
Actually, I used to say that about XP. Let me rephrase: I hope I never
have to use Vista before they're finished fixing it. ;-)
--
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*
Orchid XP v8 wrote:
> Newsflash: If your administrators can't be trusted, you have A Big Problem.
Not true. It's certainly easier to trust your administrators. But being able
to audit the administrators is probably a good idea.
>> Not really. That's the easiest way to do it, but it isn't necessary.
>> Everything about the user is stored in the file system, so...
>
> Yeah, sure, because it's really easy to figure out how every random
> screwed up app designed for Windows 95 is using the filesystem to store
> its stuff, right?
I didn't say it was easier. I said it was possible. If it's actually enough
of a problem, you'll buy a new program that works with remote management
technologies, or you'll hire someone to figure out where stuff is stored.
>> If you knew how to work it, you could do it. Do you think people at
>> Microsoft or American Express hang around to enter their passwords
>> while the sysadmin fixes things?
>
> Presumably they don't use obscure, badly designed software...
Or they hire someone to work out what they need to do to fix things.
>>> - Allow Administrators to unlock a workstation without destroying all
>>> of the user's unsaved work. (IOW, without terminating all the stuff
>>> they have running.)
>>
>> Wouldn't be much of a lock, would it?
>
> Why? Because one person in the building can unlock it? (Note that the
> administrator can *already* unlock it - as can anybody else by using the
> on/off switch, come to think of it.)
No. They can't unlock the programs running on the machine under another user
ID. They can only unlock the entire machine.
> It would just be nice if somebody
> goes home and forgets to save their work if I didn't have to destroy all
> that work.
Why would you log them out? Let it run. Open a new session if someone else
needs to use the same console.
>> You didn't provide the actual interesting information, which is the
>> Event ID.
>
> Yes, but you get my *point*. Turn on auditing, perform a few trivial
> actions, watch your event log fill with many megabytes of data that
> nobody knows what it means.
Because *you* don't know what it means doesn't mean *nobody* knows what it
means.
> As far as I can tell, M$ hasn't actually documented many of them yet.
As far as you could tell, MS didn't document what programs you get when you
buy Office Home. That isn't saying much. ;-)
> (E.g., the HD light is flashing away, yet PE shows no
> I/O activity.)
NTFS slowly commits the log out to the disk. If you do something big, it
might take 20 or 30 seconds to finish in the background after it has already
been committed. Try running "sync", and then see if it still happens.
> Actually, I used to say that about XP. Let me rephrase: I hope I never
> have to use Vista before they're finished fixing it. ;-)
Dunno. Works great for me. You seem to have bad luck, tho, so... Wait for
Win7SP1. ;-)
--
Darren New, San Diego CA, USA (PST)
"Ouch ouch ouch!"
"What's wrong? Noodles too hot?"
"No, I have Chopstick Tunnel Syndrome."
Darren New wrote:
> Invisible wrote:
>> - Allow Administrators to pretend to be another user, without having
>> to know that user's password.
>
> Sure. We all wish security would let administrators make changes to the
> system they could blame on other users. :-)
>
>> There are times when, in order to configure something, you have to log
>> in under the user's account before you can configure it.
>
> Not really. That's the easiest way to do it, but it isn't necessary.
> Everything about the user is stored in the file system, so...
>
> If you knew how to work it, you could do it. Do you think people at
> Microsoft or American Express hang around to enter their passwords while
> the sysadmin fixes things?
>
>> - Allow Administrators to unlock a workstation without destroying all
>> of the user's unsaved work. (IOW, without terminating all the stuff
>> they have running.)
>
> Wouldn't be much of a lock, would it?
>
>> - Log security events in a meaningful way.
>> Do you know what
>>
>> Object Access Attempt:
>> Object Server:Security
>> Handle ID:144
>> Object Type:File
>> Process ID:3156
>> Image File Name:C:\WINDOWS\system32\notepad.exe
>> Accesses:WriteData
>> Access Mask:0x6
>>
>> means? I certainly don't.
>
> You didn't provide the actual interesting information, which is the
> Event ID.
>
> http://www.microsoft.com/technet/support/ee/ee_advanced.aspx
>
>> But then, this isn't human-readable data. This is simply a raw dump of
>> the low-level internal data structures that Windows itself uses to
>> manage object access.
>
> Not really. It's the codes the OS passed to be recorded in the event logs.
>
>> As it is, all over the company we have event logs full of gibberish
>> like this that nobody can understand. We might as well not bother
>> logging it...
>
> Or, alternately, you could learn what the codes mean.
>
Because.. Providing administrators with... I don't know, something that
could tell them, so they don't have to look it up, or memorize 4,000
codes, would just what? Make too much sense? lol
--
void main () {
If Schrödingers_cat is alive or version > 98 {
if version = "Vista" {
call slow_by_half();
call DRM_everything();
}
call functional_code();
}
else
call crash_windows();
}
Darren New wrote:
> Orchid XP v8 wrote:
>> Newsflash: If your administrators can't be trusted, you have A Big
>> Problem.
>
> Not true. It's certainly easier to trust your administrators. But being
> able to audit the administrators is probably a good idea.
>
>>> Not really. That's the easiest way to do it, but it isn't necessary.
>>> Everything about the user is stored in the file system, so...
>>
>> Yeah, sure, because it's really easy to figure out how every random
>> screwed up app designed for Windows 95 is using the filesystem to
>> store its stuff, right?
>
> I didn't say it was easier. I said it was possible. If it's actually
> enough of a problem, you'll buy a new program that works with remote
> management technologies, or you'll hire someone to figure out where
> stuff is stored.
>
>>> If you knew how to work it, you could do it. Do you think people at
>>> Microsoft or American Express hang around to enter their passwords
>>> while the sysadmin fixes things?
>>
>> Presumably they don't use obscure, badly designed software...
>
> Or they hire someone to work out what they need to do to fix things.
>
>>>> - Allow Administrators to unlock a workstation without destroying
>>>> all of the user's unsaved work. (IOW, without terminating all the
>>>> stuff they have running.)
>>>
>>> Wouldn't be much of a lock, would it?
>>
>> Why? Because one person in the building can unlock it? (Note that the
>> administrator can *already* unlock it - as can anybody else by using
>> the on/off switch, come to think of it.)
>
> No. They can't unlock the programs running on the machine under another
> user ID. They can only unlock the entire machine.
>
>> It would just be nice if somebody goes home and forgets to save their
>> work if I didn't have to destroy all that work.
>
> Why would you log them out? Let it run. Open a new session if someone
> else needs to use the same console.
>
>>> You didn't provide the actual interesting information, which is the
>>> Event ID.
>>
>> Yes, but you get my *point*. Turn on auditing, perform a few trivial
>> actions, watch your event log fill with many megabytes of data that
>> nobody knows what it means.
>
> Because *you* don't know what it means doesn't mean *nobody* knows what
> it means.
>
Snort. Been in this situation a few times. Go to MS site, either not
find anything on it at all, or find something so moronically unhelpful
that you might as well have asked the family dog, "Bark, bark!". "Well,
you are real helpful, I already knew it was application X that crashed,
I want to know fracking *why*!" lol Seriously, again, why not something
that at least told you what the codes "mean" in some usable way, as one
of the available tools?
--
void main () {
If Schrödingers_cat is alive or version > 98 {
if version = "Vista" {
call slow_by_half();
call DRM_everything();
}
call functional_code();
}
else
call crash_windows();
}
Patrick Elliott wrote:
> that at least told you what the codes "mean" in some usable way, as one
> of the available tools?
Did you try putting the code into the link I offered? You know, the one with
the drop-down box letting you specify the program, the code, the sub-code,
and it spits back an explanation?
--
Darren New, San Diego CA, USA (PST)
"Ouch ouch ouch!"
"What's wrong? Noodles too hot?"
"No, I have Chopstick Tunnel Syndrome."