In Windows 10 there is a value, LastLogOffEndTimePerfCounter, in the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. So I need to syscheck this key, but I need to ignore the value LastLogOffEndTimePerfCounter. I tried to add a local rule:

```xml
<rule id="100013" level="0">
  <if_group>syscheck</if_group>
  <match>LastLogOffEndTimePerfCounter</match>
  <description>Ignore changes to winlogon</description>
</rule>
```

but it did not help.

Victor Fernandez, Oct 24, 2019, 5:36:40 AM, to ITS spec, Wazuh mailing list

Hi,

I'm afraid this is not currently possible. Syscheck produces a checksum for the entire key. The agent delivers the key and its checksum to the manager, but not the values.

Maybe it's possible to implement this kind of filter on the agent side, with an option like:

```xml
<windows_registry restrict="!LastLogOffEndTimePerfCounter">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>
```

Best regards,

ITS spec, Oct 24, 2019, 6:44:32 PM, to Wazuh mailing list

Hi, Victor. I did not quite understand: where do I need to add this option? I tried to add it in the `<!-- Windows registry entries to monitor. -->` section in agent.conf, but I got an error in ossec.log:

```
ERROR: (1243): Invalid attribute 'restrict' in the configuration: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'.
```

Also, I can't find information about the attribute 'restrict' in the Wazuh docs. Is it an undocumented feature?

On Wednesday, October 23, 2019 at 21:36:40 UTC+3, Victor Fernandez wrote:

Victor Fernandez, Oct 25, 2019, 4:31:40 PM, to ITS spec, Wazuh mailing list

Hi ITS,

I meant that this is not currently possible; there is no option to achieve this use case. The option restrict only applies to the element `<directories>`, not to `<windows_registry>`.

On the other hand, I think this is an interesting use case, and I wonder if you would find that option helpful.
I've opened a feature request for you: 4150

Alex, Oct 25, 2019, 8:06:02 PM, to Wazuh mailing list

Hi, Victor. Yes, I find that option very helpful, and I would be grateful if that option is implemented. I have some more values from different keys that I need to ignore, and without this option it causes many problems for me. Thank you, Victor.

On Friday, October 25, 2019 at 8:31:40 UTC+3, Victor Fernandez wrote:

Victor Fernandez, Oct 25, 2019, 9:45:32 PM, to Alex, Wazuh mailing list

Hi Alex,

That's great, let me discuss that with the team; hope to implement it very soon. We will keep you posted.

Turn on automatic logon in Windows
This article describes how to configure Windows to automate the logon process by storing your password and other pertinent information in the registry database. By using this feature, other users can start your computer and use the account that you establish to automatically log on.

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows 10, Windows 11

Original KB number: 324737

Important

The autologon feature is provided as a convenience. However, this feature may be a security risk. If you set a computer for autologon, anyone who can physically obtain access to the computer can gain access to all the computer's contents, including any networks it is connected to. Additionally, when autologon is turned on, the password is stored in the registry in plain text. The specific registry key that stores this value can be remotely read by the Authenticated Users group. This setting is recommended only for cases in which the computer is physically secured and steps have been taken to make sure that untrusted users cannot remotely access the registry.

Use Registry Editor to turn on automatic logon

Important

This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, see How to back up and restore the registry in Windows.

To use Registry Editor to turn on automatic logon, follow these steps:
For download and usage details, see Autologon - Sysinternals. After AutoAdminLogon is configured by using the tool, the password will be stored in a Local Security Authority (LSA) secret instead of the Winlogon key.
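
The following read-only PowerShell audit is an added example, not code from the Microsoft article or from Wazuh. It reports whether autologon is enabled and whether a plaintext password value sits in the Winlogon key, and it computes a value-level digest that skips LastLogOffEndTimePerfCounter, the volatile value from the mailing-list thread above. The function name `Get-WinlogonAudit` is hypothetical; `AutoAdminLogon`, `DefaultUserName` and `DefaultPassword` are the standard Winlogon value names, which the surviving text of this page does not list.

```powershell
# Added example: read-only audit of the Winlogon key (not Microsoft or Wazuh code).
$WinlogonPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
# Values that change at every logoff and make a whole-key checksum noisy.
$VolatileValues = @('LastLogOffEndTimePerfCounter')

function Get-WinlogonAudit {   # hypothetical helper name
    param(
        [string]$Path = $WinlogonPath,
        [string[]]$Ignore = $VolatileValues
    )
    $key   = Get-Item -LiteralPath $Path -ErrorAction Stop
    $names = $key.GetValueNames()

    # Value-level digest: hash sorted "name=data" lines, skipping ignored values,
    # so it changes only when a value that is still monitored changes.
    $lines = foreach ($name in ($names | Sort-Object)) {
        if ($Ignore -contains $name) { continue }
        # Keep the plaintext password out of anything that gets stored or shipped.
        $data = if ($name -eq 'DefaultPassword') { '<redacted>' } else { $key.GetValue($name) -join ',' }
        '{0}={1}' -f $name, $data
    }
    $bytes  = [System.Text.Encoding]::UTF8.GetBytes(($lines -join "`n"))
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $digest = -join ($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') })
    $sha.Dispose()

    [pscustomobject]@{
        AutoAdminLogon         = ([string]$key.GetValue('AutoAdminLogon', '0') -eq '1')
        PlaintextPasswordValue = ($names -contains 'DefaultPassword')
        DefaultUserName        = $key.GetValue('DefaultUserName')
        IgnoredValues          = $Ignore -join ', '
        StableSha256           = $digest
    }
}

$result = Get-WinlogonAudit
$result | Format-List
if ($result.PlaintextPasswordValue) {
    Write-Warning 'DefaultPassword exists in the Winlogon key: the autologon password is stored in plain text.'
} elseif ($result.AutoAdminLogon) {
    Write-Output 'AutoAdminLogon is on and no DefaultPassword value is in the Winlogon key.'
}
```

Comparing `StableSha256` against a stored baseline gives a change signal for the key that does not fire on every logoff.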
AutoAdminLogon and Active Directory domains

When a computer starts up, it may take some time until a network connection is established because of the following reasons:
The group policy (Always wait for the network at computer startup and logon) can help ensure the computer as a domain member waits for a domain network to become available. For more information, see the following articles:
The group policy can be used to delay the logon attempt until the group policy processing on boot is completed. It also ensures a network with domain controllers is available.

AutoAdminLogon and Microsoft Entra joined only computers

When a computer starts up, it may take some time until a network connection is established because of the following reasons:
No settings are available to delay the automatic user logon for a Microsoft Entra ID user until the network connectivity is available. The computer will attempt the logon and fail as no server endpoint is available to process the logon request.

Third-party information disclaimer

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.

Third-party information and solution disclaimer

The information and the solution in this document represent the current view of Microsoft Corporation on these issues as of the date of publication. This solution is available through Microsoft or through a third-party provider. Microsoft does not specifically recommend any third-party provider or third-party solution that this article might describe. There might also be other third-party providers or third-party solutions that this article does not describe. Because Microsoft must respond to changing market conditions, this information should not be interpreted to be a commitment by Microsoft. Microsoft cannot guarantee or endorse the accuracy of any information or of any solution that is presented by Microsoft or by any mentioned third-party provider.

Microsoft makes no warranties and excludes all representations, warranties, and conditions whether express, implied, or statutory. These conditions include but are not limited to representations, warranties, or conditions of title, non-infringement, satisfactory condition, merchantability, and fitness for a particular purpose, regarding any service, solution, product, or any other materials or information. In no event will Microsoft be liable for any third-party solution that this article mentions.