Error: hkey local machine software microsoft windows nt currentversion winlogon (2024)

In Windows 10 there is a value, LastLogOffEndTimePerfCounter, in the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.

I need to syscheck this key, but I need to ignore the value LastLogOffEndTimePerfCounter.

I tried to add a local rule:

```xml
<rule id="100013" level="0">
  <if_group>syscheck</if_group>
  <match>LastLogOffEndTimePerfCounter</match>
  <description>Ignore changes to winlogon</description>
</rule>
```

but it did not help.

Victor Fernandez

Oct 24, 2019, 5:36:40 AM

to ITS spec, Wazuh mailing list

Hi,

I'm afraid this is not currently possible. Syscheck produces a checksum for the entire key. The agent delivers the key and its checksum to the manager, but not the values.

Maybe it's possible to implement this kind of filter on the agent side, with an option like:

<windows_registry restrict="!LastLogOffEndTimePerfCounter">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>

Best regards,

ITS spec

Oct 24, 2019, 6:44:32 PM

to Wazuh mailing list

Hi, Victor.

I did not quite understand, where do I need to add this option?

I tried to add it in the <!-- Windows registry entries to monitor. --> section in agent.conf, but I got an error in ossec.log:

ERROR: (1243): Invalid attribute 'restrict' in the configuration: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'.

Also, I can't find information about the attribute 'restrict' in the Wazuh docs. Is it an undocumented feature?

On Wednesday, October 23, 2019 at 21:36:40 UTC+3, Victor Fernandez wrote:

Victor Fernandez

Oct 25, 2019, 4:31:40 PM

to ITS spec, Wazuh mailing list

Hi ITS,

I meant that this is not currently possible; there is no option to achieve this use case. The option restrict only applies to the element <directories>, not to <windows_registry>.

On the other hand, I think this is an interesting use case, and I wonder if you would find that option helpful.

I've opened a feature request for you:

4150

You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.

Alex

Oct 25, 2019, 8:06:02 PM

to Wazuh mailing list

Hi, Victor.

Yes, I find that option very helpful, and I will be grateful if that option is implemented.

I have some more values from different keys that I need to ignore, and without this option it causes many problems for me.

Thank you, Victor.

On Friday, October 25, 2019 at 8:31:40 UTC+3, Victor Fernandez wrote:

Victor Fernandez

Oct 25, 2019, 9:45:32 PM

to Alex, Wazuh mailing list

Hi Alex,

That's great, let me discuss that with the team; we hope to implement it very soon. We will keep you posted.

Turn on automatic logon in Windows

  • Article
  • 03/11/2024


This article describes how to configure Windows to automate the logon process by storing your password and other pertinent information in the registry database. By using this feature, other users can start your computer and use the account that you establish to automatically log on.

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows 10, Windows 11

Original KB number: 324737

Important

The autologon feature is provided as a convenience. However, this feature may be a security risk. If you set a computer for autologon, anyone who can physically obtain access to the computer can gain access to all the computer's contents, including any networks it is connected to. Additionally, when autologon is turned on, the password is stored in the registry in plain text. The specific registry key that stores this value can be remotely read by the Authenticated Users group. This setting is recommended only for cases in which the computer is physically secured and steps have been taken to make sure that untrusted users cannot remotely access the registry.

Use Registry Editor to turn on automatic logon

Important

This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, see How to back up and restore the registry in Windows.

To use Registry Editor to turn on automatic logon, follow these steps:

  1. Select Start, and then select Run.
  2. In the Open box, type Regedit.exe, and then press Enter.
  3. Locate the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon subkey in the registry.
  4. On the Edit menu, select New, and then point to String Value.
  5. Type AutoAdminLogon, and then press Enter.
  6. Double-click AutoAdminLogon.
  7. In the Edit String dialog box, type 1 and then select OK.
  8. Double-click the DefaultUserName entry, type your user name, and then select OK.
  9. Double-click the DefaultPassword entry, type your password, and then select OK.

    If the DefaultPassword value doesn't exist, it must be added. To add the value, follow these steps:

    1. On the Edit menu, select New, and then point to String Value.
    2. Type DefaultPassword, and then press Enter.
    3. Double-click DefaultPassword.
    4. In the Edit String dialog, type your password and then select OK.

    Note: If no DefaultPassword string is specified, Windows automatically changes the value of the AutoAdminLogon key from 1 (true) to 0 (false), disabling the AutoAdminLogon feature.
  10. If you have joined the computer to a domain, you should add the DefaultDomainName value, and the data for the value should be set as the fully qualified domain name (FQDN) of the domain, for example contoso.com.
  11. Exit Registry Editor.
  12. Select Start, select Shutdown, and then type a reason in the Comment text box.
  13. Select OK to turn off your computer.
  14. Restart your computer. You can now log on automatically.

For download and usage details of the Autologon tool, see Autologon - Sysinternals. After AutoAdminLogon is configured by using the tool, the password will be stored in a Local Security Authority (LSA) secret instead of the Winlogon key.
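A read-only audit of the Winlogon settings described above, as an added example that is not part of the original article. It reports whether autologon is on, whether a plaintext DefaultPassword value exists (without printing it), and which principals can read the key; the function name Get-AutologonAudit and the wording of the findings are assumptions made for illustration.

```powershell
# Added example (not from the original article): read-only audit of autologon settings.
# Get-AutologonAudit is a hypothetical helper name.
function Get-AutologonAudit {
    param(
        [string]$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    )
    $props = Get-ItemProperty -Path $KeyPath -ErrorAction Stop
    $names = $props.PSObject.Properties.Name

    # AutoAdminLogon is a string value; '1' means autologon is on.
    $enabled = ($names -contains 'AutoAdminLogon') -and ($props.AutoAdminLogon -eq '1')

    # Test only for the presence of DefaultPassword; its data is never output.
    $plaintext = ($names -contains 'DefaultPassword') -and
                 -not [string]::IsNullOrEmpty([string]$props.DefaultPassword)

    # Principals whose Allow ACEs include the right to query values on this key.
    $query = [int][System.Security.AccessControl.RegistryRights]::QueryValues
    $readers = (Get-Acl -Path $KeyPath).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       (([int]$_.RegistryRights -band $query) -ne 0) } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique

    if ($enabled -and $plaintext) {
        $finding = 'Autologon on; plaintext DefaultPassword stored in the Winlogon key'
    } elseif ($enabled) {
        $finding = 'Autologon on; no DefaultPassword in the key (for example, an LSA secret)'
    } elseif ($plaintext) {
        $finding = 'Autologon off, but a leftover DefaultPassword value is still present'
    } else {
        $finding = 'Autologon off; no DefaultPassword value'
    }

    [pscustomobject]@{
        AutoAdminLogon         = $enabled
        DefaultUserName        = $props.DefaultUserName
        PlaintextPasswordInKey = $plaintext
        PrincipalsWithRead     = $readers -join '; '
        Finding                = $finding
    }
}

Get-AutologonAudit | Format-List
```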

Note

  • To bypass the AutoAdminLogon process and to log on as a different user, press and hold the Shift key after you log off or after Windows restarts.
  • This registry change does not work if the Logon Banner value is defined on the server either by a Group Policy object (GPO) or by a local policy. When the policy is changed so that it does not affect the computer, the autologon feature works as expected.
  • When Exchange Active Sync (EAS) password restrictions are active, the autologon feature does not work. This behavior is by design. This behavior is caused by a change in Windows 8.1 and does not affect Windows 8 or earlier versions. To work around this behavior in Windows 8.1 and later versions, remove the EAS policies in Control Panel.
  • An interactive console logon that has a different user on the server changes the DefaultUserName registry entry as the last logged-on user indicator. AutoAdminLogon relies on the DefaultUserName entry to match the user and password. Therefore, AutoAdminLogon may fail. You can configure a shutdown script to set the correct DefaultUserName.

AutoAdminLogon and Active Directory domains

When a computer starts up, it may take some time until a network connection is established because of the following reasons:

  • Configuration of a dynamic IP address through the Dynamic Host Configuration Protocol (DHCP) configuration may necessitate the use of DHCP relays.
  • Requirement to authenticate to a wireless network access point.
  • Requirement to authenticate to wired network authentication services.
  • Other network services are required to establish a connection between the client network and a network with domain controllers.

The group policy (Always wait for the network at computer startup and logon) can help ensure the computer as a domain member waits for a domain network to become available. For more information, see the following articles:

  • Logon Optimization

The group policy can be used to delay the logon attempt until the group policy processing on boot is completed. It also ensures a network with domain controllers is available.

AutoAdminLogon and Microsoft Entra joined only computers

When a computer starts up, it may take some time until a network connection is established because of the following reasons:

  • Configuration of a dynamic IP address through the DHCP configuration may necessitate the use of DHCP relays.
  • Requirement to authenticate to a wireless network access point.
  • Requirement to authenticate to wired network authentication services.
  • Other network services are required to establish a connection between the client network and a network with Internet connectivity.

No settings are available to delay the automatic user logon for a Microsoft Entra ID user until the network connectivity is available. The computer will attempt the logon and fail as no server endpoint is available to process the logon request.
