Welcome to WinForumz.com!
FAQFAQ      ProfileProfile    Private MessagesPrivate Messages   Log inLog in

DhcpNameServer changes after login

  
   Windows XP Arc2 (Home) -> Security Admin RSS
Next:  Firewall cannot turn on?  
Author Message
Spinnerdog

External


Since: Mar 26, 2006
Posts: 2



(Msg. 1) Posted: Sun Mar 26, 2006 2:57 pm
Post subject: DhcpNameServer changes after login
Archived from groups: microsoft>public>windowsxp>security_admin (more info?)
On a network with Server 2003 providing Active Directory and all its
elements, includeing DHCP and DNS, the name servers change a few seconds
after login. On any workstation running "ipconfig /all" within 30 seconds of
login shows the internal DNS servers but a few seconds later running
"ipconfig /all" shows external non-related DNS servers.

Using RegMON I can tell svchost is changing the registry but I don't know
how to determin what is calling svchost. I've also used HiJackThis and found
nothing unusual in the registry or startup. The external nameservers are not
listed in the registry, at least not as text either.

 >> Stay informed about: DhcpNameServer changes after login 
Back to top
Login to vote
Steven L Umbach5

External


Since: Jul 05, 2004
Posts: 585



(Msg. 2) Posted: Sun Mar 26, 2006 9:57 pm
Post subject: Re: DhcpNameServer changes after login [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
Does it show that the computer has a new DHCP server also with ipconfig
/all?? If so you may have an unauthorized DHCP server/device on your
network. It is curious that the computer would change so fast as DHCP leases
are usually 8 days unless you or the computer are using something like
ipconfig /release and renew or a scrip that uses netsh command to
reconfigure the settings. I would also run rsop.msc to see if any Group
Policy settings [including scripts] are enforcing DNS servers in computer
configuration. You may also want to post in the server.networking
newsgroup. --- Steve


"Spinnerdog" <Spinnerdog.TakeThisOut@discussions.microsoft.com> wrote in message
news:56D3934F-7555-4086-86B9-F77D589DCCCF@microsoft.com...
> On a network with Server 2003 providing Active Directory and all its
> elements, includeing DHCP and DNS, the name servers change a few seconds
> after login. On any workstation running "ipconfig /all" within 30 seconds
> of
> login shows the internal DNS servers but a few seconds later running
> "ipconfig /all" shows external non-related DNS servers.
>
> Using RegMON I can tell svchost is changing the registry but I don't know
> how to determin what is calling svchost. I've also used HiJackThis and
> found
> nothing unusual in the registry or startup. The external nameservers are
> not
> listed in the registry, at least not as text either.
>
>

 >> Stay informed about: DhcpNameServer changes after login 
Back to top
Login to vote
Spinnerdog

External


Since: Mar 26, 2006
Posts: 2



(Msg. 3) Posted: Mon Mar 27, 2006 4:03 am
Post subject: Re: DhcpNameServer changes after login [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
Thanks for the suggestion. The DHCP server address does not change. I also
place my laptop on the network, with firewall turned off, and it never
changed. I suspect one of their standard applications is making the change
but don't know of a way to trace calls to svchost.

"Steven L Umbach" wrote:

> Does it show that the computer has a new DHCP server also with ipconfig
> /all?? If so you may have an unauthorized DHCP server/device on your
> network. It is curious that the computer would change so fast as DHCP leases
> are usually 8 days unless you or the computer are using something like
> ipconfig /release and renew or a scrip that uses netsh command to
> reconfigure the settings. I would also run rsop.msc to see if any Group
> Policy settings [including scripts] are enforcing DNS servers in computer
> configuration. You may also want to post in the server.networking
> newsgroup. --- Steve
>
>
> "Spinnerdog" <Spinnerdog.DeleteThis@discussions.microsoft.com> wrote in message
> news:56D3934F-7555-4086-86B9-F77D589DCCCF@microsoft.com...
> > On a network with Server 2003 providing Active Directory and all its
> > elements, includeing DHCP and DNS, the name servers change a few seconds
> > after login. On any workstation running "ipconfig /all" within 30 seconds
> > of
> > login shows the internal DNS servers but a few seconds later running
> > "ipconfig /all" shows external non-related DNS servers.
> >
> > Using RegMON I can tell svchost is changing the registry but I don't know
> > how to determin what is calling svchost. I've also used HiJackThis and
> > found
> > nothing unusual in the registry or startup. The external nameservers are
> > not
> > listed in the registry, at least not as text either.
> >
> >
>
>
>
 >> Stay informed about: DhcpNameServer changes after login 
Back to top
Login to vote
Steven L Umbach5

External


Since: Jul 05, 2004
Posts: 585



(Msg. 4) Posted: Mon Mar 27, 2006 6:39 pm
Post subject: Re: DhcpNameServer changes after login [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
Interesting. I would also run rsop.msc on the computer and look for any
configuration under computer configuration/administrative
templates/network/dnsclient. The other thing you could try is to enable
auditing of process tracking in Local Security Policy to see what
processes/executables are running as shown in the security log just before
you see the change with regmon and also use filemon to see if it can tell
anything useful. --- Steve


"Spinnerdog" <Spinnerdog.TakeThisOut@discussions.microsoft.com> wrote in message
news:C1932133-3DFD-4F1B-BFBC-CBF3FDB31F6A@microsoft.com...
> Thanks for the suggestion. The DHCP server address does not change. I
> also
> place my laptop on the network, with firewall turned off, and it never
> changed. I suspect one of their standard applications is making the
> change
> but don't know of a way to trace calls to svchost.
>
> "Steven L Umbach" wrote:
>
>> Does it show that the computer has a new DHCP server also with ipconfig
>> /all?? If so you may have an unauthorized DHCP server/device on your
>> network. It is curious that the computer would change so fast as DHCP
>> leases
>> are usually 8 days unless you or the computer are using something like
>> ipconfig /release and renew or a scrip that uses netsh command to
>> reconfigure the settings. I would also run rsop.msc to see if any Group
>> Policy settings [including scripts] are enforcing DNS servers in computer
>> configuration. You may also want to post in the server.networking
>> newsgroup. --- Steve
>>
>>
>> "Spinnerdog" <Spinnerdog.TakeThisOut@discussions.microsoft.com> wrote in message
>> news:56D3934F-7555-4086-86B9-F77D589DCCCF@microsoft.com...
>> > On a network with Server 2003 providing Active Directory and all its
>> > elements, includeing DHCP and DNS, the name servers change a few
>> > seconds
>> > after login. On any workstation running "ipconfig /all" within 30
>> > seconds
>> > of
>> > login shows the internal DNS servers but a few seconds later running
>> > "ipconfig /all" shows external non-related DNS servers.
>> >
>> > Using RegMON I can tell svchost is changing the registry but I don't
>> > know
>> > how to determin what is calling svchost. I've also used HiJackThis and
>> > found
>> > nothing unusual in the registry or startup. The external nameservers
>> > are
>> > not
>> > listed in the registry, at least not as text either.
>> >
>> >
>>
>>
>>
 >> Stay informed about: DhcpNameServer changes after login 
Back to top
Login to vote
Display posts from previous:   
   Windows XP Arc2 (Home) -> Security Admin All times are: Eastern Time (US & Canada) (change)
Page 1 of 1

 
 You can post new topics in this forum
You can reply to topics in this forum
You can edit your posts in this forum
You can delete your posts in this forum
You can vote in polls in this forum

Categories:
 Windows XP
 Windows Vista!
 Win 2000/NT/98/ME

[ Contact us | Terms of Service/Privacy Policy ]