Altered system value

Risk Level: High

Check or Attack Name: Altered System Value

Platforms: Windows NT

Description:

The System value under the Winlogon registry key has been altered. This value determines which processes the system starts during boot. Any process listed in this value runs under the LocalSystem security context, and can therefore be used to add administrator users or alter any aspect of the operating system. If an attacker has altered this value, the system should be treated as compromised and reinstalled from known-good media.

Remedy:

Determine whether this value was altered legitimately or whether there is evidence of an attacker. Recommended permissions on the key are Administrators - Full Access, System - Full Access, and Everyone - Read Access.

Altering this key requires either physical access, or a Server Operator or Administrator level account. If an intruder is involved, consider this machine (and if it is a domain controller, the domain) compromised. If you believe that this computer's security is compromised:

  1. Immediately remove the computer from the network.
  2. Create a backup of the contents of the hard drive, or isolate the data on a non-networked storage device.
  3. Perform a low-level format of all hard drives on the computer.
  4. Reinstall the operating system.
  5. Configure the computer with the original user names, groups, and applications.
  6. Run Internet Scanner to determine vulnerabilities, and resolve detected vulnerabilities.
  7. Before using the files on the backup, scan all files using an up-to-date antivirus program, and copy only the files you know to be authorized on that computer.
  8. Reconnect the computer to the network.
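As an added example (not part of this X-Force entry), the following PowerShell script checks the Winlogon System value against a baseline recorded from a known-good installation and audits the key's ACL against the recommended permissions above. The registry path is the standard Winlogon key; the baseline value is a placeholder you must capture yourself.

```powershell
# Added example, not part of the X-Force entry. Audits the Winlogon "System"
# value against a baseline and the key's ACL against the recommended
# permissions (Administrators/SYSTEM full control, Everyone read only).
$KeyPath  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
# PLACEHOLDER: record this from a known-good installation of the same build.
$Baseline = ''

# Rights that allow the value to be changed; granting any of these to an
# identity outside $Trusted is reported as a finding.
$WriteRights = 'SetValue|CreateSubKey|Delete|WriteKey|ChangePermissions|TakeOwnership|FullControl'
$Trusted     = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

function Test-WinlogonSystemValue {
    $findings = @()

    # 1. Compare the current System value with the recorded baseline.
    $item = Get-ItemProperty -Path $KeyPath -Name 'System' -ErrorAction SilentlyContinue
    $current = if ($null -ne $item) { [string]$item.System } else { '' }
    if ($current -ne $Baseline) {
        $findings += "System value altered: expected '$Baseline', found '$current'"
    }

    # 2. Walk the key's ACL; any Allow ACE granting write-class rights to an
    #    untrusted identity (including Everyone) violates the recommendation.
    $acl = Get-Acl -Path $KeyPath
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id     = $ace.IdentityReference.Value
        $rights = $ace.RegistryRights.ToString()
        if ($Trusted -notcontains $id -and $rights -match $WriteRights) {
            $findings += "ACL: '$id' can modify the key ($rights); recommended Read only"
        }
    }
    return $findings
}

$result = @(Test-WinlogonSystemValue)
if ($result.Count -eq 0) {
    Write-Output 'OK: System value matches baseline and key ACL is as recommended'
} else {
    $result | ForEach-Object { Write-Output "FINDING: $_" }
    Write-Output 'Treat this host as potentially compromised and follow the remedy steps.'
}
```

Run it from an elevated session; a non-empty FINDING list is the condition this check reports, and the remedy steps above apply.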

References:
