Server 2008 - finding odd entries in Resource Monitor

Goption
Hi all,

A strange one.

I have a mystery "something" accessing the System process on my DC. In the performance manager it is showing up as using lsass.exe and the System process, and it goes by the name (Address field in the RM) of PCV.

I can also see a DHCP entry in the DHCP server for this; I have tried to ping it but to no avail.

How can I discover what this is?


Chris Dent, PowerShell Developer
Top Expert 2010

Commented:

The DHCP entry should have a MAC address associated with it; if you can find where that's plugged in it would be a good start. Are your switches managed (can you view the MAC table)?

Chris

Author

Commented:
Nope, all unmanaged switches unfortunately.

I have a new entry in it for DHCP as well...

This is really doing my nut in, I tell you....

Also I am now seeing a whole list of entries in the Resource Monitor which are using the DNS..... the DNS isn't accessible externally, so what could be causing this?

thanks
Chris Dent, PowerShell Developer
Top Expert 2010

Commented:

Are the hosts all showing local IP Addresses?

Chris

Author

Commented:
It's also appearing as a domain computer in Active Directory (PCV is).

Can I find what it's accessed and what it's been doing?

Author

Commented:
Nope, the DNS users are showing as external IP addresses and in some instances are being shown by names like auth200 or indigo.

I am concerned by the PCV entry though.....
Chris Dent, PowerShell Developer
Top Expert 2010

Commented:

You might check the Owner (Security tab), which may give an indication of who added it to the domain. That won't do much good if it was added by a member of Domain Admins though.

Chris

Author

Commented:
The owner is "Domain Admins".

:(

Is there any way we can see what this machine has done since it has been in the domain?

thanks
Chris Dent, PowerShell Developer
Top Expert 2010

Commented:

You could try looking through the Security logs; how much is in there depends on the level of auditing you enabled.

How many domain admins do you have? I would just ask who added it, but then, I don't like people having domain admin rights ;)

Chris

Author

Commented:
I'm the only one, that's why I'm a bit shocked!

Where should I begin looking?

Author

Commented:
Right, I have looked in the Security log and have found that "pcv" logs on every few minutes for a few seconds. I can't ping the DHCP address assigned to it though.

The user that is associated with the pcv machine is "pcv$". I can't find any record for a username like this?

Also I can see it's an XP machine, Service Pack 3.

What else can I do to determine where this machine is?
Chris Dent, PowerShell Developer
Top Expert 2010

Commented:

> I can't find any record for a username like this?

That's the machine account sAMAccountName (it means the machine is authenticating), if it's doing that we can make the assumption that it's online.

I guess you can't access the c$ share? It's entirely possible it's running a Firewall preventing you accessing it. It might be worth seeing if WMI is accessible, that would allow us to get things like the PC model, but if there's a firewall...

Let's give it a shot anyway. Run this script (it's VBScript, and will need saving as .vbs). Let me know if it throws an error, but if it does it's likely that the machine isn't accessible.

Chris
' Connect to WMI on the computer PCV (fails with an error if the host is offline
' or a firewall blocks DCOM/RPC)
Dim objWMI : Set objWMI = GetObject("winmgmts:\\pcv\root\CIMV2")

' Get information about the computer system
Dim colItems : Set colItems = objWMI.ExecQuery("SELECT * FROM Win32_ComputerSystem")

' Print the hardware identity and the currently logged-on user
For Each objItem In colItems
  WScript.Echo "Name: " & objItem.Name & vbCrLf & _
    "Manufacturer: " & objItem.Manufacturer & vbCrLf & _
    "Model: " & objItem.Model & vbCrLf & _
    "UserName: " & objItem.UserName
Next


Author

Commented:
Exactly as you predicted, the script pulled back an error that it can't connect to the machine....
Chris Dent, PowerShell Developer
Top Expert 2010

Commented:

How many machines do you have? You might be only left with the old fashioned way (wandering around prodding people).

Chris

Author

Commented:
Not that many any more considering the recession! I'd say about 20!

No one has admin control, and I've interrogated everybody about what they may have brought into the network?
Chris Dent, PowerShell Developer
Top Expert 2010

Commented:

Disable the computer account and see if anyone becomes upset?

Chris
Commented:
I don't know if that's such a good idea :(

I have the following in the event log:

An account was successfully logged on.

Subject:
      Security ID:            NULL SID
      Account Name:            -
      Account Domain:            -
      Logon ID:            0x0

Logon Type:                  3

New Logon:
      Security ID:            GOMSUK\PCV$
      Account Name:            PCV$
      Account Domain:            GOMSUK
      Logon ID:            0x17909a4c
      Logon GUID:            {6f16ce37-aa62-74a1-ab62-b8cf55fa0643}

Process Information:
      Process ID:            0x0
      Process Name:            -

Network Information:
      Workstation Name:      
      Source Network Address:      192.168.2.85
      Source Port:            4122

Detailed Authentication Information:
      Logon Process:            Kerberos
      Authentication Package:      Kerberos
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0
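Chris's suggestion of working through the Security log, and the 4624 event pasted above, are what this added example illustrates (it is not part of the thread). The Python below parses event text exported in that "Section:" / "Field: value" layout and groups network (type 3) logons by computer accounts per source address, which is the field that ties an account such as PCV$ to a host to trace. The sample events are constructed; jsmith and 192.168.2.40 are made-up values, and it is assumed the log was exported as plain text in the layout shown.

```python
from collections import defaultdict
# Constructed sample (not from the thread): two 4624 events in the same
# "Section:" / "Field: value" layout as pasted above, trimmed to the fields used.
SAMPLE_LOG = """\
An account was successfully logged on.
Subject:
      Account Name:            -
Logon Type:                  3
New Logon:
      Account Name:            PCV$
Network Information:
      Source Network Address:      192.168.2.85
An account was successfully logged on.
Logon Type:                  3
New Logon:
      Account Name:            jsmith
Network Information:
      Source Network Address:      192.168.2.40
"""

def parse_4624_events(text):
    # One dict per event, keyed "Section/Field" (Subject and New Logon both
    # carry an "Account Name", so the section must be part of the key).
    events, section = [], None
    for line in text.splitlines():
        if line == "An account was successfully logged on.":
            events.append({})
            section = None
        elif ":" in line and events:
            key, _, value = line.strip().partition(":")
            if not line.startswith(" "):  # unindented: "Section:" header or top-level field
                section = key.strip() if not value.strip() else None
            if value.strip() or line.startswith(" "):
                field = f"{section}/{key.strip()}" if section else key.strip()
                events[-1][field] = value.strip() or "-"
    return events

def machine_account_network_logons(events):
    # Type-3 (network) logons by computer accounts ("$" suffix), grouped by
    # source IP, which ties an account such as PCV$ to an address to trace.
    by_source = defaultdict(set)
    for ev in events:
        account = ev.get("New Logon/Account Name", "")
        if ev.get("Logon Type") == "3" and account.endswith("$"):
            by_source[ev.get("Network Information/Source Network Address", "-")].add(account)
    return {src: sorted(names) for src, names in by_source.items()}
```

Feeding the whole exported log in shows every address a machine account has authenticated from; a user logon such as jsmith is left out because only "$" accounts are kept.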
