This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

"You do not have sufficient privileges"

"You do not have sufficient privileges to run the Sophos Endpoint Security and Control main application"

Windows Security tray icon shows a white X on a red background stating that I currently have no antivirus loaded.

I can't access my Sophos Control panel, as it gives me the error in the subject line.  I can right-click on the tray icon and "Update Now" but cannot load the main program.

Task Manager shows that SavService.exe is running, taking 120.192 Megs of memory.

I checked the user groups specified in the error message with the following command:

>net localgroup

---------------------------------------------
*Administrators
*boinc_admins
*boinc_projects
*boinc_users
*Guests
*HelpServicesGroup
*SophosAdministrator
*SophosOnAccess
*SophosPowerUser
*SophosUser
*Users
The command completed successfully.

I was already in the group SophosAdministrator, but manually added myself to the other 3 Sophos groups (and have since rebooted my PC).

I am running WinXP Home 32 bit, SP3, fully patched via Windows Update.  Also running Ad-Aware (fully updated).

Before my sophos problem

Recently, I added about 3 programs to my PC.  A couple of days ago I had a BSOD-type error, which resulted in a reboot of my system.  I believe Sophos loaded properly after that point.  However, I elected to see which program had crashed my computer, which led me to using the Windows (or Microsoft?) LiveCare through-the-web scanner.  Unfamiliar with the interface, I must have told it to make all recommended changes to my system - I do not know if this resulted in the removal of any Sophos-critical files.  In any case, at this time I also ran Windows Update (which I had last run about a week to 10 days prior), which had about 20 high-priority updates available for me to download.  I installed these.  Upon the next reboot of the system, Sophos wasn't working.

Since my problem began

I added my username to other Sophos groups

I've downloaded and have run VundoFix (I had read that Vundo can knock out Sophos) - no infections found.

I ran sav32cli from the Sophos directory command line (no problems with executing that, but I'm not sure it scanned all files on all hard drives or anything; it did scan 8 boot sectors and found no infections).

Possible resolutions?

The LiveCare antivirus program said that it created a system restore point.  Should I just roll back to that?

Do you need to see a dump from HijackThis?

Should I see if I have the installer for Sophos and reinstall that again?  Any idea what the installer exe is typically named?  I put this on my system a few years ago and have several hundred gigs of stuff :P

:3370


  • Following the advice in this thread:

    PsGetSid shows all usergroups are properly linked with machine.xml

    Sysinternals process monitor shows the following Access Denied messages associated with the restart of the service

    9:14:17.6472213 PM SavService.exe 3728 RegCreateKey HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon ACCESS DENIED Desired Access: Read/Write
    9:14:17.6475441 PM SavService.exe 3728 RegCreateKey HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon ACCESS DENIED Desired Access: Read/Write
    9:14:17.6494245 PM SavService.exe 3728 QueryOpen C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp ACCESS DENIED 
    9:14:17.6503620 PM SavService.exe 3728 QueryOpen C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp ACCESS DENIED 
    9:14:17.6513337 PM SavService.exe 3728 QueryOpen C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files ACCESS DENIED 
    9:14:17.6514952 PM SavService.exe 3728 RegOpenKey HKU\S-1-5-18 ACCESS DENIED Desired Access: Create Sub Key
    9:14:58.2215241 PM SavService.exe 3212 RegSetValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData ACCESS DENIED Type: REG_SZ, Length: 106, Data: C:\Documents and Settings\All Users\Application Data
    9:15:18.6274181 PM SavService.exe 3212 RegCreateKey HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon ACCESS DENIED Desired Access: Read/Write
    9:15:18.6277040 PM SavService.exe 3212 RegCreateKey HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon ACCESS DENIED Desired Access: Read/Write
    9:15:18.6297896 PM SavService.exe 3212 QueryOpen C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp ACCESS DENIED 
    9:15:18.6314310 PM SavService.exe 3212 QueryOpen C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp ACCESS DENIED 
    9:15:18.6323037 PM SavService.exe 3212 QueryOpen C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files ACCESS DENIED 
    9:15:18.6324715 PM SavService.exe 3212 RegOpenKey HKU\S-1-5-18 ACCESS DENIED Desired Access: Create Sub Key
    9:15:18.6727311 PM SavService.exe 3212 RegCreateKey HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon ACCESS DENIED Desired Access: Read/Write
    9:15:18.6737879 PM SavService.exe 3212 RegCreateKey HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon ACCESS DENIED Desired Access: Read/Write
    9:15:18.6759475 PM SavService.exe 3212 QueryOpen C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp ACCESS DENIED 
    9:15:18.6768282 PM SavService.exe 3212 QueryOpen C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp ACCESS DENIED 
    9:15:18.6776766 PM SavService.exe 3212 QueryOpen C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files ACCESS DENIED 
    9:15:18.6778744 PM SavService.exe 3212 RegOpenKey HKU\S-1-5-18 ACCESS DENIED Desired Access: Create Sub Key
    9:15:18.7044254 PM SavService.exe 3212 RegCreateKey HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon ACCESS DENIED Desired Access: Read/Write
    9:15:18.7047111 PM SavService.exe 3212 RegCreateKey HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon ACCESS DENIED Desired Access: Read/Write
    9:15:18.7064071 PM SavService.exe 3212 QueryOpen C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp ACCESS DENIED 
    9:15:18.7077344 PM SavService.exe 3212 QueryOpen C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp ACCESS DENIED 
    9:15:18.7085501 PM SavService.exe 3212 QueryOpen C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files ACCESS DENIED 
    9:15:18.7087061 PM SavService.exe 3212 RegOpenKey HKU\S-1-5-18 ACCESS DENIED Desired Access: Create Sub Key

    I'm confused as to what exactly to do for this step "7. Fix any permission problems on either the registry or files that are incorrect.  Ideally using a reference system to compare ACLs."

    I don't have a reference system.  How do I authorize SavService to make registry changes as well as QueryOpen file mods?

    :3371
  • Hello MDP,

    thanks for not posting the HijackThis log ... and thumbs up for doing your own research before posting here. Are you administering Sophos at your site or are you "just" a user (in which case your Sophos administrator should also be able to help you). Anyway - posts like this deserve a detailed answer.

    savservice.exe should run as NT AUTHORITY\LocalService.

    Permissions for the mentioned HKU subkeys should be inherited from HKU\.DEFAULT and be Full Control for SYSTEM and Administrators, Read for Users and Power Users, and Special (Full Control, subkeys only) for CREATOR OWNER. Same permissions for HKU\S-1-5-18; the HKLM\Software tree has additional permissions for Power Users.

    C:\WINDOWS\system32\config\systemprofile should have non-inherited Full Control permissions for SYSTEM and Administrators.

    If the settings are not as above try to correct them. If your changes don't stick then I guess "something"'s trying to protect you from "something else". You could monitor one of the affected keys. I think it's also possible that some program intercepts the calls. Can't say though if one of the programs you mentioned would cause these symptoms.

    Christian

    :3373
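The checks in the reply above (which account the service runs under, and who holds Full Control on the keys and folders named in the Process Monitor trace) can be run on a single machine without a reference system. The script below is an added example written for this page; it is not code from the thread or from Sophos. It assumes PowerShell 2.0 or later (available for XP SP3 through the Windows Management Framework) and that the service is registered under the name 'SAVService'; if `sc query` shows a different name, change `$svcName`. Run it from an administrator prompt.

```powershell
# Added example (not from the thread or from Sophos): report the service account and the
# ACLs on the objects that produced ACCESS DENIED entries, plus the parents they inherit from.
# Assumptions: PowerShell 2.0+; the service name 'SAVService' (verify with: sc query).
$svcName = 'SAVService'

# 1. Account the service runs under. The reply above says NT AUTHORITY\LocalService.
#    Note: HKU\S-1-5-18 and system32\config\systemprofile, both seen in the trace, are the
#    hive and profile of the LocalSystem account, so the reported account is worth reading.
$svc = Get-WmiObject Win32_Service -Filter "Name='$svcName'"
if ($svc) {
    "{0}: state={1} account={2} binary={3}" -f $svc.Name, $svc.State, $svc.StartName, $svc.PathName
} else {
    "Service '$svcName' not found; list services with: sc query"
}

# 2. Objects from the Process Monitor entries, with the keys/folders they inherit from.
$targets = @(
    'Registry::HKEY_USERS\.DEFAULT',
    'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'Registry::HKEY_USERS\S-1-5-18',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders',
    (Join-Path $env:SystemRoot 'system32\config\systemprofile'),
    (Join-Path $env:SystemRoot 'system32\config\systemprofile\Local Settings\Temp')
)

# Per the reply, both of these must hold Full Control on every target.
$mustHaveFull = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

function Get-RuleRights($rule) {
    # Registry and file-system ACEs expose their rights under different property names.
    if ($rule -is [System.Security.AccessControl.RegistryAccessRule]) { $rule.RegistryRights }
    else { $rule.FileSystemRights }
}

foreach ($t in $targets) {
    if (-not (Test-Path -Path $t)) { "MISSING  $t"; continue }
    $acl = Get-Acl -Path $t
    ""
    "== $t"
    "   owner: $($acl.Owner)   inheritance blocked: $($acl.AreAccessRulesProtected)"
    foreach ($r in $acl.Access) {
        "   {0,-5} {1,-32} {2,-28} inherited={3}" -f $r.AccessControlType, $r.IdentityReference, (Get-RuleRights $r), $r.IsInherited
    }
    # Flag what a practitioner looks for first: any Deny ACE, and SYSTEM or Administrators
    # without an Allow/FullControl entry.
    foreach ($r in $acl.Access) {
        if ($r.AccessControlType -eq 'Deny') { "   !! DENY entry for $($r.IdentityReference)" }
    }
    foreach ($id in $mustHaveFull) {
        $full = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $id -and $_.AccessControlType -eq 'Allow' -and
            ((Get-RuleRights $_).ToString() -match 'FullControl')
        }
        if (-not $full) { "   !! $id lacks an Allow/FullControl entry" }
    }
}
```

Run it once before the settings are changed and once after a reboot; a difference between the two runs is the "something that reverts the settings" to chase. On XP Home, where Explorer's Security tab is only shown in Safe Mode, the built-in `cacls.exe` displays and edits NTFS permissions from a command prompt without creating a share, which avoids the side effect of the Shared Folder wizard.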
  • I am using XP Home, so I don't know if that changes/qualifies any responses.  I am an "end user" and my local IT staff is typically unhelpful with such things.

    In any case, neither HKU\.DEFAULT nor S-1-5-18 has a Power Users group specified (nor can I seem to add it), but the other groups are set as indicated.  However, drilling to HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon, the CREATOR OWNER does NOT have full control to subkeys.

    On the indicated folder, using the shrpubw utility, "everyone" has full control to that folder - however, right-clicking for properties while browsing through "My Computer" shows that I can't view permissions this way because it's a system folder.  Using shrpubw I added SYSTEM and Administrators to full control for that folder.  However, this also added "The folder is shared with these network users: Microsoft Windows clients".  Is there a way to change permissions without sharing it?  Or a way to block outside users from connecting to this folder?

    :3374
  • Decided to attempt to uninstall/reinstall sophos.  That did not solve the problem.  Sorry for jumping the gun on that

    700+ Access Denied messages in sysinternals process monitor during the install process, all but two from SavService.exe

    Those two were

    8:20:45.3390147 AM RUNDLL32.EXE 416 CreateFile C:\WINDOWS\system32\drivers\SET27.tmp ACCESS DENIED Desired Access: Generic Write, Read Attributes, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a
    8:20:45.3867265 AM RUNDLL32.EXE 416 CreateFile C:\WINDOWS\system32\drivers\SET28.tmp ACCESS DENIED Desired Access: Generic Write, Read Attributes, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a

    Right now it's up to 6900 such errors in less than 5 minutes of the system running.

    I now also see the following (with two spanning SavService entries for reference)

    8:27:24.9730491 AM SavService.exe 2636 RegOpenKey HKU\S-1-5-18 ACCESS DENIED Desired Access: Create Sub Key
    8:27:42.0827752 AM MsiExec.exe 528 CreateFile C:\antivirus\sophos\Sophos Anti-Virus\savonaccessdriv.inf ACCESS DENIED Desired Access: Generic Write, Read Attributes, Delete, Disposition: OverwriteIf, Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File, Attributes: A, ShareMode: None, AllocationSize: 0
    8:27:42.0835882 AM MsiExec.exe 528 CreateFile C:\antivirus\sophos\Sophos Anti-Virus\savonaccessdriv.inf ACCESS DENIED Desired Access: Generic Write, Read Attributes, Delete, Disposition: OverwriteIf, Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File, Attributes: A, ShareMode: Read, Write, AllocationSize: 0
    8:27:42.0843658 AM MsiExec.exe 528 CreateFile C:\antivirus\sophos\Sophos Anti-Virus\savonaccessdriv.inf ACCESS DENIED Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf, Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File, Attributes: A, ShareMode: Read, Write, AllocationSize: 0
    8:27:42.1012176 AM MsiExec.exe 528 CreateFile C:\antivirus\sophos\Sophos Anti-Virus\sdcfilter.inf ACCESS DENIED Desired Access: Generic Write, Read Attributes, Delete, Disposition: OverwriteIf, Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File, Attributes: A, ShareMode: None, AllocationSize: 0
    8:27:42.1019744 AM MsiExec.exe 528 CreateFile C:\antivirus\sophos\Sophos Anti-Virus\sdcfilter.inf ACCESS DENIED Desired Access: Generic Write, Read Attributes, Delete, Disposition: OverwriteIf, Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File, Attributes: A, ShareMode: Read, Write, AllocationSize: 0
    8:27:42.1026931 AM MsiExec.exe 528 CreateFile C:\antivirus\sophos\Sophos Anti-Virus\sdcfilter.inf ACCESS DENIED Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf, Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File, Attributes: A, ShareMode: Read, Write, AllocationSize: 0
    8:28:55.4088746 AM SavService.exe 4072 RegSetValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData ACCESS DENIED Type: REG_SZ, Length: 106, Data: C:\Documents and Settings\All Users\Application Data

    Note the two different PIDs for SavService.  Is that normal? All prior instances were PID 2636, all later 4072 

    How do I check what is blocking SavService from writing to the registry?  I'll run the Windows Live virus scanner again and see if it finds anything new.  This is seeming very virusey.

    :3375
  • oooooookay.  as I was running the Microsoft Windows Malicious Software Removal Tool (no files found infected) and running http://onecare.live.com/site/en-us/scanner/default_scan.htm I can suddenly access my Sophos Endpoint Security and Control.

    I do not know if a) Microsoft Onecare had somehow knocked out my Sophos between runs b) the virus is able to hide from/disable Sophos but is programmed to be "scared of" Onecare and remove itself from memory and stop blocking Sophos or c) it just took a while for my reinstall of Sophos to "take".

    I will let OneCare run today while I'm at work and will report back after my next system reboot if everything is back to normal.

    :3376
    "I am using XP Home"

    Sorry I didn't ask - settings are for Pro. The Home versions offer "limited options" when it comes to security settings.  

    "the virus is able to hide from/disable Sophos but is programmed to be "scared of" Onecare"

    :-) - fancy thought. Who would write something like this? A Microsoft fan? Or someone assuming that users having seen the superiority of OneCare will ditch their third-party scanners in favour of Microsoft's, and then mount an attack taking advantage of a uniform environment?

    Christian

    :3377
  • After the reboot, it went back to the mode where I cannot access Endpoint Security and Control.

    So, I decided to try to see if things magically turned on again when I launch OneCare Live.  I tried the "quickscan" option this time - it reported it was about 25% complete when I elected to abort it, as I didn't see a change.  I am also trying the Malicious Software Removal Tool (even though it found nothing last time, I wasn't sure if it "tripped" anything).  I am trying the full virus/spyware scanner of OneCare yet again, but the last run took over 12 hours, so I will probably be aborting it when it's about 5% of the way in.

    Thoughts?  Further advice?

    :3382
  • poking around, I saw the following

    C:\Documents and Settings\temp>net user

    User accounts for \\DUOCORE-BExxxxx

    ------------------------------------------------------------------
    Administrator            ASPNET                   Guest
    HelpAssistant            SophosSAUDUOCORE-BE0     SUPPORT_388945a0
    temp
    The command completed successfully.

    The SophosSAU user is not in any of the Sophos localgroups.  Is that okay?

    Also not sure what the Support or HelpAssistant accounts are for.  Administrator is not one I personally use, but I take that is an umbrella account?

    :3383
  • It's correct that the SophosSAU user is in no group. As for the others I quote their descriptions:

    SUPPORT_388945a0 - This is a vendor's account for the Help and Support Service

    HelpAssistant - Account for Providing Remote Assistance

    Administrator - Built-in account for administering the computer/domain

    Once it works again check if the settings are still correct before rebooting. Sysinternal's AutoRuns shows you what will run at startup - maybe you find this "something" which reverts the settings. And Process Monitor has a boot logging feature which could help to find out what happens on a reboot.

    Christian

    :3388
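A boot log from Process Monitor is large, and the thread's own counts (700+ and later 6900+ entries) show why reading it line by line does not work. The script below is an added example written for this page, not code from the thread or from Sysinternals: it summarises a Process Monitor CSV export (File > Save..., format CSV) by process, operation and path, lists the PIDs seen for each, and converts the registry paths into the `Registry::` form that `Get-Acl` and `Test-Path` accept. The CSV header is Process Monitor's default column set; the rows are constructed from entries quoted earlier in this thread, not a saved trace. Grouping is by process name rather than PID because a service that is stopped and started again runs as a new process with a new PID.

```powershell
# Added example (not from the thread or from Sysinternals): triage of a Process Monitor
# CSV export. The header is Process Monitor's default column set; the rows below are
# constructed from entries quoted in this thread for illustration, not a real trace.
$sample = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:14:17.6472213 PM","SavService.exe","3728","RegCreateKey","HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon","ACCESS DENIED","Desired Access: Read/Write"
"9:14:17.6494245 PM","SavService.exe","3728","QueryOpen","C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp","ACCESS DENIED",""
"9:14:17.6514952 PM","SavService.exe","3728","RegOpenKey","HKU\S-1-5-18","ACCESS DENIED","Desired Access: Create Sub Key"
"9:15:18.6274181 PM","SavService.exe","3212","RegCreateKey","HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon","ACCESS DENIED","Desired Access: Read/Write"
"9:15:18.6324715 PM","SavService.exe","3212","RegOpenKey","HKU\S-1-5-18","ACCESS DENIED","Desired Access: Create Sub Key"
"9:15:20.0000000 PM","SavService.exe","3212","RegQueryValue","HKLM\SOFTWARE\Sophos\SAVService\Status","SUCCESS","Type: REG_DWORD"
'@

function ConvertTo-ProviderPath {
    # Turn a Process Monitor path (HKU\..., HKLM\..., or a file path) into one that
    # Get-Acl and Test-Path accept. File paths are returned unchanged.
    param([string]$Path)
    $hives = @{ 'HKLM' = 'HKEY_LOCAL_MACHINE'; 'HKU' = 'HKEY_USERS';
                'HKCU' = 'HKEY_CURRENT_USER';  'HKCR' = 'HKEY_CLASSES_ROOT' }
    if ($Path -match '^(HKLM|HKU|HKCU|HKCR)(\\.*)?$') {
        return 'Registry::' + $hives[$matches[1]] + $matches[2]
    }
    return $Path
}

function Get-DeniedSummary {
    # One row per (process, operation, path) that was denied, most frequent first.
    param([string]$CsvText)
    $rows = $CsvText | ConvertFrom-Csv
    $rows | Where-Object { $_.Result -eq 'ACCESS DENIED' } |
        Group-Object -Property 'Process Name', Operation, Path |
        Sort-Object Count -Descending |
        ForEach-Object {
            $first = $_.Group[0]
            New-Object PSObject -Property @{
                Count     = $_.Count
                Process   = $first.'Process Name'
                PIDs      = ($_.Group | ForEach-Object { $_.PID } | Sort-Object -Unique) -join ','
                Operation = $first.Operation
                Path      = $first.Path
                CheckWith = ConvertTo-ProviderPath $first.Path
            }
        }
}

# Summary table, then the distinct objects whose ACLs need to be inspected.
Get-DeniedSummary $sample | Format-Table Count, Process, PIDs, Operation, Path -AutoSize
Get-DeniedSummary $sample | Select-Object -ExpandProperty CheckWith | Sort-Object -Unique
```

For a saved trace, replace `$sample` with the file contents, for example `Get-DeniedSummary ((Get-Content .\Logfile.CSV) -join "`n")`. With Boot Logging enabled (Options > Enable Boot Logging), the same summary run over the boot trace shows which process touches the affected keys and folders before SavService does, which is the question the reply above is asking.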
    As an update, I attempted a series of rollbacks to prior system configurations (saved over the two weeks prior to this problem occurring).  In all of these, the Microsoft protection tool (can't recall the name) reported an error state saying that Sophos (or any other antivirus) was not loaded.  In at least a couple of cases, I could access the Sophos Endpoint Security and Control, but everything but "View Updating Log" was grayed out and I could not even go to Help->About (I could click on it, but it would load an error screen).

    I then uninstalled sophos again (autoupdater first, followed by main program)

    rebooted

    shut down several tray processes (AdAware, BOINC, SoundMax)

    installed sophos

    did "update now" - resulted in a yellow "!" state of sophos, saying some components needed reboot

    disabled (in msconfig) the following:

    Services->Cisco Systems, Inc. VPN Service

    Startup->

    dumprep 0 -k

    Adobe ARM

    Reader_sl

    Microsoft Protection tool still registered error (no antivirus loaded)

    Rebooted

    Now everything appears loaded (no "protection tool error", and I can access my Sophos endpoint).  However, ProcMon still reports periodic Access Denied events for SavService.

    I now have ProcMon configured to boot log.  I've downloaded AutoRuns, but there are so many entries I don't know where to start.  Nothing immediately leaps out at me, other than there are a few files that are instructed to be loaded that don't exist.  All of these seem like they would legitimately be part of the WinXP OS though.

    I noticed while I was installing Sophos (this time with the sound on) that I would periodically hear a "pop" noise - I believe similar to the sound the computer plays when you "Safely Remove Hardware".  In the past few months I've heard this somewhat frequently, but I do not see any changes to my tray or taskbar, etc. when I hear this noise.  Watching Task Manager, I don't see anything appear or go away when I hear this noise, but I haven't done any sort of in-depth analysis.  Other than when I heard it during the Sophos install, most of the time I hear it is when I move my mouse to interrupt the power save state (i.e., monitor off).  Obviously with the monitor off it's difficult for me to visually monitor changes in programs.

    In summary - at least for this current reboot, I'm not in an unprotected error state according to the OS.  However, some things that SavService is attempting are still being blocked.

    :3452