Plse look in your Windows Updates if you installed some around that date. There were a few extra system updtaes around end of April.

Maybe MS changed some modules, which caused this.

I had non-security updates from Microsoft on April 27 (automatic updates disabled!). Firefox 4.0.1 was installed the next day. On the following day, April 29th, I uninstalled several programs I had tried out. May 2nd, Norton was updated (automatic updates disabled!) with the new engine 18.6.0.29. Then, no programs installed or removed until May 6th, a few Microsoft-related. Then on Tuesday, May 10th, yesterday, was the Microsoft monthly security updates. The changes to the actor pid may be Microsoft-related. But the entries began soon after Norton upgraded.

I am still receiving the entry about 2 times per day sine my first log on 5/9/11. I don't know if it has to do with NIS 2011 but it started about 1 hour after my NIS 2011 updated   to 18.6.0.29. Nothing else , to my knowledge, has been installed on my computer since 5/1/11 So I figure it has something to do with NIS 2011 since it first started appearing after the update.

 

In all, I have 7 entries in my NIS 2011 history log since 5/9/11

 

Actor    C:\WINDOWS\SYSTEM32\SVCHOST.EXE

Actor PID   844,832,848,780,848,852,804 (different number each entry to equal 7 times)

Target   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BHDRVX86\0000\Control\

Target PID    0

Action   Set Regietry Security Key

Reaction   Unauthorized access blocked

 

 

I am running Windows Vista Home Premium Service Pack 2 with NIS 2011 18.6.0.29 and IE 8

to all those who are getting this entry-

when you check the actor pid  does it correspond to

Dcom Launch  and Plug and Play?

 

I'm surprised more folks dont notice this

It seems to transend NIS version ( I have 17.8.0.5) and OS ( I have Vista Home Premium 32 bit with Vista SP 2)

 

Am I the only one really concerned about this?

Why don't you try the Microsoft forum and ask them why Windows is setting registry security keys?  It seems more appropriate than wondering why Norton is reporting it and blocking it.

---

delphinium wrote:

Why don't you try the Microsoft forum and ask them why Windows is setting registry security keys?  It seems more appropriate than wondering why Norton is reporting it and blocking it.

---

Del- Thats a good point. Altough no other forum around is as helpful as the Norton forums

 

I will try to post  sometime soon in the microsoft answers forum. If anyone else posts there before me, let me know the thread. If it is indeed a microsoft issue, then I think we all need to post there so that they correct the issue.

 

Del- you had mentioned something about Legacy Drivers. Are they used by Norton products?

(I'm referring to the part of the registry key that reads LEGACY_EECTRL)

Also- To Dell and Send of Jive(and other veteran volunteers)

Do you also see this issue on your machines?

Are Norton staff seeing this same situation on their test machines?

It would help a great deal to know if Norton has detected the same situation on their machines.

I'm not seeing it on my Win 7 machine, but it was a clean install of Win 7, rather than an upgrade from Vista.  There are two Vista boxes on this thread, and it may have something to do with the limited user accounts.  A security key is connected to user access.  Norton is just not allowing Windows to put a security key on two of its drivers.

 

Generally, legacy drivers have been left behind after an application was removed in case it was needed by the operating system later.  So I tend to think that since new applications better fit Windows increased security policies, Microsoft is trying to put a bandaid on older entries.  Norton is doing nothing more than reporting it and preventing it from ocurring.

 

The actual process and reasoning behind it, will have to come from Microsoft.

@delphinium, by your reckoning and the timing of the reports in my logs, the OS may have been setting the key for some time until the new Norton engine found it worth blocking and reporting the action. @Calls, the actor process ID, the numerals that are reported in the logs, changes with each reboot. Also, the task manager, by default, does not show the actor pid column. Now that I know where to look, the services involved are power, plugplay and dcomlaunch under the auspices of the svchost process.