Windows registry subkey creation not generating logs (Windows event ID 4657)

I am experiencing an issue where I am trying to audit a specific registry key via Windows Event ID 4657.

TL;DR: I have tried to set up auditing on a registry key when a new subkey is created under it, but it does not log when this action is performed. After creating the subkey, any changes to the key are then logged. My objective, however, is to log the initial creation of the subkey “\Run” so that I may catch this well-known ASEP (Auto-start Extension Point) for signs of malicious activity.

The registry key in question is:

before creation:

“HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer”

after creation:

“HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run”

As you can see in the below screen shot, this specific path does not exist (the “run” subkey has yet to be created).

Figure 1 – registry before change

The auditing permissions (Right-click -> Permissions -> Advanced -> Auditing -> Add) set on this registry subkey are as follows:

Principal: Everyone

Type: All

Applies to: This key and subkeys

Advanced permissions: Full Control (Query Value, Set Value, Create Subkey, Enumerate Subkeys, Notify, Create link, Delete, Write DAC, Write Owner, and Read Control)

For “Only these audit settings to objects and/or containers within this container” check box, I have tested with and without it checked. ->OK->Apply->OK

Figure 2 – Auditing Entry for “Explorer” subkey

Not sure if this is entirely necessary but also running “gpupdate /force” via admin privileged cmd.exe

Figure 3 – lack of logs

No logs appear to have been generated as a result of the registry change on the registry key (HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run) which has inherited the auditing settings from its parent key “Explorer”.

GPO settings are as follows:

Figure 4 – Active Directory Users and Computers settings showing the host being tested has this GP applied

Figure 5 – Group Policy Management showing Link Enabled

Figure 6 – Group Policy Management Editor showing Audit Registry is set to log Success and Failure

Please note that further modifications appear to be logged as expected; creating additional key values & modifying them (under the \Run subkey):

Figure 7 – further modifications are logged

Figure 8 – Only log is generated after subkey creation

So as shown above, once the key is created and new values are added under the newly created key it logs this, but it does not log when the new key itself is created.

Am I missing something here? Any and all help is greatly appreciated in advance!

Additional info:

  • DC where GPO is managed is a Microsoft Windows Server 2012 R2 Standard – 6.3.9600 Build 9600 and is configured as the Primary Domain Controller. The machine I am testing these registry changes on is also a Microsoft Windows Server 2012 R2 Standard – 6.3.9600 Build 9600 configured as a Member Server.

  • Using Sysmon is not an option for my current situation.
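A triage sketch for the Security-log events discussed in this question, added here as an example and not part of the original post: it parses event XML and separates value writes (4657) from key-level access on the audited `Explorer` key. It assumes key-level access such as Create Subkey is reported through event 4663 with bit `0x4` set in `AccessMask`, while 4657 records value changes; the sample events and the names `make_event`, `classify` and `triage` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Kernel-style object name of the audited key as it appears in Security events.
WATCHED = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
CREATE_SUBKEY = 0x4  # assumed: "Create sub-key" bit of AccessMask for registry keys


def make_event(event_id, **data):
    """Build a constructed Security event in the Event Viewer XML layout."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f"</System><EventData>{fields}</EventData></Event>")


# Constructed samples (not real log data).
SAMPLES = [
    make_event(4663, ObjectType="Key", ObjectName=WATCHED, AccessMask="0x4",
               ProcessName=r"C:\Windows\regedit.exe"),
    make_event(4657, ObjectName=WATCHED + r"\Run", ObjectValueName="updater",
               OperationType="%%1904", ProcessName=r"C:\Windows\regedit.exe"),
    make_event(4663, ObjectType="Key", ObjectName=WATCHED, AccessMask="0x1",
               ProcessName=r"C:\Windows\explorer.exe"),
    make_event(4663, ObjectType="File", ObjectName=r"C:\Temp\a.txt",
               AccessMask="0x4", ProcessName=r"C:\Windows\notepad.exe"),
]


def classify(event_xml):
    """Return a label for events touching the watched key, else None."""
    root = ET.fromstring(event_xml)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    data = {d.get("Name"): d.text or ""
            for d in root.iterfind("e:EventData/e:Data", NS)}
    name, watched = data.get("ObjectName", "").upper(), WATCHED.upper()
    if name != watched and not name.startswith(watched + "\\"):
        return None
    if event_id == 4657:  # registry value written under the key or a subkey
        return "value-modified:" + data.get("ObjectValueName", "")
    if event_id == 4663 and data.get("ObjectType") == "Key":
        # Key-level access: the mask tells which right was exercised.
        if int(data.get("AccessMask", "0"), 16) & CREATE_SUBKEY:
            return "create-subkey"
    return None


def triage(events):
    return [classify(e) for e in events]
```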

Effectiveness of Euler’s totient function and Carmichael’s totient function in generating the public key in RSA encryption

I’m a high school student taking IB and for my EE on Maths, I’m comparing the effectiveness of Euler’s totient function and Carmichael’s totient function in generating the public key in RSA encryption.

In order to compare the ‘effectiveness’ of these functions, I will firstly compare how fast they can generate the public key and then secondly, compare the security of the generated key. For the ‘fastness’ part I will use time complexity. But I have no idea how to compare their security. Can anyone help me figure this out? Maybe an algorithm that is often used to test the security of an encryption key? Or should I just write code to execute encryption keys made using either Euler’s or Carmichael’s totient function and see how long it takes to decrypt each key?

Thanks!
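An added example, not part of the original question: textbook RSA with constructed toy primes, deriving the private exponent once from Euler's φ(n) and once from Carmichael's λ(n) for the same public key (n, e), then checking that both exponents decrypt every message. The function names and parameters are illustrative assumptions.

```python
from math import gcd


def totients(p, q):
    """Return (phi(n), lambda(n)) for n = p*q with distinct primes p and q."""
    phi = (p - 1) * (q - 1)
    lam = phi // gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    return phi, lam


def private_exponents(p, q, e):
    """Return (d_phi, d_lambda): inverses of e modulo phi(n) and lambda(n)."""
    phi, lam = totients(p, q)
    # lambda(n) divides phi(n), so e coprime to phi(n) is also coprime to lambda(n).
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to the totient")
    return pow(e, -1, phi), pow(e, -1, lam)


def roundtrip(m, e, d, n):
    """Encrypt m with the public key (n, e), then decrypt with exponent d."""
    return pow(pow(m, e, n), d, n)


# Constructed toy parameters; real keys use primes of 1024 bits or more.
P, Q, E = 61, 53, 17
N = P * Q
D_PHI, D_LAM = private_exponents(P, Q, E)


def both_decrypt_everything():
    """True if both private exponents recover every message 0 <= m < n."""
    return all(roundtrip(m, E, D_PHI, N) == m == roundtrip(m, E, D_LAM, N)
               for m in range(N))
```

The public key (N, E) is the same in both cases; only the private exponent differs, and `D_LAM` is `D_PHI` reduced modulo λ(n).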

What kind of numbers are inside a generating open interval of the Borel $\sigma$-algebra?

If it is enough to have all open intervals $(a,b)$ with end points $a$ and $b$ belonging to the rational numbers, $a < b$, in order to generate a Borel $\sigma$-algebra on $\mathbb{R}$. Asked here: About the open intervals generating a Borel $\sigma$-algebra on $\mathbb{R}$

What kind of numbers do you need to have between $a$ and $b$? Only rational numbers or real numbers? And why?

Can a minimal generating set for an ideal always be made into a Groebner basis?

Let $I\subseteq k[x_0,\ldots,x_n]$ be an ideal, generated by some polynomials $F_1,\ldots,F_r$, all homogeneous and of the same degree. Suppose $r$ is the smallest number of generators that will suffice to generate the ideal.

Can one choose a monomial order or change coordinates to ensure that this generating set is also a Groebner basis for the ideal?

For example, consider the ideal $$I = (xyz, (x + y + 3z)(x + 7z - y)(y - z + 2x), xy(x - y)).$$

With respect to the degree reverse lexicographic ordering, it has as a reduced Groebner basis

$$\{y^4z - 5y^3z^2 - 17y^2z^3 + 21yz^4, xy^3 - y^4 + 5y^3z + 17y^2z^2 - 21yz^3, x^3 - \frac{1}{2}xy^2 - \frac{1}{2}y^3 + \frac{19}{2}x^2z + \frac{5}{2}y^2z + 16xz^2 + \frac{17}{2}yz^2 - \frac{21}{2}z^3, x^2y - xy^2, xyz\},$$ which includes nontrivially more elements than just the $F_j$.

However, after changing coordinates with the matrix (here I just generated several invertible matrices at random until one had the desired property)

$\begin{pmatrix}0 & -31 & 1\\ 0 & -\frac{5}{6} & 1\\ 1 & -2 & 0\end{pmatrix}$,

under the same monomial order, the transformed original generators (up to a constant multiple) now make up a reduced Groebner basis for the new ideal:

$$(x^3 + \frac{5281}{126}x^2y - \frac{7}{3}x^2z - \frac{4108577}{3348}xyz + \frac{769192975}{140616}y^2z + \frac{22027}{558}xz^2 - \frac{4095575}{23436}yz^2, xy^2 - \frac{191}{155}xyz + \frac{6}{155}xz^2, y^3 - \frac{191}{155}y^2z + \frac{6}{155}yz^2).$$

Does anyone know whether this is always possible, or of references where this sort of question is addressed? Thanks!

Iteratively generating permutations with repetitions

I tried to solve the simple problem of generating all permutations of length n with m distinct elements where repetition is allowed. Doing this recursively took me like 10 minutes:

    #include <vector>
    using std::vector;

    // Appends to perms every length-n sequence over the values 0..m.
    void genAllPermsRec(vector<int>& perm, vector<vector<int>>& perms, int n, int m) {
        if (perm.size() == n) {
            perms.push_back(perm);
            return;
        }
        for (int i = 0; i < m + 1; ++i) {
            perm.push_back(i);
            genAllPermsRec(perm, perms, n, m);
            perm.pop_back();
        }
    }

I tried to do it iteratively then and it took me a lot longer. I ended up looking exactly at what happens in the recursive version and came up with the following solution:

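    // Iterative version; perm is used as an explicit stack.
    // Caveat: for n == 1 the loop exits after recording only {0}.
    vector<vector<int>> genAllPerms(int n, int m) {
        vector<vector<int>> perms;
        vector<int> perm(1, 0);
        int i = 0;  // value to push at the next deeper position
        while (!perm.empty()) {
            if (perm.size() == n) {
                perms.push_back(perm);
                if (perm.back() < m) {
                    perm.pop_back();
                    ++i;
                    continue; // That is why Python has the while: .. else: construct.
                }
                // Backtrack past every position already at its maximum value.
                // The emptiness check avoids calling back() on an empty vector
                // once the final sequence (all values equal to m) is recorded.
                while (!perm.empty() && perm.back() == m) { perm.pop_back(); }
                if (!perm.empty()) {
                    perm.back() += 1;
                    i = 0;
                }
            } else { perm.push_back(i); }
        }
        return perms;
    }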

It seems to work but I am not satisfied with the result. I suspect that there is a more intuitive way to approach the problem that would lead to shorter code. Please enlighten me 🙂

Find compact formula for $B(x)$ such that $A(x) = P(x) \cdot B(x)$ – generating functions

Let $A(x)$ be generating function of number divides such that contains exactly one (but it can be multi taken) fraction $2$, $3$, $5$.

Let P(x) be generating function of all possible number divides.

Find compact formula for $B(x)$ such that

$$A(x) = P(x) \cdot B(x)$$

My try

$$A(x) = (1+x^2+x^4+\ldots) + (1+x^3+x^6+\ldots) + (1+x^5+x^{10}+\ldots) = \sum_{k} ([k \bmod 2 = 0] + [k \bmod 3 = 0] + [k \bmod 5 = 0])x^k$$

Now $P(x)$

$$P(x) = \frac{1}{(1-x)(1-x^2)(1-x^3)\cdots}$$

But how can I get a compact formula from these calculations? $$\text{factor }([k \bmod 2 = 0] + [k \bmod 3 = 0] + [k \bmod 5 = 0]) \text{ makes a problem there}$$

Need suggestions about how to make an App Generator for generating some Lua Survey Apps [on hold]

So, in summary, I need to create a web interface that some users will use to create a survey (a very specific type of survey, type of questions already defined, etc.); the only thing that changes between the surveys is the title and the questions. After creating it (in a “do it yourself” / “drag and drop” / “create without coding” way), the application, gamified, in Lua, needs to be generated. I was provided with an already working survey app, as an example, with the code in Lua, and I need to “generalize” that code, leaving it with some “gaps” that will be filled in later with specific information about the survey that is being created.

I already have the web part; it was made in Java, has a very nice graphical interface, and from there the user drags and drops the specific type of question he wants, enters the title of the question, the answer options, etc., and all that goes as JSON to the back end, and then it fills the gaps in the questions. So I can already generate the questions/question screen. The problem starts with the more “complex” parts of the code, like code flow, the flow of the questions (depending on what the user answers, some question appears next or not, or the user is redirected to other questions, all dynamically). This part, as a last resort, can be eliminated to simplify the project. Also, another hard part is that the answers need to be sent to a database. And the way it was made in the example app is very specific to its case and hard to generalize.

About the code. I will provide some important parts later, I just need to get home in some hours and will put it here. Please if you read this question and think you can help come back tomorrow or today later..

I expect some suggestions about how to proceed and maybe suggestions to change the architecture/flow of the code, to generalize it more, and to simplify the generation.

Thanks in advance!