REGISTRY - SavedLegacySettings ?


a[_2_]
January 8th 09, 12:45 AM
hallo

what does the "SavedLegacySettings" item in
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
stand for?

I was monitoring my Windows98 changes

I was running a file downloader (called "USDownloader"):
some files from Rapidshare (no javascript allowed);
some files from Megaupload (javascript allowed);
no other software was running, no keyboard or mouse activity:

nothing was happening... suddenly this (only this) happened:

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Value "SavedLegacySettings": binary data changed

the file downloader kept regularly running.

What's happened?

Jeff Richards
January 8th 09, 01:52 AM
According to MS - "SavedLegacySettings - This entry specifies the
configuration used by network connections other than the default
connection." It appears that the binary content is not documented, although
the key obviously reflects some of the settings you see in the network
configuration dialogs.

This setting can be part of an attempt by a virus or trojan to conceal
itself or to prevent its removal.
--
Jeff Richards
MS MVP (Windows - Shell/User)
"a" wrote in message
...
> hallo
>
> what does the "SavedLegacySettings" item in
> HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
> stand for?
>
> I was monitoring my Windows98 changes
>
> I was running a file downloader (called "USDownloader"):
> some files from Rapidshare (no javascript allowed);
> some files from Megaupload (javascript allowed);
> no other software was running, no keyboard or mouse activity:
>
> nothing was happening... suddenly this (only this) happened:
>
> HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
> Value "SavedLegacySettings": binary data changed
>
> the file downloader kept regularly running.
>
> What's happened?
>

a[_2_]
January 8th 09, 01:02 PM
On Thu, 8 Jan 2009 12:52:31 +1100, "Jeff Richards" wrote:

>According to MS - "SavedLegacySettings - This entry specifies the
>configuration used by network connections other than the default
>connection." It appears that the binary content is not documented, although
>the key obviously reflects some of the settings you see in the network
>configuration dialogs.
>
>This setting can be part of an attempt by a virus or trojan to conceal
>itself or to prevent its removal.

mmhhh...
how to set the value back, considering that
my IExplorer settings situation seems unchanged?

here
how it was (I perfectly remember it)
and
how it is:
http://img25.imagevenue.com/img.php?image=19695_Image1_122_623lo.jpg
(75 kb)

here the Registry value:
http://img187.imagevenue.com/img.php?image=19981_Image2_122_1078lo.jpg
(26 kb)

note:
I have an ADSL connection, with an ethernet modem/router

a[_2_]
January 8th 09, 04:09 PM
>here
>how it was (I perfectly remember it)
>and
>how it is:
>http://img25.imagevenue.com/img.php?image=19695_Image1_122_623lo.jpg
>(75 kb)
>
>here the Registry value:
>http://img187.imagevenue.com/img.php?image=19981_Image2_122_1078lo.jpg
>(26 kb)
>
>note:
>I have an ADSL connection, with an ethernet modem/router


here maybe the previous value
from a backup I made two days ago

http://img15.imagevenue.com/img.php?image=30718_image3_122_1159lo.jpg
(26 kb)

only two values seem to be involved

but will it be the original, or just another modified one?

how to determine the *real* original one?
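
Added example, not part of the original thread: one way to compare a backed-up export of the value with the current one byte by byte, as in the backup-versus-current comparison above. The sample exports are constructed (not the values from the screenshots), and the field names for the first 12 bytes are an assumption taken from community reverse engineering, since the layout is undocumented.

```python
import re

# Assumed layout of the first 12 bytes (community reverse engineering,
# not documented by Microsoft): three little-endian DWORDs.
ASSUMED_FIELDS = [(0, 4, "version"), (4, 8, "change counter"),
                  (8, 12, "connection flags")]

def parse_reg_hex(text, value_name="SavedLegacySettings"):
    """Extract a REG_BINARY value from REGEDIT4 export text as bytes."""
    joined = re.sub(r"\\\s*\n\s*", "", text)  # undo "\" line continuations
    m = re.search(r'^"%s"=hex:([0-9a-fA-F,]*)' % re.escape(value_name),
                  joined, re.M)
    if not m:
        raise ValueError("value %r not found" % value_name)
    return bytes(int(b, 16) for b in m.group(1).split(",") if b)

def field_for(offset):
    """Name the assumed field an offset falls in."""
    for start, end, name in ASSUMED_FIELDS:
        if start <= offset < end:
            return name
    return "variable-length settings data"

def diff_blobs(old, new):
    """Return (offset, old_byte, new_byte, assumed_field) per difference."""
    changes = []
    for i in range(max(len(old), len(new))):
        a = old[i] if i < len(old) else None  # None = byte absent (length change)
        b = new[i] if i < len(new) else None
        if a != b:
            changes.append((i, a, b, field_for(i)))
    return changes

# Constructed sample exports, REGEDIT4 format as written by Windows 98 regedit.
BACKUP = '''REGEDIT4

[HKEY_USERS\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections]
"SavedLegacySettings"=hex:3c,00,00,00,1b,00,00,00,01,00,00,00,00,00,00,00,\\
  00,00,00,00,00,00,00,00
'''
CURRENT = BACKUP.replace("1b,00,00,00,01", "1c,00,00,00,09")

if __name__ == "__main__":
    fmt = lambda v: "--" if v is None else "%02x" % v
    for off, a, b, field in diff_blobs(parse_reg_hex(BACKUP),
                                       parse_reg_hex(CURRENT)):
        print("offset 0x%02x: %s -> %s  (%s)" % (off, fmt(a), fmt(b), field))
```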

Jeff Richards
January 9th 09, 01:06 AM
As far as I know, the actual setting doesn't matter. The only thing that is
important is that you have confirmed that it was not changed by a virus or
trojan. You probably won't find that out by fiddling with this setting -
only a thorough scan with reputable software will ensure that the change was
not associated with some attempt to infiltrate your system.

A forum associated with PC security may have more detailed information
available.
--
Jeff Richards
MS MVP (Windows - Shell/User)
"a" wrote in message
...
>
>>here
>>how it was (I perfectly remember it)
>>and
>>how it is:
>>http://img25.imagevenue.com/img.php?image=19695_Image1_122_623lo.jpg
>>(75 kb)
>>
>>here the Registry value:
>>http://img187.imagevenue.com/img.php?image=19981_Image2_122_1078lo.jpg
>>(26 kb)
>>
>>note:
>>I have an ADSL connection, with an ethernet modem/router
>
>
> here maybe the previous value
> from a backup I made two days ago
>
> http://img15.imagevenue.com/img.php?image=30718_image3_122_1159lo.jpg
> (26 kb)
>
> only two values seem to be involved
>
> but will it be the original, or just another modified one?
>
> how to determine the *real* original one?
>
>
