Security and privacy Q&A

In today’s security freakout, I just had a hard crash on my SLS (went from typing to staring at the boot logo in a tenth of a second), and looked through recently changed files and recent errors in the event viewer (always a bad idea…).

[edit half a year later: probably a combination of a hardware issue and my own paranoia. I ended up doing a full wipe and reinstall, and a lot of the same errors show up. The hard crash happened twice, but hasn’t returned since I swapped the Hynix SSD for a Samsung SSD]

I see some modified files right after the crash in the C:\windows\panther folder, which is a legitimate folder, but it’s pretty rare to see anything about it on the internet. Of the 12 Google hits for “c:\windows\panther” from the past year, one of them is on https://segmentfault.com/a/1190000040565520/en mentioning “Unattend.xml sysprep.xml and sysprep.inf file GPP.xml has certain information leakage, they usually exist in the following path: C:\Windows\Panther” and “Once found, find the tags in the Unattend.xml file. It is possible to find the user’s encrypted password.”

I also like this line from Event Viewer: “The AllowInsecureGuestAuth registry value is not configured with default settings.” and the friendly explanation “This event indicates that an administrator has enabled insecure guest logons.” Probably innocuous, but sure looks dubious! Right after that I see this warning: “One or more named pipes or shares have been marked for access by anonymous users. This increases the security risk of the computer by allowing unauthenticated users to connect to this server.”

Right after that a warning “Open Key operation failed. Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider, Key Name: (long list of numbers)”

After that I see that Defender attempted to load something that didn’t meet Antimalware signing level requirements: “Code Integrity determined that a process (\Device\HarddiskVolume3\ProgramData\Microsoft\Windows Defender\Platform\4.18.2205.7-0\MsMpEng.exe) attempted to load \Device\HarddiskVolume3\Windows\System32\DriverStore\FileRepository\iigd_dch.inf_amd64_d3a7501d49d450c8\igd10iumd64.dll that did not meet the Custom 3 / Antimalware signing level requirements.”

I also see a “MCU Critical Error” for SurfaceService; that one only has two Google hits.

So now the question is… nothingburger or real problem? Do I take any action? I changed the main password on my Outlook account that I also use to log on to my PC, not sure what else I could do. Restore from a recent “restore point”? I have one from two days ago. Or just blissfully pretend/assume that nothing happened?
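The post asks whether these Event Viewer entries are benign. The following PowerShell triage script is an added example written for this page, not code from the original post, from Microsoft, or from any tool the post mentions. It checks the four things the post raises: the SMB client's AllowInsecureGuestAuth value, the SMB server's null-session (anonymous) pipe and share lists that the "named pipes or shares" warning refers to, answer files left in C:\Windows\Panther that contain password elements, and recent Code Integrity signing-level events. Assumptions: it runs in an elevated PowerShell session on the affected machine, the registry keys are the standard Windows locations, and event ID 3033 in the Microsoft-Windows-CodeIntegrity/Operational log is the "did not meet ... signing level requirements" event quoted in the post; the function names are mine.

```powershell
# Added triage script (not from the original post). Assumes an elevated
# PowerShell session on the affected machine and standard registry locations.

function Get-InsecureGuestAuthStatus {
    # AllowInsecureGuestAuth = 1 means the SMB client accepts guest logons from
    # servers that offer them; 0 rejects them. The warning quoted in the post
    # fires when the value differs from the edition's default.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    $value = (Get-ItemProperty -Path $key -Name AllowInsecureGuestAuth -ErrorAction SilentlyContinue).AllowInsecureGuestAuth
    [pscustomobject]@{
        Check   = 'SMB client AllowInsecureGuestAuth'
        Value   = if ($null -eq $value) { '(not set)' } else { $value }
        Finding = if ($value -eq 1) { 'Insecure guest logons ALLOWED - set to 0 unless a legacy NAS needs it' } else { 'OK' }
    }
}

function Get-NullSessionExposure {
    # The "named pipes or shares marked for access by anonymous users" warning
    # corresponds to non-empty NullSessionPipes / NullSessionShares on the SMB server.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $pipes  = @(@($p.NullSessionPipes)  | Where-Object { $_ })
    $shares = @(@($p.NullSessionShares) | Where-Object { $_ })
    [pscustomobject]@{
        Check   = 'SMB server anonymous (null session) access'
        Value   = "pipes=[$($pipes -join ',')] shares=[$($shares -join ',')] RestrictNullSessAccess=$($p.RestrictNullSessAccess)"
        Finding = if ($pipes.Count -or $shares.Count) { 'Anonymous access to pipes/shares configured - review each entry' } else { 'OK' }
    }
}

function Get-PantherCredentialLeak {
    # Unattend/sysprep answer files left in C:\Windows\Panther can carry account
    # passwords (plaintext or base64). Report the file names only, never the values.
    $hits = Get-ChildItem -Path 'C:\Windows\Panther' -Recurse -Include *.xml -ErrorAction SilentlyContinue |
        Select-String -Pattern '<Password>|<AdministratorPassword>' -List |
        ForEach-Object { $_.Path }
    [pscustomobject]@{
        Check   = 'Answer files with password elements in C:\Windows\Panther'
        Value   = if ($hits) { $hits -join '; ' } else { 'none' }
        Finding = if ($hits) { 'Sanitize or delete these files and rotate the affected account password' } else { 'OK' }
    }
}

function Get-CodeIntegrityBlocks {
    param([int]$Days = 7)
    # Assumption: event 3033 is the "did not meet ... signing level requirements"
    # entry. Each one lists the process and the DLL it tried to load, so the
    # paths can be compared against known driver/antimalware locations.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3033
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check   = "Code Integrity signing-level events (last $Days days)"
        Value   = @($events).Count
        Finding = if ($events) { ($events | ForEach-Object { $_.Message } | Select-Object -Unique) -join "`n" } else { 'OK' }
    }
}

function Invoke-PostCrashTriage {
    Get-InsecureGuestAuthStatus
    Get-NullSessionExposure
    Get-PantherCredentialLeak
    Get-CodeIntegrityBlocks
}

Invoke-PostCrashTriage | Format-List
```

Each function returns one object with a Check/Value/Finding triple, so the output can be kept as a baseline and diffed after the next crash; a Finding of OK on all four rows means the entries in the post are configuration noise rather than evidence of a change on the box, while a non-OK row names the single setting or file to fix.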