NT Gatekeeper--Exploring the Netlogon Change Log

Get answers to your security-related NT questions

\[Editor's Note: Do you have a security-related question about Windows NT? Send it to [email protected] and you might see the answer in this column!\]

Recently, I attended a Windows NT 4.0 security course. The instructor emphasized the importance of the netlogon.chg file to replicate SAM changes between domain controllers (DCs). When I used a regular text editor to open the netlogon.chg file, I saw nothing but gibberish. Which tool can I use to read the contents of the file, and what makes the netlogon.chg file so important?

The netlogon.chg file (also known as the Netlogon change log) plays a crucial role in replicating security-database information between the PDC and the BDCs in a Windows domain. A DC's Netlogon service controls this replication process. All changes to the SAM are recorded in the netlogon.chg file along with a serial number that's unique to each change. With each change, the PDC's Netlogon service increases the serial number by one. The netlogon.chg file is a sequential, circular (i.e., newer changes automatically overwrite older ones) log file that resides both in memory and on hard disk.

Periodically (by default every 5 minutes), the PDC's Netlogon service sends a message to the BDCs with the latest serial number recorded in the service's change log. The BDCs then check whether that serial number is higher than the most recently recorded serial number in their local security database. If the serial number is higher, the BDCs automatically retrieve all PDC SAM updates that occurred in the interim. This mechanism ensures that changes are sent only incrementally between a PDC and its BDCs. Microsoft calls this mechanism partial-sync replication. If a BDC's latest serial number is lower than the number of the first change recorded in the PDC's Netlogon change log, the BDC initiates a full-sync replication.
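The following model, added here as an illustration and not code from the original column or from Microsoft, shows the serial-number logic described above. The real netlogon.chg is a binary file whose layout this page does not document, so the model does not parse that file; it only reproduces the behaviour the text describes: a circular log sized from ChangeLogSize (the 64KB default and the roughly 32-byte entry size quoted later in the column), a PDC that increments the serial number by one per change, and a BDC that chooses between no sync, partial sync and full sync by comparing its own serial number with the PDC's announcement. The class and function names are my own.

```python
"""Model of the NT 4.0 Netlogon change log and the BDC sync decision.

Constructed example: it models the mechanism described in the column,
not the on-disk format of netlogon.chg.
"""
from collections import deque
from dataclasses import dataclass

# Figures quoted in the column: ChangeLogSize defaults to 65,536 bytes and
# one change entry is roughly 32 bytes, so the default log holds ~2,000 entries.
DEFAULT_CHANGELOG_SIZE = 65_536
ENTRY_BYTES = 32  # approximate per-entry size (assumption taken from the text)


@dataclass(frozen=True)
class Delta:
    """One recorded SAM change: serial number, subdatabase, description."""
    serial: int
    database: str  # "builtin", "sam" or "lsa", mirroring the Nltest subsections
    description: str


class ChangeLog:
    """Circular, in-memory model of the PDC's Netlogon change log."""

    def __init__(self, changelog_size: int = DEFAULT_CHANGELOG_SIZE):
        self.capacity = changelog_size // ENTRY_BYTES
        # deque with maxlen drops the oldest entry when a new one is appended
        # to a full log, which is the "newer overwrites older" behaviour.
        self._entries: deque[Delta] = deque(maxlen=self.capacity)
        self.serial = 0  # latest serial number; 0 means "no changes yet"

    def record(self, database: str, description: str) -> Delta:
        """The PDC records a change and bumps the serial number by one."""
        self.serial += 1
        delta = Delta(self.serial, database, description)
        self._entries.append(delta)
        return delta

    def oldest_serial(self) -> int:
        """Serial number of the first change still present in the log."""
        return self._entries[0].serial if self._entries else self.serial

    def deltas_after(self, serial: int) -> list[Delta]:
        """Changes the log still holds that are newer than `serial`."""
        return [d for d in self._entries if d.serial > serial]


def bdc_sync_decision(pdc: ChangeLog, bdc_serial: int) -> tuple[str, list[Delta]]:
    """Decide what a BDC does when the PDC announces its latest serial number.

    Returns (kind, deltas), where kind is "none", "partial" or "full".
    The rule follows the column: the PDC's serial number must be higher than
    the BDC's for anything to happen; if the BDC's serial number is lower than
    the first change still in the PDC's log, the BDC must do a full sync.
    """
    if pdc.serial <= bdc_serial:
        return "none", []
    if bdc_serial < pdc.oldest_serial():
        return "full", []  # intervening changes were overwritten; log is useless
    return "partial", pdc.deltas_after(bdc_serial)


if __name__ == "__main__":
    # Tiny log (4 entries) so the wrap-around is visible.
    pdc = ChangeLog(changelog_size=4 * ENTRY_BYTES)
    for i in range(1, 7):
        pdc.record("sam", f"constructed change {i}")
    for bdc_serial in (6, 4, 2):
        kind, deltas = bdc_sync_decision(pdc, bdc_serial)
        print(bdc_serial, kind, [d.serial for d in deltas])
```

Running the script shows a BDC at serial 6 doing nothing, a BDC at serial 4 pulling deltas 5 and 6, and a BDC at serial 2 falling back to a full sync because the wrap-around has already overwritten changes 1 and 2. The practical lesson is the same one the ChangeLogSize paragraph makes: a BDC that is offline for longer than the log can hold will be forced into a full sync, which on a large domain is far more expensive than the incremental path.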

In addition to partial and full replication, NT 4.0 also supports urgent replication of SAM information from the PDC to its BDCs. Urgent replication happens for crucial changes that must be replicated between DCs instantly. Examples of crucial changes are account lockouts, security policy changes, or password changes. To learn more about the SAM replication mechanisms, read the Microsoft article "Windows NT UAS Replication (Windows NT and LAN Manager)" at http://support.microsoft.com/support/kb/articles/q102/7/17.asp, and see the Web-exclusive sidebar "Understanding the NT Security Database Replication Model," http://www.secadministrator.com, InstantDoc ID 20560.

To analyze the content of the Netlogon change log, you can use the Nltest (nltest.exe) utility from the Microsoft Windows NT Server 4.0 Resource Kit. This command-prompt tool has a special switch, /LIST_DELTAS, that displays the content of the netlogon.chg file in a readable format. Running

nltest /LIST_DELTAS:C:\winnt\netlogon.chg

results in a list (similar to the list that Figure 1 shows) of the changes that occurred in the SAM. Don't forget to specify the complete file-system path of the netlogon.chg file.

When you examine the Nltest tool output, you'll see three subsections: Deltas of built-in database, Deltas of SAM database, and Deltas of LSA database. The subsections parallel the three subdatabases that make up the NT 4.0 security database: the SAM Built-in database, the SAM Accounts database, and the Local Security Authority (LSA) database.

The SAM Built-in database contains all default local groups and accounts installed with the system. Consider the SAM Built-in database the default portion of the SAM database. The SAM Accounts database includes all other SAM objects that you add or change after you install the system. These objects include domain-specific users, global groups, local groups, and security policy settings. The LSA database contains user rights settings, trusted domain objects, and secret objects (e.g., trust passwords).

You can use the ChangeLogSize REG_DWORD value in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters registry subkey to control the size of the Netlogon change log. ChangeLogSize defaults to 65,536 bytes (64KB). Given that one change entry is about 32 bytes long, the default Netlogon change log can hold about 2,000 changes. The maximum value for ChangeLogSize is 4,194,304 bytes, or 4MB (about 128,000 changes).
