All Products
Search

This Product

    :What do I do if the IP address of a Windows instance is unexpectedly modified?

    Document Center

    :What do I do if the IP address of a Windows instance is unexpectedly modified?

    Last Updated:Mar 24, 2023

    This topic describes the possible causes of and the solution to the issue that the IP address of a Windows Elastic Compute Service (ECS) instance is unexpectedly modified.

    Problem description

    The IP address of a Windows instance is unexpectedly modified. For example, a static IP address is changed to a different IP address or a dynamic IP address that changes from time to time.

    Causes

    The issue may occur due to the following reasons:

    • Antivirus software or security software

    • Manual misoperations

    • Third-party software that modifies IP address configurations

    • Viruses

    • Damaged operating system registries

    Solution

    1. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces and view the GUID value that corresponds to the network interface of the Windows instance. Windows IP address configurations are stored in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces. You can determine the symptom of the issue by viewing the GUID value.

    2. Enable the registry of Group Policy to audit accesses and set the permissions of Everyone to SetValue and Delete in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces to identify which application causes the issue.

    3. Right-click HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces and select Permissions. In the dialog box that appears, audit the values of the Interfaces key and the subkeys and audit the SetValue and Delete permissions of Everyone.

    4. Enable and audit the registry of Group Policy.

      Log on to the Windows operating system as an administrator. Then, in the Run dialog box, enter gpedit.msc and click OK.

    5. Choose Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies - Local Group Policy Object > Object Access. Right-click Audit Registry. In the Audit Registry Properties window, select Success and Failure.

    6. Identify the reason why the registry is modified.

      If the issue persists, enter eventvwr in the Run dialog box and click OK to start Event Viewer. In the Event Viewer window, choose Windows Logs > Security to view the registry-related log and identify which application modifies the registry. The following log indicates that the Microsoft Windows security auditing application modifies the registry.