Re: Event ID 577 & Failed Install of Microsoft Firewall Client

From: Al Smith (asmith_at_qchek.com)
Date: 09/13/03


Date: Sat, 13 Sep 2003 10:44:19 -0400


Here's what's at www.eventid.com:
              

Event ID: 577
Source: Security
Type: Success Audit
Description: Privileged Service Called:
Server: NT Local Security Authority / Authentication Service
Service: LsaRegisterLogonProcess()
Primary User Name: <computer name>$
Primary Domain: <domain or workgroup name>
Primary Logon ID: (0x0,0x3E7)
Client User Name: <computer name>$
Client Domain: <domain or workgroup name>
Client Logon ID: (0x0,0x3E7)
Privileges: <privilege string>
Comments: Adrian Grigorof
This event record indicates that an attempt has been made to use a
privilege to perform a privileged system service.

If the operation is successful, this event is recorded as "Success
Audit"; if not, it is recorded as "Failure Audit". Depending on your Audit
Policy these types of events may or may not show up. If you receive quite
a few "Success Audit" 577 events then most probably you have "Audit
privilege use" enabled for both cases. There are many normal processes
that use their privileges so naturally the events get recorded.

This event can also be logged when you use Winmsd and save a report
(see Q811196).

As per Q238185, when you are using a Remote Procedure Call-based
(RPC-based) client/server program, this error may be recorded (in this
case, it does not indicate a security breach; you can safely ignore it).

Privileges: See Q101366 for a list of privilege strings and what they
mean. Common ones:
- SeIncreaseBasePriorityPrivilege = Increase Scheduling Priority = The
user can boost the scheduling priority of a process.
- SeTcbPrivilege = To Act as Part of the Operating System = The user can
act as a trusted part of the operating system. Some subsystems have this
privilege granted to them.

Kurt Mosley
This can happen if an application tries to increase its scheduling
priority on the CPU. Most users do not have the permission to do this,
so the application will fail its attempt and log this in the security
log. We got this to go away by giving the users the "Increase Scheduling
Priority" right in the local security policy. So far, no ill effects and
the event log has gone away.

Our Approach:
We found that we had quite a few Success Audit 577
events on our Security Log. The event description contained info about
the local computer, workgroup, service and the "privilege". The type of
the event is quite explicit, it says on top: "Privileged Service Called"
so most probably we had enabled the logging of the "Privilege use". But
what privilege was occurring so often? In our case it was
"SeIncreaseBasePriorityPrivilege" (listed at the bottom of the
description). We searched for "SeIncreaseBasePriorityPrivilege" at
http://search.microsoft.com and the search returned several links, one
to Q101366 saying that this "string" actually means "Increase Scheduling
Priority" or in other terms, "The user can boost the scheduling priority
of a process". The user name in this case was the computer name itself.
So, at this point it was clear that this is a "normal" event - the
operating system often adjusts the thread scheduler so various internal
processes get additional CPU cycles to complete their tasks. Since we
were not that interested in seeing this kind of statistics, we disabled
the audit of "Success" privilege uses through the Local Security Policy
(or if it is an AD setting, through Active Directory Group policies).
Links: Q174074, Q811196, Q238185, Q101366, Q299475, Online Analysis
of Security Event Log

Source: Security
Type: Failure Audit
Description: Privileged Service Called:
Server: <authentication process>
Service: <service name>
Primary User Name: <computer name>$
Primary Domain: <domain or workgroup name>
Primary Logon ID: <client logon id>
Client User Name: <computer name>$
Client Domain: <domain or workgroup name>
Client Logon ID: <logon id>
Privileges: <privilege string>
Comments: Adrian Grigorof (Last update 8/30/2003):
If this is recorded when users attempt to change their password (and
they get "Unable to change the password on this account (C00000BE)") then
see Q176978.
Links: Q176978

Eric Fitzgerald [MSFT] wrote:

> The event is not an error and is probably not directly related to your
> failed installation.
>
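
The triage described in the post (find out which privilege string and which account produce the volume before changing the audit policy), as an added example that is not part of the original post or of EventID.net: it parses Event 577 descriptions in the layout quoted above, tallies privileges used by the computer account in the (0x0,0x3E7) logon session, and lists every other use for review. The sample records, the names WKS01$, CORP and jdoe, and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample records in the Event 577 layout quoted above.
# WKS01$, CORP and jdoe are made-up names; "-" stands in for an unnamed service.
TEMPLATE = (
    "Privileged Service Called:\n"
    "Server: NT Local Security Authority / Authentication Service\n"
    "Service: {service}\n"
    "Primary User Name: {user}\nPrimary Domain: CORP\nPrimary Logon ID: {lid}\n"
    "Client User Name: {user}\nClient Domain: CORP\nClient Logon ID: {lid}\n"
    "Privileges: {privs}\n"
)
SAMPLE = "\n".join(
    TEMPLATE.format(service=svc, user=user, lid=lid, privs=privs)
    for svc, user, lid, privs in [
        ("LsaRegisterLogonProcess()", "WKS01$", "(0x0,0x3E7)", "SeTcbPrivilege"),
        ("-", "WKS01$", "(0x0,0x3E7)", "SeIncreaseBasePriorityPrivilege"),
        ("-", "WKS01$", "(0x0,0x3e7)", "SeIncreaseBasePriorityPrivilege"),
        ("-", "jdoe", "(0x0,0x1A2B3)", "SeIncreaseBasePriorityPrivilege"),
    ])

FIELD = re.compile(r"^[ \t]*([A-Za-z ]+):[ \t]*(.*)$", re.M)
SYSTEM_LOGON_ID = "(0x0,0x3e7)"  # the SYSTEM logon session shown in the record above

def parse_577(text):
    """Split exported text into one dict of fields per Event 577 description."""
    records = []
    for chunk in text.split("Privileged Service Called:")[1:]:
        rec = {k.strip(): v.strip() for k, v in FIELD.findall(chunk)}
        rec["Privileges"] = rec.get("Privileges", "").replace(",", " ").split()
        records.append(rec)
    return records

def is_machine_context(rec):
    """True when the client is a computer account ($) in the SYSTEM logon session."""
    lid = rec.get("Client Logon ID", "").replace(" ", "").lower()
    return rec.get("Client User Name", "").endswith("$") and lid == SYSTEM_LOGON_ID

def triage(records):
    """Tally privileges used in machine context; list every other use for review."""
    machine, review = Counter(), []
    for rec in records:
        for priv in rec["Privileges"]:
            if is_machine_context(rec):
                machine[priv] += 1
            else:
                review.append((rec.get("Client User Name"), priv, rec.get("Service")))
    return machine, review

if __name__ == "__main__":
    machine, review = triage(parse_577(SAMPLE))
    print("machine-context counts:", dict(machine))
    print("needs review:", review)
```

The machine-context tally shows what disabling Success auditing would hide; the review list is the part to read before doing so.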


