Re: Services Security Failure Audit

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 10/31/05

  • Next message: Steven L Umbach: "Re: Netdiags error with Kerberos.....Need some guidance." 
    Date: Sun, 30 Oct 2005 21:05:16 -0600

    Object access errors like that can be hard to track down and usually can be
    ignored if everything is working well. Also look in the system and
    application logs to see if there are any other warning or error messages
    that show about the same timestamp that may give a clue. I have seen that
    Event ID when an account tries access the operating system in such a way
    that requires administrator access but fails.--- Steve

    "Ralish" <ralish@gmail.com> wrote in message
    news:eafmY6D3FHA.2196@tk2msftngp13.phx.gbl...
    > Hello,
    >
    > Yesterday I was reading through the Security Logs in Event Viewer on a
    > Windows Server 2003 Domain Controller when I noticed the following event:
    >
    > Event Type: Failure Audit
    > Event Source: Security
    > Event Category: Object Access
    > Event ID: 560
    > Date: 29/10/2005
    > Time: 1:20:08 PM
    > User: NT AUTHORITY\NETWORK SERVICE
    > Computer: <cut>
    > Description:
    > Object Open:
    > Object Server: SC Manager
    > Object Type: SC_MANAGER OBJECT
    > Object Name: ServicesActive
    > Handle ID: -
    > Operation ID: {0,41170}
    > Process ID: 528
    > Image File Name: C:\WINDOWS\system32\services.exe
    > Primary User Name: <cut>$ (Machine Logon)
    > Primary Domain: <cut>
    > Primary Logon ID: (0x0,0x3E7)
    > Client User Name: NETWORK SERVICE
    > Client Domain: NT AUTHORITY
    > Client Logon ID: (0x0,0x3E4)
    > Accesses: READ_CONTROL
    > Connect to service controller
    > Lock service database for exclusive access
    >
    > Privileges: -
    > Restricted Sid Count: 0
    > Access Mask: 0x20009
    >
    > For more information, see Help and Support Center at
    > http://go.microsoft.com/fwlink/events.asp.
    >
    > A quick bit of experimentation revealed that this Failure Audit occurs
    > only once every reboot, relatively early in the Windows boot-up process.
    >
    > Can anyone provide any advice on the cause of this failure audit, and any
    > likely repercussions from it? I have yet to notice any negative effects
    > from this error, but it would still be nice to know the reason behind this
    > event.
    >
    > Thanks in advance,
    >
    > Ralish
    >

  • Next message: Steven L Umbach: "Re: Netdiags error with Kerberos.....Need some guidance."

    Relevant Pages

    • MSDTC Security Log Failure Audits
      ... While scrolling through the Security logs of a Windows 2003 box, ... Event Type: Failure Audit ... Primary Logon ID: ... Client User Name: - ...
      (microsoft.public.windows.server.security)
    • Re: evnet id 560
      ... > every few seconds i get a failure audit in the security ... > Event Source: Security ... > Client User Name: - ... value Primary User Name: user name Primary Domain: name Primary Logon ID: ...
      (microsoft.public.win2000.security)
    • Failure Audit with ASP.NET
      ... I can't seem to get rid of this Failure Audit, ... have full read access to the WINNT folder (the folder in the event doesn't ... Primary Logon ID: ... Client User Name: - ...
      (microsoft.public.dotnet.framework.setup)
    • Re: Event ID 565
      ... Client User Name: GANDALF$ ... > Event Type: Failure Audit ... > Event Category: Directory Service Access ... > Primary Logon ID: ...
      (microsoft.public.win2000.security)
    • Re: Event ID 565
      ... > Client User Name: GANDALF$ ... >> Event Type: Failure Audit ... >> Event Category: Directory Service Access ... >> Primary Logon ID: ...
      (microsoft.public.win2000.security)