Re: Failure Audit Security Log Event ID 577
Date: Wed, 15 Oct 2003 05:30:02 -0700
I am seeing the exact same error message, every 30
seconds. We have been running Windows XP for over 8 months
and have never seen this error message before. I have
recently installed 2 new clients and it is happening on
those 2, it also has spread to my older clients now...very
weird did you find anything that helped you track this
>You could try profiling what processes are running
>in the account process, perhaps with aid from tools
>Also, does this happen with a newly defined account ?
>Microsoft MVP (Windows Server System: Security)
>MCSE (W2k3,W2k,Nt4) MCDBA
>"Jake" <email@example.com> wrote in message
>> Hi Roger,
>> Privilege use failures are all that is being audited and
>> only one event is recorded, eventID 577. An event is
>> logged every thirty seconds when the user is logged on.
>> The workststion can be idle, ie. screensaver up, and the
>> same event is still logged.
>> I have tried altering the local security 'Increase
>> scheduling priority' policy to 'Authenticated Users' and
>> also 'Not Defined'. This had no apparent effect.
>> >-----Original Message-----
>> >Onr solution is to ease back on the events you are
>> >Assuming you put the ******* in there for privacy,
>> >logging of this is controlled by the "Audit privlege
>> >However, your subject (only) indicates that you are
>> >getting many failures, and _if_ one lessens this
>> >of auditing it is usually to only log failures (not
>> >So in your case you probably need to track down what
>> >******** account is doing when it gets denied.
>> >The user right that the account is not being granted is
>> >one shown in local policy as "Increase scheduling
>> >You may find that profiling the actions of the account
>> >lead you to a solution, for example KB 811196 is a case
>> >where admin accounts trigger this event even though
>> >are granted the user right.
>> >Roger Abell
>> >Microsoft MVP (Windows Server System: Security)
>> >MCSE (W2k3,W2k,Nt4) MCDBA
>> >"Jake" <firstname.lastname@example.org> wrote in message
>> >> Does anyone know how to stop this failure audit event
>> >> being recorded. Its happening on a couple of my
>> >> now and with enforced 90 day log retention I need to
>> >> increasing the log size, I'm not happy with this and
>> >> to know how to stop it.
>> >> Privileged Service Called:
>> >> Server: Security
>> >> Service: -
>> >> Primary User Name: ********
>> >> Primary Domain: *******
>> >> Primary Logon ID: (0x0,0x****)
>> >> Client User Name: -
>> >> Client Domain: -
>> >> Client Logon ID: -
>> >> Privileges: SeIncreaseBasePriorityPrivilege