Re: Failure Audit Security Log Event ID 577

anonymous_at_discussions.microsoft.com
Date: 10/15/03


Date: Wed, 15 Oct 2003 05:30:02 -0700

I am seeing the exact same error message, every 30
seconds. We have been running Windows XP for over 8 months
and have never seen this error message before. I have
recently installed 2 new clients and it is happening on
those 2; it has also spread to my older clients now... very
weird. Did you find anything that helped you track this
down?

>-----Original Message-----
>You could try profiling what processes are running
>in the account process, perhaps with aid from tools
>from www.sysinternals.com
>Also, does this happen with a newly defined account?
>
>--
>Roger Abell
>Microsoft MVP (Windows Server System: Security)
>MCSE (W2k3,W2k,Nt4) MCDBA
>"Jake" <j.lomax@mgn.co.uk> wrote in message
>news:0cea01c389f0$9db88da0$a001280a@phx.gbl...
>> Hi Roger,
>> Privilege use failures are all that is being audited and
>> only one event is recorded, eventID 577. An event is
>> logged every thirty seconds when the user is logged on.
>> The workstation can be idle, i.e. screensaver up, and the
>> same event is still logged.
>> I have tried altering the local security 'Increase
>> scheduling priority' policy to 'Authenticated Users' and
>> also 'Not Defined'. This had no apparent effect.
>>
>>
>> >-----Original Message-----
>> >One solution is to ease back on the events you are auditing.
>> >Assuming you put the ******* in there for privacy,
>> >logging of this is controlled by the "Audit privilege use"
>> >
>> >However, your subject (only) indicates that you are
>> >getting many failures, and _if_ one lessens this category
>> >of auditing it is usually to only log failures (not successes).
>> >So in your case you probably need to track down what the
>> >******** account is doing when it gets denied.
>> >The user right that the account is not being granted is the
>> >one shown in local policy as "Increase scheduling priority".
>> >You may find that profiling the actions of the account will
>> >lead you to a solution, for example KB 811196 is a case
>> >where admin accounts trigger this event even though they
>> >are granted the user right.
>> >
>> >--
>> >Roger Abell
>> >Microsoft MVP (Windows Server System: Security)
>> >MCSE (W2k3,W2k,Nt4) MCDBA
>> >"Jake" <j.lomax@mgn.co.uk> wrote in message
>> >news:08a601c38917$9ec10990$a301280a@phx.gbl...
>> >> Does anyone know how to stop this failure audit event
>> >> being recorded? It's happening on a couple of my clients
>> >> now and with enforced 90 day log retention I need to keep
>> >> increasing the log size, I'm not happy with this and want
>> >> to know how to stop it.
>> >>
>> >> Privileged Service Called:
>> >> Server: Security
>> >> Service: -
>> >> Primary User Name: ********
>> >> Primary Domain: *******
>> >> Primary Logon ID: (0x0,0x****)
>> >> Client User Name: -
>> >> Client Domain: -
>> >> Client Logon ID: -
>> >> Privileges: SeIncreaseBasePriorityPrivilege
>> >>
>
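
Added example, not part of the original thread: a small Python script that measures how often event 577 fires per account and privilege, and projects the volume over the 90 day retention period mentioned above. The export layout (the "Time:" and "Event ID:" lines, the "----" separator) and the account names are assumptions of this constructed sample; the remaining field names follow the event text quoted in the thread.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample export; layout and account names are assumptions of this example.
TEMPLATE = """Time: {t}
Event ID: 577
Privileged Service Called:
Server: Security
Primary User Name: {u}
Privileges: SeIncreaseBasePriorityPrivilege
"""
SAMPLE = "----\n".join(TEMPLATE.format(t=t, u=u) for t, u in [
    ("2003-10-15 05:30:02", "user1"),
    ("2003-10-15 05:30:32", "user1"),
    ("2003-10-15 05:31:02", "user1"),
    ("2003-10-15 05:31:10", "user2"),
])

def parse_records(text):
    """Split the export on '----' and return one field dict per event 577 record."""
    records = []
    for chunk in text.split("----"):
        fields = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if fields.get("Event ID") == "577":
            fields["Time"] = datetime.strptime(fields["Time"], "%Y-%m-%d %H:%M:%S")
            records.append(fields)
    return records

def summarize(records, retention_days=90):
    """Per (account, privilege): count, median gap in seconds, projected event volume."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["Primary User Name"], r["Privileges"])].append(r["Time"])
    out = {}
    for key, times in groups.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        gap = median(gaps) if gaps else None  # a single event has no cadence
        per_day = int(86400 / gap) if gap else None
        out[key] = {"count": len(times), "median_gap_s": gap, "per_day": per_day,
                    "per_retention": per_day * retention_days if per_day else None}
    return out

if __name__ == "__main__":
    for key, stats in summarize(parse_records(SAMPLE)).items():
        print(key, stats)
```

A steady median gap for one account points at a single recurring caller, which is the account worth profiling first.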