Re: Event ID 577 Every few seconds

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 11/29/03


Date: Sat, 29 Nov 2003 14:49:00 -0700

You see this because you are auditing privilege use.
This privilege, which is normal for an admin account,
grants managing of auditing and the security log.

With auditing of privilege use success enabled, you
see this event for each instance of this event.
Now, what is not normal is that your account is apparently
doing this so constantly.
The event is written because your account is defining a
hard link to an audited resource. You would need to chase
down what is running within your login session to cause
this, or track it down by the handle to find what is being
accessed. Tracking by handle is not clear-cut for a non-
coding person.

-- 
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4)  MCDBA
"Dean McCreary" <dean@themccrearys.com> wrote in message
news:eSgmeBrtDHA.1196@TK2MSFTNGP12.phx.gbl...
> Thanks for the response.  The username is mine.  I have admin access.
>
> Dean
>
> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> news:%23rR5NYotDHA.556@TK2MSFTNGP11.phx.gbl...
> > The importance of this all depends on what you
> > can tell us of the account "username"
> >
> > -- 
> > Roger Abell
> > Microsoft MVP (Windows Server System: Security)
> > MCSE (W2k3,W2k,Nt4)  MCDBA
> > "dean" <anonymous@discussions.microsoft.com> wrote in message
> > news:071b01c3b66d$0f0f3050$a101280a@phx.gbl...
> > > This event is getting logged every few seconds in the
> > > security log. Any ideas?  This feels like a security
> > > breach. Any help would be appreciated.
> > >
> > > Privileged object operation:
> > >   Object Server: EventLog
> > >   Object Handle: 12649776
> > >   Process ID: 568
> > >   Primary User Name: ComputerName$
> > >   Primary Domain: DOMAINNAME
> > >   Primary Logon ID: (0x0,0x3E7)
> > >   Client User Name: username
> > >   Client Domain: DOMAINNAME
> > >   Client Logon ID: (0x0,0x114A6)
> > >   Privileges: SeSecurityPrivilege
> > >
> >
> >
>
>
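Added example, not part of the original thread: one way to approach the "chase down what is running" step from exported Event 577 records is to group them by Process ID, client user, logon ID and privilege, then report the groups that fire every few seconds. The field layout follows the event quoted above; the timestamps, thresholds, and the second process and user in the sample are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

FIELD = re.compile(r"^\s*([A-Za-z ]+):\s*(.*?)\s*$")
KEYS = ("Process ID", "Client User Name", "Client Logon ID", "Privileges")

def parse_577(description):
    """Turn the 'Key: value' lines of an Event 577 description into a dict."""
    fields = {}
    for line in description.splitlines():
        m = FIELD.match(line)
        if m and m.group(2):  # the title line has no value and is skipped
            fields[m.group(1).strip()] = m.group(2)
    return fields

def noisy_sources(events, min_events=5, max_median_gap=10.0):
    """Group events by KEYS; report groups that fire every few seconds."""
    groups = defaultdict(list)
    for ts, description in events:
        f = parse_577(description)
        groups[tuple(f.get(k) for k in KEYS)].append(datetime.fromisoformat(ts))
    findings = []
    for key, times in groups.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= min_events and median(gaps) <= max_median_gap:
            findings.append(dict(zip(KEYS, key), count=len(times), median_gap_s=median(gaps)))
    return sorted(findings, key=lambda r: r["count"], reverse=True)

# Constructed sample: timestamps, process 1200 and "otheruser" are invented.
TEMPLATE = """Privileged object operation:
  Object Server: EventLog
  Object Handle: {handle}
  Process ID: {pid}
  Primary User Name: ComputerName$
  Primary Domain: DOMAINNAME
  Primary Logon ID: (0x0,0x3E7)
  Client User Name: {user}
  Client Domain: DOMAINNAME
  Client Logon ID: (0x0,0x114A6)
  Privileges: SeSecurityPrivilege
"""
SAMPLE = [(f"2003-11-29T14:00:{s:02d}", TEMPLATE.format(handle=12649776, pid=568, user="username"))
          for s in range(0, 24, 4)]
SAMPLE += [(f"2003-11-29T{h:02d}:30:00", TEMPLATE.format(handle=1111, pid=1200, user="otheruser"))
           for h in (9, 15)]
print(noisy_sources(SAMPLE))
```

The Process ID in each reported group is the value to match against the running process list on the affected machine.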

