We help IT Professionals succeed at work.

Event security log errors

ellandrd
ellandrd asked
on
1,784 Views
Last Modified: 2010-08-05
I seem to be getting a lot of these with my users

Privileged Service Called:
       Server:            Security
       Service:            -
       Primary User Name:      *****
       Primary Domain:      ****
       Primary Logon ID:      (0x0,0xD442)
       Client User Name:      -
       Client Domain:      -
       Client Logon ID:      -
       Privileges:      SeIncreaseBasePriorityPrivilege

For more information, see Help and Support Center at

Source:security
Category:privalage use
Type failed audit

I get them about  every 5 mins

XP connected to 2k servers romaing profile. any more info just ask

Thanks in advance
Comment
Watch Question

Zaheer IqbalTechnical Assurance & Implementation
CERTIFIED EXPERT

Commented:
Pete LongTechnical Architect
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
This privelege is for

SeIncreaseBasePriorityPrivilege                Increase scheduling priority.

if thats any help

Author

Commented:
event id 577
Zaheer IqbalTechnical Assurance & Implementation
CERTIFIED EXPERT

Commented:
From event id.net

Event ID: 577
Source Security  
Type Success Audit  
Description Privileged Service Called:
Server: NT Local Security Authority / Authentication Service
Service: LsaRegisterLogonProcess()
Primary User Name: <computer name>$
Primary Domain: <domain or workgroup name>
Primary Logon ID: (0x0,0x3E7)
Client User Name: <computer name>$
Client Domain: <domain or workgroup name>
Client Logon ID: (0x0,0x3E7)
Privileges: <privilege string>  
Things to understand What is the LSA?  
Comments Adrian Grigorof
This event record indicates that an attempt has been made to use a privilege to perform a privileged system service.

If the operation is successful, this event is recorded as "Success Audit" if not it is recorded as "Failure Audit". Depending on you Audit Policy these type of events may or may not show up. If you receive quite a few of "Success Audit" 577 events than most probably you have "Audit privilege use" enable for both cases. There are many normal processes that use their privileges so naturally the events gets recorded.

This event can also be logged when you used Winmsd and save a report (see Q811196).

As per Q238185, when you are using a Remote Procedure Call-based (RPC-based) client/server program, this error may be recorded (in this case, it does not indicate a security breach; you can safely ignore it).

Privileges: See Q101366 for a list of privileges strings and what they mean. common ones:
- SeIncreaseBasePriorityPrivilege = Increase Scheduling Priority = The user can boost the scheduling priority of a process.
- SeTcbPrivilege = To Act as Part of the Operating System = The user can act as a trusted part of the operating system. Some subsystems have this privilege granted to them.

Kurt Mosley
This can happen if an application tries to increase it's scheduling priority on the CPU. Most users do not have the permission to do this, so the application will fail it's attempt and log this in the security log. We got this to go away by giving the users the "Increase Scheduling Priority" right in the local security policy. So far, no ill affects and the event log has gone away.  


Source Security  
Type Failure Audit  
Description Privileged Service Called:
Server: <authentication process>
Service: <service name>
Primary User Name: <computer name>$
Primary Domain: <domain or workgroup name>
Primary Logon ID: <client logon id>
Client User Name: <computer name>$
Client Domain: <domain or workgroup name>
Client Logon ID: <logon id>
Privileges: <privilege string>  
Comments Rob Bruce (Last update 1/28/2004):
As per Q238182: "The security audit occurs while the RPC subsystem acquires the user's credentials for authenticated RPC. There are two ways for the code to do this. If the first method does not succeed, the second method is tried. In this case, the first method (calling the local security authority [LSA] directly) does not succeed and generates an Audit Failure entry". See the article for a hotfix.

Ionut Marin (Last update 1/28/2004):
As per Microsoft: "This problem may occur when all the following conditions are true:
1. A program that is installed on your Windows XP-based computer makes a call to the SetProcessWorkingSetSize function to release the working set.
2. Auditing of the Audit privilege use category is turned on.
3. Your user account does not have the SeIncreaseBasePriorityPrivilege user right, also known as "Increase Scheduling Priority." See Q831905 for a hotfix.

Faisal Ahmed (Last update 1/28/2004):
Thing can also happen if a user tries to load or unload a driver. Most users do not have the permission to do this, so the driver loading will fail its attempt and log this in the security log. I got this to go away by giving the users the "Load and Unload Device Drivers" right in the local security policy.

Adrian Grigorof (Last update 8/30/2003):
If this is recorded when users attempt to change their password (and they get "Unable to change the password on this account (C00000BE") then see Q176978.  

Author

Commented:
bascially i had set adutit policy on my server (some crappy ones) which dont make sense to man no beast and are filling up my system.

Thanks for you help 1stITMAN
Technical Assurance & Implementation
CERTIFIED EXPERT
Commented:
This one is on us!
(Get your first solution completely free - no credit card required)
UNLOCK SOLUTION

Gain unlimited access to on-demand training courses with an Experts Exchange subscription.

Get Access
Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant
Empower Your Career
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE

Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

  • Troubleshooting
  • Research
  • Professional Opinions
Unlock the solution to this question.
Join our community and discover your potential

Experts Exchange is the only place where you can interact directly with leading experts in the technology field. Become a member today and access the collective knowledge of thousands of technology experts.

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.