james.blevins
I've spent an hour on Google so far without getting any useful
information. Hopefully someone here knows enough to help me figure this
out.
Here's the background:
All users on our domain have restricted user accounts. This morning,
when a user went to log in, she got a message stating that the security
log was full and that a user with admin rights had to login. Oh, and in
case it matters, this box is running WinXP Pro SP2 w/latest updates.
I went through her security log to find out why it was full, and
discovered the following entries. They began at 1:00 yesterday and
ended at 3:19, averaging 2 per minute. They're all nearly identical
(except for time and operation ID), so I'll just post the first one.
Date: 1/30/2006 Source: Security
Time: 1:00:01 PM Category: Object Access
Type: Failure Aud Event ID: 560
User: <the user on our domain>
Computer: <computer in our domain>
Object Open:
Object Server: SC Manager
Object Type: SERVICE OBJECT
Object Name: CiSvc
Handle ID: -
Operation ID: {0,4208757}
Process ID: 724
Image File Name: C:\WINDOWS\system32\services.exe
Primary User Name: <the computer's name>
Primary Domain: <our domain>
Primary Logon ID: (0x0,0x3E7)
Client User Name: <her username>
Client Domain: <our domain>
Client Logon ID: (0x0,0x2CB3A)
Accesses: Set service configuration information
Query status of service
Start the service
Stop the service
Privileges: -
Restricted Sid Count: 0
Is this something I should be concerned about, or can I safely ignore
it? The user reports that she was looking up stuff on the internet
using Internet Explorer. Is this possibly an attempted (but failed)
malware installation? I'm completely lost here and will greatly
appreciate any insight.
A million thanks,
James Blevins
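A way to tally entries like the one posted above, added here as an example and not part of the original post: it parses a text export in the layout shown (Event ID 560) and reports, per object and client user, the count, the rate per minute and the non-query accesses that were requested. The sample records, the user name `exampleuser` and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the layout of the posted entry (placeholder user name).
RECORD = """Date: 1/30/2006 Source: Security
Time: {t} Category: Object Access
Type: Failure Aud Event ID: 560
Object Name: CiSvc
Client User Name: exampleuser
Accesses: Set service configuration information
Query status of service
Start the service
Stop the service
Privileges: -
"""
SAMPLE = "".join(RECORD.format(t=t) for t in ("1:00:01 PM", "1:00:31 PM", "1:01:01 PM"))

def field(chunk, name):
    m = re.search(rf"(?m)^[ \t]*{name}:[ \t]*(.*)$", chunk)
    return m.group(1).strip() if m else ""

def parse_events(text):
    """Split an export on 'Date:' lines and keep the Event ID 560 records."""
    events = []
    for chunk in re.split(r"(?m)^(?=Date: )", text):
        stamp = re.search(r"Date: (\S+).*?Time: (\S+ [AP]M)", chunk, re.S)
        if not stamp or "Event ID: 560" not in chunk:
            continue
        # Accesses continues on the following lines, up to "Privileges:".
        acc = re.search(r"(?ms)^[ \t]*Accesses:[ \t]*(.*?)^[ \t]*Privileges:", chunk)
        events.append({
            "when": datetime.strptime(" ".join(stamp.groups()), "%m/%d/%Y %I:%M:%S %p"),
            "key": (field(chunk, "Object Name"), field(chunk, "Client User Name")),
            "accesses": acc.group(1).split("\n") if acc else []})
    return events

def summarize(events):
    """Per (object, client user): count, rate per minute, non-query accesses requested."""
    groups = defaultdict(list)
    for e in events:
        groups[e["key"]].append(e)
    out = {}
    for key, evs in groups.items():
        times = sorted(e["when"] for e in evs)
        minutes = (times[-1] - times[0]).total_seconds() / 60
        asked = sorted({a.strip() for e in evs for a in e["accesses"] if a.strip()})
        out[key] = {"count": len(evs), "first": times[0], "last": times[-1],
                    "per_minute": round(len(evs) / minutes, 2) if minutes else None,
                    "modifying": [a for a in asked if not a.startswith("Query")]}
    return out
```

Calling `summarize(parse_events(text))` on a saved export returns one row per object and client user, so a burst against a single service stands out from unrelated audit noise.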