SeTcbPrivilege event 577 - how to determine process?

[JasonW]

I am seeing repeated occurances of an failure audit in my security log

MS says that this (SeTcbPrivilege) is a process trying to authenticate as
though it were a user. I have checked the application and system logs and
there does not seem to be a corresponding event. Any suggestions on how I
might track the process accosicated with this event? The hex umber shown
with the Primary Logon ID changes each time, but I don't know any way to
decipher what this means.


Event Type: Failure Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 577
Date: 8/5/2003
Time: 9:23:14 AM
User: J1\RC
Computer: J1
Description:
Privileged Service Called:
Server: Security
Service: -
Primary User Name: RC
Primary Domain: J1
Primary Logon ID: (0x0,0xD82C)
Client User Name: -
Client Domain: -
Client Logon ID: -
Privileges: SeTcbPrivilege


-JasonW

 

[JasonW]

Unfortunately, that is a real-time readout, rather than showing me a record
of what process was running at a particular time. Do you know of anything
that would keep a record of when processes start or stop? I imagine that the
log file would get pretty large, but it could be useful. It would have been
nice if MS had included that detail in the security log.

-JasonW

 

[Steven L Umbach]

Here is a KB article, that pretty much says to ignore this error - though it
is specific to NT4.0. You could try to enable auditing for process tracking failures,
but not sure if that would show it. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;238185
http://www.eventid.net/display.asp?eventid=577&source=security

 

[JasonW]

Thanks, I guess it is not really a problem then.

-JasonW