577 Privilege Use SeTcbPrivilege error

Peter Kaufman

I get this failure audit in my log every time I log in to my W2K SP4
domain from my XP SP1 workstation.

Event Type: Failure Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 577
Date: 29/08/2003
Time: 9:39:39 AM
User: JOMTIEN\peterk
Computer: PETER1
Description:
Privileged Service Called:
Server: Security
Service: -
Primary User Name: peterk
Primary Domain: JOMTIEN
Primary Logon ID: (0x0,0xAAEA56)
Client User Name: -
Client Domain: -
Client Logon ID: -
Privileges: SeTcbPrivilege

Any ideas on tracking this down would be most appreciated.

Peter Kaufman MCP
 
Dave Christiansen [MS]

Note that the failure audit means that you don't have that privilege, which
is, in and of itself, normal.

Are you running any programs that might try to perform system logons, or
create new process tokens?
The TCB privilege used to be required to call the LogonUser API, but with XP
this is no longer the case.

--
Dave Christiansen, Windows Core Security Testing
This message is provided "AS IS" with no warranties, and confers no rights.
This message originates in the State of Washington (USA), where unsolicited
commercial email is legally actionable (see
http://www.wa.gov/ago/junkemail).
Harvesting of this address for purposes of bulk email (including "spam") is
prohibited unless by my expressed prior request. I retaliate viciously
against spammers and spam sites.
 
Peter Kaufman

Dave, thanks for the response.

I am not aware of any software on my box that would require system
logons. My software is pretty well mainstream. Is there any way to
identify the program?

What types of programs require new process tokens?

Peter
 
Dave Christiansen [MS]

If you mean virus scanners, I suppose anything's possible, but it seems very
unlikely.
If you mean a hacker, it seems more likely, though still not very. Does
this information look legitimate?

....is PETER1 your XP machine? Do you have anything interesting in your
Startup folder or in the registry under HKLM\Software\Microsoft\Windows\Run?
> I am not aware of any software on my box that would require system
> logons. My software is pretty well mainstream. Is there any way to
> identify the program?

If all else fails, you can configure an audit policy on PETER1 to enable
process tracking, logoff and log back on. This should give you a rough
indication of what process (if any) is causing this. From there you can try
to find out what that process is doing.

> What types of programs require new process tokens?

System processes and services generally-- it probably won't be a service,
though, because most older services install as LocalSystem, which is granted
the TCB privilege already.

--
Dave Christiansen, Windows Core Security Testing
This message is provided "AS IS" with no warranties, and confers no rights.
This message originates in the State of Washington (USA), where unsolicited
commercial email is legally actionable (see
http://www.wa.gov/ago/junkemail).
Harvesting of this address for purposes of bulk email (including "spam") is
prohibited unless by my expressed prior request. I retaliate viciously
against spammers and spam sites.
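
One way to do the correlation suggested above once process tracking is enabled, as an added example that is not part of the original thread: for each failed 577, list the processes still running in the same logon session, newest first. The pipe-delimited record layout, image names and process IDs are constructed for illustration; 592 and 593 are the process creation and exit events that process tracking writes on Windows 2000/XP.

```python
import re
from datetime import datetime

# Constructed records: time|event ID|description. 592/593 are the process
# creation/exit events that process tracking logs on Windows 2000/XP; the
# image names and process IDs below are made up for illustration.
SAMPLE = r"""
9:39:30 AM|592|New Process ID: 1250; Image File Name: \WINDOWS\system32\userinit.exe; Logon ID: (0x0,0xAAEA56)
9:39:31 AM|592|New Process ID: 1184; Image File Name: \WINDOWS\explorer.exe; Logon ID: (0x0,0xAAEA56)
9:39:33 AM|593|Process ID: 1250; Image File Name: \WINDOWS\system32\userinit.exe; Logon ID: (0x0,0xAAEA56)
9:39:36 AM|592|New Process ID: 1320; Image File Name: \Program Files\Example\agent.exe; Logon ID: (0x0,0xAAEA56)
9:39:37 AM|592|New Process ID: 1400; Image File Name: \WINDOWS\system32\other.exe; Logon ID: (0x0,0x3E7)
9:39:39 AM|577|Primary Logon ID: (0x0,0xAAEA56); Client Logon ID: -; Privileges: SeTcbPrivilege
"""

def field(desc, name):
    """Return the value of an exactly named 'Name: value' field, or None."""
    m = re.search(r"(?:^|; )" + re.escape(name) + r": ([^;]*)", desc)
    return m.group(1).strip() if m else None

def parse(text):
    for line in text.strip().splitlines():
        when, event_id, desc = line.split("|", 2)
        yield datetime.strptime(when, "%I:%M:%S %p"), int(event_id), desc

def suspects(text, privilege="SeTcbPrivilege"):
    """For each failed 577, list processes alive in the same logon session, newest first."""
    alive, results = {}, []  # alive: (logon ID, PID) -> (start time, image)
    for when, event_id, desc in sorted(parse(text), key=lambda r: r[0]):
        if event_id == 592:    # process created: remember it under its session
            key = (field(desc, "Logon ID"), field(desc, "New Process ID"))
            alive[key] = (when, field(desc, "Image File Name"))
        elif event_id == 593:  # process exited: it cannot cause later audits
            alive.pop((field(desc, "Logon ID"), field(desc, "Process ID")), None)
        elif event_id == 577 and privilege in (field(desc, "Privileges") or ""):
            session = field(desc, "Primary Logon ID")
            hits = sorted((v for k, v in alive.items() if k[0] == session), reverse=True)
            results.append((session, [image for _, image in hits]))
    return results

if __name__ == "__main__":
    for session, images in suspects(SAMPLE):
        print(session, images)
```

The result is a candidate list rather than a definite answer, since the 577 record shown in the thread carries a logon ID but no process ID.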
 
