Event Viewer/Security


BrianF

I seem to be getting a large number of logon entries in this folder, most
successful but an occasional block of five failed entries saying an
incorrect password was attempted. This is quite worrying because I cannot
identify the origin of these attempts.
The PC has been thoroughly scanned for viruses, trojans and malware but all
come back negative - not surprising as I have a NAT router, personal
firewall, AVG, Windows Defender and PestPatrol all active.
On the other hand, I have three PCs running WindowsXP Pro and it is only
this one that has this problem.

An example of one random entry is:

Special privileges assigned to new logon:
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon ID: (0x0,0x3E4)
Privileges: SeAuditPrivilege
            SeAssignPrimaryTokenPrivilege
            SeChangeNotifyPrivilege

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


Does this suggest anything to any of the experts here?
 

Wesley Vogel

ID: 576
Source: Security
http://www.microsoft.com/technet/su...odVer=5.0&EvtID=576&EvtSrc=Security&LCID=1033

Event ID: 576
Source Security
http://www.eventid.net/display.asp?eventid=576&eventno=58&source=Security&phase=1

No need to subscribe to EventID.net....

M174074 is
Security Event Descriptions
http://support.microsoft.com/kb/174074

M264769 is
Event ID 576 Fills the Security Event Log When Auditing
http://support.microsoft.com/kb/264769

M822774 is
System Performance Decreases, and Many Event ID 576 Entries Are Logged to
the Security Event Log
http://support.microsoft.com/kb/822774

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User


BrianF

Wesley Vogel said:
ID: 576
Source: Security
http://www.microsoft.com/technet/su...odVer=5.0&EvtID=576&EvtSrc=Security&LCID=1033

Event ID: 576
Source Security
http://www.eventid.net/display.asp?eventid=576&eventno=58&source=Security&phase=1

No need to subscribe to EventID.net....

M174074 is
Security Event Descriptions
http://support.microsoft.com/kb/174074

M264769 is
Event ID 576 Fills the Security Event Log When Auditing
http://support.microsoft.com/kb/264769

M822774 is
System Performance Decreases, and Many Event ID 576 Entries Are Logged to
the Security Event Log
http://support.microsoft.com/kb/822774

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

Thanks Wes. I guess it's not important that none of those articles cover
WinXP Pro specifically. In any case, they led me to the policies section of
Admin Tools where I see there is a whole bunch of stuff that I have never
had reason to look at previously. Consequently, I can confirm that I have
never set any of those policies and I'm not sure that I would dare to make
any changes without a bit more education on the subject.
Presumably all of these entries are relatively insignificant unless
associated with some other more direct warning, such as a flag from Windows
Defender or the AV program.
This morning, I noted 53 entries in the security log during the first 10
minutes after switching on. Five of those were the Audit Fail block that I
mentioned above. Most of the entries are 576 or 528 events. I just can't
understand why this machine logs these events whereas my two others do not,
especially as I have not set the security policies on any of them.

brianf
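
An added example, not part of the original thread: one way to triage a Security log like the one described above, separating the routine 528/576 pairs logged for built-in service accounts from 529 failures (the pre-Vista event ID for "unknown user name or bad password") and grouping those failures into bursts. The CSV column layout, the sample rows, the user and workstation names, and the 60-second window are all assumptions made for illustration.

```python
import csv, io
from collections import Counter
from datetime import datetime, timedelta

# Pre-Vista Security event IDs: 528 successful logon, 529 failed logon
# (bad user name or password), 576 special privileges assigned to new logon.
SERVICE_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}
LOGON_TYPES = {"2": "interactive", "3": "network", "5": "service"}

# Constructed sample export (assumed columns; not data from the thread).
SAMPLE = """\
time,event_id,user,logon_type,workstation
2006-05-01 08:00:05,528,NETWORK SERVICE,5,
2006-05-01 08:00:05,576,NETWORK SERVICE,,
2006-05-01 08:00:07,528,LOCAL SERVICE,5,
2006-05-01 08:00:07,576,LOCAL SERVICE,,
2006-05-01 08:01:10,528,brian,2,DESKTOP1
2006-05-01 08:01:10,576,brian,,
2006-05-01 08:03:00,529,Administrator,3,LAPTOP2
2006-05-01 08:03:01,529,Administrator,3,LAPTOP2
2006-05-01 08:03:02,529,Administrator,3,LAPTOP2
2006-05-01 08:03:03,529,Administrator,3,LAPTOP2
2006-05-01 08:03:04,529,Administrator,3,LAPTOP2
2006-05-01 08:09:30,529,brian,2,DESKTOP1
"""

def load(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["time"] = datetime.strptime(r["time"], "%Y-%m-%d %H:%M:%S")
        r["event_id"] = int(r["event_id"])
    return sorted(rows, key=lambda r: r["time"])

def summarize(rows):
    """Count events per ID, split into service-account noise and the rest."""
    noise, other = Counter(), Counter()
    for r in rows:
        (noise if r["user"].upper() in SERVICE_ACCOUNTS else other)[r["event_id"]] += 1
    return noise, other

def failure_bursts(rows, gap=timedelta(seconds=60)):
    """Group 529 events into bursts of failures at most `gap` apart."""
    bursts = []
    for r in (r for r in rows if r["event_id"] == 529):
        if bursts and r["time"] - bursts[-1][-1]["time"] <= gap:
            bursts[-1].append(r)
        else:
            bursts.append([r])
    return [{"start": b[0]["time"], "count": len(b),
             "users": sorted({r["user"] for r in b}),
             "logon_types": sorted({LOGON_TYPES.get(r["logon_type"], r["logon_type"]) for r in b}),
             "workstations": sorted({r["workstation"] for r in b})} for b in bursts]
```

The logon type and workstation name recorded with each failure burst are the fields that indicate where the attempts came from: a network-type burst naming another machine means the attempt arrived over the LAN, while an interactive one was typed at the console.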
 

Wesley Vogel

Group Policy, look at...
Computer Configuration\Windows Settings\Security Settings\Local
Policies\Audit Policy

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User


BrianF

Wesley Vogel said:
Group Policy, look at...
Computer Configuration\Windows Settings\Security Settings\Local
Policies\Audit Policy
Thanks, Wes. Not sure that I know what I'm doing but I set all to log only
failures.

brianf
 
