Sudden activity of SceCli in Application Log (Event Viewer)

[Shannon Jacobs]

This is the Security Configuration Editor CLIent for Windows. I've
been noticing some suspicious crashes lately, so I looked in the Event
Viewer and didn't find anything obviously helpful, but I'm kind of
mystified by these notations about SceCli that suddenly started
appearing from July 5th. Haven't been able to find any obviously
related discussions here. Most of the discussions that mentioned it
were related to Microsoft's HTTP server, and I'm an Apache user, and
there haven't been any Apache problems. The actual log message is kind
of tricky, but it seems to be saying that the group security has been
successfully applied--but I can't imagine why it started on July 5th.
Frequency is weird, too. About once or twice a day, and usually at
times when I am not home.

So has anyone else noticed this? Explanations? My current hypothesis
is another Microsoft patch, but who can keep track? (Actually, the
installation history shows that was the date I installed Windows 2000
SP4. Perhaps new Microsoft spyware?)

 

[MSFT]

--------------------

From: (e-mail address removed) (Shannon Jacobs)
Newsgroups: microsoft.public.win2000.security
Subject: Sudden activity of SceCli in Application Log (Event Viewer)
Date: 1 Nov 2003 16:57:59 -0800
Organization: http://groups.google.com
Lines: 17
Message-ID: <[email protected]>
NNTP-Posting-Host: 61.125.218.35
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Trace: posting.google.com 1067734680 1752 127.0.0.1 (2 Nov 2003 00:58:00 GMT)
X-Complaints-To: (e-mail address removed)
NNTP-Posting-Date: Sun, 2 Nov 2003 00:58:00 +0000 (UTC)
Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!news-out.cwix.com!newsfeed.cwix.com!news.maxwell.syr.edu!postnews1.google.com!not-for-mail
Xref: cpmsftngxa06.phx.gbl microsoft.public.win2000.security:14643
X-Tomcat-NG: microsoft.public.win2000.security

This is the Security Configuration Editor CLIent for Windows. I've
been noticing some suspicious crashes lately, so I looked in the Event
Viewer and didn't find anything obviously helpful, but I'm kind of
mystified by these notations about SceCli that suddenly started
appearing from July 5th. Haven't been able to find any obviously
related discussions here. Most of the discussions that mentioned it
were related to Microsoft's HTTP server, and I'm an Apache user, and
there haven't been any Apache problems. The actual log message is kind
of tricky, but it seems to be saying that the group security has been
successfully applied--but I can't imagine why it started on July 5th.
Frequency is weird, too. About once or twice a day, and usually at
times when I am not home.

So has anyone else noticed this? Explanations? My current hypothesis
is another Microsoft patch, but who can keep track? (Actually, the
installation history shows that was the date I installed Windows 2000
SP4. Perhaps new Microsoft spyware?)

Hi Shannon!

Could you post the actual events that you are seeing in the event viewer? SceCli messages are not necessarily bad- or example, when group policy
successfully processes, it will generate a 1704 message in the Application Log. Any additional information that you could provide would be very helpful.


Thanks-

Siddharth Sawkar
PSS Security

=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Shannon Jacobs]

As you suggested the message is a 1704, and as I noted, it is only a
notation, not an error message or warning. I could include the Japanese
text, but I doubt you read that language, and the translation would appear
to match your description. So now I think we're back to my original
question: Why did these messages start appearing on July 5th? To the best of
my knowledge, I did nothing to my security configuration, but it appears
that Microsoft may have. What and why?

 

[MSFT]

--------------------

From: "Shannon Jacobs" <[email protected]>
References: <[email protected]> <[email protected]>
Subject: Re: Sudden activity of SceCli in Application Log (Event Viewer)
Date: Tue, 4 Nov 2003 13:09:34 +0900
Lines: 74
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-2022-jp"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Message-ID: <#[email protected]>
Newsgroups: microsoft.public.win2000.security
NNTP-Posting-Host: alaska.yamato.ibm.com 203.141.89.168
Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP09.phx.gbl
Xref: cpmsftngxa06.phx.gbl microsoft.public.win2000.security:14794
X-Tomcat-NG: microsoft.public.win2000.security

As you suggested the message is a 1704, and as I noted, it is only a
notation, not an error message or warning. I could include the Japanese
text, but I doubt you read that language, and the translation would appear
to match your description. So now I think we're back to my original
question: Why did these messages start appearing on July 5th? To the best of
my knowledge, I did nothing to my security configuration, but it appears
that Microsoft may have. What and why?

Hi Shannon

What this means is that on July 5th, your system started functioning correctly
Updates and/or hotfixes by themselves will not have changed this behavior.

Glad to hear everything is working!

Siddharth Sawkar
PSS Security

=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Shannon Jacobs]

MSFT wrote:

What this means is that on July 5th, your system started functioning
correctly Updates and/or hotfixes by themselves will not have
changed this behavior.

Glad to hear everything is working!

Siddharth Sawkar
PSS Security

I take it that you are actually a Microsoft employee. That explains why you
won't give a straight answer to the question--since I haven't paid any extra
money for an answer. But just for grins, let's make it even simpler:

What was broken?

By the way, my current theory is that your update installed some kind of
Microsoft spyware, and the security group policy that is being checked is
some sort of anti-piracy measure for Microsoft's benefit, not mine. I've
already stated that, to the best of my knowledge, I did NOT do anything to
my security policies.