Failure Audit Security Log Event ID 577

Hi Roger,
Privilege use failures are all that is being audited and
only one event is recorded, eventID 577. An event is
logged every thirty seconds when the user is logged on.
The workststion can be idle, ie. screensaver up, and the
same event is still logged.
I have tried altering the local security 'Increase
scheduling priority' policy to 'Authenticated Users' and
also 'Not Defined'. This had no apparent effect.

>-----Original Message-----
>Onr solution is to ease back on the events you are

auditing.

>Assuming you put the ******* in there for privacy,
>logging of this is controlled by the "Audit privlege use"
>
>However, your subject (only) indicates that you are
>getting many failures, and _if_ one lessens this category
>of auditing it is usually to only log failures (not

successes).

>So in your case you probably need to track down what the
>******** account is doing when it gets denied.
>The user right that the account is not being granted is

the

>one shown in local policy as "Increase scheduling

priority"

>You may find that profiling the actions of the account

will

>lead you to a solution, for example KB 811196 is a case
>where admin accounts trigger this event even though they
>are granted the user right.
>
>--
>Roger Abell
>Microsoft MVP (Windows Server System: Security)
>MCSE (W2k3,W2k,Nt4) MCDBA
>"Jake" <j.lomax@mgn.co.uk> wrote in message
>news:08a601c38917$9ec10990$a301280a@phx.gbl...

>> Does anyone know how to stop this failure audit event
>> being recorded. Its happening on a couple of my clients
>> now and with enforced 90 day log retention I need to

keep

>> increasing the log size, I'm not happy with this and

want

>> to know how to stop it.
>>
>> Privileged Service Called:
>> Server: Security
>> Service: -
>> Primary User Name: ********
>> Primary Domain: *******
>> Primary Logon ID: (0x0,0x****)
>> Client User Name: -
>> Client Domain: -
>> Client Logon ID: -
>> Privileges: SeIncreaseBasePriorityPrivilege
>>

>
>
>.
>

You could try profiling what processes are running
in the account process, perhaps with aid from tools
from www.sysinternals.com
Also, does this happen with a newly defined account ?

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Jake" <j.lomax@mgn.co.uk> wrote in message
news:0cea01c389f0$9db88da0$a001280a@phx.gbl...

> Hi Roger,
> Privilege use failures are all that is being audited and
> only one event is recorded, eventID 577. An event is
> logged every thirty seconds when the user is logged on.
> The workststion can be idle, ie. screensaver up, and the
> same event is still logged.
> I have tried altering the local security 'Increase
> scheduling priority' policy to 'Authenticated Users' and
> also 'Not Defined'. This had no apparent effect.
>
>

> >-----Original Message-----
> >Onr solution is to ease back on the events you are

> auditing.

> >Assuming you put the ******* in there for privacy,
> >logging of this is controlled by the "Audit privlege use"
> >
> >However, your subject (only) indicates that you are
> >getting many failures, and _if_ one lessens this category
> >of auditing it is usually to only log failures (not

> successes).

> >So in your case you probably need to track down what the
> >******** account is doing when it gets denied.
> >The user right that the account is not being granted is

> the

> >one shown in local policy as "Increase scheduling

> priority"

> >You may find that profiling the actions of the account

> will

> >lead you to a solution, for example KB 811196 is a case
> >where admin accounts trigger this event even though they
> >are granted the user right.
> >
> >--
> >Roger Abell
> >Microsoft MVP (Windows Server System: Security)
> >MCSE (W2k3,W2k,Nt4) MCDBA
> >"Jake" <j.lomax@mgn.co.uk> wrote in message
> >news:08a601c38917$9ec10990$a301280a@phx.gbl...

> >> Does anyone know how to stop this failure audit event
> >> being recorded. Its happening on a couple of my clients
> >> now and with enforced 90 day log retention I need to

> keep

> >> increasing the log size, I'm not happy with this and

> want

> >> to know how to stop it.
> >>
> >> Privileged Service Called:
> >> Server: Security
> >> Service: -
> >> Primary User Name: ********
> >> Primary Domain: *******
> >> Primary Logon ID: (0x0,0x****)
> >> Client User Name: -
> >> Client Domain: -
> >> Client Logon ID: -
> >> Privileges: SeIncreaseBasePriorityPrivilege
> >>

> >
> >
> >.
> >

I am seeing the exact same error message, every 30
seconds. We have been running Windows XP for over 8 months
and have never seen this error message before. I have
recently installed 2 new clients and it is happening on
those 2, it also has spread to my older clients now...very
weird did you find anything that helped you track this
down??

>-----Original Message-----
>You could try profiling what processes are running
>in the account process, perhaps with aid from tools
>from www.sysinternals.com
>Also, does this happen with a newly defined account ?
>
>--
>Roger Abell
>Microsoft MVP (Windows Server System: Security)
>MCSE (W2k3,W2k,Nt4) MCDBA
>"Jake" <j.lomax@mgn.co.uk> wrote in message
>news:0cea01c389f0$9db88da0$a001280a@phx.gbl...

>> Hi Roger,
>> Privilege use failures are all that is being audited and
>> only one event is recorded, eventID 577. An event is
>> logged every thirty seconds when the user is logged on.
>> The workststion can be idle, ie. screensaver up, and the
>> same event is still logged.
>> I have tried altering the local security 'Increase
>> scheduling priority' policy to 'Authenticated Users' and
>> also 'Not Defined'. This had no apparent effect.
>>
>>

>> >-----Original Message-----
>> >Onr solution is to ease back on the events you are

>> auditing.

>> >Assuming you put the ******* in there for privacy,
>> >logging of this is controlled by the "Audit privlege

use"

>> >
>> >However, your subject (only) indicates that you are
>> >getting many failures, and _if_ one lessens this

category

>> >of auditing it is usually to only log failures (not

>> successes).

>> >So in your case you probably need to track down what

the

>> >******** account is doing when it gets denied.
>> >The user right that the account is not being granted is

>> the

>> >one shown in local policy as "Increase scheduling

>> priority"

>> >You may find that profiling the actions of the account

>> will

>> >lead you to a solution, for example KB 811196 is a case
>> >where admin accounts trigger this event even though

they

>> >are granted the user right.
>> >
>> >--
>> >Roger Abell
>> >Microsoft MVP (Windows Server System: Security)
>> >MCSE (W2k3,W2k,Nt4) MCDBA
>> >"Jake" <j.lomax@mgn.co.uk> wrote in message
>> >news:08a601c38917$9ec10990$a301280a@phx.gbl...
>> >> Does anyone know how to stop this failure audit event
>> >> being recorded. Its happening on a couple of my

clients

>> >> now and with enforced 90 day log retention I need to

>> keep

>> >> increasing the log size, I'm not happy with this and

>> want

>> >> to know how to stop it.
>> >>
>> >> Privileged Service Called:
>> >> Server: Security
>> >> Service: -
>> >> Primary User Name: ********
>> >> Primary Domain: *******
>> >> Primary Logon ID: (0x0,0x****)
>> >> Client User Name: -
>> >> Client Domain: -
>> >> Client Logon ID: -
>> >> Privileges: SeIncreaseBasePriorityPrivilege
>> >>
>> >
>> >
>> >.
>> >

>
>
>.
>

I am surprised that with all the problems you are experiencing, your machine
has not burst into flames an stopped the Blaster Worm.

"Can o&o, QBS software, disk defrag be purchased from
united state retailer?
thanks"

"when i go on the inter net the computer tells me that it
is shutting down in so many seconds and i have control
over it.this happens after about five minutes. can any
one help"

"After selecting a User on XP-Home, an error message
appears which states:
Memory access violation in module kernel 32 at
8175:22294851.
Any idea what this means and how to make it stop
appearing?"

"This is what happened... I was trying to re-install
Windows XP Pro. Well after that got going.. this is what
showed up.
"system is being restarted...." then,

"STOP: c000021a {Fatal System Error} The Windows Logon
Process system process terminated unexpectedly with a
status of 0xc0000034 (0x00000000 0x00000000).
The system has been shut down"

I can not get on my computer at all so I dont know how to
even start going about fixing this. Please Help."

"Anyone out there got a good XP solution for synching
folder contents on multiple machines across a network?
TiA."

"running xp home all updates
defrag error (dfrgfat.exe application error,,the
instruction at 0x77f52a84 referenced memory at 0x00000000
the memory could not be written
have tried in safe mode also ran scannow with xp cd loaded
hard drive free space 592mb, used space 4.29gb
thanks for any assistance"


<anonymous@discussions.microsoft.com> wrote in message
news:0bc501c392fd$edb96fc0$a301280a@phx.gbl...

> when i go on the inter net the computer tells me that it
> is shutting down in so many seconds and i have control
> over it.this happens after about five minutes. can any
> one help
>

<anonymous@discussions.microsoft.com> wrote in message
news:240701c39318$0e2379d0$7d02280a@phx.gbl...

> I am seeing the exact same error message, every 30
> seconds. We have been running Windows XP for over 8 months
> and have never seen this error message before. I have
> recently installed 2 new clients and it is happening on
> those 2, it also has spread to my older clients now...very
> weird did you find anything that helped you track this
> down??
>
>
>

> >-----Original Message-----
> >You could try profiling what processes are running
> >in the account process, perhaps with aid from tools
> >from www.sysinternals.com
> >Also, does this happen with a newly defined account ?
> >
> >--
> >Roger Abell
> >Microsoft MVP (Windows Server System: Security)
> >MCSE (W2k3,W2k,Nt4) MCDBA
> >"Jake" <j.lomax@mgn.co.uk> wrote in message
> >news:0cea01c389f0$9db88da0$a001280a@phx.gbl...

> >> Hi Roger,
> >> Privilege use failures are all that is being audited and
> >> only one event is recorded, eventID 577. An event is
> >> logged every thirty seconds when the user is logged on.
> >> The workststion can be idle, ie. screensaver up, and the
> >> same event is still logged.
> >> I have tried altering the local security 'Increase
> >> scheduling priority' policy to 'Authenticated Users' and
> >> also 'Not Defined'. This had no apparent effect.
> >>
> >>
> >> >-----Original Message-----
> >> >Onr solution is to ease back on the events you are
> >> auditing.
> >> >Assuming you put the ******* in there for privacy,
> >> >logging of this is controlled by the "Audit privlege

> use"

> >> >
> >> >However, your subject (only) indicates that you are
> >> >getting many failures, and _if_ one lessens this

> category

> >> >of auditing it is usually to only log failures (not
> >> successes).
> >> >So in your case you probably need to track down what

> the

> >> >******** account is doing when it gets denied.
> >> >The user right that the account is not being granted is
> >> the
> >> >one shown in local policy as "Increase scheduling
> >> priority"
> >> >You may find that profiling the actions of the account
> >> will
> >> >lead you to a solution, for example KB 811196 is a case
> >> >where admin accounts trigger this event even though

> they

> >> >are granted the user right.
> >> >
> >> >--
> >> >Roger Abell
> >> >Microsoft MVP (Windows Server System: Security)
> >> >MCSE (W2k3,W2k,Nt4) MCDBA
> >> >"Jake" <j.lomax@mgn.co.uk> wrote in message
> >> >news:08a601c38917$9ec10990$a301280a@phx.gbl...
> >> >> Does anyone know how to stop this failure audit event
> >> >> being recorded. Its happening on a couple of my

> clients

> >> >> now and with enforced 90 day log retention I need to
> >> keep
> >> >> increasing the log size, I'm not happy with this and
> >> want
> >> >> to know how to stop it.
> >> >>
> >> >> Privileged Service Called:
> >> >> Server: Security
> >> >> Service: -
> >> >> Primary User Name: ********
> >> >> Primary Domain: *******
> >> >> Primary Logon ID: (0x0,0x****)
> >> >> Client User Name: -
> >> >> Client Domain: -
> >> >> Client Logon ID: -
> >> >> Privileges: SeIncreaseBasePriorityPrivilege
> >> >>
> >> >
> >> >
> >> >.
> >> >

> >
> >
> >.
> >

removing real one player worked for me

>-----Original Message-----
>I am surprised that with all the problems you are

experiencing, your machine

>has not burst into flames an stopped the Blaster Worm.
>
>"Can o&o, QBS software, disk defrag be purchased from
>united state retailer?
>thanks"
>
>"when i go on the inter net the computer tells me that it
>is shutting down in so many seconds and i have control
>over it.this happens after about five minutes. can any
>one help"
>
>"After selecting a User on XP-Home, an error message
>appears which states:
>Memory access violation in module kernel 32 at
>8175:22294851.
>Any idea what this means and how to make it stop
>appearing?"
>
>"This is what happened... I was trying to re-install
>Windows XP Pro. Well after that got going.. this is what
>showed up.
>"system is being restarted...." then,
>
>"STOP: c000021a {Fatal System Error} The Windows Logon
>Process system process terminated unexpectedly with a
>status of 0xc0000034 (0x00000000 0x00000000).
>The system has been shut down"
>
>I can not get on my computer at all so I dont know how to
>even start going about fixing this. Please Help."
>
>"Anyone out there got a good XP solution for synching
>folder contents on multiple machines across a network?
>TiA."
>
>"running xp home all updates
>defrag error (dfrgfat.exe application error,,the
>instruction at 0x77f52a84 referenced memory at 0x00000000
>the memory could not be written
>have tried in safe mode also ran scannow with xp cd

loaded

>hard drive free space 592mb, used space 4.29gb
>thanks for any assistance"
>
>
><anonymous@discussions.microsoft.com> wrote in message
>news:0bc501c392fd$edb96fc0$a301280a@phx.gbl...

>> when i go on the inter net the computer tells me that

it

>> is shutting down in so many seconds and i have control
>> over it.this happens after about five minutes. can any
>> one help
>>

>
><anonymous@discussions.microsoft.com> wrote in message
>news:240701c39318$0e2379d0$7d02280a@phx.gbl...

>> I am seeing the exact same error message, every 30
>> seconds. We have been running Windows XP for over 8

months

>> and have never seen this error message before. I have
>> recently installed 2 new clients and it is happening on
>> those 2, it also has spread to my older clients

now...very

>> weird did you find anything that helped you track this
>> down??
>>
>>
>>

>> >-----Original Message-----
>> >You could try profiling what processes are running
>> >in the account process, perhaps with aid from tools
>> >from www.sysinternals.com
>> >Also, does this happen with a newly defined account ?
>> >
>> >--
>> >Roger Abell
>> >Microsoft MVP (Windows Server System: Security)
>> >MCSE (W2k3,W2k,Nt4) MCDBA
>> >"Jake" <j.lomax@mgn.co.uk> wrote in message
>> >news:0cea01c389f0$9db88da0$a001280a@phx.gbl...
>> >> Hi Roger,
>> >> Privilege use failures are all that is being

audited and

>> >> only one event is recorded, eventID 577. An event is
>> >> logged every thirty seconds when the user is logged

on.

>> >> The workststion can be idle, ie. screensaver up,

and the

>> >> same event is still logged.
>> >> I have tried altering the local security 'Increase
>> >> scheduling priority' policy to 'Authenticated

Users' and

>> >> also 'Not Defined'. This had no apparent effect.
>> >>
>> >>
>> >> >-----Original Message-----
>> >> >Onr solution is to ease back on the events you are
>> >> auditing.
>> >> >Assuming you put the ******* in there for privacy,
>> >> >logging of this is controlled by the "Audit

privlege

>> use"

>> >> >
>> >> >However, your subject (only) indicates that you are
>> >> >getting many failures, and _if_ one lessens this

>> category

>> >> >of auditing it is usually to only log failures (not
>> >> successes).
>> >> >So in your case you probably need to track down

what

>> the

>> >> >******** account is doing when it gets denied.
>> >> >The user right that the account is not being

granted is

>> >> the
>> >> >one shown in local policy as "Increase scheduling
>> >> priority"
>> >> >You may find that profiling the actions of the

account

>> >> will
>> >> >lead you to a solution, for example KB 811196 is a

case

>> >> >where admin accounts trigger this event even though

>> they

>> >> >are granted the user right.
>> >> >
>> >> >--
>> >> >Roger Abell
>> >> >Microsoft MVP (Windows Server System: Security)
>> >> >MCSE (W2k3,W2k,Nt4) MCDBA
>> >> >"Jake" <j.lomax@mgn.co.uk> wrote in message
>> >> >news:08a601c38917$9ec10990$a301280a@phx.gbl...
>> >> >> Does anyone know how to stop this failure audit

event

>> >> >> being recorded. Its happening on a couple of my

>> clients

>> >> >> now and with enforced 90 day log retention I

need to

>> >> keep
>> >> >> increasing the log size, I'm not happy with this

and

>> >> want
>> >> >> to know how to stop it.
>> >> >>
>> >> >> Privileged Service Called:
>> >> >> Server: Security
>> >> >> Service: -
>> >> >> Primary User Name: ********
>> >> >> Primary Domain: *******
>> >> >> Primary Logon ID: (0x0,0x****)
>> >> >> Client User Name: -
>> >> >> Client Domain: -
>> >> >> Client Logon ID: -
>> >> >> Privileges: SeIncreaseBasePriorityPrivilege
>> >> >>
>> >> >
>> >> >
>> >> >.
>> >> >
>> >
>> >
>> >.
>> >

>
>.
>