Failure Audit Security Log Event ID 577

Posted: 10-02-2003, 07:01 PM
Does anyone know how to stop this failure audit event
being recorded. Its happening on a couple of my clients
now and with enforced 90 day log retention I need to keep
increasing the log size, I'm not happy with this and want
to know how to stop it.

Privileged Service Called:
Server: Security
Service: -
Primary User Name: ********
Primary Domain: *******
Primary Logon ID: (0x0,0x****)
Client User Name: -
Client Domain: -
Client Logon ID: -
Privileges: SeIncreaseBasePriorityPrivilege

Failure Audit Security Log Event ID 577


Responses to "Failure Audit Security Log Event ID 577"

Roger Abell
Guest
Posts: n/a
 
Re: Failure Audit Security Log Event ID 577
Posted: 10-03-2003, 07:15 AM
Onr solution is to ease back on the events you are auditing.
Assuming you put the ******* in there for privacy,
logging of this is controlled by the "Audit privlege use"

However, your subject (only) indicates that you are
getting many failures, and _if_ one lessens this category
of auditing it is usually to only log failures (not successes).
So in your case you probably need to track down what the
******** account is doing when it gets denied.
The user right that the account is not being granted is the
one shown in local policy as "Increase scheduling priority"
You may find that profiling the actions of the account will
lead you to a solution, for example KB 811196 is a case
where admin accounts trigger this event even though they
are granted the user right.

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Jake" <[email protected]> wrote in message
news:08a601c38917$9ec10990$[email protected]..
> Does anyone know how to stop this failure audit event
> being recorded. Its happening on a couple of my clients
> now and with enforced 90 day log retention I need to keep
> increasing the log size, I'm not happy with this and want
> to know how to stop it.
>
> Privileged Service Called:
> Server: Security
> Service: -
> Primary User Name: ********
> Primary Domain: *******
> Primary Logon ID: (0x0,0x****)
> Client User Name: -
> Client Domain: -
> Client Logon ID: -
> Privileges: SeIncreaseBasePriorityPrivilege
>

Jake
Guest
Posts: n/a
 
Re: Failure Audit Security Log Event ID 577
Posted: 10-03-2003, 08:55 PM
Hi Roger,
Privilege use failures are all that is being audited and
only one event is recorded, eventID 577. An event is
logged every thirty seconds when the user is logged on.
The workststion can be idle, ie. screensaver up, and the
same event is still logged.
I have tried altering the local security 'Increase
scheduling priority' policy to 'Authenticated Users' and
also 'Not Defined'. This had no apparent effect.

>-----Original Message-----
>Onr solution is to ease back on the events you are
auditing.
>Assuming you put the ******* in there for privacy,
>logging of this is controlled by the "Audit privlege use"
>
>However, your subject (only) indicates that you are
>getting many failures, and _if_ one lessens this category
>of auditing it is usually to only log failures (not
successes).
>So in your case you probably need to track down what the
>******** account is doing when it gets denied.
>The user right that the account is not being granted is
the
>one shown in local policy as "Increase scheduling
priority"
>You may find that profiling the actions of the account
will
>lead you to a solution, for example KB 811196 is a case
>where admin accounts trigger this event even though they
>are granted the user right.
>
>--
>Roger Abell
>Microsoft MVP (Windows Server System: Security)
>MCSE (W2k3,W2k,Nt4) MCDBA
>"Jake" <[email protected]> wrote in message
>news:08a601c38917$9ec10990$[email protected]..
>> Does anyone know how to stop this failure audit event
>> being recorded. Its happening on a couple of my clients
>> now and with enforced 90 day log retention I need to
keep
>> increasing the log size, I'm not happy with this and
want
>> to know how to stop it.
>>
>> Privileged Service Called:
>> Server: Security
>> Service: -
>> Primary User Name: ********
>> Primary Domain: *******
>> Primary Logon ID: (0x0,0x****)
>> Client User Name: -
>> Client Domain: -
>> Client Logon ID: -
>> Privileges: SeIncreaseBasePriorityPrivilege
>>
>
>
>.
>
Roger Abell
Guest
Posts: n/a
 
Re: Failure Audit Security Log Event ID 577
Posted: 10-04-2003, 05:33 AM
You could try profiling what processes are running
in the account process, perhaps with aid from tools
from www.sysinternals.com
Also, does this happen with a newly defined account ?

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Jake" <[email protected]> wrote in message
news:0cea01c389f0$9db88da0$[email protected]..
> Hi Roger,
> Privilege use failures are all that is being audited and
> only one event is recorded, eventID 577. An event is
> logged every thirty seconds when the user is logged on.
> The workststion can be idle, ie. screensaver up, and the
> same event is still logged.
> I have tried altering the local security 'Increase
> scheduling priority' policy to 'Authenticated Users' and
> also 'Not Defined'. This had no apparent effect.
>
>
> >-----Original Message-----
> >Onr solution is to ease back on the events you are
> auditing.
> >Assuming you put the ******* in there for privacy,
> >logging of this is controlled by the "Audit privlege use"
> >
> >However, your subject (only) indicates that you are
> >getting many failures, and _if_ one lessens this category
> >of auditing it is usually to only log failures (not
> successes).
> >So in your case you probably need to track down what the
> >******** account is doing when it gets denied.
> >The user right that the account is not being granted is
> the
> >one shown in local policy as "Increase scheduling
> priority"
> >You may find that profiling the actions of the account
> will
> >lead you to a solution, for example KB 811196 is a case
> >where admin accounts trigger this event even though they
> >are granted the user right.
> >
> >--
> >Roger Abell
> >Microsoft MVP (Windows Server System: Security)
> >MCSE (W2k3,W2k,Nt4) MCDBA
> >"Jake" <[email protected]> wrote in message
> >news:08a601c38917$9ec10990$[email protected]..
> >> Does anyone know how to stop this failure audit event
> >> being recorded. Its happening on a couple of my clients
> >> now and with enforced 90 day log retention I need to
> keep
> >> increasing the log size, I'm not happy with this and
> want
> >> to know how to stop it.
> >>
> >> Privileged Service Called:
> >> Server: Security
> >> Service: -
> >> Primary User Name: ********
> >> Primary Domain: *******
> >> Primary Logon ID: (0x0,0x****)
> >> Client User Name: -
> >> Client Domain: -
> >> Client Logon ID: -
> >> Privileges: SeIncreaseBasePriorityPrivilege
> >>
> >
> >
> >.
> >

Guest
Posts: n/a
 
Re: Failure Audit Security Log Event ID 577
Posted: 10-15-2003, 12:30 PM
I am seeing the exact same error message, every 30
seconds. We have been running Windows XP for over 8 months
and have never seen this error message before. I have
recently installed 2 new clients and it is happening on
those 2, it also has spread to my older clients now...very
weird did you find anything that helped you track this
down??


>-----Original Message-----
>You could try profiling what processes are running
>in the account process, perhaps with aid from tools
>from www.sysinternals.com
>Also, does this happen with a newly defined account ?
>
>--
>Roger Abell
>Microsoft MVP (Windows Server System: Security)
>MCSE (W2k3,W2k,Nt4) MCDBA
>"Jake" <[email protected]> wrote in message
>news:0cea01c389f0$9db88da0$[email protected]..
>> Hi Roger,
>> Privilege use failures are all that is being audited and
>> only one event is recorded, eventID 577. An event is
>> logged every thirty seconds when the user is logged on.
>> The workststion can be idle, ie. screensaver up, and the
>> same event is still logged.
>> I have tried altering the local security 'Increase
>> scheduling priority' policy to 'Authenticated Users' and
>> also 'Not Defined'. This had no apparent effect.
>>
>>
>> >-----Original Message-----
>> >Onr solution is to ease back on the events you are
>> auditing.
>> >Assuming you put the ******* in there for privacy,
>> >logging of this is controlled by the "Audit privlege
use"
>> >
>> >However, your subject (only) indicates that you are
>> >getting many failures, and _if_ one lessens this
category
>> >of auditing it is usually to only log failures (not
>> successes).
>> >So in your case you probably need to track down what
the
>> >******** account is doing when it gets denied.
>> >The user right that the account is not being granted is
>> the
>> >one shown in local policy as "Increase scheduling
>> priority"
>> >You may find that profiling the actions of the account
>> will
>> >lead you to a solution, for example KB 811196 is a case
>> >where admin accounts trigger this event even though
they
>> >are granted the user right.
>> >
>> >--
>> >Roger Abell
>> >Microsoft MVP (Windows Server System: Security)
>> >MCSE (W2k3,W2k,Nt4) MCDBA
>> >"Jake" <[email protected]> wrote in message
>> >news:08a601c38917$9ec10990$[email protected]..
>> >> Does anyone know how to stop this failure audit event
>> >> being recorded. Its happening on a couple of my
clients
>> >> now and with enforced 90 day log retention I need to
>> keep
>> >> increasing the log size, I'm not happy with this and
>> want
>> >> to know how to stop it.
>> >>
>> >> Privileged Service Called:
>> >> Server: Security
>> >> Service: -
>> >> Primary User Name: ********
>> >> Primary Domain: *******
>> >> Primary Logon ID: (0x0,0x****)
>> >> Client User Name: -
>> >> Client Domain: -
>> >> Client Logon ID: -
>> >> Privileges: SeIncreaseBasePriorityPrivilege
>> >>
>> >
>> >
>> >.
>> >
>
>
>.
>
Wesley VogelX
Guest
Posts: n/a
 
Re: Failure Audit Security Log Event ID 577
Posted: 10-15-2003, 03:36 PM
I am surprised that with all the problems you are experiencing, your machine
has not burst into flames an stopped the Blaster Worm.

"Can o&o, QBS software, disk defrag be purchased from
united state retailer?
thanks"

"when i go on the inter net the computer tells me that it
is shutting down in so many seconds and i have control
over it.this happens after about five minutes. can any
one help"

"After selecting a User on XP-Home, an error message
appears which states:
Memory access violation in module kernel 32 at
8175:22294851.
Any idea what this means and how to make it stop
appearing?"

"This is what happened... I was trying to re-install
Windows XP Pro. Well after that got going.. this is what
showed up.
"system is being restarted...." then,

"STOP: c000021a {Fatal System Error} The Windows Logon
Process system process terminated unexpectedly with a
status of 0xc0000034 (0x00000000 0x00000000).
The system has been shut down"

I can not get on my computer at all so I dont know how to
even start going about fixing this. Please Help."

"Anyone out there got a good XP solution for synching
folder contents on multiple machines across a network?
TiA."

"running xp home all updates
defrag error (dfrgfat.exe application error,,the
instruction at 0x77f52a84 referenced memory at 0x00000000
the memory could not be written
have tried in safe mode also ran scannow with xp cd loaded
hard drive free space 592mb, used space 4.29gb
thanks for any assistance"


<[email protected]> wrote in message
news:0bc501c392fd$edb96fc0$[email protected]..
> when i go on the inter net the computer tells me that it
> is shutting down in so many seconds and i have control
> over it.this happens after about five minutes. can any
> one help
>
<[email protected]> wrote in message
news:240701c39318$0e2379d0$[email protected]..
> I am seeing the exact same error message, every 30
> seconds. We have been running Windows XP for over 8 months
> and have never seen this error message before. I have
> recently installed 2 new clients and it is happening on
> those 2, it also has spread to my older clients now...very
> weird did you find anything that helped you track this
> down??
>
>
>
> >-----Original Message-----
> >You could try profiling what processes are running
> >in the account process, perhaps with aid from tools
> >from www.sysinternals.com
> >Also, does this happen with a newly defined account ?
> >
> >--
> >Roger Abell
> >Microsoft MVP (Windows Server System: Security)
> >MCSE (W2k3,W2k,Nt4) MCDBA
> >"Jake" <[email protected]> wrote in message
> >news:0cea01c389f0$9db88da0$[email protected]..
> >> Hi Roger,
> >> Privilege use failures are all that is being audited and
> >> only one event is recorded, eventID 577. An event is
> >> logged every thirty seconds when the user is logged on.
> >> The workststion can be idle, ie. screensaver up, and the
> >> same event is still logged.
> >> I have tried altering the local security 'Increase
> >> scheduling priority' policy to 'Authenticated Users' and
> >> also 'Not Defined'. This had no apparent effect.
> >>
> >>
> >> >-----Original Message-----
> >> >Onr solution is to ease back on the events you are
> >> auditing.
> >> >Assuming you put the ******* in there for privacy,
> >> >logging of this is controlled by the "Audit privlege
> use"
> >> >
> >> >However, your subject (only) indicates that you are
> >> >getting many failures, and _if_ one lessens this
> category
> >> >of auditing it is usually to only log failures (not
> >> successes).
> >> >So in your case you probably need to track down what
> the
> >> >******** account is doing when it gets denied.
> >> >The user right that the account is not being granted is
> >> the
> >> >one shown in local policy as "Increase scheduling
> >> priority"
> >> >You may find that profiling the actions of the account
> >> will
> >> >lead you to a solution, for example KB 811196 is a case
> >> >where admin accounts trigger this event even though
> they
> >> >are granted the user right.
> >> >
> >> >--
> >> >Roger Abell
> >> >Microsoft MVP (Windows Server System: Security)
> >> >MCSE (W2k3,W2k,Nt4) MCDBA
> >> >"Jake" <[email protected]> wrote in message
> >> >news:08a601c38917$9ec10990$[email protected]..
> >> >> Does anyone know how to stop this failure audit event
> >> >> being recorded. Its happening on a couple of my
> clients
> >> >> now and with enforced 90 day log retention I need to
> >> keep
> >> >> increasing the log size, I'm not happy with this and
> >> want
> >> >> to know how to stop it.
> >> >>
> >> >> Privileged Service Called:
> >> >> Server: Security
> >> >> Service: -
> >> >> Primary User Name: ********
> >> >> Primary Domain: *******
> >> >> Primary Logon ID: (0x0,0x****)
> >> >> Client User Name: -
> >> >> Client Domain: -
> >> >> Client Logon ID: -
> >> >> Privileges: SeIncreaseBasePriorityPrivilege
> >> >>
> >> >
> >> >
> >> >.
> >> >
> >
> >
> >.
> >
tkk
Guest
Posts: n/a
 
Re: Failure Audit Security Log Event ID 577
Posted: 11-14-2003, 06:35 PM
removing real one player worked for me
>-----Original Message-----
>I am surprised that with all the problems you are
experiencing, your machine
>has not burst into flames an stopped the Blaster Worm.
>
>"Can o&o, QBS software, disk defrag be purchased from
>united state retailer?
>thanks"
>
>"when i go on the inter net the computer tells me that it
>is shutting down in so many seconds and i have control
>over it.this happens after about five minutes. can any
>one help"
>
>"After selecting a User on XP-Home, an error message
>appears which states:
>Memory access violation in module kernel 32 at
>8175:22294851.
>Any idea what this means and how to make it stop
>appearing?"
>
>"This is what happened... I was trying to re-install
>Windows XP Pro. Well after that got going.. this is what
>showed up.
>"system is being restarted...." then,
>
>"STOP: c000021a {Fatal System Error} The Windows Logon
>Process system process terminated unexpectedly with a
>status of 0xc0000034 (0x00000000 0x00000000).
>The system has been shut down"
>
>I can not get on my computer at all so I dont know how to
>even start going about fixing this. Please Help."
>
>"Anyone out there got a good XP solution for synching
>folder contents on multiple machines across a network?
>TiA."
>
>"running xp home all updates
>defrag error (dfrgfat.exe application error,,the
>instruction at 0x77f52a84 referenced memory at 0x00000000
>the memory could not be written
>have tried in safe mode also ran scannow with xp cd
loaded
>hard drive free space 592mb, used space 4.29gb
>thanks for any assistance"
>
>
><[email protected]> wrote in message
>news:0bc501c392fd$edb96fc0$[email protected]..
>> when i go on the inter net the computer tells me that
it
>> is shutting down in so many seconds and i have control
>> over it.this happens after about five minutes. can any
>> one help
>>
>
><[email protected]> wrote in message
>news:240701c39318$0e2379d0$[email protected]..
>> I am seeing the exact same error message, every 30
>> seconds. We have been running Windows XP for over 8
months
>> and have never seen this error message before. I have
>> recently installed 2 new clients and it is happening on
>> those 2, it also has spread to my older clients
now...very
>> weird did you find anything that helped you track this
>> down??
>>
>>
>>
>> >-----Original Message-----
>> >You could try profiling what processes are running
>> >in the account process, perhaps with aid from tools
>> >from www.sysinternals.com
>> >Also, does this happen with a newly defined account ?
>> >
>> >--
>> >Roger Abell
>> >Microsoft MVP (Windows Server System: Security)
>> >MCSE (W2k3,W2k,Nt4) MCDBA
>> >"Jake" <[email protected]> wrote in message
>> >news:0cea01c389f0$9db88da0$[email protected]..
>> >> Hi Roger,
>> >> Privilege use failures are all that is being
audited and
>> >> only one event is recorded, eventID 577. An event is
>> >> logged every thirty seconds when the user is logged
on.
>> >> The workststion can be idle, ie. screensaver up,
and the
>> >> same event is still logged.
>> >> I have tried altering the local security 'Increase
>> >> scheduling priority' policy to 'Authenticated
Users' and
>> >> also 'Not Defined'. This had no apparent effect.
>> >>
>> >>
>> >> >-----Original Message-----
>> >> >Onr solution is to ease back on the events you are
>> >> auditing.
>> >> >Assuming you put the ******* in there for privacy,
>> >> >logging of this is controlled by the "Audit
privlege
>> use"
>> >> >
>> >> >However, your subject (only) indicates that you are
>> >> >getting many failures, and _if_ one lessens this
>> category
>> >> >of auditing it is usually to only log failures (not
>> >> successes).
>> >> >So in your case you probably need to track down
what
>> the
>> >> >******** account is doing when it gets denied.
>> >> >The user right that the account is not being
granted is
>> >> the
>> >> >one shown in local policy as "Increase scheduling
>> >> priority"
>> >> >You may find that profiling the actions of the
account
>> >> will
>> >> >lead you to a solution, for example KB 811196 is a
case
>> >> >where admin accounts trigger this event even though
>> they
>> >> >are granted the user right.
>> >> >
>> >> >--
>> >> >Roger Abell
>> >> >Microsoft MVP (Windows Server System: Security)
>> >> >MCSE (W2k3,W2k,Nt4) MCDBA
>> >> >"Jake" <[email protected]> wrote in message
>> >> >news:08a601c38917$9ec10990$[email protected]..
>> >> >> Does anyone know how to stop this failure audit
event
>> >> >> being recorded. Its happening on a couple of my
>> clients
>> >> >> now and with enforced 90 day log retention I
need to
>> >> keep
>> >> >> increasing the log size, I'm not happy with this
and
>> >> want
>> >> >> to know how to stop it.
>> >> >>
>> >> >> Privileged Service Called:
>> >> >> Server: Security
>> >> >> Service: -
>> >> >> Primary User Name: ********
>> >> >> Primary Domain: *******
>> >> >> Primary Logon ID: (0x0,0x****)
>> >> >> Client User Name: -
>> >> >> Client Domain: -
>> >> >> Client Logon ID: -
>> >> >> Privileges: SeIncreaseBasePriorityPrivilege
>> >> >>
>> >> >
>> >> >
>> >> >.
>> >> >
>> >
>> >
>> >.
>> >
>
>.
>
 
LinkBack Thread Tools Display Modes
 


Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On
Forum Jump


Similar Threads
Thread Thread Starter Forum Replies Last Post
A New Vista Security Policy on Audit:Force Audit Policy Subcategor Gayle Windows Vista Security 1 10-19-2007 04:51 PM
Security log failure audit tec_nickel Windows XP Security & Administration 1 09-18-2003 09:30 AM
MS Baseline Security Audit Failure Chris Windows XP Security & Administration 0 09-06-2003 02:41 PM
Security Audit Failure Jerry Windows XP Security & Administration 0 07-22-2003 12:48 AM
Event log: Failure audit privilege use event 577 Graham Hughes Windows XP Security & Administration 0 07-18-2003 07:41 PM