Audit Failure Event 578 May Be Logged When You Save the Winmsd Report (821458)
The information in this article applies to:
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server
SYMPTOMS
If you turn on Audit Privilege Usage auditing for both success and failure, and you then save the system information file while you are using an administrator account, audit failure event 578 is logged. The entry that appears is similar to the following:
Event Type: Failure Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 578
Date: 12/3/2002
Time: 3:23:33 PM
User: Name \Administrator
Computer: Name
Description:
Privileged object operation:
Object Server: Eventlog
Object Handle: 0
Process ID: 264
Primary User Name: Name
Primary Domain: Name
Primary Logon ID: (0x0,0x3E7)
Client User Name: Administrator
Client Domain: Name
Client Logon ID: (0x0,0x9792)
Privileges: SeSecurityPrivilege
CAUSE
This behavior is an expected result of using the SeSecurityPrivilege privilege.
The SeSecurityPrivilege privilege is required to make NTEventLog calls. If the token does not have this privilege, event 578 is logged. Because the default administrator token has SeSecurityPrivilege disabled, and Local Remote Procedure Calls (LRPC) remove nonenabled attributes across the call, this privilege is also removed from this token. When the NTEventLog calls are then made, NTEventLog does not see the SeSecurityPrivilege privilege, and it logs event 578.
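The following Python triage helper is an added example, not part of the original article and not Microsoft code. It parses an exported event entry in the layout shown under SYMPTOMS and separates the expected event 578 pattern from other 578 entries that deserve review. The matching rule (Failure Audit, Object Server Eventlog, SeSecurityPrivilege as the only privilege), the function names, and both sample records are assumptions constructed from the entry above.

```python
import re

# Constructed record in the layout of the entry shown under SYMPTOMS.
SAMPLE_EXPECTED = """\
Event Type: Failure Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 578
Time: 3:23:33 PM
Description:
Privileged object operation:
Object Server: Eventlog
Object Handle: 0
Primary Logon ID: (0x0,0x3E7)
Client User Name: Administrator
Privileges: SeSecurityPrivilege
"""
# Constructed variant: a different object server and privilege.
SAMPLE_OTHER = (SAMPLE_EXPECTED
                .replace("Object Server: Eventlog", "Object Server: Security")
                .replace("SeSecurityPrivilege", "SeTakeOwnershipPrivilege"))

FIELD = re.compile(r"^([A-Za-z ]+?):[ \t]*(.*)$")

def parse_event(text):
    """Turn the 'Name: value' lines of an event entry into a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def triage_578(fields):
    """'expected' for the pattern in this article, otherwise 'review'."""
    if fields.get("Event ID") != "578":
        return "not-578"
    # Assumed rule: only SeSecurityPrivilege, against the Eventlog server.
    privileges = fields.get("Privileges", "").split()
    expected = (fields.get("Event Type") == "Failure Audit"
                and fields.get("Object Server") == "Eventlog"
                and privileges == ["SeSecurityPrivilege"])
    return "expected" if expected else "review"

if __name__ == "__main__":
    for name, record in (("expected", SAMPLE_EXPECTED), ("other", SAMPLE_OTHER)):
        print(name, "->", triage_578(parse_event(record)))
```

Entries classified as "review" are not necessarily malicious; they simply fall outside the behavior this article explains.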
Modification Type: Major
Last Reviewed: 12/2/2003
Keywords: kbprb kberrmsg KB821458 kbAudITPRO