Remote calls to SAM calls being restricted, then it says SAM logging events for remote clients; not sure what to make of this?

weill986754 1 Reputation point
2021-09-05T08:49:49.173+00:00

While trading on 9/3/21 my computer became unresponsive. I was unable to send an order out; I had internet. I was running 2 computers at the time. I went back through the events and found this. Not sure what it means, or if someone can help me to decipher the logs from that time period?

Log Name: System
Source: Microsoft-Windows-Directory-Services-SAM
Date: 9/3/2021 2:19:40 PM
Event ID: 16962
Task Category: None
Level: Information
Keywords:
User: SYSTEM
Computer: DESKTOP-C426NS4
Description:
Remote calls to the SAM database are being restricted using the default security descriptor: O:SYG:SYD:(A;;RC;;;BA).
For more information please see http://go.microsoft.com/fwlink/?LinkId=787651.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Directory-Services-SAM" Guid="{0d4fdc09-8c27-494a-bda0-505e4fd8adae}" />
<EventID>16962</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2021-09-03T21:19:40.2009877Z" />
<EventRecordID>22694</EventRecordID>
<Correlation ActivityID="{64b8957a-a109-0002-c995-b86409a1d701}" />
<Execution ProcessID="888" ThreadID="892" />
<Channel>System</Channel>
<Computer>DESKTOP-C426NS4</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData Name="SAMMSG_RESTRICT_REMOTE_SAM_DEFAULT_SD">
<Data Name="Default SD String:">O:SYG:SYD:(A;;RC;;;BA)</Data>
</EventData>
</Event>


Log Name: System
Source: Microsoft-Windows-Directory-Services-SAM
Date: 9/3/2021 2:19:40 PM
Event ID: 16983
Task Category: None
Level: Information
Keywords:
User: SYSTEM
Computer: DESKTOP-C426NS4
Description:
The security account manager is now logging periodic summary events for remote clients that call legacy password change or set RPC methods.

For more information please see https://go.microsoft.com/fwlink/?linkid=2150956.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Directory-Services-SAM" Guid="{0d4fdc09-8c27-494a-bda0-505e4fd8adae}" />
<EventID>16983</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2021-09-03T21:19:40.2071498Z" />
<EventRecordID>22696</EventRecordID>
<Correlation ActivityID="{64b8957a-a109-0002-c995-b86409a1d701}" />
<Execution ProcessID="888" ThreadID="892" />
<Channel>System</Channel>
<Computer>DESKTOP-C426NS4</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData Name="SAMMSG_AUDIT_LEGACY_PWD_RPC_METHODS_OFF">
</EventData>
</Event>

1 answer

  1. Limitless Technology 39,351 Reputation points
    2021-09-06T11:35:20.857+00:00

    Hello @Weill986754,

    I am not sure whether a SAM call can block your PC, and I suspect it might have been something incidental related to something else. These events are Information level and should not pose any issue. In case you want to check further, I would focus on the Warning and Error events that happened 2-3 min before and after the system hang.

    All in all, you can remove the access to SAM calls by following this Microsoft article:
    https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls

    At the same time, I would recommend running a full virus and malware scan just in case.

    Hope this helps,

    Best regards,
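
Added example, not part of the original posts: a small Python decoder for the security descriptor reported in event 16962, showing that `O:SYG:SYD:(A;;RC;;;BA)` contains a single allow entry for the Built-in Administrators group. The token tables are a deliberately small subset of SDDL (an assumption of this example), and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Trimmed copy of the event 16962 XML posted in the question.
EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>16962</EventID></System>
<EventData Name="SAMMSG_RESTRICT_REMOTE_SAM_DEFAULT_SD">
<Data Name="Default SD String:">O:SYG:SYD:(A;;RC;;;BA)</Data>
</EventData>
</Event>"""

# Subset of SDDL tokens (assumption: extend these tables for other descriptors).
ACE_TYPES = {"A": "allow", "D": "deny"}
RIGHTS = {"RC": "READ_CONTROL"}
SIDS = {"SY": "Local System", "BA": "Built-in Administrators",
        "WD": "Everyone", "AU": "Authenticated Users"}
SDDL_RE = re.compile(r"O:(?P<owner>[^:()]+?)G:(?P<group>[^:()]+?)"
                     r"D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^()]*\))*)")


def sd_from_event(xml_text):
    """Return (event id, SDDL string) from a SAM event 16962 record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    sddl = root.findtext("e:EventData/e:Data", namespaces=NS)
    return event_id, sddl.strip()


def parse_sddl(sddl):
    """Decode owner, group and DACL entries; unknown tokens pass through."""
    m = SDDL_RE.fullmatch(sddl)
    if m is None:
        raise ValueError(f"unsupported SDDL: {sddl!r}")
    dacl = []
    for ace in re.findall(r"\(([^()]*)\)", m["aces"]):
        # ACE layout: type;flags;rights;object_guid;inherit_guid;trustee
        ace_type, _flags, rights, _obj, _inherit, sid = ace.split(";")[:6]
        codes = [rights] if rights.startswith("0x") else re.findall("..", rights)
        dacl.append({"type": ACE_TYPES.get(ace_type, ace_type),
                     "rights": [RIGHTS.get(c, c) for c in codes],
                     "trustee": SIDS.get(sid, sid)})
    return {"owner": SIDS.get(m["owner"], m["owner"]),
            "group": SIDS.get(m["group"], m["group"]), "dacl": dacl}


if __name__ == "__main__":
    event_id, sddl = sd_from_event(EVENT_XML)
    print(event_id, parse_sddl(sddl))
```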