Share via

Security Event Error 521

Belan Marek 56 Reputation points
2022-12-07T10:55:36.93+00:00

On one of our DC we are starting have event 521. On second DC its ok.521 have 0x80000005 which means access denied.

How can we find process which trying to write co sec events?

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System> <Provider Name="Security" />
<EventID Qualifiers="0">521</EventID>
<Level>0</Level>
<Task>1</Task>
<Keywords>0xa0000000000000</Keywords>
<TimeCreated SystemTime="2022-12-07T06:22:45.203496300Z" />
<EventRecordID>2604507626</EventRecordID>
<Channel>Security</Channel>
<Computer>DC1</Computer>
<Security UserID="S-1-5-18" />
</System> - <EventData> <Data>0x80000005</Data> <Data>0</Data> <Data>1</Data> </EventData> </Event>

Windows for business | Windows Client for IT Pros | Directory services | Active Directory
Windows for business | Windows Server | User experience | Other

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Limitless Technology 44,751 Reputation points
    2022-12-08T10:28:16.433+00:00

    Hello there,

    You can use process monitor to find the process. This event is logged if Windows was unable to write events to the Security event log. The code for the reason of occurrence. Whether the system should halt when not able to write to security log.

    Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon https://learn.microsoft.com/en-us/sysinternals/downloads/procmon

    ----------------------------------------------------------------------------------------------------------------------------------

    --If the reply is helpful, please Upvote and Accept it as an answer--

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.