PowerShell Scheduled Task throws SeTcbPrivilege security message

mindmischief 36 Reputation points
2021-01-11T22:42:17.74+00:00

I have a Scheduled Task that runs a PowerShell script. The script copies a file from a remote server to the local server and then deletes the local file if the date-modified is older than 30 mins. The task is using an Active Directory resource account. This resource account is not in any local groups.

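PowerShell:

# Copy the file from the remote share to the local directory.
Copy-Item -Path \\server.example.com\directory\file.txt -Destination D:\directory\file.txt
# Delete local items whose last write time is more than 30 minutes old.
Get-ChildItem -Path D:\directory | Where-Object { $_.LastWriteTime -lt (Get-Date).AddMinutes(-30) } | Remove-Item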


The script works when the Task is run but I see an 'Audit Failure' message in the Security log that mentions SeTcbPrivilege.

Is this something I should worry about?
If so then how should I fix this?


1 answer

  1. Jenny Yan-MSFT 9,356 Reputation points
    2021-01-12T02:56:20.02+00:00

    Hi,
    SeTcbPrivilege acts as part of the operating system and allows a process to assume the identity of any user and thus gain access to the resources that the user is authorized to access. Typically, only low-level authentication services require this privilege.

    As for the security warning, kindly check the following KB:
    4673(S, F): A privileged service was called.
    https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673
    Act as part of the operating system
    https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system

    ----------

    Hope this helps and please help to accept as Answer if the response is useful.

    Thanks,
    Jenny
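
To see which account and process produce the Event 4673 audit failures covered by the links above, the records can be parsed and grouped. This is an added example, not code from the question or the answer; the function name ConvertFrom-Event4673 and the sample event (account, host, process path) are constructed for illustration.

```powershell
# Added example: summarize Event 4673 audit failures that name SeTcbPrivilege.
function ConvertFrom-Event4673 {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $evt = ([xml]$EventXml).Event
        # EventData is a flat list of <Data Name="...">value</Data> elements.
        $data = @{}
        foreach ($node in $evt.EventData.Data) { $data[$node.Name] = $node.'#text' }
        [pscustomobject]@{
            TimeCreated  = $evt.System.TimeCreated.SystemTime
            # Keywords 0x8010000000000000 marks an Audit Failure record.
            AuditFailure = $evt.System.Keywords -eq '0x8010000000000000'
            Account      = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
            Privileges   = "$($data.PrivilegeList)".Trim()
            Process      = $data.ProcessName
        }
    }
}

# Constructed sample record; account, host and process values are placeholders.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4673</EventID>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2021-01-11T22:40:00.0000000Z" />
    <Computer>server01.example.com</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserName">svc-filecopy</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="PrivilegeList">SeTcbPrivilege</Data>
    <Data Name="ProcessName">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
  </EventData>
</Event>
'@

# On a live host (elevated session), replace $sample with:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4673 } | ForEach-Object { $_.ToXml() }
$sample | ConvertFrom-Event4673 |
    Where-Object { $_.AuditFailure -and $_.Privileges -match 'SeTcbPrivilege' } |
    Group-Object Account, Process |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Each output row is one account and process pair with the number of failed SeTcbPrivilege requests, which shows whether the events line up with the scheduled task's account and run times.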

