Hundreds of 6417 Events in Windows 10 Security Log

J Andrew Johnson 1 Reputation point
2021-08-17T23:18:28.247+00:00

I'm a bit of a Security Log neophyte, but have had to learn as much as possible over the last several months as I have solid evidence that my home network has been breached (why? who? no clue).

But this is something I have never seen on this machine before, and it just started within the last 36 hours. My security log has begun to be filled with hundreds of event 6417... 1517 of them to be exact. Here are a few examples, starting with the first instance:

Record Date Time Type Event PID Process Name
10093 8/16/2021 3:42:46 AM Audit Success 6417 00000250 C:\Windows\System32\csrss.exe
10124 8/16/2021 3:42:51 AM Audit Success 6417 000002DC C:\Windows\System32\LogonUI.exe
10860 8/16/2021 3:53:08 AM Audit Success 6417 000002DC C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
12176 8/15/2021 9:13:03 PM Audit Success 6417 00000B58 C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBridge\SkypeBridge.exe

The PIDs and Process names run through hundreds of different executables, but the largest represented process is msedge.com.

I'm running an older machine:

Device name *********
Processor Intel(R) Core(TM)2 Duo CPU E4600 @ 2.40GHz 2.40 GHz
Installed RAM 6.00 GB
Device ID 4372B41C-30C5-42F9-824C-81C7D*******
Product ID 00330-80000-00000-AA314
System type 64-bit operating system, x64-based processor
Pen and touch No pen or touch input is available for this display
Edition Windows 10 Pro
Version 21H1
Installed on 8/14/2021
OS build 19043.1165
Experience Windows Feature Experience Pack 120.2212.3530.0

...with an older TPM (v 1.2), but have never seen a single 6417 event, let alone 1500.

When I look in the system log for events 14 or 17, I find 11 event 14 entries, three of which occurred in the same time frame as the 6417 events in the system log:

Type Date Time Event Source Category User Computer
Information 8/17/2021 10:53:14 AM 14 Microsoft-Windows-Wininit None \SYSTEM *****
Information 8/16/2021 3:42:49 AM 14 Microsoft-Windows-Wininit None \SYSTEM *****
Information 8/15/2021 9:11:30 PM 14 Microsoft-Windows-Wininit None \SYSTEM *****

Interestingly enough, these events look nothing like event 14 as represented here:

https://learn.microsoft.com/en-us/troubleshoot/windows-client/windows-security/tpm-device-driver-error-log

As the entire entry consists of one line: 'Credential Guard configuration: 0,0'

My machine is a workgroup on a small home network, not in a domain with an AD server, so I'm not sure why Credential Guard enters into this.

Am I correct in thinking this is a bit unusual?

Any insight would be appreciated, and thanks ahead of time!


1 answer

  1. Gary Nebbett 6,216 Reputation points
    2021-08-18T14:13:59.353+00:00

    Hello @J Andrew Johnson ,

    Good to see that you corrected your self-description - it makes things a lot clearer :-)

    You have probably recently enabled the policy "System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithms"; disabling the policy should also cause these events to stop.

    Gary
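
One way to check the cause given in the answer on the affected machine, as an added example that is not part of the original thread: it reads the registry value behind the FIPS policy and summarises the 6417 records by process. The property order used for the process name is an assumption based on the PID / Process Name columns shown in the question.

```powershell
# Added example: verify the FIPS policy state and summarise event 6417.
# Run in an elevated PowerShell session; the Security log is not readable otherwise.

# Registry value behind the policy
# "System cryptography: Use FIPS 140 compliant cryptographic algorithms ...".
$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$fips = Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue
if ($null -eq $fips) {
    Write-Output 'FIPS policy value not present (treated as disabled).'
} else {
    Write-Output ("FIPS policy Enabled = {0}" -f $fips.Enabled)
}

# Collect every 6417 record. Get-WinEvent raises an error when nothing matches,
# so the error is suppressed and the result is forced into an array.
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6417 } `
                         -ErrorAction SilentlyContinue)
if ($events.Count -eq 0) {
    Write-Output 'No 6417 events in the Security log.'
    return
}

# The oldest record shows when the events started, for comparison with the
# time the policy was changed.
$first = $events | Sort-Object TimeCreated | Select-Object -First 1
Write-Output ("{0} events, first at {1}" -f $events.Count, $first.TimeCreated)

# Assumption: event property 0 is the PID and property 1 is the process name,
# matching the column order in the question. Adjust the index if the output
# shows PIDs instead of paths.
$events |
    Group-Object { $_.Properties[1].Value } |
    Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name
```

A value of 1 together with a first-event time that matches when the policy was turned on is consistent with the explanation in the answer.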

