Question
Friday, August 30, 2013 3:01 PM
lsass.exe will generate numerous Audit Failures, in groups of three or more, because it is requesting SeTcbPrivileges but, other times, it will be granted the requested privilege. I would like to know why it is generating all these failures but, ultimately, I just want to make them stop filling up my Security Log. As it stands, the System, Administrators and users all have "Read & Execute" permissions. Only the "TrustedInstaller" has full permissions. OS is 2008 r2, x64 w/SP1.
Also, this is happening across all servers in the domain and it started long before I inherited the system, so I can't trace it back to some patch or change in role/feature.
Thanks in advance.
All replies (9)
Monday, September 9, 2013 8:57 AM ✅Answered
Hi,
You may enable the “Audit privilege use” policy below, which creates Event ID 4673: A privileged service was called.
Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Privilege Use
If you configure this policy setting, an audit event is generated when sensitive privilege requests are made. Success audits record successful attempts, and failure audits record unsuccessful attempts.
If you want to make the Audit Failures stop filling up the Security Log, please disable the policy to see if the issue still exists.
Regards,
Mandy Ye
Monday, September 2, 2013 10:46 AM
Unnecessary Security Failure Audit (Event 577):
http://support.microsoft.com/kb/238185/en-us
Also, look at the discussion below.
77 Many failures pertaining to SeTcbPrivilege in Security Log:
Devaraj G | Technical solution architect
Tuesday, September 3, 2013 2:16 PM
I ran across both of those, in the past, and neither is applicable.
Friday, September 6, 2013 9:55 AM
Hi,
Is there any error message in the event log? Please provide more detailed error message about your question.
Regards,
Mandy Ye
Friday, September 6, 2013 2:27 PM
Here is the Event Log entry.
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 9/5/2013 10:58:43 PM
Event ID: 4673
Task Category: Sensitive Privilege Use
Level: Information
Keywords: Audit Failure
User: N/A
Computer: [FQDN]
Description:
A privileged service was called.
Subject:
Security ID: SYSTEM
Account Name: [Server$]
Account Domain: [Domain]
Logon ID: 0x3e7
Service:
Server: Security Account Manager
Service Name: Security Account Manager
Process:
Process ID: 0x204
Process Name: C:\Windows\System32\lsass.exe
Service Request Information:
Privileges: SeTcbPrivilege
Event Xml:
<Event xmlns= [unallowed Microsoft link] >
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4673</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13056</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2013-09-06T03:58:43.577381900Z" />
<EventRecordID>4291998</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="532" />
<Channel>Security</Channel>
<Computer>[FQDN]</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">[Server$]</Data>
<Data Name="SubjectDomainName">[Domain]</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="ObjectServer">Security Account Manager</Data>
<Data Name="Service">Security Account Manager</Data>
<Data Name="PrivilegeList">SeTcbPrivilege</Data>
<Data Name="ProcessId">0x204</Data>
<Data Name="ProcessName">C:\Windows\System32\lsass.exe</Data>
</EventData>
</Event>
Friday, September 6, 2013 2:33 PM
And, here is a successful event that happened a few seconds later. I realize that it is being called by a different service but I don't understand why the privilege levels are different.
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 9/5/2013 10:58:51 PM
Event ID: 4673
Task Category: Sensitive Privilege Use
Level: Information
Keywords: Audit Success
User: N/A
Computer: [FQDN]
Description:
A privileged service was called.
Subject:
Security ID: SYSTEM
Account Name: [Server$]
Account Domain: [Domain]
Logon ID: 0x3e7
Service:
Server: NT Local Security Authority / Authentication Service
Service Name: LsaRegisterLogonProcess()
Process:
Process ID: 0x204
Process Name: C:\Windows\System32\lsass.exe
Service Request Information:
Privileges: SeTcbPrivilege
Event Xml:
<Event xmlns= [unallowed Microsoft link]>
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4673</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13056</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2013-09-06T03:58:51.939035500Z" />
<EventRecordID>4292000</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="532" />
<Channel>Security</Channel>
<Computer>[FQDN]</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">[Server$]</Data>
<Data Name="SubjectDomainName">[Domain]</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="ObjectServer">NT Local Security Authority / Authentication Service</Data>
<Data Name="Service">LsaRegisterLogonProcess()</Data>
<Data Name="PrivilegeList">SeTcbPrivilege</Data>
<Data Name="ProcessId">0x204</Data>
<Data Name="ProcessName">C:\Windows\System32\lsass.exe</Data>
</EventData>
</Event>
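To see which call inside lsass.exe accounts for the failures in events like the two posted above, the records can be grouped by outcome and service. This is an added example, not part of the original thread: it reads the Audit Failure / Audit Success bit from `Keywords` and counts Event ID 4673 records per server, service, privilege and process. The wrapping `<Events>` root, the placeholder namespace and the function names are assumptions.

```python
import xml.etree.ElementTree as ET
from collections import Counter

AUDIT_FAILURE = 0x0010000000000000  # Keywords bit rendered as "Audit Failure"
AUDIT_SUCCESS = 0x0020000000000000  # Keywords bit rendered as "Audit Success"

# Constructed sample modelled on the thread's two events; namespace is a placeholder.
_EVENT = ('<Event xmlns="urn:example:placeholder"><System><EventID>4673</EventID>'
          '<Keywords>{kw}</Keywords></System><EventData>'
          '<Data Name="ObjectServer">{server}</Data><Data Name="Service">{service}</Data>'
          '<Data Name="PrivilegeList">SeTcbPrivilege</Data>'
          r'<Data Name="ProcessName">C:\Windows\System32\lsass.exe</Data>'
          '</EventData></Event>')
SAM = _EVENT.format(kw="0x8010000000000000", server="Security Account Manager",
                    service="Security Account Manager")
LSA = _EVENT.format(kw="0x8020000000000000", service="LsaRegisterLogonProcess()",
                    server="NT Local Security Authority / Authentication Service")
SAMPLE = "<Events>" + SAM + LSA + SAM + "</Events>"  # the failure appears twice

def local(tag):  # drop any '{namespace}' prefix so the xmlns value does not matter
    return tag.rsplit("}", 1)[-1]

def parse_4673(xml_text):
    """Yield one dict of fields per Event ID 4673 record in xml_text."""
    for ev in ET.fromstring(xml_text).iter():
        if local(ev.tag) != "Event":
            continue
        fields = {}
        for node in ev.iter():
            # Collapse whitespace: PrivilegeList can span several lines.
            name, text = local(node.tag), " ".join((node.text or "").split())
            if name in ("EventID", "Keywords"):
                fields[name] = text
            elif name == "Data" and node.get("Name"):
                fields[node.get("Name")] = text
        if fields.get("EventID") != "4673":
            continue
        kw = int(fields.get("Keywords") or "0", 16)
        fields["Outcome"] = ("Failure" if kw & AUDIT_FAILURE else
                             "Success" if kw & AUDIT_SUCCESS else "Unknown")
        yield fields

def tally(xml_text):
    """Count records per (outcome, server, service, privileges, process)."""
    return Counter((f["Outcome"], f.get("ObjectServer"), f.get("Service"),
                    f.get("PrivilegeList"), f.get("ProcessName"))
                   for f in parse_4673(xml_text))

if __name__ == "__main__":
    print(*tally(SAMPLE).most_common(), sep="\n")
```

On the sample, the Security Account Manager request is the only failing key and the LsaRegisterLogonProcess() request the only succeeding one, which matches the two events in the post.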
Monday, November 17, 2014 8:24 PM | 1 vote
This is not an answer. Suggesting that the policy to log the errors be disabled doesn't answer the question of "WHY THEY ARE FAILING".
Friday, May 6, 2016 3:32 PM
Check the object that is failing login:
<Data Name="PrivilegeList">SeTcbPrivilege</Data>
SE_TCB_NAME TEXT("SeTcbPrivilege") | This privilege identifies its holder as part of the trusted computer base. Some trusted protected subsystems are granted this privilege. User Right: Act as part of the operating system. |
The selected user name does not have the privilege assigned to their user account -
https://msdn.microsoft.com/en-us/library/windows/desktop/bb530716(v=vs.85).aspx
I know, a year later, but if you are still having that issue try looking at your user account privileges for the listed user account. Hopefully that solves everyone's issues because I myself spent some time looking into the Event ID 4672, 4673, and 4674. I could write up an explanation but check that and see if it is because your user account just does have privilege access to SeTcbPrivilege (you are on your own on how to put it in place but Microsoft provides info on how).
Monday, May 21, 2018 3:49 PM
I have this issue for a user that does have "Act as part of the operating system". In Windows 10 or 2016, if you log in as an Administrator (or DOMAIN\Admins), a good portion of the CTRL-I configuration screens error out when you click on them. This error is logged.
The only workaround I've found is to enable "Admin Approval Mode" via gpedit.msc.