Microsoft KB Archive/821458

= Audit Failure Event 578 May Be Logged When You Save the Winmsd Report =

Article ID: 821458

Article Last Modified on 10/30/2006


APPLIES TO


 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows 2000 Server




SYMPTOMS
If you turn on Audit Privilege Usage auditing for both success and failure, and you then save the system information file while you are using an administrator account, audit failure event 578 is logged. The entry that appears is similar to the following:

Event Type: Failure Audit

Event Source: Security

Event Category: Privilege Use

Event ID: 578

Date: 12/3/2002

Time: 3:23:33 PM

User:  \Administrator

Computer:

Description:

Privileged object operation:

Object Server: Eventlog

Object Handle: 0

Process ID: 264

Primary User Name:

Primary Domain:

Primary Logon ID: (0x0,0x3E7)

Client User Name: Administrator

Client Domain:

Client Logon ID: (0x0,0x9792)

Privileges: SeSecurityPrivilege



CAUSE
This behavior is an expected result of using the SeSecurityPrivilege privilege.

The SeSecurityPrivilege privilege is required to make NTEventLog calls. If the token does not have this privilege, event 578 is logged. Because the default administrator token has SeSecurityPrivilege disabled, and Local Remote Procedure Calls (LRPC) remove nonenabled attributes across the call, this privilege is also removed from the token. When the NTEventLog calls are then made, NTEventLog does not see the SeSecurityPrivilege privilege, and it logs event 578.
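When reviewing Privilege Use failures, entries with the shape described above can be separated from other event 578 records. The following is an added example, not part of the original article or any Microsoft tool; the function names (parse_event, matches_kb821458, triage) are hypothetical and the sample entries are constructed from the event text quoted under SYMPTOMS.

```python
import re

# Constructed sample: the entry quoted in this article (empty fields omitted).
KB_EVENT = """\
Event Type: Failure Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 578
Time: 3:23:33 PM
Privileged object operation:
Object Server: Eventlog
Process ID: 264
Primary Logon ID: (0x0,0x3E7)
Client User Name: Administrator
Client Logon ID: (0x0,0x9792)
Privileges: SeSecurityPrivilege
"""
# Constructed contrast case: a different object server and privilege.
OTHER_EVENT = (KB_EVENT.replace("Object Server: Eventlog", "Object Server: Security")
               .replace("SeSecurityPrivilege", "SeTakeOwnershipPrivilege"))

def parse_event(text):
    """Split 'Name: value' lines into a dict; only the first colon separates."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def matches_kb821458(fields):
    """True when the entry has the shape described under SYMPTOMS and CAUSE."""
    return (fields.get("Event ID") == "578"
            and fields.get("Event Type") == "Failure Audit"
            and fields.get("Object Server", "").lower() == "eventlog"
            and fields.get("Privileges", "").split() == ["SeSecurityPrivilege"])

def triage(text):
    """Return (verdict, client user) so unmatched 578 failures stay visible."""
    fields = parse_event(text)
    verdict = "expected (KB 821458)" if matches_kb821458(fields) else "review"
    return verdict, fields.get("Client User Name", "")

if __name__ == "__main__":
    for sample in (KB_EVENT, OTHER_EVENT):
        print(triage(sample))
```

A match only means the fields have this article's shape; it does not show that saving the Winmsd report was what made the NTEventLog call.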



Keywords: kberrmsg kbprb KB821458


© Microsoft Corporation. All rights reserved.