Event Id 4674 - Huge number of events in Security Logs

Question

Tuesday, November 15, 2016 3:48 PM

Hi Folks,

I am facing an issue with a two-node cluster running Windows 2008 SP2 Enterprise edition, where a huge number of events are getting logged in the Security log and filling it. We have automatic backup of event logs, and it fills the C: drive as a result.

Below is the event log detail:

An operation was attempted on a privileged object.

Subject:
Security ID: LOCAL SERVICE
Account Name: LOCAL SERVICE
Account Domain: NT AUTHORITY
Logon ID: 0x3e5

Object:
Object Server: Security
Object Type: -
Object Name: -
Object Handle: 0x36f8

Process Information:
Process ID: 0x290
Process Name: C:\Windows\System32\svchost.exe

Requested Operation:
Desired Access: 1048576
Privileges: SeBackupPrivilege

I checked the Process ID and it was the Event Log service. SeBackupPrivilege - looks like it's backing up or restoring something, but I am not able to figure it out. I know that we can disable logging to get rid of these events. However, I need to find out what is causing this.

Any help will be greatly appreciated!

All replies (4)

Wednesday, November 16, 2016 6:07 AM

Hi,

>>I checked the Process ID and it was the Event Log service. SeBackupPrivilege - looks like it's backing up or restoring something, but I am not able to figure it out. I know that we can disable logging to get rid of these events. However, I need to find out what is causing this.

Event 4674 is generated by security policies; please check this link for your reference:

Audit Sensitive Privilege Use

https://technet.microsoft.com/en-us/library/dd772724(v=ws.10).aspx

Best Regards,
Cartman
Please remember to mark the replies as an answers if they help and unmark them if they provide no help.
If you have feedback for TechNet Subscriber Support, contact [email protected].


Wednesday, November 16, 2016 12:25 PM

Hi Cartman,

Thank you for your response. I checked the URL. Is there any way to find out what is actually happening when this event is getting logged?


Friday, November 18, 2016 2:13 AM

Hi,

>>Thank you for your response. I checked the URL. Is there any way to find out what is actually happening when this event is getting logged?

Account name in the subject of this event could tell. Check this one, it may help:

4674(S, F): An operation was attempted on a privileged object.

https://technet.microsoft.com/en-us/itpro/windows/keep-secure/event-4674

https://social.technet.microsoft.com/Forums/office/en-US/c0f2fded-b9c9-4868-b291-883a063c4956/event-4674-an-operation-was-attempted-on-a-privileged-object-on-windows-server-2008-what-does?forum=winserversecurity

Best Regards,
Cartman
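
Added example, not part of any reply in this thread: a PowerShell triage script for the question above. It follows the hint that the Subject account identifies the caller by counting 4674 events per account, process, privilege and object server, then listing the services hosted in the busiest process. It assumes PowerShell 2.0 or later in an elevated session; `$Hours` and `$MaxEvents` are illustrative values.

```powershell
# Added example, not from the thread. Assumes PowerShell 2.0+ (Get-WinEvent), run elevated.
$Hours     = 1       # look-back window (illustrative value)
$MaxEvents = 20000   # cap so a flooded log does not stall the query (illustrative value)

$filter = @{ LogName = 'Security'; Id = 4674; StartTime = (Get-Date).AddHours(-$Hours) }

$rows = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Read the named EventData fields instead of parsing the rendered message text.
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        New-Object PSObject -Property @{
            Minute       = $_.TimeCreated.ToString('yyyy-MM-dd HH:mm')
            Account      = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
            ProcessId    = [Convert]::ToInt32($d['ProcessId'], 16)   # logged as hex, e.g. 0x290
            Process      = $d['ProcessName']
            # PrivilegeList can hold several names separated by whitespace.
            Privileges   = (("$($d['PrivilegeList'])" -split '\s+' | Where-Object { $_ }) -join ',')
            ObjectServer = $d['ObjectServer']
            ObjectName   = $d['ObjectName']
        }
    }

if (-not $rows) { Write-Host "No 4674 events in the last $Hours hour(s)."; return }

# 1. Which account / process / privilege combinations produce the volume?
$top = @($rows | Group-Object Account, Process, ProcessId, Privileges, ObjectServer |
    Sort-Object Count -Descending)
$top | Select-Object -First 10 Count, Name | Format-Table -AutoSize -Wrap

# 2. Steady stream or bursts? Per-minute counts can be lined up with scheduled jobs.
$rows | Group-Object Minute | Sort-Object Name |
    Select-Object Name, Count | Format-Table -AutoSize

# 3. svchost.exe hosts several services; list the ones inside the busiest process.
$busyPid = $top[0].Group[0].ProcessId
Get-WmiObject Win32_Service -Filter "ProcessId = $busyPid" |
    Select-Object Name, DisplayName, StartName, State | Format-Table -AutoSize
```

If the busiest combination matches the LOCAL SERVICE / svchost.exe / SeBackupPrivilege record quoted in the question, step 3 shows which services share that process.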


Tuesday, November 22, 2016 7:13 AM

Hi,

I am checking to see if the problem has been resolved. If there's anything you'd like to know, don't hesitate to ask.

Best Regards,
Cartman