Question
Wednesday, August 23, 2017 11:44 AM
Hello,
I have multiple events (around 350) on different computers on the network with the event id 4673.
269 4673 Failure Audit Security 8/14/2017 8:43:59 AM 8/14/2017 3:45:00 PM
A privileged service was called.
Subject:
Security ID: S-1-5-21-2435269519-786360451-118518248-8614
Account Name: userloginx
Account Domain: BOT
Logon ID: 0xF675165
Service:
Server: Security
Service Name: -
Process:
Process ID: 0x4
Process Name:
Service Request Information:
Privileges: SeBackupPrivilege
I notice that there is no Process Name or other information, only the Process ID, but it is not too important because when I see the reports the Process ID is gone.
This particular user does not have the rights to log in on other computers. For audit purposes, I need to check why this user appears on other computers trying to get Backup privileges.
I wonder if someone can help me with this.
Thanks in advance.
All replies (6)
Wednesday, August 23, 2017 12:34 PM | 1 vote
This event is generated when sensitive privileges are used.
The event you provided means that the 0x4 process (System) is attempting to back up some files or folders.
For detailed information, please refer to the links below:
Audit Sensitive Privilege Use:
https://technet.microsoft.com/en-us/library/dd772724(v=ws.10).aspx
Windows Security Log Event ID 4673:
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4673
Solution for Active Directory auditing, monitoring and management.
Wednesday, August 23, 2017 3:05 PM
@v18s " because when I see the reports the Process Id it's gone."
when the process with ID 4 is gone, the system is shutting down.
Wednesday, August 23, 2017 6:44 PM
Dear RomanMulley,
Thanks for your comment.
I understand that for some reason the system tries to perform that task.
My major question is why the user (Account Name) is calling that activity. There are around 6 workstations that had too many events of that user. I would like to know if some computer is infected (I do not know because the logs do not show too many things) and is trying to get information from other computers in the network.
The events were at the same time during one day.
Regarding the link:
https://technet.microsoft.com/en-us/library/dd772724%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396
I notice that all the computers are windows 10. That article applies for Win7 and WinSvr2k8R2. I suppose that applies for win10 too, right?
Thanks in advance for any comment.
Wednesday, August 23, 2017 6:44 PM
I am sorry for that comment. I was confused about that process.
Thanks.
Thursday, August 24, 2017 3:02 AM
Hi,
SeBackupPrivilege belongs to the user right under Computer Configuration, Windows Settings, Security Settings, Local Policies, User Rights Assignment, in the right pane "Back up files and directories". Check your scripts and scheduled tasks to see if there is something configured that could require this permission.
Also you could check the link below about 4673(S, F): A privileged service was called.
/en-us/windows/device-security/auditing/event-4673
Hope it will be helpful to you
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
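The replies above explain that 4673 records a request for a sensitive privilege and suggest checking who is granted the right; what the asker still needs is a way to tie each SeBackupPrivilege request on a workstation back to the logon session that made it, because the Logon ID in a 4673 event matches the Target Logon ID of the 4624 event that created the session, and 4624 carries the logon type and source address. The script below is an added example, not code from any poster in this thread. It assumes the events have been exported as XML (for instance with `wevtutil qe Security /f:xml` or `Get-WinEvent ... | % { $_.ToXml() }`); the sample events, host names, Logon IDs other than the one quoted in the question, and IP addresses are constructed for the example.

```python
"""Correlate 4673 (privileged service called) events with the 4624 logon events
that created the same logon session, so a SeBackupPrivilege request on a
workstation can be attributed to a logon type and a source address.
Added example; the sample data below is constructed, not taken from a real log."""
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def event_xml(event_id, computer, time, data):
    """Build one <Event> in the Windows event schema (constructed sample data)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{time}"/><Computer>{computer}</Computer>'
            f'</System><EventData>{fields}</EventData></Event>')


def priv_event(computer, time, user, logon_id, priv="SeBackupPrivilege"):
    # Field names follow the real 4673 EventData layout; values are sample data.
    return event_xml(4673, computer, time, {
        "SubjectUserSid": "S-1-5-21-2435269519-786360451-118518248-8614",
        "SubjectUserName": user, "SubjectDomainName": "BOT",
        "SubjectLogonId": logon_id, "ObjectServer": "Security", "Service": "-",
        "PrivilegeList": priv, "ProcessId": "0x4", "ProcessName": ""})


def logon_event(computer, time, user, logon_id, logon_type, ip):
    # Subset of the real 4624 EventData fields that matter for correlation.
    return event_xml(4624, computer, time, {
        "TargetUserName": user, "TargetDomainName": "BOT",
        "TargetLogonId": logon_id, "LogonType": str(logon_type),
        "WorkstationName": "-", "IpAddress": ip, "IpPort": "49210"})


# Constructed sample: the questioner's account requesting SeBackupPrivilege on two
# workstations via network logons from one source, plus a legitimate service account.
SAMPLE_XML = "".join([
    logon_event("WS01.bot.local", "2017-08-14T08:43:50Z", "userloginx", "0xF675165", 3, "10.0.0.25"),
    priv_event("WS01.bot.local", "2017-08-14T08:43:59Z", "userloginx", "0xF675165"),
    priv_event("WS01.bot.local", "2017-08-14T09:15:02Z", "userloginx", "0xF675165"),
    priv_event("WS01.bot.local", "2017-08-14T15:45:00Z", "userloginx", "0xF675165"),
    logon_event("WS02.bot.local", "2017-08-14T10:02:11Z", "userloginx", "0x3A2C1", 3, "10.0.0.25"),
    priv_event("WS02.bot.local", "2017-08-14T10:02:14Z", "userloginx", "0x3A2C1"),
    logon_event("WS01.bot.local", "2017-08-14T01:00:00Z", "backupsvc", "0x1B3", 5, "-"),
    priv_event("WS01.bot.local", "2017-08-14T01:00:05Z", "backupsvc", "0x1B3"),
])


def parse_events(xml_blob):
    """Parse a sequence of <Event> elements (no enclosing root, as wevtutil emits)."""
    root = ET.fromstring("<Events>" + xml_blob + "</Events>")
    events = []
    for ev in root.findall("e:Event", NS):
        system = ev.find("e:System", NS)
        rec = {"EventID": int(system.findtext("e:EventID", namespaces=NS)),
               "Computer": system.findtext("e:Computer", namespaces=NS),
               "Time": system.find("e:TimeCreated", NS).get("SystemTime")}
        for d in ev.find("e:EventData", NS).findall("e:Data", NS):
            rec[d.get("Name")] = (d.text or "").strip()
        events.append(rec)
    return events


def correlate(events, privileges=("SeBackupPrivilege",)):
    """Group 4673 events per (computer, DOMAIN\\user, privilege) and attach the
    LogonType and IpAddress of the 4624 event with the same Logon ID on that host."""
    logons = {(e["Computer"], e["TargetLogonId"].lower()): e
              for e in events if e["EventID"] == 4624}
    groups = defaultdict(lambda: {"count": 0, "logon_type": None,
                                  "source_ip": None, "sessions": set()})
    for e in events:
        if e["EventID"] != 4673:
            continue
        # PrivilegeList may hold several privileges separated by whitespace.
        for priv in set(e["PrivilegeList"].split()) & set(privileges):
            account = e["SubjectDomainName"] + "\\" + e["SubjectUserName"]
            g = groups[(e["Computer"], account, priv)]
            g["count"] += 1
            session = e["SubjectLogonId"].lower()
            g["sessions"].add(session)
            logon = logons.get((e["Computer"], session))
            if logon is not None:
                g["logon_type"] = int(logon["LogonType"])
                g["source_ip"] = logon["IpAddress"]
    return dict(groups)


def unexpected(groups, authorized):
    """Keep only accounts not expected to hold the right (e.g. those outside the
    Administrators and Backup Operators groups named in the thread)."""
    return {k: v for k, v in groups.items() if k[1] not in authorized}


if __name__ == "__main__":
    findings = unexpected(correlate(parse_events(SAMPLE_XML)), {"BOT\\backupsvc"})
    for (host, account, priv), g in sorted(findings.items()):
        print(f"{host}: {account} requested {priv} {g['count']}x, "
              f"logon type {g['logon_type']} from {g['source_ip']}")
```

In the constructed data the report shows every workstation hit by the same account through a logon type 3 (network) session from a single source address, which is the lead a defender would follow: the machine at that address is where the credentials are being used, not the workstations reporting the failures. On a live system, 4624 has to be collected along with 4673, and the Logon ID is only meaningful per host and per boot, so the join must be keyed on the computer name as done here.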
Thursday, August 24, 2017 6:06 PM
Thanks for your comment. I checked that and I found that in the properties the only groups in that policy are Administrators and Backup Operators. The user in the event logs is not listed here and this user is not part of these groups.
Also, I notice that this happened on computers with Windows 10. Also, these events occur during the whole day, on different computers, while the user was not logged on.
Can someone give me some light?
Thanks in advance.