Event ID 577 & Failed Install of Microsoft Firewall Client


Shawn Berg

Upon attempting to install the Microsoft Firewall Client
software Event ID 577 is generated in the security log
(details below) and approximately half-way through the
install it rolls back and brings me to a window that
states "Installation Wizard was completed with an ERROR!".
No clue what the exact error is. Have just found out that
this event is being logged at the same time. I am logged
on as the domain administrator. Anyone have ANY clues?
Searched newsgroups and web endlessly without finding
anything at all.

Event details:

Privileged Service Called:
Server: Security
Service: -
Primary User Name: administrator
Primary Domain: SPACEAGE
Primary Logon ID: (0x0,0x5EEA12)
Client User Name: -
Client Domain: -
Client Logon ID: -
Privileges: SeIncreaseBasePriorityPrivilege
 
The event is not an error and is probably not directly related to your
failed installation.

--
Eric Fitzgerald
Program Manager, Windows Auditing
Microsoft Corporation

The above message is provided "AS-IS" with no warranties, and confers no
rights.
 
Here's what's at www.eventid.com


Event ID: 577
Source: Security
Type: Success Audit
Description: Privileged Service Called:
Server: NT Local Security Authority / Authentication Service
Service: LsaRegisterLogonProcess()
Primary User Name: <computer name>$
Primary Domain: <domain or workgroup name>
Primary Logon ID: (0x0,0x3E7)
Client User Name: <computer name>$
Client Domain: <domain or workgroup name>
Client Logon ID: (0x0,0x3E7)
Privileges: <privilege string>
Comments: Adrian Grigorof
This event record indicates that an attempt has been made to use a
privilege to perform a privileged system service.

If the operation is successful, this event is recorded as "Success
Audit"; if not, it is recorded as "Failure Audit". Depending on your Audit
Policy these types of events may or may not show up. If you receive quite
a few "Success Audit" 577 events then most probably you have "Audit
privilege use" enabled for both cases. There are many normal processes
that use their privileges so naturally the events get recorded.

This event can also be logged when you use Winmsd and save a report
(see Q811196).

As per Q238185, when you are using a Remote Procedure Call-based
(RPC-based) client/server program, this error may be recorded (in this
case, it does not indicate a security breach; you can safely ignore it).

Privileges: See Q101366 for a list of privilege strings and what they
mean. Common ones:
- SeIncreaseBasePriorityPrivilege = Increase Scheduling Priority = The
user can boost the scheduling priority of a process.
- SeTcbPrivilege = To Act as Part of the Operating System = The user can
act as a trusted part of the operating system. Some subsystems have this
privilege granted to them.

Kurt Mosley
This can happen if an application tries to increase its scheduling
priority on the CPU. Most users do not have the permission to do this,
so the application will fail its attempt and log this in the security
log. We got this to go away by giving the users the "Increase Scheduling
Priority" right in the local security policy. So far, no ill effects and
the event log has gone away.

Our Approach:
We found that we had quite a few of Success Audit 577
events on our Security Log. The event description contained info about
the local computer, workgroup, service and the "privilege". The type of
the event is quite explicit, it says on top: "Privileged Service Called"
so most probably we had enabled the logging of the "Privilege use". But
what privilege was occurring so often? In our case it was
"SeIncreaseBasePriorityPrivilege" (listed at the bottom of the
description). We searched for "SeIncreaseBasePriorityPrivilege" at
http://search.microsoft.com and the search returned several links, one
to Q101366 saying that this "string" actually means "Increase Scheduling
Priority" or in other terms, "The user can boost the scheduling priority
of a process". The user name in this case was the computer name itself.
So, at this point it was clear that this is a "normal" event - the
operating system often adjusts the thread scheduler so various internal
processes get additional CPU cycles to complete their tasks. Since we
were not that interested in seeing this kind of statistics, we disabled
the audit of "Success" privilege uses through the Local Security Policy
(or if it is an AD setting, through Active Directory Group policies).
Links: Q174074, Q811196, Q238185, Q101366, Q299475, Online Analysis
of Security Event Log

Source: Security
Type: Failure Audit
Description: Privileged Service Called:
Server: <authentication process>
Service: <service name>
Primary User Name: <computer name>$
Primary Domain: <domain or workgroup name>
Primary Logon ID: <client logon id>
Client User Name: <computer name>$
Client Domain: <domain or workgroup name>
Client Logon ID: <logon id>
Privileges: <privilege string>
Comments: Adrian Grigorof (Last update 8/30/2003):
If this is recorded when users attempt to change their password (and
they get "Unable to change the password on this account (C00000BE)") then
see Q176978.
Links: Q176978
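
The triage described under "Our Approach" above (find out which privilege and which account are behind the 577 entries before changing audit policy), as an added example that is not part of the original posts or of the quoted site. It assumes the event descriptions have been exported as text in the layout shown in the first post; the sample records, the `WKS01$` and `jsmith` names and the `ROUTINE` set are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the layout quoted in the first post; WKS01$ and jsmith
# are made-up names, and the last record wraps its privilege list.
TEMPLATE = ("Privileged Service Called:\nServer: Security\nService: -\n"
            "Primary User Name: {user}\nPrimary Domain: SPACEAGE\n"
            "Primary Logon ID: {lid}\nClient User Name: -\nClient Domain: -\n"
            "Client Logon ID: -\nPrivileges: {privs}\n")
SAMPLE = "\n".join(TEMPLATE.format(user=u, lid=i, privs=p) for u, i, p in [
    ("administrator", "(0x0,0x5EEA12)", "SeIncreaseBasePriorityPrivilege"),
    ("WKS01$", "(0x0,0x3E7)", "SeIncreaseBasePriorityPrivilege"),
    ("WKS01$", "(0x0,0x3E7)", "SeTcbPrivilege"),
    ("jsmith", "(0x0,0x1A2B3C)", "SeTcbPrivilege\n\t\tSeIncreaseBasePriorityPrivilege"),
])

FIELD = re.compile(r"^([A-Za-z ]+):[ \t]*(.*)$")
# Assumption for this example: privileges treated as routine for any account.
ROUTINE = {"SeIncreaseBasePriorityPrivilege"}

def parse_events(text):
    """Return one dict per 'Privileged Service Called' record in exported text."""
    events = []
    for block in re.split(r"(?m)^Privileged Service Called:\s*$", text)[1:]:
        rec, last = {}, None
        for line in block.splitlines():
            m = FIELD.match(line)
            if m:
                last = m.group(1).strip()
                rec[last] = m.group(2).strip()
            elif line.strip() and last == "Privileges":
                rec[last] += " " + line.strip()  # list continued on next line
        rec["Privileges"] = rec.get("Privileges", "").split()
        events.append(rec)
    return events

def triage(events):
    """Tally (account, privilege) pairs and list non-routine privileges used by
    user accounts; machine accounts (names ending in "$") are not listed."""
    counts, review = Counter(), []
    for ev in events:
        user = ev.get("Primary User Name", "-")
        for priv in ev["Privileges"]:
            counts[(user, priv)] += 1
            if priv not in ROUTINE and not user.endswith("$"):
                review.append((user, priv))
    return counts, review

if __name__ == "__main__":
    counts, review = triage(parse_events(SAMPLE))
    print(counts.most_common(), "review:", review)
```

The tally shows which account and privilege pairs dominate the log, which is the information the quoted write-up used before turning off "Success" auditing of privilege use.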
 
Good. Then your PC should be safer than you were just trying to make
it. Go get ZoneAlarm or one of the other firewalls that YOU control and
know what is happening.
 