Event ID 578 and HPBPRO dot exe


John Collins

Our Windows 2000 print server (in AD as a member server) is filling up the
security event log with #578's like below. I understand it to be a "take
ownership" privilege log entry. It's the same user's ID (my boss's, actually)
and has anywhere from 24 to over 50 identical entries with the exact same
time. Each group of identical entries is separated by only seconds, say 30
or 45 seconds between groups.

The user is not logged into the server but does have four printers defined
in his printer folder on his desktop. The entries show up whether he is
printing or not. The user is a member of the local administrators group on
the server.

While troubleshooting this and looking at the Task Manager I noticed that
periodically, every minute or so, an Image Name of hpbpro.exe shows up
(usually two or three at a time) with the User Name of this user ID and the
session number indicates the console. He is not logged into the console at
the times that this happens. These processes show up and disappear in the
blink of an eye. And are quite regular, almost coincidental with the above
messages.

Any idea?



========= Event Description Below ===============
Event Type: Success Audit
Event Source: Security
Event Category: Privilege Use
Event ID: 578
Date: 05-Apr-04
Time: 12:29:52
User: Domain\UserID
Computer: SERVER
Description:
Privileged object operation:
Object Server: Security
Object Handle: 496
Process ID: 3056
Primary User Name: UserID
Primary Domain: Domain
Primary Logon ID: (0x0,0x1E91EEDF)
Client User Name: -
Client Domain: -
Client Logon ID: -
Privileges: SeTakeOwnershipPrivilege

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
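
The pattern described in this post (groups of identical 578 entries sharing one timestamp, each carrying a Process ID) can be tallied from a text export of the log. The Python below is an added example, not part of the original thread; the function names, the burst sizes and the PIDs other than 3056 are constructed for illustration.

```python
from collections import Counter
from datetime import datetime


def parse_events(text):
    """Split a text export of the Security log (layout as in the post) into dicts."""
    events, current = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Event Type":  # first field of every record starts a new event
            current = {}
            events.append(current)
        if current is not None:
            current.setdefault(key, value)
    return events


def find_bursts(events, event_id="578"):
    """Group identical entries by (second, user, PID, privilege); report size and gap."""
    counts = Counter()
    for ev in events:
        if ev.get("Event ID") != event_id:
            continue
        when = datetime.strptime(f"{ev['Date']} {ev['Time']}", "%d-%b-%y %H:%M:%S")
        counts[(when, ev.get("User"), ev.get("Process ID"), ev.get("Privileges"))] += 1
    bursts, previous = [], None
    for (when, user, pid, priv), n in sorted(counts.items(), key=lambda kv: kv[0][0]):
        gap = None if previous is None else int((when - previous).total_seconds())
        bursts.append({"time": when, "user": user, "pid": pid,
                       "privilege": priv, "count": n, "gap_s": gap})
        previous = when
    return bursts


def _record(time, pid, event_id="578"):
    """Build one constructed record using the field layout shown in the post."""
    return ("Event Type: Success Audit\nEvent Source: Security\n"
            f"Event ID: {event_id}\nDate: 05-Apr-04\nTime: {time}\n"
            "User: Domain\\UserID\nComputer: SERVER\n"
            f"Process ID: {pid}\nPrivileges: SeTakeOwnershipPrivilege\n\n")


# Constructed sample: three bursts 30 s and 45 s apart, plus one unrelated event ID.
SAMPLE = (_record("12:29:52", 3056) * 24 + _record("12:30:22", 3120) * 30
          + _record("12:31:07", 2988) * 50 + _record("12:31:07", 2988, "538"))

if __name__ == "__main__":
    for b in find_bursts(parse_events(SAMPLE)):
        print(f"{b['time']:%H:%M:%S}  PID {b['pid']:>5}  {b['privilege']}  "
              f"x{b['count']}  gap={b['gap_s']}")
```

With process tracking auditing enabled, event 592 records the image name for each new Process ID, which ties a burst to a short-lived process that Task Manager shows only briefly.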
 
Neither of those printers have ever been installed on this print server.


Alan Morris(MSFT) said:
HP might be a better place to ask. This binary comes with the Business
Inkjet 2300 and the 3000.

http://search.hp.com/gwuseng/query.html?submit.x=6&submit.y=4&qt=hpbpro.exe&la=en&col=hpcom+ccen+ccenfor

--
Alan Morris
Windows Printing Team
Search the Microsoft Knowledge Base here:
http://support.microsoft.com/default.aspx?scid=fh;[ln];kbhowto

This posting is provided "AS IS" with no warranties, and confers no rights.

Hello John,

Thank you for posting here.

This behavior is an expected result of using the SeSecurityPrivilege
privilege.

SeSecurityPrivilege privileges are required to make NTEventLog calls. If
the token does not have this privilege, event 578 is logged. Because the
default administrator token has the SeSecurityPrivilege disabled, and
Local Remote Procedure Calls (LRPC) remove nonenabled attributes across the
call, this privilege is also removed from this token. When the NTEventLog
calls are then made, NTEventLog does not see the SeSecurityPrivilege
privilege, and it logs event 578.

For more information you may browse the following web sites:

Audit Failure Event 578 May Be Logged When You Save the Winmsd Report
http://support.microsoft.com/default.aspx?scid=kb;en-us;821458
Take Ownership Remotely Does Not Log Security Event
http://support.microsoft.com/default.aspx?scid=kb;en-us;170834
Event 578 May Be Logged During Logoff or Shutdown
http://support.microsoft.com/default.aspx?scid=kb;en-us;266282

I would like to offer you the following suggestions:

1. Search for hpbpro.exe on the computer and rename them to test.

2. Go to
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Monitors and delete
any monitor that is not one of the following:
BJ Language Monitor
Local Port
PJL Language Monitor
Standard TCP/IP Port
USB Monitor
Windows NT Fax Monitor
AppleTalk Printing Devices

3. Back up the registry key and remove the third-party monitor.

I hope the information proves helpful!
If you have any questions please do not hesitate to let me know. I am glad
to be of assistance.
Thanks and regards,
Alex Zhang
Microsoft Partner Online Support
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
From: "John Collins"
Subject: Re: Event ID 578 and HPBPRO dot exe
Date: Mon, 5 Apr 2004 20:15:39 -0400
Newsgroups: microsoft.public.win2000.printing,microsoft.public.win2000.security

Neither of those printers have ever been installed on this print server.

 
Alex,

The articles don't exactly cover my situation but were helpful nonetheless.

I'm hesitant to perform the deleting of monitors as suggested below as this
is a production print server that is printing fine. It's just annoying that
it fills up the logs with these messages.

I need more information because the monitors that I would delete per your
suggestion are:

HP JetDirect Port (which is for 22 of my printers)
HP Laserjet 5 Language Monitor (which I suspect is for the couple of LJ 5
printers I have)
HP Master Monitor
HP Standard TCP/IP Port (which is for 28 of my printers)
hpzint04
LPR Port (which is for four copiers)
P2P-IP

Can you point me to further information on these monitors? I don't want to
remove them while I'm in production. Do you have any further guidance?

Regards,

John
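
A read-only way to see which installed monitors fall outside the list given in the earlier reply, before anything is changed on a production server. This Python is an added example, not part of the original thread; the function names are hypothetical, the sample dictionary is constructed from the names in the post above, and it assumes each monitor subkey carries its DLL name in a `Driver` value.

```python
MONITORS_KEY = r"SYSTEM\CurrentControlSet\Control\Print\Monitors"

# The monitor names the earlier reply lists as the ones to keep.
BASELINE = {
    "BJ Language Monitor", "Local Port", "PJL Language Monitor",
    "Standard TCP/IP Port", "USB Monitor", "Windows NT Fax Monitor",
    "AppleTalk Printing Devices",
}


def read_monitors():
    """Read-only: return {monitor name: Driver DLL or None} from the local registry."""
    import winreg  # Windows only, so imported here rather than at module level

    found = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, MONITORS_KEY) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):  # [0] = number of subkeys
            name = winreg.EnumKey(root, i)
            with winreg.OpenKey(root, name) as sub:
                try:
                    driver, _ = winreg.QueryValueEx(sub, "Driver")
                except FileNotFoundError:
                    driver = None
            found[name] = driver
    return found


def classify(monitors):
    """Split monitors into those on the baseline list and those needing review."""
    baseline = {name.casefold() for name in BASELINE}
    report = {"baseline": [], "review": []}
    for name in sorted(monitors, key=str.casefold):
        bucket = "baseline" if name.casefold() in baseline else "review"
        report[bucket].append((name, monitors[name]))
    return report


# Constructed sample: the seven names from the post above plus two baseline
# monitors; None stands in for Driver values the thread does not give.
SAMPLE = {
    "HP JetDirect Port": None, "HP Laserjet 5 Language Monitor": None,
    "HP Master Monitor": None, "HP Standard TCP/IP Port": None,
    "hpzint04": None, "LPR Port": None, "P2P-IP": None,
    "Local Port": None, "Standard TCP/IP Port": None,
}

if __name__ == "__main__":
    import sys
    monitors = read_monitors() if sys.platform == "win32" else SAMPLE
    for bucket, items in classify(monitors).items():
        for name, driver in items:
            print(f"{bucket:8}  {name}  (Driver: {driver})")
```

A name in the "review" bucket is not necessarily third-party: LPR Port, for example, is installed by Windows' own Print Services for Unix. The Driver DLL's version information is the place to confirm the vendor.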


Hello John,

Thank you for your reply.

I am afraid that other issues will occur when you delete these monitors,
because these monitors all come from HP. Therefore, I suggest that you
should contact HP for more information.

Thanks and regards,
Alex Zhang
Microsoft Partner Online Support
--------------------
From: "John Collins"
Subject: Re: Event ID 578 and HPBPRO dot exe
Date: Fri, 9 Apr 2004 09:06:50 -0400
Newsgroups: microsoft.public.win2000.printing