Question on 4674 events
Posted 7/1/2010 8:22:50 PM
Forum Member

Group: Forum Members
Randy,

I am seeing a ton of 4674 events related to a user's admin account as below. Any ideas?

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4674</EventID><Version>0</Version><Level>Information</Level><Task>Sensitive Privilege Use</Task><Opcode>Info</Opcode><Keywords>Audit Success</Keywords><TimeCreated SystemTime='2010-07-01T00:00:03.765568100Z'/><EventRecordID>429068634</EventRecordID><Correlation/><Execution ProcessID='892' ThreadID='948'/><Channel>Security</Channel><Computer>computer.xxx.com</Computer><Security/></System><EventData>An operation was attempted on a privileged object.

Subject:
 Security ID:  DOMAIN\admin-xxxxx

 Account Name:  admin-xxxxx
 Account Domain:  DOMAIN
 Logon ID:  0x1027f0c975

Object:
 Object Server: SC Manager
 Object Type: SC_MANAGER OBJECT
 Object Name: ServicesActive
 Object Handle: 0xfffffa600d374b18

Process Information:
 Process ID: 0x370
 Process Name: C:\Windows\System32\services.exe

Requested Operation:
 Desired Access: DELETE
   READ_CONTROL
   WRITE_DAC
   Connect to service controller
   Create a new service
   Enumerate services
   Lock service database for exclusive access
   Query service database lock state
   Set last-known-good state of service database
   
 Privileges:  SeTakeOwnershipPrivilege</EventData></Event>

Post #400
Posted 7/7/2010 2:42:09 PM
Expert

Group: Administrators
As indicated in my encyclopedia these events are of limited value. The specific example you supplied indicates the account in question was doing something with Services on the computer. Maybe starting, stopping or installing a new service.
Post #406
Posted 7/15/2010 9:42:59 AM
Forum Member

Group: Forum Members
Thx again Randy

Jeff
Post #417
Posted 8/1/2010 7:10:12 AM
Expert

Group: Administrators
no problem
Post #421
Posted 7/19/2017 9:12:18 AM
Forum Newbie

Group: Forum Members
I have a network consisting of Windows Server 2012, 2 DCs, and approximately 65 Dell OptiPlex 7040MT workstations with Windows 10 Enterprise with military Secure Host Baseline (SHB). All users constantly get the taskbar pop-up: "Windows needs your current credentials. Please lock then unlock using your most recent password or smart card." My admin account also gets it constantly. It makes no difference whether I or any other user locks and unlocks or whether you just ignore it. When it occurs, the event log gives the 4674 Event ID. Is there any way of getting rid of this ridiculously annoying pop-up? Already tried checking the account options checkbox for "Do not require Kerberos preauthentication" and it has made no difference. In addition, when users' passwords expire and they create a new password, they get an error of "The encryption type requested is not supported by the KDC." Are these two somehow related?
Post #7387
Posted 8/14/2017 4:54:42 PM
Supreme Being

Group: Moderators
This event does not really tell you much. It seems like an issue with the secure configurations. Are there any other events at the time this issue is seen that may help?
Post #7399
Posted 9/14/2017 4:13:56 PM
Forum Newbie

Group: Forum Members
Does the message say "Audit Failure"? There are a lot of privileged permissions that get used during normal business. If accounts do not have these privileges then I would expect that Windows would try to elevate so that whatever task it's trying to do can be completed. I would look at the event and determine what privilege it is trying to use and see if that user has it. These are not the normal things you think of as permissions (system, local admin). I believe the right term is "user rights". https://technet.microsoft.com/en-us/library/dn221963(v=ws.11).aspx

Requested Operation:

Desired Access: 0
Privileges: SeShutdownPrivilege
Post #7409
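Added example, not part of any post in this thread: one way to triage a flood of 4674 events along the lines discussed above, by grouping them on audit result, account, object server and privilege so that Audit Failure entries surface ahead of routine successes. The function names and the sample events are constructed for illustration and assume the rendered-message layout quoted in the first post.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def listed(label, msg):
    """Values listed after 'label:' (one per line) up to the next blank line."""
    m = re.search(rf"{label}:[ \t]*(.*?)(?:\n\s*\n|\Z)", msg, re.S)
    return [v.strip() for v in m.group(1).splitlines() if v.strip()] if m else []

def parse_4674(xml_text):
    """Parse one rendered 4674 event; return None for any other event ID."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4674":
        return None
    msg = root.findtext("e:EventData", default="", namespaces=NS)
    first = lambda label: (listed(label, msg) or [""])[0]
    return {"result": root.findtext("e:System/e:Keywords", namespaces=NS),
            "account": first("Account Name"), "server": first("Object Server"),
            "access": listed("Desired Access", msg),
            "privileges": listed("Privileges", msg)}

def triage(events):
    """Group by (result, account, server, privilege); failures first, then by count."""
    counts = Counter()
    for rec in filter(None, map(parse_4674, events)):
        for priv in rec["privileges"] or ["-"]:
            counts[(rec["result"], rec["account"], rec["server"], priv)] += 1
    return sorted(counts.items(), key=lambda kv: (kv[0][0] != "Audit Failure", -kv[1]))

def sample_event(result, account, server, access, privilege, event_id=4674):
    """Build a constructed event in the rendered layout quoted in this thread."""
    return ("<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
            f"<System><EventID>{event_id}</EventID><Keywords>{result}</Keywords></System>"
            "<EventData>An operation was attempted on a privileged object.\n\n"
            f"Subject:\n Account Name:  {account}\n Account Domain:  DOMAIN\n\n"
            f"Object:\n Object Server: {server}\n Object Name: -\n\n"
            f"Requested Operation:\n Desired Access: {access}\n   \n"
            f" Privileges:  {privilege}</EventData></Event>")

# Constructed sample data (not real logs): three service-manager successes, one failure.
SAMPLES = [sample_event("Audit Success", "admin-example", "SC Manager",
                        "DELETE\n   READ_CONTROL\n   Create a new service",
                        "SeTakeOwnershipPrivilege")] * 3
SAMPLES.append(sample_event("Audit Failure", "user-example", "Win32 SystemShutdown module",
                            "0", "SeShutdownPrivilege"))

if __name__ == "__main__":
    for key, n in triage(SAMPLES):
        print(n, *key, sep=" | ")
```

A large count for one success group (same account, same object server, same privilege) is the kind of routine noise described in the replies; the failure rows are the ones to compare against the account's assigned user rights.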