Event ID - 577

Event Id577
DescriptionPrivileged Service Called:
Server: NT Local Security Authority / Authentication Service
Service: LsaRegisterLogonProcess()
Primary User Name: <computer name>$
Primary Domain: <domain or workgroup name>
Primary Logon ID: (0x0,0x3E7)
Client User Name: <computer name>$
Client Domain: <domain or workgroup name>
Client Logon ID: (0x0,0x3E7)
Privileges: <privilege string>
Event InformationAccording to Microsoft :
Cause :
This event record indicates that an attempt has been made to use a privilege to perform a privileged system service.


This may be a success audit or failure audit. Changes to a users privileges or attempts to use privileges in an unauthorized manner might require investigation. Below given link to Microsoft article will give more information about this event.

Microsoft recommendations for Monitoring the Use of User Rights:
Windows NT and Windows 2000 include the ability to audit the use of user rights (also known as privileges). This setting can be either enabled or disabled, but you cannot choose which rights to audit it is all or nothing. Auditing the use of user rights will generate a very large number of audits, and in most cases the information these events provide will not outweigh the management considerations.

Enabling success and failure auditing for the "Use of User Rights" category will enable the following events:
576         Special privileges assigned to new logon

577         Privileged Service Called

578         Privileged object operation

Recommendation Do not audit the use of user rights unless it is strictly necessary for your environment. If you must audit the use of user rights, it is advisable to purchase or write an event-analysis tool that can filter only on the user rights of interest to you.

Not all user rights are audited even if the "Use Of User Rights" category is enabled in the systems Audit policy. However, auditing of these events would cause the event logs to rapidly fill with events of little or no value.
The following user rights are never audited:
• Bypass Traverse Checking (SeChangeNotifyPrivilege)
• Generate Security Audits (SeAuditPrivilege)
• Create A Token
Reference LinksEvent ID 577 from Source Security

Alternate Event ID in Vista and Windows Server 2008 is 4673.

Windows XP
Window 2000

Unnecessary Security Failure Audit (Event 577)

Security Event Descriptions

Event ID 577 appears repeatedly in the security event log of your Windows XP-based computer

Failure Audit Event 577 Is Logged When You Save the Winmsd Report

Privilege use events

Error C00000BE When Changing Password

Auditing User Right Assignment Changes

Win2K SP4 Tightens Security for Programs and Services

Catch threats immediately

We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.

See what we caught

Did this information help you to resolve the problem?

Yes: My problem was resolved.
No: The information was not helpful / Partially helpful.