| Event Id | 577 |
| Source | Security |
| Description | Privileged Service Called: Server: NT Local Security Authority / Authentication Service Service: LsaRegisterLogonProcess() Primary User Name: <computer name>$ Primary Domain: <domain or workgroup name> Primary Logon ID: (0x0,0x3E7) Client User Name: <computer name>$ Client Domain: <domain or workgroup name> Client Logon ID: (0x0,0x3E7) Privileges: <privilege string> |
| Event Information | According to Microsoft : Cause : This event record indicates that an attempt has been made to use a privilege to perform a privileged system service. ------------------------------------------------------------------------------------------------ This may be a success audit or failure audit. Changes to a users privileges or attempts to use privileges in an unauthorized manner might require investigation. Below given link to Microsoft article will give more information about this event. Microsoft recommendations for Monitoring the Use of User Rights: Windows NT and Windows 2000 include the ability to audit the use of user rights (also known as privileges). This setting can be either enabled or disabled, but you cannot choose which rights to audit it is all or nothing. Auditing the use of user rights will generate a very large number of audits, and in most cases the information these events provide will not outweigh the management considerations. Enabling success and failure auditing for the "Use of User Rights" category will enable the following events: 576 Special privileges assigned to new logon 577 Privileged Service Called 578 Privileged object operation Recommendation Do not audit the use of user rights unless it is strictly necessary for your environment. If you must audit the use of user rights, it is advisable to purchase or write an event-analysis tool that can filter only on the user rights of interest to you. Not all user rights are audited even if the "Use Of User Rights" category is enabled in the systems Audit policy. However, auditing of these events would cause the event logs to rapidly fill with events of little or no value. The following user rights are never audited: • Bypass Traverse Checking (SeChangeNotifyPrivilege) • Generate Security Audits (SeAuditPrivilege) • Create A Token |
| Reference Links | Event ID 577 from Source Security Alternate Event ID in Vista and Windows Server 2008 is 4673. Windows XP Window 2000 Unnecessary Security Failure Audit (Event 577) Security Event Descriptions Event ID 577 appears repeatedly in the security event log of your Windows XP-based computer Failure Audit Event 577 Is Logged When You Save the Winmsd Report Privilege use events Error C00000BE When Changing Password Auditing User Right Assignment Changes Win2K SP4 Tightens Security for Programs and Services |
Catch threats immediately
We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.