Windows Security Log Events by ID


Event ID: 578

Title: Privileged object operation

Type: Success, Failure

OS: All versions

Category: Privilege Use

Example:

Privileged object operation:
Object Server:EventLog
Object Handle:0
Process ID:248
Primary User Name:W2DC$
Primary Domain:ELMW2
Primary Logon ID:(0x0,0x3E7)
Client User Name:administrator
Client Domain:ELMW2
Client Logon ID:(0x0,0x804C2)
Privileges:SeSecurityPrivilege

Randy's Comments:

This event indicates that the specified user exercised the user right specified in the Privileges field. To understand Primary and User fields see event 560.

Some user rights are logged by this event, others by 577. Still other "high-volume" rights are not logged when they are exercised but are simply noted by event 576 as being held by the user at the time the user logs on.

On Windows Server 2000, this event is logged for SeSecurityPrivilege whenever the security log is viewed or cleared, because these operations require the "Manage auditing and security log" right (aka SeSecurityPrivilege). For some reason Windows Server 2003, in the same situation, does not log this event. Occurrences for SeTakeOwnershipPrivilege also appear; however, the object handle can't be found in any other events in the log, so there is no way to identify the object that the "client" user took ownership of. Likewise, Windows Server 2003 does not log this event.
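
An added example, not part of the original page: a short Python parser for the description text of event 578 in the layout shown in the example above. It reports the acting user and what each privilege indicates according to the comments above. The function names, the handling of lines without a colon, and the treatment of "-" as an empty client name are assumptions.

```python
import re
# Sample input: the example event text from this page.
SAMPLE_578 = """Privileged object operation:
Object Server:EventLog
Object Handle:0
Process ID:248
Primary User Name:W2DC$
Primary Domain:ELMW2
Primary Logon ID:(0x0,0x3E7)
Client User Name:administrator
Client Domain:ELMW2
Client Logon ID:(0x0,0x804C2)
Privileges:SeSecurityPrivilege"""

# What each privilege means in a 578 event, per the comments above.
NOTES = {
    "SeSecurityPrivilege": "security log viewed or cleared",
    "SeTakeOwnershipPrivilege": "ownership taken; object not identifiable from handle",
}

def parse_578(text):
    """Split 'Name:Value' lines into a dict; Privileges becomes a list."""
    fields, last = {}, None
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            last = name.strip()
            fields[last] = value.strip()
        elif line.strip() and last:
            # Assumption: a colon-less line continues the previous field.
            fields[last] += " " + line.strip()
    fields["Privileges"] = fields.get("Privileges", "").split()
    return fields

def logon_id(value):
    """Convert '(0x0,0x804C2)' (high, low halves) to one integer."""
    m = re.fullmatch(r"\((0x[0-9A-Fa-f]+),(0x[0-9A-Fa-f]+)\)", value)
    return (int(m.group(1), 16) << 32) | int(m.group(2), 16) if m else None

def summarize(text):
    f = parse_578(text)
    # Assumption: an empty or "-" client name means no client is recorded.
    side = "Client" if f.get("Client User Name", "-") not in ("", "-") else "Primary"
    return {
        "actor": f"{f.get(side + ' Domain', '')}\\{f.get(side + ' User Name', '')}",
        "logon_id": logon_id(f.get(side + " Logon ID", "")),
        "object_server": f.get("Object Server"),
        "findings": [(p, NOTES.get(p, "privilege exercised")) for p in f["Privileges"]],
    }
print(summarize(SAMPLE_578))
```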

Note: 576, 577 and 578 do not log any activity associated with LogonRights such as the SeNetworkLogonRight.

Do not confuse 576, 577 or 578 with events 608, 609, 620 and 621, which document rights assignment changes, as opposed to the exercise of rights, which is the purpose of 576, 577 and 578.

Microsoft's Comments:

These are high volume events, which typically do not contain sufficient information to act upon since they do not describe what operation occurred.
