Thread: 2003 Server with recurring Security Event problem

  1. #1
    Russell Guest

    2003 Server with recurring Security Event problem

    My Security Events log contains the following 3 security
    events literally hundreds of times per day. I see this
    over and over only a few seconds apart all day long. Any
    ideas what my problem is?

    Event ID:538
    User Logoff:
    User Name: SERVER1$
    Domain: hilldale
    Logon ID: (0x0,0x2D02675)
    Logon Type: 3

    Event ID: 576
    Special privileges assigned to new logon:
    User Name: SERVER1$
    Domain: hilldale
    Logon ID: (0x0,0x2D78DBD)
    Privileges: SeSecurityPrivilege
    SeBackupPrivilege
    SeRestorePrivilege
    SeTakeOwnershipPrivilege
    SeDebugPrivilege
    SeSystemEnvironmentPrivilege
    SeLoadDriverPrivilege
    SeImpersonatePrivilege
    SeEnableDelegationPrivilege

    Event ID: 540
    Successful Network Logon:
    User Name: SERVER1$
    Domain: hilldale
    Logon ID: (0x0,0x2D78DBD)
    Logon Type: 3
    Logon Process: Kerberos
    Authentication Package: Kerberos
    Workstation Name:
    Logon GUID: {10d95654-c7f0-fbf0-e6b1-a38d1809a1eb}
    Caller User Name: -
    Caller Domain: -
    Caller Logon ID: -
    Caller Process ID: -
    Transited Services: -
    Source Network Address: -
    Source Port: -



  2. #2
    JeffK Guest

    RE: 2003 Server with recurring Security Event problem

    I am extremely interested in this issue. We have been fighting this problem
    for months to no avail. I did come across a hot fix described in KB 822774
    which seemed to take care of the event ID 576. I still have the problem with
    events 540, 538 over and over and over again. In our case, the problem hits
    us 10 hours after a PC is brought up. It streams the events 538, 540 for
    about 2 minutes and then stops. Not all PCs show the problem. A failing PC
    does not fail every day. Has anybody got any ideas?



  3. #3
    jk Guest

    Re: 2003 Server with recurring Security Event problem (538, 576, 540)

    I think I found a solution to at least part of the problem.
    First a bit of background on our version of the problem just to hold you
    in suspense.
    We are running a Point of Sale system running on Windows XP. It made no
    difference pre or post SP2. We connect via a share to a Windows 2003 server.
    10 hours after turning the registers on, many but not all of the registers
    would stream the events Russell mentions. This would last for up to two
    minutes. If enough registers hit the server at the same time, the server
    service LSASS.EXE would take so much CPU (>50%) that files would get locked
    and not unlock and registers became so unresponsive they went off-line.
    Early this week we installed the hot fix referenced in Knowledge Base
    article 822774
    (http://support.microsoft.com/default...uct=winsvr2003).
    This killed the 576 events. We are still seeing the streaming of the 538, 540
    events but not the 576. LSASS.EXE barely even glitches now. Registers are
    not going off-line. We are not seeing the file contention. We are still
    watching and waiting but it is looking good.
    I have seen other references to 538, 540 events that say to just turn off
    logging. As we do not seem to be impacting production now, I plan on turning
    off this logging just to get rid of the excess I/O and clean up the event
    log.

    Jeff K.
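
Before auditing of these events is turned off, a text export of the Security log can be checked for the pattern described in this thread: a machine account (name ending in `$`) producing a stream of type 3 network logons (event 540) within about two minutes. The following is an added example, not code from any of the posters; the `Time:` field, the timestamps and the `alice` account are constructed assumptions, since the posted excerpts carry no timestamps.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*)$")

def parse_events(text):
    """Split a text export into one dict per 'Event ID:' record."""
    events, cur = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # continuation lines, e.g. the privilege list in 576
        key, val = m.group(1).strip(), m.group(2).strip()
        if key == "Event ID":
            cur = {"Event ID": int(val)}
            events.append(cur)
        elif cur is not None:
            cur[key] = val
    return events

def machine_logon_bursts(events, window=timedelta(minutes=2), threshold=3):
    """Peak count of type-3 540 logons per machine account inside `window`."""
    times = defaultdict(list)
    for e in events:
        if (e["Event ID"] == 540 and e.get("Logon Type") == "3"
                and e.get("User Name", "").endswith("$")):
            stamp = datetime.strptime(e["Time"], "%Y-%m-%d %H:%M:%S")
            times[e["User Name"]].append(stamp)
    bursts = {}
    for user, ts in times.items():
        ts.sort()
        start = best = 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:  # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[user] = best
    return bursts

# Constructed sample records; the "Time:" field is an assumed addition.
ROWS = [(540, "18:00:01", "SERVER1$"), (538, "18:00:04", "SERVER1$"),
        (540, "18:00:09", "SERVER1$"), (540, "18:00:20", "SERVER1$"),
        (540, "18:30:00", "alice")]
SAMPLE = "".join(
    f"Event ID: {i}\nTime: 2004-10-12 {t}\nUser Name: {u}\n"
    f"Domain: hilldale\nLogon Type: 3\n" for i, t, u in ROWS)
```

Calling `machine_logon_bursts(parse_events(SAMPLE))` reports `SERVER1$` with a peak of 3 logons in the window and ignores the interactive-style `alice` account.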





