KnowledgeBase Event Repository

This site is the central interface to the Adiscon Event Repository

  • Details for this entry
  • Eventlog Type:
    Eventlog Source:
    Event ID:
    Full Description:
    A user attempted to perform a privileged system service operation.
    Parameter Description:
    Privileged Service Called:%n
    %tPrimary User Name:%t%3%n
    %tPrimary Domain:%t%4%n
    %tPrimary Logon ID:%t%5%n
    %tClient User Name:%t%6%n
    %tClient Domain:%t%7%n
    %tClient Logon ID:%t%8%n
    More Informations:

    This is an event logged in whenever a user attempted use a privilege to perform a privileged system service operation. This may be a success audit or failure audit. Changes to a users privileges or attempts to use privileges in an unauthorized manner might require investigation. Below given link to Microsoft article will give more information about this event.

    Microsoft recommendations for Monitoring the Use of User Rights: Windows NT and Windows 2000 include the ability to audit the use of user rights (also known as privileges). This setting can be either enabled or disabled, but you cannot choose which rights to audit it is all or nothing. Auditing the use of user rights will generate a very large number of audits, and in most cases the information these events provide will not outweigh the management considerations.

    Enabling success and failure auditing for the "Use of User Rights" category will enable the following events:

    576 Special privileges assigned to new logon
    577 Privileged Service Called
    578 Privileged object operation

    Recommendation Do not audit the use of user rights unless it is strictly necessary for your environment. If you must audit the use of user rights, it is advisable to purchase or write an event-analysis tool that can filter only on the user rights of interest to you.

    Not all user rights are audited even if the "Use Of User Rights" category is enabled in the systems Audit policy. However, auditing of these events would cause the event logs to rapidly fill with events of little or no value. The following user rights are never audited:

    • Bypass Traverse Checking (SeChangeNotifyPrivilege)
    • Generate Security Audits (SeAuditPrivilege)
    • Create A Token Object (SeCreateTokenPrivilege)
    • Debug Programs (SeDebugPrivilege)
    • Replace A Process Level Token (SeAssignPrimaryTokenPrivilege)

    The following user rights are audited only if a specific registry setting is present:

    • Backup Files and Directories (SeBackupPrivilege)
    • Restore Files and Directories (SeRestorePrivilege)

    The registry value to enable auditing of the backup and restore privileges is HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing (REG_DWORD). Set the value to 1 to enable auditing. This setting can also be set through the security policy user interface in Windows 2000.

    Search for this Event::
    Search in Knowledge Base  •  Search in this Forum  •  Search on
  • Software Vendor: Microsoft
    Accessed: 10039

Discuss the Event

Discussion for KB Entry 54 - Event ID 577

by knowledgebase on Thu May 29, 2008 10:14 pm

This is the discussion thread for the Knowledge Base Entry 54

Eventlog Type: Security
Eventlog Source: Security
Event ID: 577
Link to KB Entry

Short Description:
A user attempted to perform a privileged system service operation.
Forum Bot
Posts: 170
Joined: Wed May 28, 2008 10:09 am

About the KnowledgeBase Event Repository

This is a repository of known Windows Events, hopefully together with a description of what it means, when it appears and how to troubleshoot it. The event repository was initially provided as a tool for parser creation but has since evolved. It is now part of the overall knowledgebase in the hope that it provides a useful service to the community. Please add your comments and questions (which we try to answer), as this increases the event repository usefulness for all of us.

Return to