OT: Event Logs

Started by JTaylor, April 02, 2019, 03:17:58 PM


JTaylor

Not sure where to turn as all my googling, reading and trying different things have failed to provide a solution so thought I would try the Windows experts if any are willing to offer suggestions.   Over the last 3 days I have had over 36,000 security events which is a bit annoying due to the do-doot sounds as well as it grabbing focus every few seconds.     A solution would be GREATLY appreciated.   If I should delete this and not ask this here just tell me.   I am sure it is coincidence but seemed to start when I started processing huge files using WinBatch...if that is enough of a hook to post the question :)     

I have tried shutting down all the machines on my network (just a basic home/windows network)
Turning off my internet
closing most applications
uninstalled a few things
etc.

The events mostly comprise the following in large quantities:

###############################################################################
Audit Success   4/2/2019 1:42:01 PM   Microsoft Windows security auditing.   4798   User Account Management   
Process Information:
   Process ID:      0x56a8
   Process Name:      C:\Windows\explorer.exe
###############################################################################
Audit Success   4/2/2019 1:41:07 PM   Microsoft Windows security auditing.   4672   Special Logon
Subject:
   Security ID:      SYSTEM
   Account Name:      SYSTEM
   Account Domain:      NT AUTHORITY
   Logon ID:      0x3E7

Privileges:      SeAssignPrimaryTokenPrivilege
         SeTcbPrivilege
         SeSecurityPrivilege
         SeTakeOwnershipPrivilege
         SeLoadDriverPrivilege
         SeBackupPrivilege
         SeRestorePrivilege
         SeDebugPrivilege
         SeAuditPrivilege
         SeSystemEnvironmentPrivilege
         SeImpersonatePrivilege
         SeDelegateSessionUserImpersonatePrivilege

#######################################################################
Audit Success   4/2/2019 1:41:07 PM   Microsoft Windows security auditing.   4624   Logon
     An account was successfully logged on.

###############################################################
Audit Success   4/2/2019 1:33:51 PM   Microsoft Windows security auditing.   5061   System Integrity
       Cryptographic operation.

Subject:
   Security ID:      MyMachine/login
   Account Name:      login
   Account Domain:      machine
   Logon ID:      0x4CB10

Cryptographic Parameters:
   Provider Name:   Microsoft Software Key Storage Provider
   Algorithm Name:   RSA
   Key Name:   TB_0_office365.com
   Key Type:   User key.

Cryptographic Operation:
   Operation:   Open Key.
   Return Code:   0x0
################################################

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          4/2/2019 3:34:35 PM
Event ID:      5058
Task Category: Other System Events
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      machine
Description:
Key file operation.

Process Information:
   Process ID:      16332
   Process Creation Time:   2019-04-02T20:34:29.444247200Z

Cryptographic Parameters:
   Provider Name:   Microsoft Software Key Storage Provider
   Algorithm Name:   UNKNOWN
   Key Name:   te-aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
   Key Type:   User key.

Key File Operation Information:
   File Path:   C:\Users\.......\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-111111110-1111111174-655555555-1001\0afsdfasdfasdfasdfasdfasdfasdfa7_9asdfasd-15ertwert-bere-cfhghfghfghc
   Operation:   Read persisted key from file.
   Return Code:   0x0
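
Added example (not part of the original post, and not the poster's code): a PowerShell triage pass over the Security log that counts the event IDs quoted above, buckets them by hour, and tallies which process or key name each one reports. The 3-day window and the event IDs come from the post; the EventData field names are matched by pattern and are an assumption based on the "Process Name" and "Key Name" labels in the pasted events.

```powershell
# Added example: find out what is filling the Security log.
# Run from an elevated prompt; reading the Security log requires it.
$ids   = 4798, 4672, 4624, 5061, 5058      # event IDs quoted in the post
$since = (Get-Date).AddDays(-3)            # "over the last 3 days"

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = $ids
    StartTime = $since
} -ErrorAction Stop

# 1) Volume per event ID: which ID dominates the flood?
$events | Group-Object Id | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 2) Volume per hour: lines the bursts up with what was running at the time.
$events | Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH:00') } |
    Sort-Object Name | Select-Object Name, Count | Format-Table -AutoSize

# 3) Who triggers the events: pull the reporting process and key name
#    out of each event's XML payload.
$rows = foreach ($e in $events) {
    $proc = $null
    $key  = $null
    foreach ($d in ([xml]$e.ToXml()).GetElementsByTagName('Data')) {
        $name = $d.GetAttribute('Name')
        # Assumption: process fields end in "ProcessName", key field is "KeyName".
        if ($name -match 'ProcessName$' -and -not $proc) { $proc = $d.InnerText }
        elseif ($name -eq 'KeyName')                     { $key  = $d.InnerText }
    }
    [pscustomobject]@{ Id = $e.Id; Process = $proc; KeyName = $key }
}

# Top combinations of event ID, process and key name.
$rows | Group-Object Id, Process, KeyName | Sort-Object Count -Descending |
    Select-Object -First 15 Count, Name | Format-Table -AutoSize -Wrap
```
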

ChuckC

The 1st and most obvious question to ask:

What changed in your environment approximately 3 days ago when these event log entries started being generated in large quantities?

kdmoyers

Off-the-wall theory: maybe, just as an experiment, it might be good to log off/disconnect/uninstall office365, just to see if that has an effect?  You can always reconnect later, I think.   It seems like something is stuck in some sort of authentication loop, and I've heard that office365 does some pretty complex logic in that area...

Not even $0.02,
Kirby
The mind is everything; What you think, you become.

td

A few other random unlikely possibilities include: a viral infection, old and invalid cached credentials, a changed email password, or none of the above.
"No one who sees a peregrine falcon fly can ever forget the beauty and thrill of that flight."
  - Dr. Tom Cade

JTaylor

Thanks all.   Nothing changed of which I am aware but obviously something did.   Became aware of it when I started processing tens of gigs of data but that seemed like an unlikely cause and more likely just was something with which it more blatantly interfered.   Hadn't noticed the office-365 note until gathering the stuff for the post so will look in that direction.   Although, one thing that does come to mind is that Windows was complaining the other day about a login being bad and I told it to fix it.   Maybe something with that, which could be office365 related.   I have a personal business account and another work related account.   Maybe they are fighting with each other???

Thanks again.    This was helpful.

Jim

JTaylor

Thought I should report back since you were kind enough to reply.   Still a problem but in some ways better.   I think it does have something to do with the LARGE files with which I am working.  Logged out of Office365 and then the error messages started referencing Carbonite.   Realized it was backing up the files with which I am working so told it to skip those folders.   Still get the Events though but has quieted down some.  If I go and work on other stuff then it almost quits but when I return to those folders and that project it picks back up again.  Oh well, I do appreciate the suggestions.  Will see what happens when I finish this project.

Thanks again.

Jim

JTaylor

Turns out it was my mouse and also maybe my web cam.   Didn't realize it would generate such errors if a mouse was bad but finally ran across a post somewhere in which someone mentioned a similar issue and their resolution.   It got better after disconnecting my web cam but was getting worse again so just swapped mice and so far the problem has stopped.

Jim

kdmoyers

wow! that's instructive. the mouse!
Thanks for posting Jim.
-K
The mind is everything; What you think, you become.