Security event log shows Administrator success audit 100 times/sec

[bdoub1eu]

In the event log of one of my DC's, I'm seeing a success audit for the Administrator Account about 75 to 100 times a second...Any ideas?

Successful Network Logon:
User Name: Administrator
Domain: Domain
Logon ID: (0x0,0x6C406A8)
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: DAYTONA

Successful Network Logon:
User Name: Administrator
Domain: Domain
Logon ID: (0x0,0x6C40693)
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: DAYTONA

User Logoff:
User Name: Administrator
Domain: Domain
Logon ID: (0x0,0x6C4065F)
Logon Type: 3

 

[spike0724]

looks like there is a service setup to use the Administrator account... possibly Anti-Virus or another automated service setup to check for updates.

S. Mike Harris

"If there we 90 seconds in a minute, I might get everything done in a day" - S. M. Harris

 

[bdoub1eu]

Yes, that's possible...But would I see it 30 times in the event log a the exact same time over and over again?

 

[spike0724]

Could be possible... For example in my environment do to the security policies and auditing I have to run I get an average of 8-15+ events a second at all times.

If your antivirus is not set to randomize the updates the server will hit as many at a time as possible.

S. Mike Harris

"If there we 90 seconds in a minute, I might get everything done in a day" - S. M. Harris