Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Chris Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Security success & system eventlog spam

Status
Not open for further replies.

Leozack

MIS
Oct 25, 2002
867
GB
Hi all - anyone got any bright ideas why 1 PC of many on a domain is spamming thousands of events like those below - we're talking multiple 20m event log archives created per day, often within minutes!
Looking at WudfUsbccidDriver I've tried disabling the smartcard service but that hasn't helped. The problem may relate to the keyboard they use being a dell one with a smartcard reader, and it is used via a KvM which may also be related to the issue but other KvM setups are ok?

The security event :

Code:
A handle to an object was requested.

Subject:
	Security ID:		SYSTEM
	Account Name:		WK7-I0027151$
	Account Domain:		DOMAIN
	Logon ID:		0x3e7

Object:
	Object Server:		PlugPlayManager
	Object Type:		Security
	Object Name:		PlugPlaySecurityObject
	Handle ID:		0x0

Process Information:
	Process ID:		0x31c
	Process Name:		C:\Windows\System32\svchost.exe

Access Request Information:
	Transaction ID:		{00000000-0000-0000-0000-000000000000}
	Accesses:		Unknown specific access (bit 1)
				
	Access Reasons:		-
	Access Mask:		0x2
	Privileges Used for Access Check:	-
	Restricted SID Count:	0]
XML:
- <Event xmlns="[URL unfurl="true"]http://schemas.microsoft.com/win/2004/08/events/event">[/URL]
- <System>
  <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> 
  <EventID>4656</EventID> 
  <Version>1</Version> 
  <Level>0</Level> 
  <Task>12804</Task> 
  <Opcode>0</Opcode> 
  <Keywords>0x8020000000000000</Keywords> 
  <TimeCreated SystemTime="2016-05-23T14:04:00.255315900Z" /> 
  <EventRecordID>15507885</EventRecordID> 
  <Correlation /> 
  <Execution ProcessID="640" ThreadID="704" /> 
  <Channel>Security</Channel> 
  <Computer>WK7-I0027151.domain.com</Computer> 
  <Security /> 
  </System>
- <EventData>
  <Data Name="SubjectUserSid">S-1-5-18</Data> 
  <Data Name="SubjectUserName">WK7-I0027151$</Data> 
  <Data Name="SubjectDomainName">DOMAIN</Data> 
  <Data Name="SubjectLogonId">0x3e7</Data> 
  <Data Name="ObjectServer">PlugPlayManager</Data> 
  <Data Name="ObjectType">Security</Data> 
  <Data Name="ObjectName">PlugPlaySecurityObject</Data> 
  <Data Name="HandleId">0x0</Data> 
  <Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data> 
  <Data Name="AccessList">%%1553</Data> 
  <Data Name="AccessReason">-</Data> 
  <Data Name="AccessMask">0x2</Data> 
  <Data Name="PrivilegeList">-</Data> 
  <Data Name="RestrictedSidCount">0</Data> 
  <Data Name="ProcessId">0x31c</Data> 
  <Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data> 
  </EventData>
  </Event>

The system event :

Code:
Device responded with an error status.
Status: ReaderCompletionUnknownMsgType
XML:
- <Event xmlns="[URL unfurl="true"]http://schemas.microsoft.com/win/2004/08/events/event">[/URL]
- <System>
  <Provider Name="WudfUsbccidDriver" Guid="{22C370A7-A3DB-4390-ADE5-3A1ACCF4B5D5}" /> 
  <EventID>7</EventID> 
  <Version>0</Version> 
  <Level>2</Level> 
  <Task>1</Task> 
  <Opcode>10</Opcode> 
  <Keywords>0x8000000000000000</Keywords> 
  <TimeCreated SystemTime="2016-05-20T15:44:05.760398500Z" /> 
  <EventRecordID>459827291</EventRecordID> 
  <Correlation /> 
  <Execution ProcessID="1320" ThreadID="2044" /> 
  <Channel>System</Channel> 
  <Computer>WK7-I0027151.domain.com</Computer> 
  <Security UserID="S-1-5-19" /> 
  </System>
- <EventData>
  <Data Name="Name">ReaderCompletionUnknownMsgType</Data> 
  <Data Name="Value">0x0</Data> 
  </EventData>
  </Event>

_________________________________
Leozack
Code:
MakeUniverse($infinity,1,42);
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top