
Security success & system eventlog spam

Status
Not open for further replies.

Leozack

MIS
Oct 25, 2002
867
GB
Hi all - anyone got any bright ideas why one PC of many on a domain is spamming thousands of events like those below? We're talking multiple 20m event log archives created per day, often within minutes!
Looking at WudfUsbccidDriver, I've tried disabling the smart card service, but that hasn't helped. The problem may relate to the keyboard they use being a Dell one with a smart card reader, and it is used via a KVM, which may also be related to the issue, but other KVM setups are OK?

The security event:

Code:
A handle to an object was requested.

Subject:
	Security ID:		SYSTEM
	Account Name:		WK7-I0027151$
	Account Domain:		DOMAIN
	Logon ID:		0x3e7

Object:
	Object Server:		PlugPlayManager
	Object Type:		Security
	Object Name:		PlugPlaySecurityObject
	Handle ID:		0x0

Process Information:
	Process ID:		0x31c
	Process Name:		C:\Windows\System32\svchost.exe

Access Request Information:
	Transaction ID:		{00000000-0000-0000-0000-000000000000}
	Accesses:		Unknown specific access (bit 1)
				
	Access Reasons:		-
	Access Mask:		0x2
	Privileges Used for Access Check:	-
	Restricted SID Count:	0
XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4656</EventID>
    <Version>1</Version>
    <Level>0</Level>
    <Task>12804</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2016-05-23T14:04:00.255315900Z" />
    <EventRecordID>15507885</EventRecordID>
    <Correlation />
    <Execution ProcessID="640" ThreadID="704" />
    <Channel>Security</Channel>
    <Computer>WK7-I0027151.domain.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">WK7-I0027151$</Data>
    <Data Name="SubjectDomainName">DOMAIN</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="ObjectServer">PlugPlayManager</Data>
    <Data Name="ObjectType">Security</Data>
    <Data Name="ObjectName">PlugPlaySecurityObject</Data>
    <Data Name="HandleId">0x0</Data>
    <Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data>
    <Data Name="AccessList">%%1553</Data>
    <Data Name="AccessReason">-</Data>
    <Data Name="AccessMask">0x2</Data>
    <Data Name="PrivilegeList">-</Data>
    <Data Name="RestrictedSidCount">0</Data>
    <Data Name="ProcessId">0x31c</Data>
    <Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
  </EventData>
</Event>

The system event:

Code:
Device responded with an error status.
Status: ReaderCompletionUnknownMsgType
XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="WudfUsbccidDriver" Guid="{22C370A7-A3DB-4390-ADE5-3A1ACCF4B5D5}" />
    <EventID>7</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>1</Task>
    <Opcode>10</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2016-05-20T15:44:05.760398500Z" />
    <EventRecordID>459827291</EventRecordID>
    <Correlation />
    <Execution ProcessID="1320" ThreadID="2044" />
    <Channel>System</Channel>
    <Computer>WK7-I0027151.domain.com</Computer>
    <Security UserID="S-1-5-19" />
  </System>
  <EventData>
    <Data Name="Name">ReaderCompletionUnknownMsgType</Data>
    <Data Name="Value">0x0</Data>
  </EventData>
</Event>

_________________________________
Leozack
Code:
MakeUniverse($infinity,1,42);
 
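Added triage script for the problem described in the post above. It is not part of Leozack's post; it is a PowerShell example written for this page that pulls only the 4656 PlugPlayManager/PlugPlaySecurityObject events and the WudfUsbccidDriver event ID 7 errors from the two logs, lines them up per minute, resolves which services sit in the svchost.exe that requested the handle, and shows the Object Access audit settings that make 4656 fire at all. Assumptions: it is run from an elevated PowerShell on the affected workstation, the 60-minute look-back window is a chosen value, and the provider name and EventData field names are taken from the two events quoted in the post.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell on the
# affected workstation (the post's WK7-I0027151). The 60-minute window is an assumption;
# the field names and provider come from the two events quoted in the post.
$WindowMinutes = 60
$ms = $WindowMinutes * 60 * 1000   # timediff() in event-log XPath works in milliseconds

# 1. Only the noisy 4656 events. Filtering on the EventData fields server-side avoids
#    reading the whole Security log, which on this box is rolling over every few minutes.
$secXPath = @"
*[System[EventID=4656 and TimeCreated[timediff(@SystemTime) <= $ms]]
  and EventData[Data[@Name='ObjectServer']='PlugPlayManager'
                and Data[@Name='ObjectName']='PlugPlaySecurityObject']]
"@
$sec = @(Get-WinEvent -LogName Security -FilterXPath $secXPath -ErrorAction SilentlyContinue)

# 2. The smart card reader driver errors from the System log over the same window.
$sysXPath = "*[System[Provider[@Name='WudfUsbccidDriver'] and EventID=7 " +
            "and TimeCreated[timediff(@SystemTime) <= $ms]]]"
$sys = @(Get-WinEvent -LogName System -FilterXPath $sysXPath -ErrorAction SilentlyContinue)

# 3. Flatten each security event into the fields worth grouping on.
$rows = foreach ($e in $sec) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Minute      = $e.TimeCreated.ToString('yyyy-MM-dd HH:mm')
        ProcessId   = [int]$d['ProcessId']      # '0x31c' in the post parses to 796
        ProcessName = $d['ProcessName']
        AccessMask  = $d['AccessMask']          # 0x2 in the posted event
        SubjectSid  = $d['SubjectUserSid']      # S-1-5-18, i.e. SYSTEM
    }
}

# 4. Events per minute in both logs, side by side. Bursts of 4656 that track the
#    WudfUsbccidDriver errors point at the reader (or the KVM path it sits behind)
#    rather than at an audit policy change on the domain.
function Get-CountPerMinute {
    param([object[]]$Events)
    $h = @{}
    foreach ($e in $Events) {
        $k = $e.TimeCreated.ToString('yyyy-MM-dd HH:mm')
        $h[$k] = 1 + [int]$h[$k]                # [int]$null is 0 for a new key
    }
    $h
}
$secPerMin = Get-CountPerMinute $sec
$sysPerMin = Get-CountPerMinute $sys
$minutes   = @($secPerMin.Keys) + @($sysPerMin.Keys) | Sort-Object -Unique
$timeline  = foreach ($m in $minutes) {
    [pscustomobject]@{
        Minute          = $m
        Security4656    = [int]$secPerMin[$m]
        WudfUsbccidErr7 = [int]$sysPerMin[$m]
    }
}
$timeline | Format-Table -AutoSize

# 5. Which services live in the svchost.exe that requested the handle. PIDs change
#    every boot, so resolve the ones seen in the events rather than the post's 0x31c.
$pids = $rows | Select-Object -ExpandProperty ProcessId -Unique
foreach ($p in $pids) {
    Get-CimInstance Win32_Service -Filter "ProcessId = $p" |
        Select-Object @{n='PID'; e={$p}}, Name, DisplayName, State
}

# 6. Which audit setting is producing them. 4656 is object-access auditing, and the
#    Task value 12804 in the post's XML is the Other Object Access Events subcategory;
#    listing the whole category shows what is enabled for Success on this machine.
auditpol /get /category:"Object Access"
# Turning the subcategory off (auditpol /set /subcategory:"Other Object Access Events"
# /success:disable) would stop the flood, but Group Policy will put it back at the next
# refresh and it removes the audit trail for every other object in that subcategory.
# Fixing the reader/driver fault is the cure; the auditpol line is only the diagnosis.
```

The XPath filters run inside the event log service, so the script stays quick even when the Security log is churning; if either query returns nothing for the window, the per-minute table is simply empty rather than erroring. Compare the two count columns before touching anything: if the 4656 bursts and the driver errors rise and fall together, swap the smart card keyboard or take the KVM out of the path and re-run, and only then look at audit policy.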