Microsoft Knowledge Base Archive

Symptoms

After installing Service Pack 1 or Service Pack 2 on Windows Server 2003, you may notice logon events are being logged for a user in the Security log, although the user was not active on the computer at that time. For example:

Event Type:       Success Audit
Event Source:   Security
Event Category:               Logon/Logoff
Event ID:             552
User:                    NT AUTHORITY\SYSTEM
Computer:         <Computer>
Description:
Logon attempt using explicit credentials:
Logged on user:
                User Name:       <Computer$>
                Domain:                              <Domain>
                Logon ID:                            (0x0,0x3E7)
                Logon GUID:      -
User whose credentials were used:
                Target User Name:         <User>
                Target Domain:                <Domain>
                Target Logon GUID: -
Target Server Name:    localhost
Target Server Info:        localhost
Caller Process ID:           <PID>
Source Network Address:          -
Source Port:     -

Event Type:       Success Audit
Event Source:   Security
Event Category:               Logon/Logoff
Event ID:             540
Computer:         <computer>
Successful Network Logon:
User Name: <User>
Domain: <Domain>
Logon ID: (ID)
Logon Type: 3
Logon Process: Authz
Authentication Package: Kerberos
Workstation Name: <Computer>
Logon GUID: -

Event Type:       Success Audit
Event Source:   Security
Event Category:               Logon/Logoff
Event ID:             576
Computer:         <computer>
Special privileges assigned to new logon:
User Name: <User>
Domain: <Domain>
Logon ID: (ID)
Privileges: SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege

Event Type:       Success Audit
Event Source:   Security
Event Category:               Logon/Logoff
Event ID:             538
Computer:         <computer>
User Logoff:
User Name: <User>
Domain: <Domain>
Logon ID: (ID)
Logon Type: 3

The "Logon Process" of "AuthZ" in Event ID 540 indicates this is not an actual user logon, but an authorization check that is based on the user's Active Directory security group memberships.

When inspecting the Caller Process ID (PID) in Event ID 552, you see it is the SVCHOST process that is hosting the WMI service as well as other services.

To verify that WMI is causing the events to be logged, you can move the WMI service to a separate process using the following case-sensitive command:

rundll32 %WINDIR%\system32\wbem\WMISvc.dll, MoveToAlone 4

After restarting the WinMgmt service, the Caller Process ID in Event ID 552 should now specify the process ID of the separated service process.

Note: After the problem is resolved, please follow the steps in the More Information section to move back the WMI service into a shared service executable.

↑ Back to the top

Cause

During service pack install, the user installing the service pack may have his security identifier (SID) added as CreatorSid in the SCM.MOF file.

When WMI starts, it checks that this user is member of the Administrators group. To do that, it performs a S4U logon of the user to get a token with the list of group SIDs which is then checked for the SID of the built-in Administrators group.

↑ Back to the top

Resolution

The solution is to change SCM.MOF so it uses a proper user SID for the task. There are three places in the MOF file where you find the lines where the CreatorSid is used with a different SID than the LocalSystem SID (binary representation {1,1,0,0,0,0,0,5,18,0,0,0}). Please follow these steps:

Backup the SCM.MOF file from the %WINDIR%\System32\wbem folder in case the settings have to be reverted.
Review the following lines to the SCM.MOF file (will be at the bottom of the file..), and change as needed:

instance of NTEventLogEventConsumer

{
Name = "SCM Event Log Consumer";
SourceName = "Service Control Manager";
EventType = 1;
Category = 0;
NameOfUserSIDProperty = "sid";
CreatorSid = {1,1,0,0,0,0,0,5,18,0,0,0};
};

/////////////////////////////////////////////////////////////////////////////

// SCM Event Log filter

instance of __EventFilter

{
Name = "SCM Event Log Filter";
QueryLanguage = "WQL";
Query = "select * from MSFT_SCMEventLogEvent";
EventNamespace = "root\\cimv2";
CreatorSid = {1,1,0,0,0,0,0,5,18,0,0,0};
};

/////////////////////////////////////////////////////////////////////////////

// SCM Event Log filter-to-consumer binding

instance of __FilterToConsumerBinding

{
Consumer = "NTEventLogEventConsumer.Name=\"SCM Event Log Consumer\"";
Filter = "__EventFilter.Name=\"SCM Event Log Filter\"";
CreatorSid = {1,1,0,0,0,0,0,5,18,0,0,0};
};
Save the file as SCM.MOF after making the changes.
Open a command prompt and navigate to the %WINDIR%\System32\wbem folder.
Execute the following command in a system command prompt:

mofcomp.exe scm.mof

Note To open a system command prompt, use the following command:

at <time> /interactive cmd.exe

Note The <time> placeholder represents the time for when the command will run.
Restart the computer.

↑ Back to the top

More Information

When you have put WMI into a separate service process, you should undo the action using the following case-sensitive command:

rundll32 %WINDIR%\system32\wbem\WMISvc.dll, MoveToShared

A related problem is discussed in the following Microsoft Knowledge Base article:

917463 A Service Control Manager (SCM) event cannot be logged in the System event log on a Windows Server 2003-based computer

↑ Back to the top

Article ID	:	2002335
Revision	:	1
Created on	:	1/8/2017
Published on	:	3/8/2010
Exists online	:	False
Views	:	115

Microsoft KB Archive Search

Logon Audit Events Seen After Installing Service Pack on Windows Server 2003

Symptoms

Cause

Resolution

More Information