I have an isolated desktop computer in my office that I run weekly security audits on. I check the logs for odd behavior then export and clear them out.
The logs are filled with "Audit failure Microsoft Windows Security Auditing Event ID 4673"
A privileged service was called
Subject:
    Security ID: System
    Account Name: Standalone_System_2$
    Account Domain: WORKGROUP
    Logon ID: 0x307
Service:
    Server: Security Account Manager
    Service Name: Security Account Manager
Process:
    Process ID: 0x208
    Process Name: C:\Windows\System32\lsass.ese
Service Request Information:
    Privileges: SeTcbPrivilege
I found this TechNet post which advised that I turn off "Audit Privilege Use"… Not the route I need to take.
Some have suggested that it could be the antivirus causing these log entries… I'm not sure how to identify the offending account or service. I checked services on the system and I see a service named "Security Accounts Manager", however this service is not named "Security Account Manager".
Not sure where to go but I want to get this audit log under control! All these useless entries make it nearly impossible to find actual events.
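One way to triage an exported log like the one described above, as an added example that is not part of the original post: it parses 4673 descriptions in the field layout quoted in the question and counts them per account, Logon ID, process and privilege, so the source of the repeated entries stands out. The sample input is constructed, and the names `parse_events`, `noisy_sources` and the ExampleAgent path are assumptions made for illustration.

```python
import re
from collections import Counter

# "Key: value" lines; section headers such as "Subject:" have no value and are skipped.
FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(\S.*)$")
KEYS = ("Account Name", "Logon ID", "Process Name", "Privileges")

def parse_events(text):
    """Split exported log text on the 4673 banner; return one field dict per event."""
    events = []
    for chunk in text.split("A privileged service was called")[1:]:
        fields = {}
        for line in chunk.splitlines():
            m = FIELD.match(line)
            if m:
                fields[m.group(1).strip()] = m.group(2).strip()
        events.append(fields)
    return events

def noisy_sources(events):
    """Count events per (account, logon ID, process, privilege) combination."""
    return Counter(tuple(e.get(k, "?") for k in KEYS) for e in events)

# Constructed sample input. The first event uses the values quoted in the post;
# the second (ExampleAgent, localuser) is made up to show a different source.
EVENT_A = r"""A privileged service was called.
Subject:
    Account Name: Standalone_System_2$
    Logon ID: 0x307
Process:
    Process Name: C:\Windows\System32\lsass.ese
Service Request Information:
    Privileges: SeTcbPrivilege
"""
EVENT_B = r"""A privileged service was called.
Subject:
    Account Name: localuser
    Logon ID: 0x1a2b3
Process:
    Process Name: C:\Program Files\ExampleAgent\agent.exe
Service Request Information:
    Privileges: SeTcbPrivilege
"""
SAMPLE = EVENT_A * 2 + EVENT_B

if __name__ == "__main__":
    for source, count in noisy_sources(parse_events(SAMPLE)).most_common():
        print(count, *source, sep="\t")
```

Sorting by count puts the combination that floods the log first; the rarer combinations are the ones to read individually.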
Best Answer
The last entry on this thread talks about using a specific tool to determine the user in question for this error (Login ID is unique since boot, but changes after a reboot, so you need to see what account is connected to this request) and validate whether they should have permissions to do what they are attempting: http://answers.microsoft.com/en-us/windows/forum/windows_xp-security/577-many-failures-pertaining-to-setcbprivilege-in/3944f31c-dda4-46d9-adbf-74a9953dedeb
Reproduced here because the forum is a bit hard to read: