Logon Audit Events Seen After Installing Service Pack on Windows Server 2003


Symptoms


After installing Service Pack 1 or Service Pack 2 on Windows Server 2003, you may notice that logon events are logged for a user in the Security log even though the user was not active on the computer at that time. For example:

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 552
User: NT AUTHORITY\SYSTEM
Computer: <Computer>
Description:
Logon attempt using explicit credentials:
 Logged on user:
   User Name: <Computer$>
   Domain: <Domain>
   Logon ID: (0x0,0x3E7)
   Logon GUID: -
 User whose credentials were used:
   Target User Name: <User>
   Target Domain: <Domain>
   Target Logon GUID: -
 Target Server Name: localhost
 Target Server Info: localhost
 Caller Process ID: <PID>
 Source Network Address: -
 Source Port: -

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Computer: <computer>
Successful Network Logon:
User Name: <User>
Domain: <Domain>
Logon ID: (ID)
Logon Type: 3
Logon Process: Authz
Authentication Package: Kerberos
Workstation Name: <Computer>
Logon GUID: -

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 576
Computer: <computer>
Special privileges assigned to new logon:
User Name: <User>
Domain: <Domain>
Logon ID: (ID)
Privileges: SeSecurityPrivilege
            SeBackupPrivilege
            SeRestorePrivilege
            SeTakeOwnershipPrivilege
            SeSystemEnvironmentPrivilege
            SeLoadDriverPrivilege

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Computer: <computer>
User Logoff:
User Name: <User>
Domain: <Domain>
Logon ID: (ID)
Logon Type: 3


The "Logon Process" value of "Authz" in Event ID 540 indicates that this is not an actual user logon but an authorization check based on the user's Active Directory security group memberships.

When you inspect the Caller Process ID (PID) from Event ID 552, you find that it belongs to the SVCHOST process that hosts the WMI service together with other services.
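The following Python script is an added example, not code from the original article. It parses Security-log records in the text layout shown above, labels each Event ID 540 whose Logon Process is "Authz" as an S4U authorization check rather than a real logon, and ties that check back to the Event ID 552 that requested the token (with its Caller Process ID), the 576 that listed the privileges, and the 538 that released the logon ID. The sample records, user name, PID and logon IDs are constructed for the example.

```python
import re

# Constructed sample: the four records from the Symptoms section plus one
# ordinary network logon for contrast, in the Security log's text layout.
# Names, PIDs and logon IDs are placeholders, not values from a real system.
SAMPLE_LOG = """\
Event ID: 552
User: NT AUTHORITY\\SYSTEM
Description:
Logon attempt using explicit credentials:
 Logged on user:
  User Name: SERVER01$
  Domain: CONTOSO
  Logon ID: (0x0,0x3E7)
 User whose credentials were used:
  Target User Name: jsmith
  Target Domain: CONTOSO
 Target Server Name: localhost
 Caller Process ID: 1234

Event ID: 540
Successful Network Logon:
User Name: jsmith
Domain: CONTOSO
Logon ID: (0x0,0x5A2B1)
Logon Type: 3
Logon Process: Authz
Authentication Package: Kerberos

Event ID: 576
Special privileges assigned to new logon:
User Name: jsmith
Domain: CONTOSO
Logon ID: (0x0,0x5A2B1)
Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege

Event ID: 538
User Logoff:
User Name: jsmith
Domain: CONTOSO
Logon ID: (0x0,0x5A2B1)
Logon Type: 3

Event ID: 540
Successful Network Logon:
User Name: jsmith
Domain: CONTOSO
Logon ID: (0x0,0x7C4D3)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
"""

# One "Key: value" line; the key is everything up to the first colon.
FIELD_RE = re.compile(r"^[ \t]*([A-Za-z][A-Za-z ]*?):[ \t]*(.*)$", re.M)


def parse_events(text):
    """Split the text into blank-line-separated records and read each
    'Key: value' line into a dict. Records without an Event ID are dropped."""
    events = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        fields = {k.strip(): v.strip() for k, v in FIELD_RE.findall(block)}
        if "Event ID" in fields:
            events.append(fields)
    return events


def triage(text):
    """Label each 540 record and tie the Authz ones back to the 552 that
    requested the token, the 576 that listed privileges and the 538 that
    released the logon ID.

    A 540 whose Logon Process is 'Authz' is an S4U authorization check: the
    token is built only to read group membership, and no user session
    exists. Any other logon process is treated as a real network logon."""
    explicit = {}   # target user -> Caller Process ID from event 552
    sessions = {}   # logon ID -> result dict, so 576/538 can be attached
    results = []
    for ev in parse_events(text):
        eid = ev["Event ID"]
        if eid == "552":
            explicit[ev.get("Target User Name", "").lower()] = ev.get("Caller Process ID")
        elif eid == "540":
            user = ev.get("User Name", "").lower()
            is_authz = ev.get("Logon Process", "").lower() == "authz"
            rec = {
                "user": user,
                "logon_id": ev.get("Logon ID"),
                "label": "authz_check" if is_authz else "network_logon",
                "caller_pid": explicit.get(user) if is_authz else None,
                "privileges": [],
                "closed": False,
            }
            sessions[rec["logon_id"]] = rec
            results.append(rec)
        elif eid == "576" and ev.get("Logon ID") in sessions:
            sessions[ev["Logon ID"]]["privileges"] = ev.get("Privileges", "").split()
        elif eid == "538" and ev.get("Logon ID") in sessions:
            sessions[ev["Logon ID"]]["closed"] = True
    return results


if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        print(rec)
```

The caller PID attached to the "authz_check" record is what you compare against the SVCHOST instance hosting WMI; the "network_logon" record from the same user is left untouched, so a rule built on this distinction does not suppress genuine logons.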

To verify that WMI is causing the events to be logged, you can move the WMI service to a separate process using the following case-sensitive command:

rundll32 %WINDIR%\system32\wbem\WMISvc.dll, MoveToAlone 4

After restarting the WinMgmt service, the Caller Process ID in Event ID 552 should now specify the process ID of the separated service process.

Note: After the problem is resolved, follow the steps in the More Information section to move the WMI service back into a shared service executable.

Cause


During service pack installation, the security identifier (SID) of the user who installs the service pack may be added as the CreatorSid in the SCM.MOF file.

When WMI starts, it checks that this user is a member of the Administrators group. To do that, it performs an S4U logon of the user to obtain a token that carries the user's group SIDs, and that list is then checked for the SID of the built-in Administrators group.

Resolution


The solution is to change SCM.MOF so that it uses the correct SID (the LocalSystem SID) for this task. There are three places in the MOF file where the CreatorSid is set to a SID other than the LocalSystem SID (binary representation {1,1,0,0,0,0,0,5,18,0,0,0}). Follow these steps:

  1. Back up the SCM.MOF file from the %WINDIR%\System32\wbem folder in case the settings have to be reverted.

  2. Review the following lines in the SCM.MOF file (they are at the bottom of the file) and change the CreatorSid values as needed so that they match the LocalSystem SID shown here:

    instance of NTEventLogEventConsumer
    {
        Name = "SCM Event Log Consumer";
        SourceName = "Service Control Manager";
        EventType = 1;
        Category = 0;
        NameOfUserSIDProperty = "sid";
        CreatorSid = {1,1,0,0,0,0,0,5,18,0,0,0};
    };

    /////////////////////////////////////////////////////////////////////////////
    // SCM Event Log filter

    instance of __EventFilter
    {
        Name = "SCM Event Log Filter";
        QueryLanguage = "WQL";
        Query = "select * from MSFT_SCMEventLogEvent";
        EventNamespace = "root\\cimv2";
        CreatorSid = {1,1,0,0,0,0,0,5,18,0,0,0};
    };

    /////////////////////////////////////////////////////////////////////////////
    // SCM Event Log filter-to-consumer binding

    instance of __FilterToConsumerBinding
    {
        Consumer = "NTEventLogEventConsumer.Name=\"SCM Event Log Consumer\"";
        Filter = "__EventFilter.Name=\"SCM Event Log Filter\"";
        CreatorSid = {1,1,0,0,0,0,0,5,18,0,0,0};
    };

  3. Save the file as SCM.MOF after making the changes.

  4. Open a command prompt and navigate to the %WINDIR%\System32\wbem folder.

  5. Execute the following command in a system command prompt:

    mofcomp.exe scm.mof

    Note: To open a system command prompt, use the following command:

    at <time> /interactive cmd.exe

    Note: The <time> placeholder represents the time at which the command will run.

  6. Restart the computer.
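The following Python script is an added example and is not part of the original article or of Windows. It decodes the byte-array form MOF uses for CreatorSid (revision, sub-authority count, 6-byte big-endian identifier authority, then 32-bit little-endian sub-authorities) into the familiar S-1-5-18 notation, audits every CreatorSid in an SCM.MOF text against the LocalSystem SID, and rewrites non-matching entries the way steps 2 and 3 above do by hand. The sample MOF and the user SID S-1-5-21-1-2-3-1001 in it are constructed for the example; run the script against a copy of your own SCM.MOF before running mofcomp.

```python
import re

LOCAL_SYSTEM_SID = "S-1-5-18"   # MOF byte form: {1,1,0,0,0,0,0,5,18,0,0,0}

# Constructed sample of the three SCM.MOF instances. The first two carry a
# made-up user SID (S-1-5-21-1-2-3-1001) of the kind the service pack
# installer leaves behind; the third already has the LocalSystem SID.
SAMPLE_MOF = r"""
instance of NTEventLogEventConsumer
{
    Name = "SCM Event Log Consumer";
    SourceName = "Service Control Manager";
    CreatorSid = {1,5,0,0,0,0,0,5,21,0,0,0,1,0,0,0,2,0,0,0,3,0,0,0,233,3,0,0};
};

instance of __EventFilter
{
    Name = "SCM Event Log Filter";
    QueryLanguage = "WQL";
    Query = "select * from MSFT_SCMEventLogEvent";
    CreatorSid = {1,5,0,0,0,0,0,5,21,0,0,0,1,0,0,0,2,0,0,0,3,0,0,0,233,3,0,0};
};

instance of __FilterToConsumerBinding
{
    Consumer = "NTEventLogEventConsumer.Name=\"SCM Event Log Consumer\"";
    Filter = "__EventFilter.Name=\"SCM Event Log Filter\"";
    CreatorSid = {1,1,0,0,0,0,0,5,18,0,0,0};
};
"""

CREATOR_SID_RE = re.compile(r"CreatorSid\s*=\s*\{([0-9,\s]+)\}\s*;")
INSTANCE_RE = re.compile(r"instance of\s+(\w+)")


def decode_sid(values):
    """Turn the byte-array form used in MOF into S-R-I-S text.
    Layout: revision (1 byte), sub-authority count (1 byte), identifier
    authority (6 bytes, big-endian), then one 32-bit little-endian
    sub-authority per count."""
    raw = bytes(values)
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length %d does not match sub-authority count %d"
                         % (len(raw), count))
    authority = int.from_bytes(raw[2:8], "big")
    subs = [int.from_bytes(raw[8 + 4 * i:12 + 4 * i], "little") for i in range(count)]
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def encode_sid(text):
    """Inverse of decode_sid: S-R-I-S text to the list of byte values."""
    parts = text.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID string: %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    raw = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    raw += b"".join(s.to_bytes(4, "little") for s in subs)
    return list(raw)


def audit_creator_sids(mof_text):
    """Return (instance class, decoded SID, is_local_system) for each CreatorSid,
    attributing the SID to the nearest preceding 'instance of' header."""
    findings = []
    for m in CREATOR_SID_RE.finditer(mof_text):
        values = [int(v) for v in re.split(r"[,\s]+", m.group(1).strip()) if v]
        sid = decode_sid(values)
        owners = INSTANCE_RE.findall(mof_text[:m.start()])
        findings.append((owners[-1] if owners else "?", sid, sid == LOCAL_SYSTEM_SID))
    return findings


def fix_creator_sids(mof_text):
    """Rewrite every CreatorSid to the LocalSystem SID, as the Resolution steps do by hand."""
    literal = "{" + ",".join(str(v) for v in encode_sid(LOCAL_SYSTEM_SID)) + "}"
    return CREATOR_SID_RE.sub("CreatorSid = %s;" % literal, mof_text)


if __name__ == "__main__":
    for owner, sid, ok in audit_creator_sids(SAMPLE_MOF):
        print("%-28s %-26s %s" % (owner, sid, "ok" if ok else "NOT LocalSystem"))
```

Decoding rather than byte-comparing matters because a user SID is longer than the LocalSystem SID (five sub-authorities instead of one), so a simple text diff of the arrays tells you only that they differ, not whose SID was left in the file.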

More Information


If you moved the WMI service into a separate service process, undo that change with the following case-sensitive command:

rundll32 %WINDIR%\system32\wbem\WMISvc.dll, MoveToShared

A related problem is discussed in the following Microsoft Knowledge Base article:

917463 A Service Control Manager (SCM) event cannot be logged in the System event log on a Windows Server 2003-based computer