I was monitoring the Windows logs from a client network and I noticed that a few boxes were constantly generating audit failure 577 events:
WinEvtLog: Security: AUDIT_FAILURE(577): Security: xxx: XX-HQ: YY-HQ: Privileged Service Called: Server: Security Primary User Name: abc Primary Domain: XX-HQ Privileges: SeIncreaseBasePriorityPrivilege
To make it worse, OSSEC was e-mailing me every time with “Rule: 18151 fired (level 10) -> Multiple failed attempts to perform a privileged operation by the same user.” My initial thought was that these machines were infected by spyware or something similar, so I went to investigate them. I didn’t want to disable this rule in OSSEC, because it is fairly important for “normal” systems.
After some research, I found out that their problem was having Windows XP installed 🙂 (without the latest Service Pack). Basically, there is a bug in Windows that causes this behavior. If you ever experience this problem, check the following link: http://support.microsoft.com/kb/831905 and make sure to install the latest updates.
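As an added example (not part of the original post or of OSSEC itself), the correlation below mimics what rule 18151 does over the 577 line format shown above: it counts audit failures per user and privilege and flags repeats, tagging the SeIncreaseBasePriorityPrivilege case as the KB 831905 pattern so it can be triaged without disabling the rule. The sample log lines and the threshold of 3 are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the OSSEC-forwarded Windows 577 audit-failure line shown in the post.
EVENT_577 = re.compile(
    r"AUDIT_FAILURE\(577\).*?Primary User Name: (?P<user>\S+) "
    r"Primary Domain: (?P<domain>\S+) Privileges: (?P<priv>\S+)"
)

# Privilege named in the post; repeated 577 failures for it on unpatched
# Windows XP are the benign behaviour described in KB 831905.
KB831905_PRIV = "SeIncreaseBasePriorityPrivilege"

def parse_577(line):
    """Return (DOMAIN\\user, privilege) for a 577 audit-failure line, else None."""
    m = EVENT_577.search(line)
    if not m:
        return None
    return (f"{m['domain']}\\{m['user']}", m["priv"])

def correlate(lines, threshold=3):
    """Count 577 failures per (user, privilege); return the pairs at or above
    threshold, each annotated with whether it matches the KB 831905 pattern."""
    counts = defaultdict(int)
    for line in lines:
        parsed = parse_577(line)
        if parsed:
            counts[parsed] += 1
    return {
        key: {"count": n, "likely_kb831905": key[1] == KB831905_PRIV}
        for key, n in counts.items() if n >= threshold
    }

def sample_line(user, priv):
    """Build a constructed 577 line in the same layout as the post's example."""
    return (f"WinEvtLog: Security: AUDIT_FAILURE(577): Security: xxx: XX-HQ: YY-HQ: "
            f"Privileged Service Called: Server: Security Primary User Name: {user} "
            f"Primary Domain: XX-HQ Privileges: {priv}")

# Constructed sample: 4 XP-style failures for 'abc', 3 for a different
# privilege for 'def', and one unrelated success event that must not match.
SAMPLE = ([sample_line("abc", KB831905_PRIV)] * 4
          + [sample_line("def", "SeShutdownPrivilege")] * 3
          + ["WinEvtLog: Security: AUDIT_SUCCESS(528): Security: xxx: XX-HQ: YY-HQ: "
             "Successful Logon: User Name: abc Domain: XX-HQ"])

if __name__ == "__main__":
    for (user, priv), info in correlate(SAMPLE).items():
        tag = " (matches KB 831905 pattern)" if info["likely_kb831905"] else ""
        print(f"{user} {priv}: {info['count']} failures{tag}")
```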