David Chase89
Guest
Today I noticed MANY event id 4624, 4634 and 4672 in our Windows Logs - Security Log when I open pages from a web site solution in Visual Studio 2017 on workstations. It is generating thousands of these log entries every minute. I have even tried this when I am the only logged in user on the server.
1. There was no RDP to the server when the excess security logging was happening and I have tried this on a different workstation with VS 2017 and the same thing happens. The solution opens an asp.net website located on the server and if I close the solution the event entries stop.
2. I watched the task manager on the server and it showed a high volume of disk activity as soon as I opened the Visual Studio project that was opening a web site on the server. The disk activity went way down as soon as I closed the VS project. I tried this same website in Visual Studio on another PC and it did the same thing.
3. Below is a sample of the 4624 events that are being created at extremely high volume (3,000/minute) until I close the project.
An account was successfully logged on.
Subject:
    Security ID: NULL SID
    Account Name: -
    Account Domain: -
    Logon ID: 0x0
Logon Information:
    Logon Type: 3
    Restricted Admin Mode: -
    Virtual Account: No
    Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
    Security ID: SYSTEM
    Account Name: LIFEDEV2012$
    Account Domain: DEVDOMAIN.LIFETIMEINC.COM
    Logon ID: 0x2AE8B48
    Linked Logon ID: 0x0
    Network Account Name: -
    Network Account Domain: -
    Logon GUID: {d0ee44fd-bf09-2a46-d015-2c5191e3f823}
Process Information:
    Process ID: 0x0
    Process Name: -
Network Information:
    Workstation Name: -
    Source Network Address: fe80::5efe:169.254.148.196
    Source Port: 57478
Detailed Authentication Information:
    Logon Process: Kerberos
    Authentication Package: Kerberos
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0
We have Windows Server 2016. How can I stop this activity?
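An added triage example, not part of the original post: one way to characterize a 4624 flood like the one described above is to parse each event's rendered text and count events by account, logon type, source address and authentication package. It assumes the events have been exported as message text in the layout shown in the post; the function names and the trimmed sample are constructed for illustration.

```python
from collections import Counter

SECTIONS = {"Subject", "Logon Information", "New Logon", "Process Information",
            "Network Information", "Detailed Authentication Information"}

# Constructed sample: the 4624 text from the post, trimmed to the fields used here.
SAMPLE_EVENT = """An account was successfully logged on.
Subject:
Account Name: -
Logon Information:
Logon Type: 3
New Logon:
Account Name: LIFEDEV2012$
Network Information:
Source Network Address: fe80::5efe:169.254.148.196
Detailed Authentication Information:
Authentication Package: Kerberos
"""

def parse_4624(text):
    """Return {section: {field: value}}; "Account Name" repeats across sections."""
    event, section = {}, None
    for raw in text.splitlines():
        # Split on the first colon only: IPv6 addresses contain more of them.
        key, sep, value = raw.strip().partition(":")
        if not sep:
            continue  # banner line, not a field
        if key in SECTIONS and not value.strip():
            section = event.setdefault(key, {})
        elif section is not None:
            section[key.strip()] = value.strip()
    return event

def flood_key(event):
    """Who is logging on, how, and from where."""
    get = lambda sec, field: event.get(sec, {}).get(field)
    return (get("New Logon", "Account Name"), get("Logon Information", "Logon Type"),
            get("Network Information", "Source Network Address"),
            get("Detailed Authentication Information", "Authentication Package"))

def is_machine_network_logon(event):
    """Logon Type 3 is a network logon; computer account names end in '$'."""
    account, logon_type, _, _ = flood_key(event)
    return logon_type == "3" and bool(account) and account.endswith("$")

def top_sources(event_texts, n=3):
    """Count events per flood_key so the dominant source stands out."""
    return Counter(flood_key(parse_4624(t)) for t in event_texts).most_common(n)
```

Run over an export of the noisy interval, `top_sources` shows whether the volume comes from one account and address pair, as in the sample event, or from many.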