Windows 10: Too Many 'Audit Success' Security-Auditing Events Happening

Discussion in 'Windows 10 Performance & Maintenance' started by Katylar, Nov 2, 2015.

  1. Katylar Win User

    Too Many 'Audit Success' Security-Auditing Events Happening


    Hi! I've been using Windows 10 for a while now and except for one time where my start button and notification tray stopped working (solved that by migrating to a new user account), I haven't had any problems.

    Except maybe a week ago.

    Consistently during use (either for simple browsing or whatever), I keep hearing multiple instances of the sound I hear whenever a new device is plugged in (i.e. USB Flash Disk). It's REALLY annoying.

    At first I thought it was because my graphics card was failing (it is). I thought that because of this, whenever my PC needed to do graphics-processing intensive tasks, like downloading a large image, the card bugged out and so the PC responded by believing that the hardware was being plugged back in and out.

    Apparently, this is wrong. I finally got fed up and checked my event viewer. Everything is hunky-dory EXCEPT the 'Security' category, which has an overwhelming number of events. I then monitored it and was witness to new events being created (as signified by the sound being played). Therefore, I can reliably assume that the sound I've been hearing has actually been this event happening over and over again.

    Basically, every minute or so, a new event is created. It has the Event ID of 4798, Source: Security-Auditing, Task Category: User Account Management and Keywords: Audit Success.

    I have hundreds of these. Please see attached image.

    Any idea what could be the problem? Thanks!


    [IMG]


    :)
     
    Katylar, Nov 2, 2015
    #1
  2. JayG500 Win User

    Auditing UAC use in Windows 10

    Is there a way to see the program someone is running when they utilize elevated rights through UAC?

    I tried setting Group Policy, auditing settings are located within Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy:

    Audit Privilege Use - success/failure

    Audit Process Tracking - success/failure

    I receive several messages - event IDs: 4611, 4648, 4799, 4624 - but they don't tell me the program the user is launching. Some of the messages mention the process name, but always mention "consent.exe" instead of the program the user is requesting.

    Additionally -- the UAC "Applications and Services Logs" is empty. Not sure if there is a way to enable this to provide more information?

    Thank you.
     
    JayG500, Nov 2, 2015
    #2
  3. Audit success Audit failure

    If your event log looks like mine you have audit success followed by audit failure with this string 51a92691-66f1-280f-d0db-59fad4f73491 for both the success and the failure. The success is 5058, the failure is 5061. I used the string in using find then F3 for find next.

    In the success it says algorithm unknown; in the failure it says algorithm RSA, if that helps anything.

    I use regedit and found two entries for this string. first HKEY local Machine system control set001 cryptography ngc keytranspoet key perdevicekey keytranspot key d2bf6f-------------

    Second, still in HKEY Local Machine system, now in currentcontrolset control cryptography ngc, same as above.

    Now if the audit goes in order then the first I would think would be the 5058 and a split second later 5061 would be the second entry.

    I haven't done anything yet as I always put a lot of thought when working in regedit. So I'm posting this as an idea and for discussion. I think deleting the second string would stop this and also error 131 which on my Acer Laptop Aspire 7741z4433 is common.

    Likely someone knows more than me and can say both are needed or not.

    Thoughts.
     
    Littlebear626, Nov 2, 2015
    #3
  4. Too Many 'Audit Success' Security-Auditing Events Happening

    Did you ever find a solution? I'm having the identical issue with no luck searching the web for solutions. . .
     
    jacobjingle, Sep 9, 2016
    #4
  5. EdTittel Win User
    You don't see audit success entries in Event Viewer unless you've turned security auditing on for a Windows system. This usually happens because of some audit policy or another. See this TechNet article "Basic Security Audit Policies" for more information.
    HTH,
    --Ed--
     
    EdTittel, Sep 9, 2016
    #5
  6. Mystere Win User
    That's not true. Security Audit messages are enabled by default. They didn't used to be, IIRC back in the XP days, but they have since at least Vista. Don't believe me? Check your own security log.

    To the original poster (yikes, 2005!) this is normal. You get tons of these in the event log by default.
     
    Mystere, Sep 9, 2016
    #6
  7. EdTittel Win User
    Well color me embarrassed! I just checked my security log, Mystere, and you are indeed correct. I used to write and teach about this stuff in the late 90s and early 2000s for MCSE and didn't realize the rules had changed. Further research shows that with Vista and Windows Server 2003 service pack stuff, this did indeed change. I apologize for the error and will be sure to check my facts before spouting off further on event log and other stuff. Thanks for setting things straight, Mystere: this is completely a matter of "stale info" on my part.

    As for the original issue, because auditing is turned on by default, this behavior is completely normal and exactly what you want to see in the Security log. Any time you successfully access an encrypted object or read its associated key from the file where it's stored you'll get this event. I see hundreds per day in my security log, along with an equal number of "Logon" and "Special Logon" events associated with normal system operation. The real question then becomes (I think): Why do these events trigger some kind of system sound? This is a new one on me, so I'll ask other members of the community to chime in. Never came across anything like this before myself ... goes off to search ... can't find anything directly relevant, either.
    --Ed--
     
    EdTittel, Sep 10, 2016
    #7
  8. Too Many 'Audit Success' Security-Auditing Events Happening

    Thanks for the help - after several false starts I've identified the security policy settings - as below - "No auditing" is still set as the default. Yet the problem persists. Do you see anything askew?
     
    jacobjingle, Sep 10, 2016
    #8
  9. EdTittel Win User
    As Mystere has observed, auditing is now turned on by default for various classes of security events. Presumably, this is something that doesn't require a policy to occur since it's addressed by fiat in the default behavior of Windows. Thus, the fact that it's occurring is entirely normal and expected. So, no problems there. What's interesting is the associated sounds it's producing, if I've understood your posts correctly. I would agree that this is indeed problematic, but I'll be darned if I can find any information on how to set this up, or turn this off. It's about as senseless as emitting a system sound for every keypress or IP packet sent/received: it represents an audible flag for something normal and frequent, so is bound to be irritating. This one has me stumped...and intrigued. Keep us posted!
    Sorry,
    --Ed--
     
    EdTittel, Sep 10, 2016
    #9
  10. Thanks for the help. I verified that auditing was not set. Still getting the "audible warning" and a 2-4 second lag where the cursor disappears. At the conclusion of the sounds I get a record for each one - see below. 32,227 events! Any more suggestions? This is driving the family nuts.
    [IMG]
     
    jacobjingle, Sep 10, 2016
    #10
  11. EdTittel Win User
    Darn! That's a huge encrypted string for a base64 image; it also won't decode for me in any of the Base64 decoder tools I try. I can't see the actual original material, so you may want to try reposting. Or, you can e-mail it to me through ed at dot com if you want to send it to me direct (I am taking my family out to dinner in 20 minutes, so I may not be able to dig into this until after we get back later this evening). My flippant but hopefully helpful suggestion for the time being is to turn the computer audio off or way down low.
    HTH,
    --Ed--
     
    EdTittel, Sep 10, 2016
    #11
  12. Thanks again. The sound's not the real issue (just helped me identify what was going on); it's the fact that the machine effectively locks up for a few seconds every time it happens. I re-posted below as JPEG.

    [IMG]

    [IMG]
     
    jacobjingle, Sep 10, 2016
    #12
  13. EdTittel Win User

    Ouch! Now I'm starting to understand more fully why this is making you miserable. I'll chew on this over dinner and get back to you later this evening with any thoughts I might come up with. In the meantime, you might want to grab the Sysinternals Process Explorer and watch it along with Resource Monitor (built into Windows) to see what's happening with your CPU as these hiccups are occurring. This might give some insight into where the resources are being consumed.
    Back later!
    --Ed--
     
    EdTittel, Sep 10, 2016
    #13
  14. EdTittel Win User
    Still chewing, but so far not getting anywhere. All I can think of is that the audit success stuff might be a red herring. Sounds like the real issue is that something, perhaps related to audit events completing successfully, is consuming most of your PC's CPU resources. I still think the process explorer/task manager (details/CPU consumption ranking) and perhaps resource manager approach to seeing what's happening on your system is likely to provide more insight. You should also take a look at the discussion in the recent TenForums thread "Windows 10 -- high CPU usage is a real issue" to see if it sheds any light on your situation.

    I'll keep digging around and see if I can come up with anything more specifically focused on the symptoms you mention, especially those related to security audit success events. So far, no joy, though.

    Stay tuned,
    --Ed--
     
    EdTittel, Sep 10, 2016
    #14
  15. Thanks Ed,

    I've done some monitoring with the process explorer and resource monitor and the CPU usage is staying low 2-5 % while the beeping is occurring. All that I see of interest is spikes for the GPU up to 100% then back down. Could that be indicative that something is going on?

    I use AVG free edition vs. 16 and Spybot - Search and Destroy 2.5, but I've never had problems with either of those. Did a full scan with both. . . no fix.

    Thanks again for your help and thoughts. . .
     
    jacobjingle, Sep 12, 2016
    #15
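
As an added example, not part of any post in the thread: event 4798 ("A user's local group membership was enumerated") records the calling process, so grouping recent events by that field shows which program is generating them, and the `auditpol` line prints the effective setting of the User Account Management subcategory, which the Local Policies\Audit Policy view does not display. The function name `Get-Event4798Summary` and the 6-hour window are assumptions made for the example.

```powershell
# Added example. Run from an elevated PowerShell prompt (the Security log needs it).
function Get-Event4798Summary {
    param([int]$Hours = 6)   # look-back window; 6 is an arbitrary illustrative default

    $since   = (Get-Date).AddHours(-$Hours)
    $minutes = $Hours * 60

    # A quiet log raises a non-terminating error; suppress it and return nothing.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4798; StartTime = $since
    } -ErrorAction SilentlyContinue
    if (-not $events) { Write-Warning "No 4798 events in the last $Hours hour(s)."; return }

    # Flatten each event's named <Data> fields into one object per event.
    $rows = foreach ($e in $events) {
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            Caller  = $data['CallerProcessName']   # program that enumerated the groups
            Subject = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Target  = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        }
    }

    # One line per (caller, subject, target) combination, busiest first.
    $rows | Group-Object Caller, Subject, Target |
        Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'PerMinute'; e = { [math]::Round($_.Count / $minutes, 2) } },
            @{ n = 'Caller';    e = { $_.Group[0].Caller } },
            @{ n = 'Subject';   e = { $_.Group[0].Subject } },
            @{ n = 'Target';    e = { $_.Group[0].Target } }
}

# Effective advanced audit policy for the subcategory that emits 4798.
# The subcategory name is localized; this is the English name.
auditpol /get /subcategory:"User Account Management"

Get-Event4798Summary -Hours 6 | Format-Table -AutoSize
```

A single caller with a steady per-minute rate points at the program to investigate; the same grouping works for other event IDs whose event data carries a process name field.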