Windows 10: Windows-Security-LessPrivilegedAppContainer Filling Event Log

Discussion in 'Windows 10 Software and Apps' started by JonS, Jul 31, 2024.

  1. JonS Win User

    Windows-Security-LessPrivilegedAppContainer Filling Event Log


    I keep getting this error in my event log and can't figure out the source of it. When it occurs, there will be nearly a thousand events logged for the given time. When I look up the associated PID in Task Manager, it lists the Runtime Broker C:\Windows\System32\RuntimeBroker.exe -Embedding. The Security UserID corresponds to my standard user account.

    OS: Windows 11 Pro, 23H2, 22631.3880

    Log: Microsoft-Windows-Security-LessPrivilegedAppContainer/Operational

    Event ID: 1

    General: Access to the a resource has been denied for a less privileged

    :)
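One way to triage the burst described in the post above, as an added example that is not part of the original post: it collapses the events into per-minute, per-PID rows and prints the payload of one event from the largest burst. The log name and Event ID 1 come from the post; `Get-EventBurstSummary` and the variable names are hypothetical.

```powershell
# Added example. Log name and Event ID 1 come from the post; names below are hypothetical.
$logName = 'Microsoft-Windows-Security-LessPrivilegedAppContainer/Operational'

function Get-EventBurstSummary {
    param([Parameter(Mandatory)] [object[]] $Events)
    # Bucket by minute, emitting PID and user SID so a ~1000-event burst becomes one row.
    $Events |
        Group-Object { '{0:yyyy-MM-dd HH:mm}|{1}|{2}' -f $_.TimeCreated, $_.ProcessId, $_.UserId } |
        ForEach-Object {
            $minute, $procId, $sid = $_.Name -split '\|'
            [pscustomobject]@{
                Minute    = $minute
                ProcessId = [int]$procId
                UserSid   = $sid
                Count     = $_.Count
                Sample    = $_.Group[0]   # one representative event from the burst
            }
        } |
        Sort-Object Count -Descending
}

$events = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 1 } -MaxEvents 5000 -ErrorAction Stop
$bursts = @(Get-EventBurstSummary -Events $events)

# PIDs are reused after a process exits, so a match is only meaningful for recent bursts.
$running = @{}
Get-CimInstance Win32_Process | ForEach-Object { $running[[int]$_.ProcessId] = $_.CommandLine }

$bursts | Select-Object -First 10 Minute, ProcessId, UserSid, Count,
    @{ Name = 'CommandLine'; Expression = { $running[$_.ProcessId] } } |
    Format-Table -AutoSize -Wrap

# RuntimeBroker acts on behalf of a packaged app, so the PID alone does not name the
# app. Print the rendered message and the named payload fields of one event from the
# largest burst to see what was denied.
$sample = $bursts[0].Sample
$sample.Message
([xml]$sample.ToXml()).Event.EventData.Data | Where-Object { $_ } |
    ForEach-Object { '{0} = {1}' -f $_.Name, $_.'#text' }
```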
     
  2. Techie_DD Win User

    Windows 10 workstation Security log filling with Event ID 4703

    My Windows 10 workstation's Security Event Log is filled with informational Event ID 4703 (like 20/second).

    It's an Audit Success on Authorization Policy Change category.

    Pretty much all are about the javaw.exe process & SeSecurityPrivilege. But also a few of them list svchost.exe as the process & a whole list of privileges.

    I can't find anything on the Net about event 4703.

    Sometimes it lists the privilege as Disabled (as below), and some are Enabled. Back & forth, multiple events per second.

    Does anyone have any idea what/why this is, or anyone else experiencing it?

    Here are the details of the event (edited for privacy)...

    Task Category: Authorization Policy Change

    Level: Information

    Keywords: Audit Success

    User: N/A

    Computer: xxxxx.yyyy.com

    Description:

    A user right was adjusted.

    Subject:

    Security ID: SYSTEM

    Account Name: XXXXXX

    Account Domain: YYYYYYYY

    Logon ID: 0x3E7

    Target Account:

    Security ID: SYSTEM

    Account Name: XXXXXXX

    Account Domain: YYYYYYYYY

    Logon ID: 0x3E7

    Process Information:

    Process ID: 0xb24

    Process Name: C:\Windows\SysWOW64\ContegoSPOP\jre1.7.0_65\bin\javaw.exe

    Enabled Privileges:

    -

    Disabled Privileges:

    SeSecurityPrivilege
     
    Techie_DD, Aug 1, 2024
    #2
  3. Event Log > Security Event ID 5156 and 5158 filling it up

    I am trying to use a PowerShell scanner in PDQ Inventory (which runs a PS1 and enters the returning data into the asset) that scans the Security log for log on and log off events. The script then enters the data into that asset which allows us to see who has been using it and for how long (we are a school with generic computers all over). These log events are located in the Security logs.

    In trying to research why we are only getting one MAYBE two user sessions I noticed that logs are getting FILLED with event 5156 and 5158. Upon research it's a log that the Windows Firewall allowed to pass. This is causing 1-7 events PER SECOND. This means the log gets filled to max in about 3-5 hours. So we only get 3-5 hours of user session events.

    I looked around and there are some auditpol commands that people say stop this, however I want to restrict this in GP for obvious reasons. I found a GPO for this in Machine > Policies > Windows Settings > Security Settings > Advanced Audit Configuration > Object Access > Audit Filtering Platform Connection

    We set this to "No Auditing" by checking the box to configure it but leaving "Success" and "Failure" unchecked. GPRESULT /H shows this policy and the setting is "No Auditing". However, it still is logging these events. Did some research and found someone with the same issue and said it only works for them if it's added to the Default Domain Policy. While this is not ideal, we tried it. GPRESULT /H shows the change and it's assigned in the DDP, however it's STILL logging these events!

    Running "auditpol /get /category:*" shows that "Filtering Platform Connection" is "success" even though we turned this off. Somehow something is ignoring or overriding the DDP even. I am at a loss here, looking for help.

    Increasing the size of the logs is not an option, even if we increase it 3x that is still only one day worth of user sessions (the PDQ scanner will overwrite the previous data, it will not append).

    Thanks for any help!
     
    esullivanasd, Aug 1, 2024
    #3
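The measurement and policy check discussed in the two posts above, as an added example that is not part of the original thread: it ranks Security log event IDs by rate (5156/5158 or 4703 would surface at the top), prints the effective setting for the subcategory named in the post, and reads the registry value that decides whether subcategory settings override legacy category-level audit policy. `Get-TopEventId` is a hypothetical helper name; run it elevated.

```powershell
# Added example; run from an elevated prompt. Function name is hypothetical.
function Get-TopEventId {
    param([string] $LogName = 'Security', [int] $Minutes = 60, [int] $Top = 10)
    $since  = (Get-Date).AddMinutes(-$Minutes)
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = $LogName; StartTime = $since } -ErrorAction Stop)
    # Use the span the log actually covers: a wrapped log may hold less than $Minutes.
    # Get-WinEvent returns newest first, so [0] is the newest and [-1] the oldest event.
    $span = [math]::Max(1, ($events[0].TimeCreated - $events[-1].TimeCreated).TotalSeconds)
    $events | Group-Object Id | Sort-Object Count -Descending | Select-Object -First $Top |
        ForEach-Object {
            [pscustomobject]@{
                EventId   = [int]$_.Name
                Count     = $_.Count
                PerSecond = [math]::Round($_.Count / $span, 2)
                Task      = $_.Group[0].TaskDisplayName
            }
        }
}

Get-TopEventId | Format-Table -AutoSize

# Effective (not merely configured) setting. /r emits CSV; the subcategory name is
# the English one quoted in the post and is localised on non-English systems.
auditpol.exe /get /category:* /r | Where-Object { $_ } | ConvertFrom-Csv |
    Where-Object Subcategory -eq 'Filtering Platform Connection' |
    Select-Object Subcategory, 'Inclusion Setting'

# Registry value behind the security option "Audit: Force audit policy subcategory
# settings (Windows Vista or later) to override audit policy category settings".
$lsa   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction Stop
$force = $lsa.SCENoApplyLegacyAuditPolicy
"SCENoApplyLegacyAuditPolicy = $force (1 = subcategory settings take precedence over legacy category policy)"
```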
  4. Windows-Security-LessPrivilegedAppContainer Filling Event Log

    Win-11 PC under domain controller, Security Log Full problem

    The issue of the security log filling up quickly can be caused by a number of factors, such as excessive logging or insufficient log size. Here are some steps you can take to help resolve the issue:



    1. Adjust the log retention policy: You can also adjust the log retention policy to overwrite older events when the log becomes full. To do this, open the Event Viewer, right-click on the Security log and select Properties. Under the When maximum event log size is reached section, select the Overwrite events as needed option.



    2. Reduce the amount of logging: If the security log is filling up quickly due to excessive logging, you can reduce the amount of logging by disabling unnecessary auditing policies or reducing the level of auditing. To do this, open the Group Policy Editor, navigate to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy, and adjust the policies as needed.



    I hope these suggestions help you resolve the issue of the security log filling up quickly.

    Regards,

    Zunhui
     
    Zunhui Han, Aug 1, 2024
    #4