Windows 10: Windows Service will not execute fails Security Audit

Discus and support Windows Service will not execute fails Security Audit in Windows 10 Software and Apps to solve the problem; Hello I have a Visual Studio 2017 C# .Net Windows Service project that includes a Project installer. The service installs and executes fine in a... Discussion in 'Windows 10 Software and Apps' started by morelsc, Oct 11, 2018.

  1. morelsc Win User

    Windows Service will not execute fails Security Audit


    Hello

    I have a Visual Studio 2017 C# .Net Windows Service project that includes a Project installer. The service installs and executes fine in a Windows 7 OS but will not execute when installed on a Windows 10 OS. When trying to start the service on a Windows 10 OS the Event Viewer Windows Logs Security captures an Audit Failure shown below;

    A privileged service was called.

    Subject:
    Security ID: NU\
    Account Name:
    Account Domain: NU
    Logon ID: 0x1FEE28C

    Service:
    Server: Security
    Service Name: -

    Process:
    Process ID: 0x1730
    Process Name: C:\Apps\EMSCheckActivity\EMSActivityChecker.exe

    Service Request Information:
    Privileges: SeTcbPrivilege


    After some research I discovered what I believe is the problem however I don’t know how to fix it. The Windows 10 OS Local Policies Security Options System Settings has “Use Certificate Rules on Windows Executables for Software Restriction Policies” Enabled. How do I incorporate a Certificate that will allow the service to execute?

    :)
     
    morelsc, Oct 11, 2018
    #1

  2. Securing Windows 2000/XP/Server 2003 services HOW TO

    This is all i could save. I dont know if people can see what I can in the Wiki, but I got this article the others he deleted b4 he posted them in the wiki and i dont have the powers even in my sections to bring them back...perhaps a back up but Im not sure we have one ill go see. He did a damn good job at making sure nothing of his existed after he left...Im at school but when i get home ill email him and see if i can get him back im not done fighting yet.-Solaris17




    Securing Windows 2000/XP/Server 2003 services HOW TO
    I went at ALL of the services in Windows Server 2003 (some will not be in XP for instance, & Windows 2000 has no NETWORK SERVICE or LOCAL SERVICE as far as I know, but not sure, you can always make a limited privelege user too for this on 2000 if needed)...

    I did testing to see which services could be run/logged in as LOCAL SERVICE, or NETWORK SERVICE, rather than the default of LOCAL SYSTEM (which means Operating System entity level privileges - which CAN be "misused" by various spyware/malware/virus exploits).


    LOCAL SERVICE startable list (vs. LocalSystem Logon Default):


    --------------------------------------------------------------------------------

    Acronis Scheduler 2 Service
    Alerter (needs Workstation Service Running)
    COM+ System Application
    GHOST
    Indexing Service
    NVIDIA Display Driver Service
    Office Source Engine
    O&O Clever Cache
    Remote Registry
    Sandra Service
    Sandra Data Service
    SmartCard
    Tcp/IP NetBIOS Helper
    Telnet
    UserProfile Hive Cleanup Service
    Volume Shadowing Service
    Windows UserMode Drivers
    Windows Image Acquisition
    WinHTTP Proxy AutoDiscovery Service
    NETWORK SERVICE startable list (vs. LocalSystem Logon Default):


    --------------------------------------------------------------------------------

    ASP.NET State Service
    Application Layer Gateway
    Clipbook (needs Network DDE & Network DDE DSDM)
    Microsoft Shadow Copy Provider
    Executive Software Undelete
    DNS Client
    DHCP Client
    Error Reporting
    FileZilla Server
    Machine Debug Manager
    Merger
    NetMeeting Remote Desktop Sharing Service
    Network DDE
    Network DDE DSDM
    PDEngine (Raxco PerfectDisk)
    Performance Logs & Alerts
    RPC
    Remote Desktop Help Session Manager Service
    Remote Packet Capture Protocol v.0 (experimental MS service)
    Resultant Set of Policies Provider
    SAV Roam
    Symantec LiveUpdate
    Visual Studio 2005 Remote Debug
    PLEASE NOTE: Each service uses a BLANK password when reassigning their logon entity (when you change it from the default of LOCAL SYSTEM Account), because they use SID's as far as I know, not standard passwords.


    --------------------------------------------------------------------------------

    WHEN YOU TEST THIS, AFTER RESETTING THE LOGON USER ENTITY EACH SERVICE USES: Just run your system awhile, & if say, Norton Antivirus refuses to update, or run right? You KNOW you set it wrong... say, if one you test that I do NOT list won't run as LOCAL SERVICE? Try NETWORK SERVICE instead... if that fails? YOU ARE STUCK USING LOCAL SYSTEM!

    If you cannot operate properly while changing the security logon entity context of a service (should NOT happen w/ 3rd party services, & this article shows you which ones can be altered safely)?

    Boot to "Safe Mode", & reset that service's logon entity back to LOCAL SYSTEM again & accept it cannot do this security technique is all... it DOES happen!

    If that fails? There are commands in the "Recovery Console" (installed from your Windows installation CD as a bootup option while in Windows using this commandline -> D:\i386\winnt32.exe /cmdcons, where D is your CD-Rom driveletter (substitute in your dvd/cd driveletter for D of course)) of:

    ListSvc (shows services & drivers states of stopped or started)

    Enable (starts up a service &/or driver)

    Disable (stops a server &/or driver)

    Which can turn them back on if/when needed

    Last edited by APK on 03/04/2007
    I.E. -> I removed Telephony, Symantec AntiVirus, & Virtual Disk Service!

    (ON Virtual Disk Service being removed, specifically: This was done solely because, although it will run as LOCAL SERVICE, diskmgmt.msc will not be able to work! Even though the Logical Disk Manager service does not list VirtualDisk as a dependency, this occurs, so VirtualDisk service was pulled from BOTH the LOCAL SERVICE and NETWORK SERVICE lists here... apk)

    SECURING SERVICES @ THE ACL LEVEL VIA A SECURITY POLICY HOW-TO:

    STEP #1: CONFIGURE A CUSTOM Microsoft Management Console for this!

    Configuring yourself a "CUSTOM MMC.EXE (Microsoft Mgt. Console)" setup for security policy templates, here is how (these are NOT default Computer Mgt. tools, so you have to do this yourself, or run them by themselves, but this makes working w/ them convenient):

    ===============================================================
    The next part's per BelArcGuy of BELARC ADVISOR's advice (pun intended):
    ==============================================
    http://forums.techpowerup.com/showthread.php?p=282551#post282551

    ==============================================
    "Security Configuration and Analysis" is an MMC snap-in. To access the MMC, type in mmc to the Windows Run.. command to pop up the console. Then use it's File|Add/Remove Snap-in... command and click the Add button on the resulting dialog. Choose both "Security Configuration and Analysis" and "Security Templates", close that dialog, and OK. You'll end up with a management console that has both of those snap-ins enabled. The whole MMC mechanism is a bit weird, but does work"

    (It's easy, & it works, & is necessary for the actual steps to do this, below)


    --------------------------------------------------------------------------------

    (Next, is the actual "meat" of what we need to do, per Microsoft, to set ACLs)


    --------------------------------------------------------------------------------

    STEP #2: HOW TO: Define Security Templates By Using the Security Templates Snap-In in Windows Server 2003

    http://support.microsoft.com/kb/816297

    Create and Define a New Security Template

    (To define a new security template, follow these steps)

    1. In the console tree, expand Security Templates. 2. Right-click %SystemRoot%\Security\Templates, and then click New Template. 3. In the Template name box, type a name for the new template.

    (If you want, you can type a description in the Description box, and then click OK)

    The new security template appears in the list of security templates. Note that the security settings for this template are not yet defined. When you expand the new security template in the console tree, expand each component of the template, and then double-click each security setting that is contained in that component, a status of Not Defined appears in the Computer Setting column.

    1. To define a System Services policy, follow these steps: a. Expand System Services. b. In the right pane, double-click the service that you want to configure. c. Specify the options that you want, and then click OK.

    ==============================================
    )
    APK (added 03/08/2007)
     
    Alec§taar, Oct 11, 2018
    #2
  3. Audit mode

    Hi Diane,

    Windows boots into Windows Welcome Mode and Audit Mode. Windows Welcome Mode
    is the first user experience while the Audit mode is used to add customization to Windows images. Sometimes, Windows keeps running in Audit Mode and user has no idea about it, just like in your case. While your machine is running Audit
    Mode when upgrading or reinstalling Windows 10, the upgrade won’t progress.

    Here's how to exit from Audit mode to reinstall Windows 10:

    • Open the administrative or elevated Command Prompt. Type cmd in the
      Search
      field at the taskbar.
    • Type the following command and press Enter key: sysprep /oobe /generalize
      DISCLAIMER: Running sysprep command each time resets Windows licensing state to default. So if your Windows is activated and you run this command, you’ll need to reactivate Windows after executing this command.

    • Once the command IS successfully executed, you’ll be out of Audit Mode. Now you can re-try to upgrade to Windows 10 and it should work.

    Let us know if the steps above worked for you.
     
    Jennifer Bri, Oct 11, 2018
    #3
  4. Peeg Win User

    Windows Service will not execute fails Security Audit

    windows 8.1 is executing winsat.exe automatically even though its disabled in task scheduler.

    windows 8.1 is executing winsat.exe automatically even though its disabled in task scheduler. When Checking event viewer security logs it tells me someone logged into my computer even though I was already logged in but idle and executed winsat.exe. Is this normal or is someone logging into my computer remotely? I have multiple logins and special logins in my Log and logoffs when i did not logoff.

    Audit Success 6/29/2014 5:29:03 PM Microsoft Windows security auditing. 4616 Security State Change
    Audit Success 6/29/2014 5:03:25 PM Microsoft Windows security auditing. 4672 Special Logon
    Audit Success 6/29/2014 5:03:25 PM Microsoft Windows security auditing. 4624 Logon
    Audit Success 6/29/2014 2:13:16 PM Microsoft Windows security auditing. 4672 Special Logon
    Audit Success 6/29/2014 2:13:16 PM Microsoft Windows security auditing. 4624 Logon
    Audit Success 6/29/2014 2:03:54 PM Microsoft Windows security auditing. 4634 Logoff
    Audit Success 6/29/2014 2:03:54 PM Microsoft Windows security auditing. 4634 Logoff
    Audit Success 6/29/2014 2:00:18 PM Microsoft Windows security auditing. 4797 User Account Management
    Audit Success 6/29/2014 2:00:18 PM Microsoft Windows security auditing. 4797 User Account Management
    Audit Success 6/29/2014 2:00:18 PM Microsoft Windows security auditing. 4797 User Account Management
    Audit Success 6/29/2014 2:00:18 PM Microsoft Windows security auditing. 4797 User Account Management
    Audit Success 6/29/2014 2:00:15 PM Microsoft Windows security auditing. 4672 Special Logon
    Audit Success 6/29/2014 2:00:15 PM Microsoft Windows security auditing. 4624 Logon
    Audit Success 6/29/2014 2:00:15 PM Microsoft Windows security auditing. 4624 Logon
    Audit Success 6/29/2014 2:00:15 PM Microsoft Windows security auditing. 4648 Logon
    Audit Success 6/29/2014 2:00:07 PM Microsoft Windows security auditing. 4672 Special Logon
    Audit Success 6/29/2014 2:00:07 PM Microsoft Windows security auditing. 4672 Special Logon
    Audit Success 6/29/2014 2:00:07 PM Microsoft Windows security auditing. 4624 Logon
    Audit Success 6/29/2014 2:00:07 PM Microsoft Windows security auditing. 4624 Logon
    Audit Success 6/29/2014 2:00:07 PM Microsoft Windows security auditing. 4648 Logon
    Audit Success 6/29/2014 2:00:06 PM Microsoft Windows security auditing. 4647 Logoff
    Audit Success 6/29/2014 12:55:51 PM Microsoft Windows security auditing. 4672 Special Logon
    Audit Success 6/29/2014 12:55:51 PM Microsoft Windows security auditing. 4624 Logon
    Audit Success 6/29/2014 12:43:02 PM Microsoft Windows security auditing. 4672 Special Logon
    Audit Success 6/29/2014 12:43:02 PM Microsoft Windows security auditing. 4624 Logon
    Audit Success 6/29/2014 12:43:02 PM Microsoft Windows security auditing. 4672 Special Logon
    Audit Success 6/29/2014 12:43:02 PM Microsoft Windows security auditing. 4624 Logon
    Audit Success 6/29/2014 12:16:13 PM Microsoft Windows security auditing. 4672 Special Logon
    Audit Success 6/29/2014 12:16:13 PM Microsoft Windows security auditing. 4624 Logon
    Audit Success 6/29/2014 11:20:53 AM Microsoft Windows security auditing. 4672 Special Logon
    Audit Success 6/29/2014 11:20:53 AM Microsoft Windows security auditing. 4624 Logon
    Audit Success 6/29/2014 11:19:04 AM Microsoft Windows security auditing. 4672 Special Logon
    Audit Success 6/29/2014 11:19:04 AM Microsoft Windows security auditing. 4624 Logon
    Audit Success 6/29/2014 11:09:04 AM Microsoft Windows security auditing. 6406 Other System Events
    Audit Success 6/29/2014 11:07:59 AM Microsoft Windows security auditing. 4797 User Account Management
    Audit Success 6/29/2014 11:07:59 AM Microsoft Windows security auditing. 4797 User Account Management
    Audit Success 6/29/2014 11:07:59 AM Microsoft Windows security auditing. 4797 User Account Management
    Audit Success 6/29/2014 11:07:59 AM Microsoft Windows security auditing. 4797 User Account Management
    Audit Success 6/29/2014 11:07:57 AM Microsoft Windows security auditing. 4672 Special Logon
    Audit Success 6/29/2014 11:07:57 AM Microsoft Windows security auditing. 4624 Logon
    Audit Success 6/29/2014 11:07:56 AM Microsoft Windows security auditing. 4672 Special Logon
    Audit Success 6/29/2014 11:07:56 AM Microsoft Windows security auditing. 4624 Logon
    Audit Success 6/29/2014 11:07:56 AM Microsoft Windows security auditing. 4624 Logon
    Audit Success 6/29/2014 11:07:56 AM Microsoft Windows security auditing. 4648 Logon
    Audit Success 6/29/2014 11:07:50 AM Microsoft Windows security auditing. 4672 Special Logon
    Audit Success 6/29/2014 11:07:50 AM Microsoft Windows security auditing. 4624 Logon
    Audit Success 6/29/2014 11:07:48 AM Microsoft Windows security auditing. 4672 Special Logon
    Audit Success 6/29/2014 11:07:48 AM Microsoft Windows security auditing. 4624 Logon
    Audit Success 6/29/2014 11:07:45 AM Microsoft Windows security auditing. 4672 Special Logon
    Audit Success 6/29/2014 11:07:45 AM Microsoft Windows security auditing. 4624 Logon
    Audit Success 6/29/2014 11:07:45 AM Microsoft Windows security auditing. 4624 Logon
    Audit Success 6/29/2014 11:07:44 AM Microsoft Windows security auditing. 5024 Other System Events
    Audit Success 6/29/2014 11:07:44 AM Microsoft Windows security auditing. 5033 Other System Events
    Audit Success 6/29/2014 11:07:44 AM Microsoft Windows security auditing. 4672 Special Logon
    Audit Success 6/29/2014 11:07:44 AM Microsoft Windows security auditing. 4624 Logon
    Audit Success 6/29/2014 11:07:42 AM Microsoft Windows security auditing. 4672 Special Logon
    Audit Success 6/29/2014 11:07:42 AM Microsoft Windows security auditing. 4624 Logon
    Audit Success 6/29/2014 11:07:42 AM Microsoft Windows security auditing. 4672 Special Logon
    Audit Success 6/29/2014 11:07:42 AM Microsoft Windows security auditing. 4624 Logon
    Audit Success 6/29/2014 11:07:42 AM Microsoft Windows security auditing. 4672 Special Logon
    Audit Success 6/29/2014 11:07:42 AM Microsoft Windows security auditing. 4624 Logon
    Audit Success 6/29/2014 11:07:42 AM Microsoft Windows security auditing. 4672 Special Logon
    Audit Success 6/29/2014 11:07:42 AM Microsoft Windows security auditing. 4672 Special Logon
    Audit Success 6/29/2014 11:07:42 AM Microsoft Windows security auditing. 4624 Logon
    Audit Success 6/29/2014 11:07:42 AM Microsoft Windows security auditing. 4624 Logon
    Audit Success 6/29/2014 11:07:42 AM Microsoft Windows security auditing. 4648 Logon
    Audit Success 6/29/2014 11:07:42 AM Microsoft Windows security auditing. 4672 Special Logon
    Audit Success 6/29/2014 11:07:42 AM Microsoft Windows security auditing. 4624 Logon
     
Thema:

Windows Service will not execute fails Security Audit

Loading...
  1. Windows Service will not execute fails Security Audit - Similar Threads - Service execute fails

  2. Event 4673, Micorsoft Windows Security Auditing, A privileged service was called.

    in Windows 10 Software and Apps
    Event 4673, Micorsoft Windows Security Auditing, A privileged service was called.: Hi Everyone, I'm getting this event in millions everyday on my machine. The event occurs in almost every second and its not only related to Google Chrome, it is related to Teams, edge etc.. Can you please advise us if this is a critical issue, and how can we solve it....
  3. Event 4673, Micorsoft Windows Security Auditing, A privileged service was called.

    in Windows 10 Gaming
    Event 4673, Micorsoft Windows Security Auditing, A privileged service was called.: Hi Everyone, I'm getting this event in millions everyday on my machine. The event occurs in almost every second and its not only related to Google Chrome, it is related to Teams, edge etc.. Can you please advise us if this is a critical issue, and how can we solve it....
  4. Event 4673, Micorsoft Windows Security Auditing, A privileged service was called.

    in Windows 10 BSOD Crashes and Debugging
    Event 4673, Micorsoft Windows Security Auditing, A privileged service was called.: Hi Everyone, I'm getting this event in millions everyday on my machine. The event occurs in almost every second and its not only related to Google Chrome, it is related to Teams, edge etc.. Can you please advise us if this is a critical issue, and how can we solve it....
  5. Windows Service Auditor: audit and track services on Windows

    in Windows 10 News
    Windows Service Auditor: audit and track services on Windows: Windows Service Auditor is a free portable program for Microsoft Windows devices to track and audit services on the machine it is run on. The application offers assistance to system administrators who need to figure out why services started, stopped, or were updated or...
  6. Microsoft Windows security auditing.

    in AntiVirus, Firewalls and System Security
    Microsoft Windows security auditing.: So recently I have been getting weird background noises/notifications and I found out that they have been coming from the event viewer. I checked the security logs and many of the logs say someone has logged in or created special privellages to a new logon. I was wondering...
  7. Microsoft Security Auditing Issue

    in Windows 10 Support
    Microsoft Security Auditing Issue: I hope someone can help me fix this issue i'm having. I ended up discovering that under my event viewer under the security tab, my computer has been logging tons of "audit success", source being "Microsoft Windows Security Auditing". It can generate easily 5 per minute and...
  8. Security auditing - how to disable?

    in AntiVirus, Firewalls and System Security
    Security auditing - how to disable?: I noticed after checking my event viewer for something that under Windows>security, there are tons and tons of "audit success" entries. Is this necessary for the PC to run security auditing constantly like this and log it? It seems unnecessary. Can I disable it? 76900
  9. Too Many 'Audit Success' Security-Auditing Events Happening

    in Windows 10 Performance & Maintenance
    Too Many 'Audit Success' Security-Auditing Events Happening: Hi! I've been using Windows 10 for a while now and except for one time where my start button and notification tray stopped working (solved that by migrating to a new user account), I haven't had any problems. Except maybe a week ago. Consistently during use (either for...
  10. Audit failed

    in Windows 10 Installation and Upgrade
    Audit failed: Hi! Just a question I always wondered about: what logged errors in the category Audit failed actually mean? hope I translated it right, because in Dutch it's something like Controle mislukt (check failed). Normally this category isn't even visible in the logs, but very...