
Finding Which Application Requires Specific User Privilege?

microsoft.public.windows.server.security
Posted by Will on December 26, 2006, 3:17 am
Is there any application that would intercept a call by an application or
device driver for a specific user privilege and either log this or show it
to you? I have Event Viewer messages on one computer showing every 10
minutes that the administrator account is trying to get "Act as Part of
Operating System" privilege. I would like to find out if that is a
Microsoft application, user application I trust, or some application or
device driver I cannot identify.

--
Will



Posted by Jesper on December 26, 2006, 12:11 pm
Yes. Aaron Margosis' excellent LUA BugLight
(http://blogs.msdn.com/aaron_margosis/archive/2006/08/07/LuaBuglight.aspx)
does that.

What process do you see on the privilege use log entry? It should have a
process ID on it. Which processes do you have that run as the Administrator
account? There are no built-in processes in Windows that use that account
unless you are using Small Business Server.

"Will" wrote:

> Is there any application that would intercept a call by an application or
> device driver for a specific user privilege and either log this or show it
> to you? I have Event Viewer messages on one computer showing every 10
> minutes that the administrator account is trying to get "Act as Part of
> Operating System" privilege. I would like to find out if that is a
> Microsoft application, user application I trust, or some application or
> device driver I cannot identify.
>
> --
> Will
>
>
>

Posted by Roger Abell [MVP] on December 30, 2006, 2:37 am
You might also take a look at Tokenmon from Sysinternals to see
if you can define a filtering that makes this convenient, at least
assuming your unknown process(es) is(are) using calls for
AdjustTokenPrivileges in attempting to enable SeTcbPrivilege.

> Is there any application that would intercept a call by an application or
> device driver for a specific user privilege and either log this or show it
> to you? I have Event Viewer messages on one computer showing every 10
> minutes that the administrator account is trying to get "Act as Part of
> Operating System" privilege. I would like to find out if that is a
> Microsoft application, user application I trust, or some application or
> device driver I cannot identify.
>
> --
> Will
>
>
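
An added example, not written by anyone in this thread: Jesper's point that the privilege use log entry carries a process ID can be checked from PowerShell. It assumes Windows Vista/Server 2008 or later, where privilege-use audits are Security events 4673 and 4674 (Server 2003-era logs use 577/578 and predate `Get-WinEvent`); the function name `Get-TcbPrivilegeUse` and the sample record are constructed for illustration.

```powershell
# Added example. Extracts who/which process asked for SeTcbPrivilege
# ("Act as part of the operating system") from privilege-use audit events.
function Get-TcbPrivilegeUse {
    param([Parameter(ValueFromPipeline = $true)][string]$EventXml)
    process {
        $doc = [xml]$EventXml
        # Flatten <Data Name="...">value</Data> into a lookup table
        $data = @{}
        foreach ($d in $doc.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # Skip audits for other privileges
        if ($data['PrivilegeList'] -notmatch 'SeTcbPrivilege') { return }
        [pscustomobject]@{
            Time        = $doc.Event.System.TimeCreated.SystemTime
            User        = $data['SubjectUserName']
            # The log stores the PID as hex (e.g. 0x1f4); convert for Task Manager/tasklist
            ProcessId   = [Convert]::ToInt32($data['ProcessId'], 16)
            ProcessName = $data['ProcessName']
        }
    }
}

# Constructed sample record (not real log data) so the parser can be tried offline
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4673</EventID><TimeCreated SystemTime="2024-01-01T03:10:00.000Z"/></System>
  <EventData>
    <Data Name="SubjectUserName">Administrator</Data>
    <Data Name="PrivilegeList">SeTcbPrivilege</Data>
    <Data Name="ProcessId">0x1f4</Data>
    <Data Name="ProcessName">C:\Example\agent.exe</Data>
  </EventData>
</Event>
'@
$sample | Get-TcbPrivilegeUse

# Live Security log (elevated prompt): count attempts per process so the
# entry that repeats every 10 minutes stands out.
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4673, 4674 } |
#     ForEach-Object { $_.ToXml() } | Get-TcbPrivilegeUse |
#     Group-Object ProcessName, ProcessId | Sort-Object Count -Descending
```

A process that has already exited will not appear in a process list under the logged PID, so the image path in `ProcessName` is the more durable lead.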


