Windows 10: Turn Off Auditing Event ID 4663 For Computer Account

Discussion in 'Windows 10 Customization' started by Zack Posz, Nov 11, 2020.

  1. Zack Posz Win User

    Turn Off Auditing Event ID 4663 For Computer Account


    Hello,


    We are trying to reduce log volumes and we have a very noisy computer account that is generating millions of 4663 a day. I cannot for the life of me figure out a way to turn auditing off for this specific account and event. I tried looking into SACL but couldn't find a way to properly do it. If anyone could please help guide me in how to do something like this it would be greatly appreciated.

    :)
     
    Zack Posz, Nov 11, 2020
    #1

  2. Event logs (and storage) filling up with Event 4663 due to HealthService.exe

    I would like object access auditing turned on for an Azure VM running Windows Server 2016 (fully updated). This system potentially stores Private Health Information.

    I noticed today that the disk space within the VM had essentially run out. I traced the problems to archived Security event logs. These logs are filling up with entries generated by HealthService.exe and an event ID of 4663 for accessing the registry.
    Approximately 60 are generated every second, and I can watch the disk free space decline.

    I have restarted the VM, but that did no good. I am turning off the object access auditing for now, but that is not the configuration I would like.

    Is there a corruption? Has HealthService.exe been replaced by malware?
     
    Scott Zeller KL, Nov 11, 2020
    #2
  3. Techie_DD Win User
    Windows 10 workstation Security log filling with Event ID 4703

    My Windows 10 workstation's Security Event Log is filled with informational Event ID 4703 (like 20/second).

    It's an Audit Success on Authorization Policy Change category.

    Pretty much all are about the javaw.exe process & SeSecurityPrivilege. But also a few of them list svchost.exe as the process & a whole list of privileges.

    I can't find anything on the Net about event 4703.

    Sometimes it lists the privilege as Disabled (as below), and some are Enabled. Back & forth, multiple events per second.

    Does anyone have any idea what/why this is, or anyone else experiencing it?

    Here are the details of the event (edited for privacy)...

    Task Category: Authorization Policy Change
    Level: Information
    Keywords: Audit Success
    User: N/A
    Computer: xxxxx.yyyy.com
    Description:
    A user right was adjusted.

    Subject:
        Security ID: SYSTEM
        Account Name: XXXXXX
        Account Domain: YYYYYYYY
        Logon ID: 0x3E7

    Target Account:
        Security ID: SYSTEM
        Account Name: XXXXXXX
        Account Domain: YYYYYYYYY
        Logon ID: 0x3E7

    Process Information:
        Process ID: 0xb24
        Process Name: C:\Windows\SysWOW64\ContegoSPOP\jre1.7.0_65\bin\javaw.exe

    Enabled Privileges:
        -

    Disabled Privileges:
        SeSecurityPrivilege
     
    Techie_DD, Nov 11, 2020
    #3
  4. Turn Off Auditing Event ID 4663 For Computer Account

    Event ID 7036 not showing in Windows Event Log on Win10

    It looks like 7036 event is missing from Windows desktop OS (starting from 8).
    However you can monitor process termination:

    1. Enable Audit Policy to audit process tracking:

    2. Check for event 4689 in Security Event Log

    Alternatively you may try this solution.

    But in this case, you will get event 4546 not only when the service starts or stops, but whenever something is trying to access it (e.g. when Services applet is open).
     
    Michael Karsyan, Nov 11, 2020
    #4
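
The two steps from post #4 (enable process-tracking auditing, then look for event 4689), written out as an added PowerShell example that is not part of the original thread. It assumes an elevated session on an English-language system (subcategory names are localized), and `$ServiceImage` is a hypothetical placeholder for the service's executable path.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session.
# $ServiceImage is a hypothetical placeholder: set it to the full path of the
# executable that hosts the service you want to watch.
$ServiceImage = 'C:\Path\To\YourService.exe'

# Step 1: enable success auditing for process termination
# (subcategory of "Detailed Tracking"; the name is localized on non-English systems).
auditpol /set /subcategory:"Process Termination" /success:enable | Out-Null
auditpol /get /subcategory:"Process Termination"   # confirm the setting took effect

# Step 2: read event 4689 ("A process has exited") from the Security log,
# limited to the last hour, and keep only exits of the service's process.
$since = (Get-Date).AddHours(-1)

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4689; StartTime = $since } `
             -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Turn the EventData name/value pairs into a lookup table.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            ProcessName = $data['ProcessName']
            ProcessId   = $data['ProcessId']      # hex string, e.g. 0xb24
            ExitStatus  = $data['Status']         # process exit code
            Account     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        }
    } |
    Where-Object { $_.ProcessName -ieq $ServiceImage } |
    Sort-Object TimeCreated
```

Services that share a host process such as svchost.exe cannot be told apart by `ProcessName` alone, so this filter is only reliable for a service that runs in its own executable.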