"Security Log Full, Only Adm can logon" issue.

Mary M S

Screenwriter
Joined
Mar 12, 2002
Messages
1,544
Tech help at MS is laborious and confusing (and often useless to lay people).

Cannot access any account other than Adm. due to “Sec. Log full” warning. When researching I see that MS considers this an important enough issue to recommend default setting of “Shut down computer when S. log is full”.

Following tech help, I saved the log, cleared it. And within 10 or 15 mins it is full again.

How do I make sense of what the log “logs” to determine what’s going on in my system, who/what is attacking? I have loaded Zone Alarm onto this system, which was probably deeply compromised before the new VP was installed. Additionally, having trouble downloading any MS updates, all suggested 'fixes' by MS have failed (or I'm not implementing correctly).
I have everything I can find (and only half understand) turned off in services which still continue to allow this PC to run. I may be blocking MS.
OS: Windows XP pro
 

Mike_J_Potter

Second Unit
Joined
Dec 26, 2003
Messages
262
I would check the security log for failed login attempts or other failed or successful attempts to access files. Usually the security log will only log attempts to login or access files if someone is port scanning you or the pc is infected with a trojan or other backdoor it won't show up in the windows security log. So most likely that is not causing the log files to overflow.

I would look at each log for errors or one certain process or program that has a lot of entries in the log. You can use the sort functions to make this easy to look at. You're looking for one thing or a few things that have a lot of entries. Then if it's a program, disable it or search the web for solutions.

Also, if your log is filling up, go into Event Viewer and right click and go into properties and change the log settings from Overwrite events older than 7 days, to Overwrite events as needed; also increase the maximum log size while you're in there. Do this for each log file you have in Event Viewer. That should help, I know that is the fix I use when we have a server do that and it crashes it.

If you want, PM me and I can tell you how to export the logs and you can send them to me and maybe I can figure it out.
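Added example, not part of the original post: the "sort and look for the one thing with a lot of entries" step described above, run over a Security log saved from Event Viewer as CSV. The sample rows, machine name and account names are constructed, and the column order is an assumption about the export.

```python
import csv
import io
from collections import Counter

# Constructed sample of a Security log saved from Event Viewer as CSV.
# Assumed column order: Date,Time,Source,Type,Category,Event,User,Computer
COLUMNS = ["date", "time", "source", "type", "category", "event", "user", "computer"]
SAMPLE_EXPORT = """\
3/14/2005,10:02:11 AM,Security,Success Audit,Object Access,560,NT AUTHORITY\\SYSTEM,DESKTOP1
3/14/2005,10:02:11 AM,Security,Success Audit,Object Access,560,NT AUTHORITY\\SYSTEM,DESKTOP1
3/14/2005,10:02:12 AM,Security,Success Audit,Object Access,562,NT AUTHORITY\\SYSTEM,DESKTOP1
3/14/2005,10:02:12 AM,Security,Success Audit,Object Access,560,NT AUTHORITY\\SYSTEM,DESKTOP1
3/14/2005,10:02:13 AM,Security,Failure Audit,Logon/Logoff,529,NT AUTHORITY\\SYSTEM,DESKTOP1
3/14/2005,10:02:13 AM,Security,Success Audit,Object Access,560,NT AUTHORITY\\SYSTEM,DESKTOP1
3/14/2005,10:02:14 AM,Security,Success Audit,System Event,514,NT AUTHORITY\\SYSTEM,DESKTOP1
3/14/2005,10:02:14 AM,Security,Success Audit,Object Access,560,NT AUTHORITY\\SYSTEM,DESKTOP1
3/14/2005,10:02:15 AM,Security,Success Audit,Logon/Logoff,528,DESKTOP1\\user1,DESKTOP1
3/14/2005,10:02:15 AM,Security,Success Audit,Object Access,560,NT AUTHORITY\\SYSTEM,DESKTOP1
"""


def load_events(text):
    """Parse the CSV export into dicts, skipping blank or truncated rows."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= len(COLUMNS):
            events.append(dict(zip(COLUMNS, (cell.strip() for cell in row))))
    return events


def top_talkers(events, n=3):
    """Count events per (category, event ID, user), busiest first."""
    counts = Counter((e["category"], e["event"], e["user"]) for e in events)
    return counts.most_common(n)


def failure_audits(events):
    """Failed logons and denied accesses are recorded as Failure Audit."""
    return [e for e in events if e["type"] == "Failure Audit"]


def noisy_share(events):
    """Return the busiest key and the fraction of the log it occupies."""
    (key, count), = top_talkers(events, 1)
    return key, count / len(events)


if __name__ == "__main__":
    events = load_events(SAMPLE_EXPORT)
    for key, count in top_talkers(events):
        print(count, *key)
    print("failure audits:", len(failure_audits(events)))
    print("busiest entry share:", noisy_share(events)[1])
```

When one (category, event ID, user) key accounts for most of the log, the audit policy category it belongs to is the setting to review under Local Security Policy.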
 

Mike Voigt

Supporting Actor
Joined
Sep 30, 1997
Messages
799
I suggest you work with the machine offline; that'll eliminate outside threats and may give you more time. See if that works. Also, try rebooting into safe mode to see if that cuts down on issues.

Then, on another, clean computer, create a CD with at least the following, executable (i.e. runnable from the CD) software on it:

1. HiJackThis
2. Killbox
3. Spybot Search and Destroy
4. Some antivirus package
5. Spyware Blaster
6. Fresh copy of ZoneAlarm
7. cmd.exe (that is to have the command prompt)

and any other ones you may want. If you can, get the most recent updates to your AV/spyware programs and put them on there. Same, if you can, for any Windows updates.

Go back into safe mode, and run HiJackThis. See what it finds; if there are oddball processes, post them here and/or at some of the other help sites for this stuff before deleting them. Some oddballs are necessary for software you may want to run.

Run spybot and see what it finds. Run your antivirus and see what it finds. Correct as much as you can.

Then boot into regular mode and do the same.

This should help wipe out most anything resident on your machine - including trojans and the like.

Check ZA to see what, if anything, is coming in or going out.

Hook up to MS website and get the latest updates. Ditto for your other packages.

Then run another scan using HiJackThis, make sure everything is correct - and save that copy. It gives you something to go back to later.

HTH,

Mike
 

Mary M S

Screenwriter
Joined
Mar 12, 2002
Messages
1,544
the problem is a "clean" :D computer. I need to wipe my LT. which had some issues a while back. Then use it for the above list.

I've run ad-aware
Spybot S&D
and the new Zone Alarm
for awhile.
I have booted into safe mode and run all above.
Trouble is they don't seem to catch anything, but they may have been compromised by installing onto this 'unclean' DT.

Zone Alarm is working, I have it set to high, and see a lot it blocks, just nervous that I had nefarious components tied to legit programs (which allowed) when I first loaded it and struggled to get internet connectivity while blocking everything possible.

eeekkk what work! ...to keep a basic system running clean.
good thing I made the choice years ago to do no business/banking/credit cards/bill paying, etc over my computer.


Tried to check my saved log which has no suggested program to open, it is hard to decipher in notepad.

Basically, I had repeated permission events going on. Many seemed tied to NT Authority\System, which should be? legit, (can that corrupt?)..I guess anything can!
Ex: current log:
Authentication pkg. load by local security...used to authorize logon attempts.
pkg. name: C:\WINDOWS\system32\wdigest.dll: WDigest
and the like.

It drives me crazy :angry: I have not studied since the age of 3 to be able to interpret this stuff!
 

Parker Clack

Schizophrenic Man
Moderator
Senior HTF Member
Joined
Jun 30, 1997
Messages
12,228
Location
Kansas City, MO
Real Name
Parker
Mary:

Download Crap Cleaner and run it on your system. You can choose which areas on your PC you want it to analyze and it will remove them for you.

It will delete the index.dat from the IE directory from your system and has options to remove log files.

Use caution when using it so it doesn't remove files that you want to keep.

Parker
 

Mary M S

Screenwriter
Joined
Mar 12, 2002
Messages
1,544
Just wanted to thank all for the advice. I had something nefarious increasing quickly so at my last post I just stayed off-web and deleted files for a few weeks when time was available. I can't seem to get the energy to shop for a new harddrive (or gut and up-grade...).
Whatever I have is way too embedded for the normal routes and cleaning it all without being ready for the upgrades needed seems a waste of energy.
All that gathering /upgrading software/hardware etc...(I need to learn (understand) slip streaming to make this stuff easier... it's so much work & time!

Still can't resolve the security-log-full problem, had a software programmer neighbor who (quickly) came over ...loaded f-prot played with the system, ...he thought I was very clean...but I know I'm not.

I'm sure I have a deep set data miner...+ my hacker (dsl hitch-hiker) .. still on board.

..so I just keep beating it back with a stick..and cont. being careful to keep this particular HD clean as possible of personal infor. No acct checking, bill paying, banking et al. for me.

Thanks again..I'll use these tips in future.
 

SethH

Senior HTF Member
Joined
Dec 17, 2003
Messages
2,867
I don't think this is virus or spyware or anything like that. I've had this before, but can't remember the exact fix. I'm pretty sure it's just a system setting though. I'm guessing you have XP Pro, correct? If so, then I'm pretty sure it's a setting that you find under Control Panel -> Admin Tools -> Local Security Policy. Also you may be able to clear out the log by going to Computer Management under the Admin Tools.

I could be wrong about this, but I remember having this problem a few years back pretty soon after installing XP Pro for the first time. I can't remember the exact fix, but I know it wasn't any type of malware that was causing it.
 

Mary M S

Screenwriter
Joined
Mar 12, 2002
Messages
1,544
XP Pro: yes

I can clear it ..but it repopulates so fast I can not switch users and log in on any other acct.

It is possible this particular problem could be a setting changed accidentally, and incorrectly by myself in Local-SP which is filling it up.
But I think whatever else I have managed to lock down and keep out, (general everyday malware) is not stopping what is already embedded.

While playing around in files with my last Virus protection (Norton’s) loaded. I suddenly could see a log of web sites surfed concurrently of unfamiliar URL’s while I was on-line. All heavily computer related sites.
I was never able to uncover this log again, and then switched to ZA.
Small oddities go on…slowdowns….I’m not clean.
 

Joseph DeMartino

Senior HTF Member
Joined
Jun 30, 1997
Messages
8,311
Location
Florida
Real Name
Joseph DeMartino
Login as Administrator
Control Panel
Administrative Tools
Computer Management
System Tools
Event Viewer
Security
Right-click, go to properties.
Clear the log file
Set the maximum log size to something reasonable (we use 1024 KB) and select "Over-write as needed"
Then clear the log file again
Repeat for the Application and Event logs

Regards,

Joe
 

Mary M S

Screenwriter
Joined
Mar 12, 2002
Messages
1,544
Thank you Joe.
Worked like a charm after clearing only the Security log, BUT
then I found issues of unknown duration.
Virus protection did not load in this limited acct until I manually started it. My Internet connection had the “enable” tab grayed out.

While starting to sort the above out, I discovered my fast-user-switching (?). is MIA. Cannot switch between accts without rebooting computer and my Internet Troubleshooter will not load or is missing.
 

SethH

Senior HTF Member
Joined
Dec 17, 2003
Messages
2,867
It sounds like you need to drop a shortcut to your AV into your user's startup folder (or in the All Users startup folder).

This can be found at Document & Settings/All Users/Start Menu/Programs/Startup

About the "enable" being grayed out, you may want to give yourself Power User permissions. To give yourself these permissions, go to Control Panel -> Admin Tools -> Computer Management -> Local Users & Groups. Click on Groups, then double-click on Power Users and add yourself to that group. This is a happy medium between a user account and an admin account. I do all of my "normal" computer work as a power user and have a separate admin account for the other stuff.
 
