From: VanguardLH on
William B. Lurie wrote:

> All of the old complaints about Norton and Symantec
> taken into consideration, they have cleaned up their act
> tremendously over the years, and are extremely helpful and
> have kept my machines free of (most) intruders very well.
> They do try to do too many things for me automatically,
> but I have it tuned so that I am in control. This
> automatic live update thing, I changed back to manual,
> so I'm not going to shut them down.

You should still uninstall Norton (and disconnect your host from the
network) to clear the event logs and then check later if you are still
getting the same login or policy change failures. I haven't used anything
Norton for a while but it could be that their firewall's HIPS (host intrusion
prevention system) which you see as their rules but includes heuristics is
causing the events.
From: Unknown on
I don't use either one and have a perfect running system.
"William B. Lurie" <billurie(a)nospam.net> wrote in message
news:Oh2T43MrKHA.5936(a)TK2MSFTNGP04.phx.gbl...
> All of the old complaints about Norton and Symantec
> taken into consideration, they have cleaned up their act
> tremendously over the years, and are extremely helpful and
> have kept my machines free of (most) intruders very well.
> They do try to do too many things for me automatically,
> but I have it tuned so that I am in control. This
> automatic live update thing, I changed back to manual,
> so I'm not going to shut them down.
>
> Unknown wrote:
>> Why don't you simply shut down NORTON?
>> "William B. Lurie" <billurie(a)nospam.net> wrote in message
>> news:uLtdZwLrKHA.6064(a)TK2MSFTNGP02.phx.gbl...
>>> JD wrote:
>>>> William B. Lurie wrote:
>>>>> William B. Lurie wrote:
>>>>>> William B. Lurie wrote:
>>>>>>> VanguardLH wrote:
>>>>>>>> William B. Lurie wrote:
>>>>>>>>
>>>>>>>>> Gerry, I found that Norton System Works Premier, which
>>>>>>>>> has a separate menu for such things, has a place where
>>>>>>>>> I can choose "Turn off all automatic updates". I
>>>>>>>>> did that several hours ago, and now the events have
>>>>>>>>> trickled down to a very few.
>>>>>>>> But doesn't that also mean that you won't get signature and/or program
>>>>>>>> updates for your Norton security program? You would end up with an
>>>>>>>> out-of-date Norton product.
>>>>>>> I turned off all *automatic* updates. I can still do
>>>>>>> Live Update when I choose to do so.
>>>>>> *************************************************
>>>>>> And now, some evidence and a question.
>>>>>> Overnight it did something every hour that
>>>>>> prevented it from going to hibernate. Or even screen saver!
>>>>>>
>>>>>> Here's the event log:
>>>>>>
>>>>>> http://bellsouthpwp.net/b/i/billurie/events.evt
>>>>>>
>>>>>> Can someone please tell me how to interpret what it shows?
>>>>>> (By the way, I uploaded the file but my notepad can't read
>>>>>> it; I hope somebody can!)
>>>>> Here is a screen shot of the events log.......maybe more
>>>>> decipherable.......
>>>>>
>>>>> http://bellsouthpwp.net/b/i/billurie/events.jpg
>>>> Go back to the events log and double left mouse click on one of the
>>>> errors. That will bring up the Event Properties. On the upper right
>>>> side of that window will be an up and down arrow and two little pages.
>>>> Left mouse click on the two pages. Then open Notepad and either hit
>>>> Ctrl V or click on Edit and select Paste. Now you have a copy of the
>>>> error properties and maybe you or someone here can tell you what is
>>>> causing the error.
>>>>
>>> Great instructions, JD, and here's one typical 'event'.
>>>
>>> Event Type: Failure Audit
>>> Event Source: Security
>>> Event Category: Policy Change
>>> Event ID: 615
>>> Date: 2/13/2010
>>> Time: 6:38:44 AM
>>> User: NT AUTHORITY\NETWORK SERVICE
>>> Computer: COMPAQ-2006
>>> Description:
>>> IPSec Services: IPSec Services failed to get the complete
>>> list of network interfaces on the machine. This can be a potential
>>> security hazard to the machine since some of the network interfaces
>>> may not get the protection as desired by the applied IPSec filters.
>>> Please run IPSec monitor snap-in to further diagnose the problem.
>>>
>>>
>>> That, of course, leads me to another place I've never been before...
>>> IPSec monitor snap-in. And now.......??
>>>
>>

From: Jose on
On Feb 13, 2:23 pm, JD <J...(a)example.invalid> wrote:
> Jose wrote:
> > On Feb 13, 9:51 am, "William B. Lurie"<billu...(a)nospam.net>  wrote:
> >> JD wrote:
> >>> William B. Lurie wrote:
> >>>> William B. Lurie wrote:
> >>>>> William B. Lurie wrote:
> >>>>>> VanguardLH wrote:
> >>>>>>> William B. Lurie wrote:
>
> >>>>>>>> Gerry, I found that Norton System Works Premier, which
> >>>>>>>> has a separate menu for such things, has a place where
> >>>>>>>> I can choose "Turn off all automatic updates". I
> >>>>>>>> did that several hours ago, and now the events have
> >>>>>>>> trickled down to a very few.
>
> >>>>>>> But doesn't that also mean that you won't get signature and/or program
> >>>>>>> updates for your Norton security program? You would end up with an
> >>>>>>> out-of-date Norton product.
> >>>>>> I turned off all *automatic* updates. I can still do
> >>>>>> Live Update when I choose to do so.
> >>>>> *************************************************
> >>>>> And now, some evidence and a question.
> >>>>> Overnight it did something every hour that
> >>>>> prevented it from going to hibernate. Or even screen saver!
>
> >>>>> Here's the event log:
>
> >>>>> http://bellsouthpwp.net/b/i/billurie/events.evt
>
> >>>>> Can someone please tell me how to interpret what it shows?
> >>>>> (By the way, I uploaded the file but my notepad can't read
> >>>>> it; I hope somebody can!)
>
> >>>> Here is a screen shot of the events log.......maybe more
> >>>> decipherable.......
>
> >>>> http://bellsouthpwp.net/b/i/billurie/events.jpg
>
> >>> Go back to the events log and double left mouse click on one of the
> >>> errors. That will bring up the Event Properties. On the upper right side
> >>> of that window will be an up and down arrow and two little pages. Left
> >>> mouse click on the two pages. Then open Notepad and either hit Ctrl V or
> >>> click on Edit and select Paste. Now you have a copy of the error
> >>> properties and maybe you or someone here can tell you what is causing
> >>> the error.
>
> >> Great instructions, JD, and here's one typical 'event'.
>
> >> Event Type:     Failure Audit
> >> Event Source:   Security
> >> Event Category: Policy Change
> >> Event ID:       615
> >> Date:           2/13/2010
> >> Time:           6:38:44 AM
> >> User:           NT AUTHORITY\NETWORK SERVICE
> >> Computer:       COMPAQ-2006
> >> Description:
> >> IPSec Services:         IPSec Services failed to get the complete
> >> list of network interfaces on the machine. This can be a potential
> >> security hazard to the machine since some of the network interfaces
> >> may not get the protection as desired by the applied IPSec filters.
> >> Please run IPSec monitor snap-in to further diagnose the problem.
>
> >> That, of course, leads me to another place I've never been before...
> >> IPSec monitor snap-in. And now.......??
>
> > Is there some reason you have your system configured to monitor and
> > audit and log security policy settings and changes?
>
> > That is what puts things in the Security log.  Such settings do not
> > usually apply to "normal" home type users.  Normally, this log is
> > empty, or has one entry in it - "The audit log was cleared ".
>
> > I dare say you are seeing a self inflicted wound.
>
> > Unless you are in an environment where you need to be extensively
> > auditing your Internet traffic, searching for network connectivity
> > issues, etc. you do not need to be monitoring these events.  This 615
> > probably occurred when you booted your system before the IPSec service
> > started and was then followed by a successful 615.
>
> > If you don't know what these things mean or how to begin to interpret
> > them you should turn them all off since they slow your system down
> > with all the unnecessary activity logging.  More logging is not always
> > good logging unless you are troubleshooting a problem.
>
> > If you don't know how to use the security auditing and IPSec tools and
> > don't need to know, turn off all that extra stuff you don't need and
> > your system will thank you for it by rewarding you with better
> > performance and fewer mysteries.
>
> > If you care to delve into all the settings, what they mean, how to
> > interpret them, etc. you should take a class, read a book, do some
> > Internet searching.
>
> Thanks for a non-response. Which book would you suggest he read? Or how
> does he turn off the security log? Oh wait though, I have 2,012 events
> in my Security log and I've never turned it on. And not one of those
> says "The audit log was cleared". I'm not being a smarty pants, I'm just
> curious as to the explanation of your response.
>
> --
>   JD..

Yeah - maybe I was coming on too strong or rude. I now have a better
Security Event Log message for the future.

Here is what I have seen...

Sometimes people wonder why the Security log is empty and think it is
a problem that nothing is being logged. All the other logs have stuff
and know I want some security on my system so they read some, poke
around and end up turning on Security Auditing from Control Panel,
Administrative Tools, Local Security Policy.

Everything for Security Auditing is turned off by default with "No
Auditing", so sometimes the thought is that some kind of additional
security auditing must be a good thing either because they are having
some problem they can't figure out or maybe they are curious.
Security is good, therefore I will put some security on everything!

The logging goes on unnoticed, they may resolve whatever the original
problem was and sometime later they peek at the Security log and see
all the failure messages and wonder what is wrong with their system.
Failure messages must mean something is wrong!

Turn all that logging on and reboot your system and you will get a lot
of failure events. Now folks think they have an issue and things are
failing all over the place, but it is an understanding issue (usually)
or they forgot they turned on the logging and never turned it off.

Event Logs also do not accumulate forever, they wrap when they get
full. Full is defined in the Properties of the log and defaults to
512KB and 7 days after that, then old things get overwritten
(luckily). The logs are usually in the c:\windows\system32\config
folder where those registry files are. You know those files... the
event logs are there too. Maybe yours wrapped or was never cleared -
or both.

Excess logging slows things down (any logging slows things down).
Maybe not much for this stuff, but if something has to read/write or
to even check to see if it needs to or even consider it, it takes some
CPU time that I would rather be spent someplace else. If you are
"tuning up" a system for performance, you can turn all that extra junk
off unless you need it to troubleshoot a problem. If you turn it on,
turn it off when you are done if you remember.

There is a similar story with the Internet Explorer log - why is it
always empty and is that my IE problem? An empty IE log can't be good
if I'm having IE problems. I can tell you, mine is empty and it
better stay that way.

You can buy books on Amazon that discuss Windows security,
performance, forensic analysis, malware - there are even Dummies books
for these things.

Like I mentioned before, no event in the Event Log should defy
explanation. If you have things in your Security Event Log, most
certainly they are there for a reason and should be explainable. Some
people will say the security events can be ignored. Well, I want to
explain them, then maybe I'll decide to ignore them.

I generally only have the one security event noting that my log was
cleared and I don't even need to have that. I only keep it so I know
my Security Event Log is working. Sometimes I use the Security
logging for troubleshooting or understanding somebody else's problem,
but generally not - it is extra I/O I don't need.

I sometimes keep an unused entry in my msconfig Startup tab and an
unused non MS service - just so I know msconfig is working. Seeing
those empty tabs is a little creepy.
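
A triage helper for event text copied out of Event Properties as described earlier in the thread, added here as an example and not posted by anyone in the thread: it parses the copied records (including `>`-quoted ones) and checks whether each Failure Audit is followed shortly by a Success Audit with the same Event ID, the pattern suggested above for the 615 at boot. The function names, the five-minute window, and the second and third sample records are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# First record: the event quoted in the thread (description shortened).
# The other two records are constructed for illustration.
SAMPLE = r"""
> >> Event Type:     Failure Audit
> >> Event Source:   Security
> >> Event Category: Policy Change
> >> Event ID:       615
> >> Date:           2/13/2010
> >> Time:           6:38:44 AM
> >> User:           NT AUTHORITY\NETWORK SERVICE
> >> Computer:       COMPAQ-2006
> >> Description:
> >> IPSec Services:         IPSec Services failed to get the complete
> >> list of network interfaces on the machine.
>
Event Type: Success Audit
Event Source: Security
Event Category: Policy Change
Event ID: 615
Date: 2/13/2010
Time: 6:38:51 AM
Description:
(constructed record: success following the failure)

Event Type: Failure Audit
Event Source: Security
Event Category: Policy Change
Event ID: 615
Date: 2/13/2010
Time: 7:38:44 AM
Description:
(constructed record: failure with no success after it)
"""

HEADER = re.compile(r"^(Event Type|Event Source|Event Category|Event ID|"
                    r"Date|Time|User|Computer):\s*(.*)$")
QUOTE = re.compile(r"^(?:\s*>+)+\s*")  # leading "> >> " reply markers


def parse_events(text):
    """Parse Event Properties text into dicts, tolerating '>' quoting."""
    events, cur, in_desc = [], None, False
    for raw in text.splitlines():
        line = QUOTE.sub("", raw).strip()
        m = HEADER.match(line)
        if m and m.group(1) == "Event Type":   # a new record starts here
            cur, in_desc = {"Description": []}, False
            events.append(cur)
        if cur is None:
            continue                            # text before the first record
        if line == "Description:":
            in_desc = True
        elif in_desc:
            cur["Description"].append(line)
        elif m:
            cur[m.group(1)] = m.group(2).strip()
    parsed = []
    for ev in events:
        try:
            ev["id"] = int(ev["Event ID"])
            ev["when"] = datetime.strptime(
                ev["Date"] + " " + ev["Time"], "%m/%d/%Y %I:%M:%S %p")
        except (KeyError, ValueError):
            continue                            # incomplete or mangled record
        ev["Description"] = " ".join(" ".join(ev["Description"]).split())
        parsed.append(ev)
    return parsed


def triage_failures(events, window=timedelta(minutes=5)):
    """Label each Failure Audit by whether a matching Success Audit follows."""
    events = sorted(events, key=lambda e: e["when"])
    results = []
    for i, ev in enumerate(events):
        if ev["Event Type"] != "Failure Audit":
            continue
        recovered = any(
            later["Event Type"] == "Success Audit"
            and later["id"] == ev["id"]
            and later.get("Event Source") == ev.get("Event Source")
            and later["when"] - ev["when"] <= window
            for later in events[i + 1:])
        results.append((ev["when"].isoformat(), ev["id"],
                        "transient" if recovered else "unresolved"))
    return results


if __name__ == "__main__":
    for row in triage_failures(parse_events(SAMPLE)):
        print(row)
```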





From: Gerry on
Jose

All Success Audit (lots of them), no failures here!

--


Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~

Jose wrote:
> On Feb 13, 2:23 pm, JD <J...(a)example.invalid> wrote:
>> Jose wrote:
>>> On Feb 13, 9:51 am, "William B. Lurie"<billu...(a)nospam.net> wrote:
>>>> JD wrote:
>>>>> William B. Lurie wrote:
>>>>>> William B. Lurie wrote:
>>>>>>> William B. Lurie wrote:
>>>>>>>> VanguardLH wrote:
>>>>>>>>> William B. Lurie wrote:
>>
>>>>>>>>>> Gerry, I found that Norton System Works Premier, which
>>>>>>>>>> has a separate menu for such things, has a place where
>>>>>>>>>> I can choose "Turn off all automatic updates". I
>>>>>>>>>> did that several hours ago, and now the events have
>>>>>>>>>> trickled down to a very few.
>>
>>>>>>>>> But doesn't that also mean that you won't get signature
>>>>>>>>> and/or program updates for your Norton security program? You
>>>>>>>>> would end up with an out-of-date Norton product.
>>>>>>>> I turned off all *automatic* updates. I can still do
>>>>>>>> Live Update when I choose to do so.
>>>>>>> *************************************************
>>>>>>> And now, some evidence and a question.
>>>>>>> Overnight it did something every hour that
>>>>>>> prevented it from going to hibernate. Or even screen saver!
>>
>>>>>>> Here's the event log:
>>
>>>>>>> http://bellsouthpwp.net/b/i/billurie/events.evt
>>
>>>>>>> Can someone please tell me how to interpret what it shows?
>>>>>>> (By the way, I uploaded the file but my notepad can't read
>>>>>>> it; I hope somebody can!)
>>
>>>>>> Here is a screen shot of the events log.......maybe more
>>>>>> decipherable.......
>>
>>>>>> http://bellsouthpwp.net/b/i/billurie/events.jpg
>>
>>>>> Go back to the events log and double left mouse click on one of
>>>>> the errors. That will bring up the Event Properties. On the upper
>>>>> right side of that window will be an up and down arrow and two
>>>>> little pages. Left mouse click on the two pages. Then open
>>>>> Notepad and either hit Ctrl V or click on Edit and select Paste.
>>>>> Now you have a copy of the error properties and maybe you or
>>>>> someone here can tell you what is causing the error.
>>
>>>> Great instructions, JD, and here's one typical 'event'.
>>
>>>> Event Type: Failure Audit
>>>> Event Source: Security
>>>> Event Category: Policy Change
>>>> Event ID: 615
>>>> Date: 2/13/2010
>>>> Time: 6:38:44 AM
>>>> User: NT AUTHORITY\NETWORK SERVICE
>>>> Computer: COMPAQ-2006
>>>> Description:
>>>> IPSec Services: IPSec Services failed to get the complete
>>>> list of network interfaces on the machine. This can be a potential
>>>> security hazard to the machine since some of the network interfaces
>>>> may not get the protection as desired by the applied IPSec filters.
>>>> Please run IPSec monitor snap-in to further diagnose the problem.
>>
>>>> That, of course, leads me to another place I've never been
>>>> before... IPSec monitor snap-in. And now.......??
>>
>>> Is there some reason you have your system configured to monitor and
>>> audit and log security policy settings and changes?
>>
>>> That is what puts things in the Security log. Such settings do not
>>> usually apply to "normal" home type users. Normally, this log is
>>> empty, or has one entry in it - "The audit log was cleared ".
>>
>>> I dare say you are seeing a self inflicted wound.
>>
>>> Unless you are in an environment where you need to be extensively
>>> auditing your Internet traffic, searching for network connectivity
>>> issues, etc. you do not need to be monitoring these events. This 615
>>> probably occurred when you booted your system before the IPSec
>>> service started and was then followed by a successful 615.
>>
>>> If you don't know what these things mean or how to begin to
>>> interpret them you should turn them all off since they slow your
>>> system down with all the unnecessary activity logging. More logging
>>> is not always good logging unless you are troubleshooting a problem.
>>
>>> If you don't know how to use the security auditing and IPSec tools
>>> and don't need to know, turn off all that extra stuff you don't
>>> need and your system will thank you for it by rewarding you with
>>> better performance and fewer mysteries.
>>
>>> If you care to delve into all the settings, what they mean, how to
>>> interpret them, etc. you should take a class, read a book, do some
>>> Internet searching.
>>
>> Thanks for a non-response. Which book would you suggest he read? Or
>> how does he turn off the security log? Oh wait though, I have 2,012
>> events in my Security log and I've never turned it on. And not one
>> of those says "The audit log was cleared". I'm not being a smarty
>> pants, I'm just curious as to the explanation of your response.
>>
>> --
>> JD..
>
> Yeah - maybe I was coming on too strong or rude. I now have a better
> Security Event Log message for the future.
>
> Here is what I have seen...
>
> Sometimes people wonder why the Security log is empty and think it is
> a problem that nothing is being logged. All the other logs have stuff
> and know I want some security on my system so they read some, poke
> around and end up turning on Security Auditing from Control Panel,
> Administrative Tools, Local Security Policy.
>
> Everything for Security Auditing is turned off by default with "No
> Auditing", so sometimes the thought is that some kind of additional
> security auditing must be a good thing either because they are having
> some problem they can't figure out or maybe they are curious.
> Security is good, therefore I will put some security on everything!
>
> The logging goes on unnoticed, they may resolve whatever the original
> problem was and sometime later they peek at the Security log and see
> all the failure messages and wonder what is wrong with their system.
> Failure messages must mean something is wrong!
>
> Turn all that logging on and reboot your system and you will get a lot
> of failure events. Now folks think they have an issue and things are
> failing all over the place, but it is an understanding issue (usually)
> or they forgot they turned on the logging and never turned it off.
>
> Event Logs also do not accumulate forever, they wrap when they get
> full. Full is defined in the Properties of the log and defaults to
> 512KB and 7 days after that, then old things get overwritten
> (luckily). The logs are usually in the c:\windows\system32\config
> folder where those registry files are. You know those files... the
> event logs are there too. Maybe yours wrapped or was never cleared -
> or both.
>
> Excess logging slows things down (any logging slows things down).
> Maybe not much for this stuff, but if something has to read/write or
> to even check to see if it needs to or even consider it, it takes some
> CPU time that I would rather be spent someplace else. If you are
> "tuning up" a system for performance, you can turn all that extra junk
> off unless you need it to troubleshoot a problem. If you turn it on,
> turn it off when you are done if you remember.
>
> There is a similar story with the Internet Explorer log - why is it
> always empty and is that my IE problem? An empty IE log can't be good
> if I'm having IE problems. I can tell you, mine is empty and it
> better stay that way.
>
> You can buy books on Amazon that discuss Windows security,
> performance, forensic analysis, malware - there are even Dummies books
> for these things.
>
> Like I mentioned before, no event in the Event Log should defy
> explanation. If you have things in your Security Event Log, most
> certainly they are there for a reason and should be explainable. Some
> people will say the security events can be ignored. Well, I want to
> explain them, then maybe I'll decide to ignore them.
>
> I generally only have the one security event noting that my log was
> cleared and I don't even need to have that. I only keep it so I know
> my Security Event Log is working. Sometimes I use the Security
> logging for troubleshooting or understanding somebody else's problem,
> but generally not - it is extra I/O I don't need.
>
> I sometimes keep an unused entry in my msconfig Startup tab and an
> unused non MS service - just so I know msconfig is working. Seeing
> those empty tabs is a little creepy.

From: Jose on
On Feb 13, 5:51 pm, "Gerry" <ge...(a)nospam.com> wrote:
> Jose
>
> All Success Audit (lots of them), no failures here!
>
> --
>
> Gerry
>  ~~~~
> FCA
> Stourport, England
> Enquire, plan and execute
> ~~~~~~~~~~~~~~~~~~~
>
>
>
> Jose wrote:
> > On Feb 13, 2:23 pm, JD <J...(a)example.invalid> wrote:
> >> Jose wrote:
> >>> On Feb 13, 9:51 am, "William B. Lurie"<billu...(a)nospam.net> wrote:
> >>>> JD wrote:
> >>>>> William B. Lurie wrote:
> >>>>>> William B. Lurie wrote:
> >>>>>>> William B. Lurie wrote:
> >>>>>>>> VanguardLH wrote:
> >>>>>>>>> William B. Lurie wrote:
>
> >>>>>>>>>> Gerry, I found that Norton System Works Premier, which
> >>>>>>>>>> has a separate menu for such things, has a place where
> >>>>>>>>>> I can choose "Turn off all automatic updates". I
> >>>>>>>>>> did that several hours ago, and now the events have
> >>>>>>>>>> trickled down to a very few.
>
> >>>>>>>>> But doesn't that also mean that you won't get signature
> >>>>>>>>> and/or program updates for your Norton security program? You
> >>>>>>>>> would end up with an out-of-date Norton product.
> >>>>>>>> I turned off all *automatic* updates. I can still do
> >>>>>>>> Live Update when I choose to do so.
> >>>>>>> *************************************************
> >>>>>>> And now, some evidence and a question.
> >>>>>>> Overnight it did something every hour that
> >>>>>>> prevented it from going to hibernate. Or even screen saver!
>
> >>>>>>> Here's the event log:
>
> >>>>>>> http://bellsouthpwp.net/b/i/billurie/events.evt
>
> >>>>>>> Can someone please tell me how to interpret what it shows?
> >>>>>>> (By the way, I uploaded the file but my notepad can't read
> >>>>>>> it; I hope somebody can!)
>
> >>>>>> Here is a screen shot of the events log.......maybe more
> >>>>>> decipherable.......
>
> >>>>>> http://bellsouthpwp.net/b/i/billurie/events.jpg
>
> >>>>> Go back to the events log and double left mouse click on one of
> >>>>> the errors. That will bring up the Event Properties. On the upper
> >>>>> right side of that window will be an up and down arrow and two
> >>>>> little pages. Left mouse click on the two pages. Then open
> >>>>> Notepad and either hit Ctrl V or click on Edit and select Paste.
> >>>>> Now you have a copy of the error properties and maybe you or
> >>>>> someone here can tell you what is causing the error.
>
> >>>> Great instructions, JD, and here's one typical 'event'.
>
> >>>> Event Type: Failure Audit
> >>>> Event Source: Security
> >>>> Event Category: Policy Change
> >>>> Event ID: 615
> >>>> Date: 2/13/2010
> >>>> Time: 6:38:44 AM
> >>>> User: NT AUTHORITY\NETWORK SERVICE
> >>>> Computer: COMPAQ-2006
> >>>> Description:
> >>>> IPSec Services: IPSec Services failed to get the complete
> >>>> list of network interfaces on the machine. This can be a potential
> >>>> security hazard to the machine since some of the network interfaces
> >>>> may not get the protection as desired by the applied IPSec filters.
> >>>> Please run IPSec monitor snap-in to further diagnose the problem.
>
> >>>> That, of course, leads me to another place I've never been
> >>>> before... IPSec monitor snap-in. And now.......??
>
> >>> Is there some reason you have your system configured to monitor and
> >>> audit and log security policy settings and changes?
>
> >>> That is what puts things in the Security log. Such settings do not
> >>> usually apply to "normal" home type users. Normally, this log is
> >>> empty, or has one entry in it - "The audit log was cleared ".
>
> >>> I dare say you are seeing a self inflicted wound.
>
> >>> Unless you are in an environment where you need to be extensively
> >>> auditing your Internet traffic, searching for network connectivity
> >>> issues, etc. you do not need to be monitoring these events. This 615
> >>> probably occurred when you booted your system before the IPSec
> >>> service started and was then followed by a successful 615.
>
> >>> If you don't know what these things mean or how to begin to
> >>> interpret them you should turn them all off since they slow your
> >>> system down with all the unnecessary activity logging. More logging
> >>> is not always good logging unless you are troubleshooting a problem.
>
> >>> If you don't know how to use the security auditing and IPSec tools
> >>> and don't need to know, turn off all that extra stuff you don't
> >>> need and your system will thank you for it by rewarding you with
> >>> better performance and fewer mysteries.
>
> >>> If you care to delve into all the settings, what they mean, how to
> >>> interpret them, etc. you should take a class, read a book, do some
> >>> Internet searching.
>
> >> Thanks for a non-response. Which book would you suggest he read? Or
> >> how does he turn off the security log? Oh wait though, I have 2,012
> >> events in my Security log and I've never turned it on. And not one
> >> of those says "The audit log was cleared". I'm not being a smarty
> >> pants, I'm just curious as to the explanation of your response.
>
> >> --
> >> JD..
>
> > Yeah - maybe I was coming on too strong or rude.  I now have a better
> > Security Event Log message for the future.
>
> > Here is what I have seen...
>
> > Sometimes people wonder why the Security log is empty and think it is
> > a problem that nothing is being logged.  All the other logs have stuff
> > and know I want some security on my system so they read some, poke
> > around and end up turning on Security Auditing from Control Panel,
> > Administrative Tools, Local Security Policy.
>
> > Everything for Security Auditing is turned off by default with "No
> > Auditing", so sometimes the thought is that some kind of additional
> > security auditing must be a good thing either because they are having
> > some problem they can't figure out or maybe they are curious.
> > Security is good, therefore I will put some security on everything!
>
> > The logging goes on unnoticed, they may resolve whatever the original
> > problem was and sometime later they peek at the Security log and see
> > all the failure messages and wonder what is wrong with their system.
> > Failure messages must mean something is wrong!
>
> > Turn all that logging on and reboot your system and you will get a lot
> > of failure events.  Now folks think they have an issue and things are
> > failing all over the place, but it is an understanding issue (usually)
> > or they forgot they turned on the logging and never turned it off.
>
> > Event Logs also do not accumulate forever, they wrap when they get
> > full.  Full is defined in the Properties of the log and defaults to
> > 512KB and 7 days after that, then old things get overwritten
> > (luckily).  The logs are usually in the c:\windows\system32\config
> > folder where those registry files are.  You know those files...  the
> > event logs are there too.  Maybe yours wrapped or was never cleared -
> > or both.
>
> > Excess logging slows things down (any logging slows things down).
> > Maybe not much for this stuff, but if something has to read/write or
> > to even check to see if it needs to or even consider it, it takes some
> > CPU time that I would rather be spent someplace else.   If you are
> > "tuning up" a system for performance, you can turn all that extra junk
> > off unless you need it to troubleshoot a problem.  If you turn it on,
> > turn it off when you are done if you remember.
>
> > There is a similar story with the Internet Explorer log - why is it
> > always empty and is that my IE problem?  An empty IE log can't be good
> > if I'm having IE problems.  I can tell you, mine is empty and it
> > better stay that way.
>
> > You can buy books on Amazon that discuss Windows security,
> > performance, forensic analysis, malware - there are even Dummies books
> > for these things.
>
> > Like I mentioned before, no event in the Event Log should defy
> > explanation.  If you have things in your Security Event Log, most
> > certainly they are there for a reason and should be explainable.  Some
> > people will say the security events can be ignored.  Well, I want to
> > explain them, then maybe I'll decide to ignore them.
>
> > I generally only have the one security event noting that my log was
> > cleared and I don't even need to have that.  I only keep it so I know
> > my Security Event Log is working.  Sometimes I use the Security
> > logging for troubleshooting or understanding somebody else's problem,
> > but generally not - it is extra I/O I don't need.
>
> > I sometimes keep an unused entry in my msconfig Startup tab and an
> > unused non MS service - just so I know msconfig is working.  Seeing
> > those empty tabs is a little creepy.

Good for you!

Such was not the case for the OP.

Do you have success audits enabled?

If you don't know what they mean, post some up for interpretation if
you want, or post some anyway so I can add them to my list if I don't
have them already.

I find them all annoying in day to day activities.