Security Event Log 4673
-
Has anyone checked their WinEventLog for Audit Failures caused by Vivaldi? Windows was installed a week ago. I'm getting sets of Event ID 4673, a privileged service was called. The subject is a standard user account, the service is undefined, and the process is vivaldi. I've converted the Hex Process ID and it's for an instance with the Command Line switch:
vivaldi.exe renderer --field-trial-handle=1516,16418120127194597676,3321558924824056225,131072 --lang=en-US --disable-oor-cors --enable-auto-reload --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --service-request-channel-token=15610072476550406771 --renderer-client-id=236 --no-v8-untrusted-code-mitigations --running-vivaldi --mojo-platform-channel-handle=18724 /prefetch:1
-
@brenji Nope, not seeing any of those. Running Win10 Pro here.
Are you running any security software on your system? Some such software adds hooks into the browser for intercepting network traffic and similar.
You can maybe use the tool FullEventLogView to get more information on the event:
https://www.nirsoft.net/utils/full_event_log_view.html
Also see:
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4673
-
I have various security software running. I'll look into these suggestions. Funny, I found this with the Nirsoft tool. I'm now using Advanced Event Viewer software, which is very nice. Good price. I'm working on resolving warnings and failures. This was one. It's on all the computers I reimaged, so it must be an add-in.
Anyone else see a 4673?
-
@Pathduck I think I see why. In the Local Security Policy, I'd set Advanced Audit Policy > Privilege Use > Audit Non Sensitive Privilege Use > Success/Failure. One non-sensitive privilege is to run an exe as a single process: "SeProfileSingleProcessPrivilege". We see that in process explorer Vivaldi runs as multiple instances. The one that's failing looks like it's for the graphics. There's a Google engineer [*linkedin] with a blog containing the Chrome command switches: peter[.]sh/experiments/chromium-command-line-switches . My switches above include raster threads, renderer, and other assumed graphics fields.
Ultimately, it looks like my 4673 is a false-positive due to aggressive Security logging. Failures because of a function, single process, that Chromium/Vivaldi doesn't use.
-
For Reference:
Subject:
Security ID: S-1-5-21-3305502653-4100909561-3226654684-1001
Account Name:
Account Domain:
Logon ID:
Service:
Server: Security
Service Name: -
Process:
Process ID: 0x5318
Process Name: C:\Program Files\Vivaldi\Application\vivaldi.exe
Service Request Information:
Privileges: SeTcbPrivilege
-
I didn't post my finding from last year. Chromium's task manager pinpointed uBlock Origin. 4673 would make absolute sense, bc websites are gonna try to control the browser with your privileges. Good demo on why you shouldn't use an admin account.
At some point I might set up a VM and use detailed logging to see what handles they're trying. I'm interested in capturing examples. Fiddler, uBlock logging, and a few other tools should catch it. All it takes is leaving one site open for a day to make a million of these. I wonder if Vivaldi's built-in blocking would make these too.
-
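Added example, not written by any poster in this thread: the triage discussed above as a PowerShell script that flattens Event 4673 records, converts the hex Process ID to decimal, and counts failures per process and privilege. The sample record is constructed from the values posted in the thread, and the function name `ConvertFrom-Event4673` is hypothetical.

```powershell
# Constructed sample record, built from the values posted in this thread.
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4673</EventID></System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-3305502653-4100909561-3226654684-1001</Data>
    <Data Name="ObjectServer">Security</Data>
    <Data Name="Service">-</Data>
    <Data Name="PrivilegeList">SeTcbPrivilege</Data>
    <Data Name="ProcessId">0x5318</Data>
    <Data Name="ProcessName">C:\Program Files\Vivaldi\Application\vivaldi.exe</Data>
  </EventData>
</Event>
'@

# Hypothetical helper: flatten one 4673 event (as XML text) into an object.
function ConvertFrom-Event4673 {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Xml)
    process {
        $data = @{}
        foreach ($d in ([xml]$Xml).Event.EventData.Data) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }
        [pscustomobject]@{
            ProcessName = $data['ProcessName']
            # The log stores the PID in hex; Task Manager and Get-Process use decimal.
            ProcessId   = [Convert]::ToInt32($data['ProcessId'], 16)
            Privileges  = (-split $data['PrivilegeList']) -join ','
            UserSid     = $data['SubjectUserSid']
        }
    }
}

# Offline: parse the constructed record. Live (elevated prompt), swap in:
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4673;
#       Keywords=4503599627370496} | ForEach-Object { $_.ToXml() }
# where 4503599627370496 (0x10000000000000) is the Audit Failure keyword.
$events = @($sampleXml) | ConvertFrom-Event4673

# Which process and privilege account for the failures?
$events | Group-Object ProcessName, Privileges |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# While the process is still running, map the decimal PID to its command line.
foreach ($procId in ($events.ProcessId | Sort-Object -Unique)) {
    Get-CimInstance Win32_Process -Filter "ProcessId=$procId" -ErrorAction SilentlyContinue |
        Select-Object ProcessId, CommandLine
}
```

The current state of the audit subcategory mentioned in the thread can be checked from an elevated prompt with `auditpol /get /subcategory:"Non Sensitive Privilege Use"`.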