CSA - Winlogon.exe causes rule 699 to fire

Unanswered Question
Sep 19th, 2007
User Badges:

I am seeing the following message: "The process 'C:\Windows\system32\winlogon.exe (as user NT Authority\System) attempted to modify a Cisco Service Agent resource Cisco process c:\Program Files\Cisco Systems\CSAgent\bin\leventmgr.exe. The Operation was denied." This firing rule was 699. I have also attached a screenshot of the firing rule details. Has anyone seen this before or have any ideas?


The alert is comming from the agent running on the MC, which appears to have been disabled.



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
tsteger1 Thu, 09/20/2007 - 15:06
User Badges:
  • Red, 2250 points or more

My 5.2.210 MC had 4 of these messages.


They appeared to occur when I was connected via a terminal session and generated rules.


I haven't had any since I upgraded to 5.2.225.


Tom

Actions

This Discussion