Question asked by JAndrewJohnson-0631

Hundreds of 6417 Events in Windows 10 Security Log

I'm a bit of a Security Log neophyte, but have had to learn as much as possible over the last several months as I have solid evidence that my home network has been breached (why? who? no clue).

But this is something I have never seen on this machine before, and it just started within the last 36 hours. My security log has begun to be filled with hundreds of event 6417... 1517 of them to be exact. Here are a few examples, starting with the first instance:

| Record | Date | Time | Type | Event | PID | Process Name |
|---|---|---|---|---|---|---|
| 10093 | 8/16/2021 | 3:42:46 AM | Audit Success | 6417 | 00000250 | C:\Windows\System32\csrss.exe |
| 10124 | 8/16/2021 | 3:42:51 AM | Audit Success | 6417 | 000002DC | C:\Windows\System32\LogonUI.exe |
| 10860 | 8/16/2021 | 3:53:08 AM | Audit Success | 6417 | 000002DC | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe |
| 12176 | 8/15/2021 | 9:13:03 PM | Audit Success | 6417 | 00000B58 | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBridge\SkypeBridge.exe |

The PIDs and Process names run through hundreds of different executables, but the largest represented process is msedge.com.

I'm running an older machine:

Device name:
Processor: Intel(R) Core(TM)2 Duo CPU E4600 @ 2.40GHz 2.40 GHz
Installed RAM: 6.00 GB
Device ID: 4372B41C-30C5-42F9-824C-81C7D**
Product ID: 00330-80000-00000-AA314
System type: 64-bit operating system, x64-based processor
Pen and touch: No pen or touch input is available for this display
Edition: Windows 10 Pro
Version: 21H1
Installed on: 8/14/2021
OS build: 19043.1165
Experience: Windows Feature Experience Pack 120.2212.3530.0

...with an older TPM (v 1.2), but have never seen a single 6417 event, let alone 1500.

When I look in the system log for events 14 or 17, I find 11 event 14 entries, three of which occurred in the same time frame as the 6417 events in the system log:

| Type | Date | Time | Event | Source | Category | User | Computer |
|---|---|---|---|---|---|---|---|
| Information | 8/17/2021 | 10:53:14 AM | 14 | Microsoft-Windows-Wininit | None | \SYSTEM | |
| Information | 8/16/2021 | 3:42:49 AM | 14 | Microsoft-Windows-Wininit | None | \SYSTEM | |
| Information | 8/15/2021 | 9:11:30 PM | 14 | Microsoft-Windows-Wininit | None | \SYSTEM * | |


Interestingly enough, these events look nothing like event 14 as represented here:

https://docs.microsoft.com/en-us/troubleshoot/windows-client/windows-security/tpm-device-driver-error-log

As the entire entry consists of one line: 'Credential Guard configuration: 0,0'

My machine is a workgroup on a small home network, not in a domain with an AD server, so I'm not sure why Credential Guard enters into this.

Am I correct in thinking this is a bit unusual?

Any insight would be appreciated, and thanks ahead of time!



1 Answer

Answer by GaryNebbett

Hello @JAndrewJohnson-0631,

Good to see that you corrected your self-description - it makes things a lot clearer :-)

You have probably recently enabled the policy "System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithms"; disabling the policy should also cause these events to stop.


Gary


image.png (126.2 KiB)
· 3
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Thank you, Gary!

I'm surprised that a fairly comprehensive search did not find anything on this effect of this setting. Interestingly, I have had this setting turned on previously, and did not notice any instances of event 6417, although admittedly I was not looking for them. But even given that, there could not have been this many. I wonder what caused the volume I saw this time? And I also wonder what overall effect on performance this constant self-testing caused? Given that using FIPS is only useful under one particular circumstance that doesn't apply to me, I've turned it off.

Much appreciated!


Hello @JAndrewJohnson-0631,

There are web sites that track when new functions were first exported from the Windows kernel (e.g. https://www.geoffchappell.com/studies/windows/km/ntoskrnl/history/names1511.htm), and the function used by cng.sys to log these events (SeAuditFipsCryptoSelftests) was first exported in Windows 10 Version 1511.

Gary


Geoff Chappell's web site is excellent!
This has been most hopeful
Thanks for the reference, and again, thanks for your help.

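An added example, not from the thread or from either participant: a PowerShell script a defender can run from an elevated prompt to reproduce the triage Gary's answer implies, i.e. count the 6417 entries in the Security log, group them by the process that triggered the self-test, show the time window they cover, and read the registry value behind the "Use FIPS 140 compliant cryptographic algorithms" policy so the two can be correlated. The `ProcessName` field name in the event's XML and the `-Days` lookback are assumptions; the registry path `HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy` with its `Enabled` DWORD is the documented backing store for that policy.

```powershell
# Added example (not code from the thread): triage Security event 6417
# ("The FIPS mode crypto selftests succeeded") and check the FIPS policy state.
# Run from an elevated prompt; reading the Security log requires administrator rights.

param(
    [int]$Days = 2   # assumption: lookback window in days, adjust to the period of interest
)

$since = (Get-Date).AddDays(-$Days)

# Filter server-side on log name, event ID and start time rather than piping the whole log.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 6417
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host ("No 6417 events since {0}" -f $since)
} else {
    Write-Host ("{0} 6417 events since {1}" -f $events.Count, $since)

    # Pull the triggering process out of each event's EventData.
    # Assumption: the data element is named 'ProcessName' (as in the thread's export);
    # fall back to the last property if the template names it differently.
    $byProcess = foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $proc = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'ProcessName' }).'#text'
        if (-not $proc) { $proc = $e.Properties[-1].Value }
        [pscustomobject]@{ Time = $e.TimeCreated; Process = $proc }
    }

    # Which executables caused the self-tests, most frequent first.
    $byProcess | Group-Object Process | Sort-Object Count -Descending |
        Select-Object Count, Name | Format-Table -AutoSize

    # First and last occurrence bound the period in which the policy was active.
    $sorted = $byProcess | Sort-Object Time
    Write-Host ("First: {0}   Last: {1}" -f $sorted[0].Time, $sorted[-1].Time)
}

# The policy "System cryptography: Use FIPS 140 compliant cryptographic algorithms,
# including encryption, hashing and signing algorithms" is stored here: 1 = enabled, 0 = disabled.
$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$fips = Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue
if ($null -eq $fips) {
    Write-Host "FipsAlgorithmPolicy\Enabled is not present (policy not configured)"
} else {
    Write-Host ("FipsAlgorithmPolicy\Enabled = {0}" -f $fips.Enabled)
}
```

If the process breakdown is dominated by ordinary user applications (browsers, LogonUI, store apps) and the first 6417 timestamp lines up with the moment `FipsAlgorithmPolicy\Enabled` was set to 1, the volume is explained by the policy rather than by anything acting on the machine; a sudden stop after setting the value back to 0 confirms it.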