1 Reply Latest reply on Apr 13, 2012 4:03 AM by rackroyd

    McScript_InUse.exe attempting logon to server account?

    Isagel

      Odd question, I have a security-auditing entry in event viewer, event ID 4625 - an account failed to logon.

       

      I have an AV service account created, local account on Win 2008 server.

       

       

      Subject:

           Security ID:              SYSTEM

           Account Name:       'server name'

           Accunt Domain:      SP

           Logon ID:                  0x3e7

       

      Logon Type:      2

          

      Account for which logon failed:

           Security ID:             NULL SID

           Account Name:      svc_antivirus

           Account Domain:   

       

      Failure Information:

           Failure Reason:      Unknown user name or bad password

           Status:                       0xc000006d

           Sub Status:               0xc000006a

       

      Process Information:

           Caller Process ID:             0x8724

           Caller Process Name:      C:\Program Files (x86)\McAfee\Common Framework\McScript_InUse.exe

       

       

       

      I'm wondering if the process McScript_InUse.exe would try to logon to the account I created with a different ID (0x3e7)...doesn't make much sense but any thoughts?  Not related to McAfee or ePO or VSE maybe.

       

       

       

      Thanks.

        • 1. Re: McScript_InUse.exe attempting logon to server account?
          rackroyd

          mcscrpt_inuse is invoked as part of the scripting engine of the McAfee Agent. It is basically called when the agent is running a task, such as an update for example.

          As tasks are generally scheduled, this process will often run in the system context.

           

          However  an update task may need to carry additional credentials to allow access to a network or internet resource (perhaps a distributed repository or source site). The system account won't have network access if my sketchy Windows skills recall correctly Hence the additional account info.

           

          So you may be seeing a failed update task, which would be reflected in the local mcscript.log in more detail with any luck.

           

          Rgds,

           

          Rob.

          1 of 1 people found this helpful