Missing lsass.exe entries in seaudit

Document ID : KB000005949
Last Modified Date : 14/02/2018
Issue:

lsass.exe entries do not appear in seaudit when a user logs in on Windows. For example, the following kind of message is missing (where <server> is the endpoint and <user> is the user):

30 Jan 2017 08:48:04 P LOGIN <user> 59 2 <server> C:\Windows\System32\lsass.exe 

 

 

Resolution:

This is likely to be because %SystemRoot%\system32\eACSubAuth.dll was renamed to eACSubAuth.dll.old, which causes lsass.exe to no longer be called during login. Rename the file back to eACSubAuth.dll and the entry should appear in seaudit again.
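
The script below is an added example, not part of the original article or of the product's own tooling: a PowerShell diagnostic that reports whether eACSubAuth.dll is present or has been renamed to eACSubAuth.dll.old, counts LOGIN records for lsass.exe in saved seaudit output, and can rename the file back. The -AuditText file and both parameter names are assumptions; when no file is given, the script falls back to the sample line from this article.

```powershell
# Added example, not vendor code. Run from an elevated 64-bit PowerShell:
# a 32-bit host is redirected from System32 to SysWOW64 and would check the wrong folder.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$AuditText,   # assumption: path to a text file of saved seaudit output
    [switch]$Restore      # rename eACSubAuth.dll.old back to eACSubAuth.dll
)

$dll = Join-Path $env:SystemRoot 'System32\eACSubAuth.dll'
$old = "$dll.old"

# Classify the condition the article describes.
$state = 'Missing'
if (Test-Path -LiteralPath $dll -PathType Leaf) {
    $state = 'Present'
} elseif (Test-Path -LiteralPath $old -PathType Leaf) {
    $state = 'RenamedToOld'
}

# Sample LOGIN record copied from this article; used only when no -AuditText file is given.
$sample = '30 Jan 2017 08:48:04 P LOGIN <user> 59 2 <server> C:\Windows\System32\lsass.exe'
$lines  = if ($AuditText) { Get-Content -LiteralPath $AuditText } else { $sample }

# A LOGIN record whose program path ends in lsass.exe (-match is case-insensitive).
$pattern = '\sLOGIN\s.*\\lsass\.exe\s*$'
$hits    = @($lines | Where-Object { $_ -match $pattern })

if ($Restore -and $state -eq 'RenamedToOld') {
    # Rename-Item honours -WhatIf / -Confirm passed to this script.
    Rename-Item -LiteralPath $old -NewName 'eACSubAuth.dll'
    if (Test-Path -LiteralPath $dll -PathType Leaf) { $state = 'Present' }
}

[pscustomobject]@{
    DllPath           = $dll
    DllState          = $state
    LsassLoginRecords = $hits.Count
    Source            = if ($AuditText) { $AuditText } else { 'article sample line' }
}
```

A DllState of RenamedToOld together with zero LsassLoginRecords in real seaudit output matches the situation described here; pass -Restore -WhatIf first to preview the rename.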