Event Viewer Spam Causing PC Stutter - Events 5379, 4624, 4672 -- Security Audits

Discussion in 'Operating Systems' started by bbacks26, Aug 30, 2020.

  1. bbacks26

    bbacks26 New Member

    Messages:
    5
    Likes Received:
    0
    GPU:
    RTX 2080Ti
    Hi,

    Since getting my new PC, I have experienced these instances of noticeable stutter when browsing, gaming, or simply being on the desktop. The best way to describe it is as a very brief but noticeable micro-stutter/micro-freeze, the screen does not flash and audio does not cut out. It lasts for about half a second, but it is very noticeable and annoying, especially when playing games. After spending hours troubleshooting, I have ended up finding the cause. These stutters happen at the exact same logs are generated in the Event Viewer application. These logs are listed under the "Audit Success" column and I currently have about 5000 of these logs just in the last 24 hours. Out of these logs, there are 3 particular Event ID logs that correlate with my stuttering: Event ID: 4624, 4672, and 5379. The 4624 and 4672 occur more frequently than the 5379 and the stutter resulting from them is less severe. The 5379 event however, results in the worst stuttering. This is probably because the 5379 event is logged about 300 times during instances of stutter. Event Viewer shows event 5379 being logged around 300 times at the exact same time interval (For example 300 entries all at 1:00:00PM or 2:37:51PM etc etc).

    The events themselves have different descriptions for why they're occuring:

    Event 4624:

    An account was successfully logged on.
    Subject:
    Security ID: SYSTEM
    Account Name: DESKTOP-N2CELSJ$
    Account Domain: WORKGROUP
    Logon ID: 0x3E7

    Logon Information:
    Logon Type: 5
    Restricted Admin Mode: -
    Virtual Account: No
    Elevated Token: Yes
    Impersonation Level: Impersonation
    New Logon:
    Security ID: SYSTEM
    Account Name: SYSTEM
    Account Domain: NT AUTHORITY
    Logon ID: 0x3E7
    Linked Logon ID: 0x0
    Network Account Name: -
    Network Account Domain: -
    Logon GUID: {00000000-0000-0000-0000-000000000000}

    Process Information:
    Process ID: 0x358
    Process Name: C:\Windows\System32\services.exe

    Network Information:

    Workstation Name: -
    Source Network Address: -
    Source Port: -

    Detailed Authentication Information:
    Logon Process: Advapi
    Authentication Package: Negotiate
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0

    This event is generated when a logon session is created. It is generated on the computer that was accessed.

    The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

    The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

    The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

    The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

    The impersonation level field indicates the extent to which a process in the logon session can impersonate.

    The authentication information fields provide detailed information about this specific logon request.

    - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.

    - Transited services indicate which intermediate services have participated in this logon request.

    - Package name indicates which sub-protocol was used among the NTLM protocols.

    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

    Event 4672:
    Special privileges assigned to new logon.
    Subject:
    Security ID: SYSTEM
    Account Name: SYSTEM
    Account Domain: NT AUTHORITY
    Logon ID: 0x3E7
    Privileges: SeAssignPrimaryTokenPrivilege
    SeTcbPrivilege
    SeSecurityPrivilege
    SeTakeOwnershipPrivilege
    SeLoadDriverPrivilege
    SeBackupPrivilege
    SeRestorePrivilege
    SeDebugPrivilege
    SeAuditPrivilege
    SeSystemEnvironmentPrivilege
    SeImpersonatePrivilege
    SeDelegateSessionUserImpersonatePrivilege


    Event 5379:
    Credential Manager credentials were read.

    Subject:
    Security ID: DESKTOP-N2CELSJ\bback
    Account Name: bback
    Account Domain: DESKTOP-N2CELSJ
    Logon ID: 0x85277
    Read Operation: Enumerate Credentials
    This event occurs when a user performs a read operation on stored credentials in Credential Manager.

    HERE ARE SCREENSHOTS:
    [​IMG]
    [​IMG]
    [​IMG]

    I'm really at a loss of how to fix this. If anyone has any suggestions or has experienced this before please tell me how I should go about solving this. Thank you.
     
    Last edited: Aug 30, 2020
  2. Astyanax

    Astyanax Ancient Guru

    Messages:
    8,411
    Likes Received:
    2,810
    GPU:
    GTX 1080ti
    I can assure you, there is no correlation between these events being logged and your stutter.
     
  3. bbacks26

    bbacks26 New Member

    Messages:
    5
    Likes Received:
    0
    GPU:
    RTX 2080Ti
    Then how is it that when I do get a stutter and record the time it took place, that it matches up exactly with the time the events were logged? I just can't accept this to be coincidence...
     
  4. bbacks26

    bbacks26 New Member

    Messages:
    5
    Likes Received:
    0
    GPU:
    RTX 2080Ti
    Can anyone help me please? Upon further investigation I have run latencymon and so far have gotten latency in the following:nvlddmkm.sys, Ndis.sys, wdf01000.sys, and Acpi.sys. I am not sure what to do with this info but would appreciate any help in solving this. Thanks
     

  5. CPC_RedDawn

    CPC_RedDawn Ancient Guru

    Messages:
    8,280
    Likes Received:
    658
    GPU:
    Zotac GTX1080Ti AMP
    I really do doubt these would correspond with stutter but have you tried repairing windows a little, using DSM and SFC commands in CMD or Powershell? You can also clean out your event log with a custom bat file

    copy this into notepad

    save as something like clearevents.bat this will create a file that once opened AS ADMIN will clean your registry entries out. This wont stop them from being created again but by cleaning it out it could help identify specific ones and finding a solution.

    I strongly don't think this is the reason for the stutter though, it could be some other underlining issue that is happening and an event log gets created because of what happened.
     
  6. mbk1969

    mbk1969 Ancient Guru

    Messages:
    10,039
    Likes Received:
    7,036
    GPU:
    GF RTX 2070 Super
    There is a simpler way to check whether events are related to stutters.
    Use this tool
    https://forums.guru3d.com/threads/alternative-event-viewer-for-windows.431209/
    to subscribe for all events to all event logs. Start a subscription, then do what you usually do to test stutters, and when stutters happen switch back to the tool, stop subscription and browse through events.
    I mean live subscription is easier way to relate events to glitches.
     
    CPC_RedDawn and bbacks26 like this.
  7. Astyanax

    Astyanax Ancient Guru

    Messages:
    8,411
    Likes Received:
    2,810
    GPU:
    GTX 1080ti
    True, but i think an IO interaction taking too much time is at the root of it.
     
  8. mbk1969

    mbk1969 Ancient Guru

    Messages:
    10,039
    Likes Received:
    7,036
    GPU:
    GF RTX 2070 Super
    Or we see in first event in OP that some service has started - that start can cause stutters, but events in event viewer do simply state the fact of the start.
     
  9. bbacks26

    bbacks26 New Member

    Messages:
    5
    Likes Received:
    0
    GPU:
    RTX 2080Ti
    Hello, I used you're tool and think I have found the source of the stutters. Under the log named, "PushNotification-Platform/Operational", each time an event with the id "3055 is generated, there is a stutter. I tested by playing a game for 30 mins and wrote down the time of each stutter. When I looked back at the Event 3055 logs the times matched exactly with one another. Here is a description of Event ID 3055 under "PushNotification-Platform/Operational":
    • DESCRIPTION
    Some toast notifications have been cleared - informed session 1.
    • XML
    <?xml version="1.0" encoding="utf-16"?>
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="Microsoft-Windows-PushNotifications-Platform" Guid="{88cd9180-4491-4640-b571-e3bee2527943}" />
    <EventID>3055</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>23</Task>
    <Opcode>0</Opcode>
    <OpcodeName xmlns="">Info</OpcodeName>
    <Keywords>0x80000000a1878800</Keywords>
    <TimeCreated SystemTime="2020-09-01T19:19:49.6298361Z" />
    <EventRecordID>63698</EventRecordID>
    <Correlation />
    <Execution ProcessID="6612" ThreadID="11832" />
    <Channel>Microsoft-Windows-PushNotification-Platform/Operational</Channel>
    <Computer>DESKTOP-N2CELSJ</Computer>
    <Security UserID="S-1-5-21-3464151166-1996309816-2618597815-1001" />
    </System>
    <EventData>
    <Data Name="SessionId">1</Data>
    </EventData>
    </Event>

    I should also add that there are 2 other events that cause stuttering: Event 3052 and Event 3049

    EVENT 3052 DESCRIPTION:
    • DESCRIPTION
    Toast with notification tracking id 4375 is being delivered to Windows.ActionCenter.QuietHours on session 1.
    • XML
    <?xml version="1.0" encoding="utf-16"?>
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="Microsoft-Windows-PushNotifications-Platform" Guid="{88cd9180-4491-4640-b571-e3bee2527943}" />
    <EventID>3052</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>10</Task>
    <Opcode>1</Opcode>
    <OpcodeName xmlns="">Start</OpcodeName>
    <Keywords>0x8000000080800803</Keywords>
    <TimeCreated SystemTime="2020-09-01T20:10:33.0780186Z" />
    <EventRecordID>63736</EventRecordID>
    <Correlation />
    <Execution ProcessID="6612" ThreadID="10988" />
    <Channel>Microsoft-Windows-PushNotification-Platform/Operational</Channel>
    <Computer>DESKTOP-N2CELSJ</Computer>
    <Security UserID="S-1-5-21-3464151166-1996309816-2618597815-1001" />
    </System>
    <EventData>
    <Data Name="TrackingId">4375</Data>
    <Data Name="AppUserModelId">Windows.ActionCenter.QuietHours</Data>
    <Data Name="SessionId">1</Data>
    <Data Name="MessageId">{f34a86d6-47b2-434e-ae4f-3c646fd038d2}</Data>
    </EventData>
    </Event>

    EVENT 3049 DESCRIPTION:
    • DESCRIPTION
    Endpoint 0x1e91d363870 is being cleanedup
    • XML
    <?xml version="1.0" encoding="utf-16"?>
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="Microsoft-Windows-PushNotifications-Platform" Guid="{88cd9180-4491-4640-b571-e3bee2527943}" />
    <EventID>3049</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <OpcodeName xmlns="">Info</OpcodeName>
    <Keywords>0x8000000000000800</Keywords>
    <TimeCreated SystemTime="2020-09-01T20:10:33.0860305Z" />
    <EventRecordID>63737</EventRecordID>
    <Correlation />
    <Execution ProcessID="6612" ThreadID="10520" />
    <Channel>Microsoft-Windows-PushNotification-Platform/Operational</Channel>
    <Computer>DESKTOP-N2CELSJ</Computer>
    <Security UserID="S-1-5-21-3464151166-1996309816-2618597815-1001" />
    </System>
    <EventData>
    <Data Name="Object">0x1e91d363870</Data>
    </EventData>
    </Event>

    So I'm guessing this is related to some form of notification setting?? Any help appreciated.
     
    Last edited: Sep 1, 2020
  10. bbacks26

    bbacks26 New Member

    Messages:
    5
    Likes Received:
    0
    GPU:
    RTX 2080Ti
    See reply below
     

  11. mbk1969

    mbk1969 Ancient Guru

    Messages:
    10,039
    Likes Received:
    7,036
    GPU:
    GF RTX 2070 Super
    Have you tried to disable push notifications? Events you posted look related to Quiet Hours settings
    https://www.howtogeek.com/233215/how-to-configure-do-not-disturb-mode-in-windows-10/
     
  12. Astyanax

    Astyanax Ancient Guru

    Messages:
    8,411
    Likes Received:
    2,810
    GPU:
    GTX 1080ti
    event is triggered by the actual cause of the stutter.
     
  13. Pablo Hernandez

    Pablo Hernandez New Member

    Messages:
    2
    Likes Received:
    0
    GPU:
    Intel Graphics
    I have the same problem here. I use two monitors. The screen is projected on the other monitor. Every fraction of time, the screen flashes on both monitors and emits a sound similar to the disconnection of a USB device. This annoys me and usually happens more when I use full screen applications, such as games or videos on youtube, but it is not limited to full screen applications, occurring at times when I am away from the computer too and the applications are closed.

    I'm trying everything, but I can't find a solution. I've formatted, reinstalled, turned off notifications, but the problem persists. I can't figure out what causes the problem. I only notice an excess of security events ID 4798 and ID 5379.

    I'm not sure what it can be. This problem is difficult to solve.
     
  14. Pablo Hernandez

    Pablo Hernandez New Member

    Messages:
    2
    Likes Received:
    0
    GPU:
    Intel Graphics
    I think I discovered (after months) the problem.
    I was using a second monitor, at 1440x900 resolution.
    I found an old manual of his, saying that the ideal resolution is 1600x900.
    After using the resolution indicated in the manual, the problems stopped happening.
    I'm reporting here just so that maybe I can help someone else with this annoying and serious problem.
     

Share This Page