Symptoms
The Windows Security log shows avtar.exe attempting a logon for every user profile on a client.
For active user profiles, the entries look like:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 5/27/2017 4:00:07 PM
Event ID: 4648
Task Category: Logon
Level: Information
Keywords: Audit Success
User: N/A
Computer: CNCSD1C.corp.emc.com
Description:
A logon was attempted using explicit credentials.
Subject:
Security ID: SYSTEM
Account Name: CNCSD1C$
Account Domain: CORP
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: testuser
Account Domain: CORP
Logon GUID: {1d662ff0-b57a-9c60-620c-b7f5c70ad1df}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x1544
Process Name: C:\Program Files\avs\bin\avtar.exe
-----
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 5/27/2017 4:00:07 PM
Event ID: 4624
Task Category: Logon
Level: Information
Keywords: Audit Success
User: N/A
Computer: CNCSD1C.corp.emc.com
Description:
An account was successfully logged on.
Subject:
Security ID: SYSTEM
Account Name: CNCSD1C$
Account Domain: CORP
Logon ID: 0x3e7
Logon Type: 3
New Logon:
Security ID: CORP\testuser
Account Name: testuser
Account Domain: CORP
Logon ID: 0x8150fc1
Logon GUID: {cac983ee-8bf7-3789-896f-c9be1e852ead}
Process Information:
Process ID: 0x1334
Process Name: C:\Program Files\avs\bin\avtar.exe
For expired user profiles, the entry looks like:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 5/27/2017 12:51:58 PM
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: CNCSD1C.corp.emc.com
Description:
An account failed to log on.
Subject:
Security ID: SYSTEM
Account Name: W8001DB03$
Account Domain: INTERNAL
Logon ID: 0x3e7
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name:
Account Domain:
Failure Information:
Failure Reason: The specified user account has expired.
Status: 0xc0000193
Sub Status: 0xc0000193
Process Information:
Caller Process ID: 0xe7c
Caller Process Name: C:\Program Files\avs\bin\avtar.exe
For disabled user profiles, the entry looks like:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 5/27/2017 12:51:58 PM
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: CNCSD1C.corp.emc.com
Description:
An account failed to log on.
Subject:
Security ID: SYSTEM
Account Name: W8001DB03$
Account Domain: INTERNAL
Logon ID: 0x3e7
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name:
Account Domain:
Failure Information:
Failure Reason: Account currently disabled.
Status: 0xc000006e
Sub Status: 0xc0000072
Process Information:
Caller Process ID: 0xe7c
Caller Process Name: C:\Program Files\avs\bin\avtar.exe
Entries such as the following can also be seen:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 5/27/2017 12:51:58 PM
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: CNCSD1C.corp.emc.com
Description:
An account failed to log on.
Subject:
Security ID:
Account Name: testuser
Account Domain: CORP
Logon ID: 0x3e7
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name:
Account Domain:
Failure Information:
Failure Reason: Error occured during Logon.
Status: 0xc000018b
Sub Status: 0x0
Process Information:
Caller Process ID: 0x1544
Caller Process Name: C:\Program Files\avs\bin\avtar.exe
The following is a list of common Status/Sub Status codes that may be encountered. The Sub Status refines the Status: in the disabled-account example above the Status is 0xC000006E (an account restriction applies) and the Sub Status 0xC0000072 says which one (account disabled).

Status/Sub-Status Code | Description
0xC000005E | There are currently no logon servers available to service the logon request.
0xC0000064 | User logon with misspelled or bad user account
0xC000006A | User logon with misspelled or bad password
0xC000006D | This is either due to a bad username or authentication information
0xC000006E | The user name and credentials are valid, but an account restriction prevented the logon; the Sub Status identifies the restriction (for example 0xC0000072 for a disabled account)
0xC000006F | User logon outside authorized hours
0xC0000070 | User logon from unauthorized workstation
0xC0000071 | User logon with expired password
0xC0000072 | User logon to account disabled by administrator
0xC00000DC | Indicates the SAM server was in the wrong state to perform the desired operation.
0xC0000133 | Clocks between DC and other computer too far out of sync
0xC000015B | The user has not been granted the requested logon type (aka logon right) at this machine
0xC000018B | The SAM database on the Windows server does not have a computer account for this workstation trust relationship (the Status in the last example above)
0xC000018C | The logon request failed because the trust relationship between the primary domain and the trusted domain failed.
0xC0000192 | An attempt was made to logon, but the Netlogon service was not started.
0xC0000193 | User logon with expired account
0xC0000224 | User is required to change password at next logon
0xC0000225 | Status not found; generally a benign Windows artifact rather than a security risk
0xC0000234 | User logon with account locked
0xC00002EE | Failure Reason: An Error occurred during Logon
0xC0000413 | Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine.
For a full list, see
http://errorco.de/win32/ntstatus-h/
These entries appear in the Security log for every user profile on the client machine each time a backup runs.
Cause
At the end of each backup, the avtar process gathers information on every profile on the client.
The avtar log contains lines such as the following (the number varies with the number of profiles):
avtar Info <11035>: Reading 14 user profiles
avtar Info <11036>: Done reading user profiles
This profile gathering happens at the end of every avtar session on a Windows machine, so it occurs not only at the end of a Windows File System backup (avtar) but also every time a plugin spawns an avtar.exe process. If a Windows VSS backup spawns three avtar processes to back up various volumes, the profiles are gathered three times and the Security log entries are repeated three times.
Profile gathering is on by default but is used only for DTLT (desktop/laptop) restores. For each user profile, avtar obtains all groups the user belongs to in order to determine whether the user is a local administrator; the expired, disabled and other failures shown above are the outcome of that per-profile lookup against stale accounts. This information determines which files the logged-in user can see and restore through the DTLT web interface.
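The records in the Symptoms section can be triaged mechanically against the pattern the Cause section describes. The following Python is an added example, not Avamar code: it parses 4624/4625/4648 records in the text layout shown above, decodes Status/Sub Status with the table above, and marks for review any record whose caller is not the installed avtar binary, whose subject is not the SYSTEM logon session (0x3e7), whose logon type is not 3, or whose status is not in the table. The install path, the `-----` record separator and the sample records (one of them a made-up rogue caller) are assumptions constructed for the example.

```python
"""Triage of Security-log records from avtar.exe's profile scan (added example,
not Avamar code): parses 4624/4625/4648 records in the text layout shown in the
Symptoms section and flags records that do not fit the Cause section's pattern."""
import re
from collections import Counter

EXPECTED_AVTAR = r"c:\program files\avs\bin\avtar.exe"  # assumption: install path as above
SECTIONS = {"Description", "Subject", "Account Whose Credentials Were Used",
            "Target Server", "New Logon", "Account For Which Logon Failed",
            "Failure Information", "Process Information"}
NTSTATUS = {  # ntstatus.h names for the codes in the table above
    0xC000005E: "STATUS_NO_LOGON_SERVERS", 0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD", 0xC000006D: "STATUS_LOGON_FAILURE",
    0xC000006E: "STATUS_ACCOUNT_RESTRICTION", 0xC000006F: "STATUS_INVALID_LOGON_HOURS",
    0xC0000070: "STATUS_INVALID_WORKSTATION", 0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000072: "STATUS_ACCOUNT_DISABLED", 0xC00000DC: "STATUS_INVALID_SERVER_STATE",
    0xC0000133: "STATUS_TIME_DIFFERENCE_AT_DC", 0xC000015B: "STATUS_LOGON_TYPE_NOT_GRANTED",
    0xC000018B: "STATUS_NO_TRUST_SAM_ACCOUNT", 0xC000018C: "STATUS_TRUSTED_DOMAIN_FAILURE",
    0xC0000192: "STATUS_NETLOGON_NOT_STARTED", 0xC0000193: "STATUS_ACCOUNT_EXPIRED",
    0xC0000224: "STATUS_PASSWORD_MUST_CHANGE", 0xC0000225: "STATUS_NOT_FOUND",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT", 0xC00002EE: "STATUS_UNFINISHED_CONTEXT_DELETED",
    0xC0000413: "STATUS_AUTHENTICATION_FIREWALL_FAILED",
}

def decode(code):
    """'0xc000006e' -> 'STATUS_ACCOUNT_RESTRICTION'; '' stays '' (success events)."""
    if not code:
        return ""
    value = int(code, 16)
    return "STATUS_SUCCESS" if value == 0 else NTSTATUS.get(value, f"unknown({code})")

def parse_records(text):
    """Split on a '-----' line; keys are prefixed with their section so that
    'Subject/Account Name' and 'New Logon/Account Name' stay distinct."""
    records = []
    for chunk in re.split(r"^-{3,}\s*$", text, flags=re.M):
        rec, section = {}, ""
        for line in chunk.splitlines():
            key, sep, value = line.strip().partition(":")
            if not sep:
                continue  # description sentences and blank lines
            key, value = key.strip(), value.strip()
            if key in SECTIONS and not value:
                section = key
            else:
                rec[f"{section}/{key}" if section else key] = value
        if rec:
            records.append(rec)
    return records

def classify(rec):
    """(event_id, status, sub_status, verdict, reasons); the checks are the
    pattern of the records above: SYSTEM session, Logon Type 3, installed avtar."""
    event_id = int(rec.get("Event ID", "0"))
    proc = (rec.get("Process Information/Process Name")
            or rec.get("Process Information/Caller Process Name", "")).lower()
    logon_type = rec.get("Subject/Logon Type") or rec.get("Logon Type")
    status = decode(rec.get("Failure Information/Status", ""))
    sub_status = decode(rec.get("Failure Information/Sub Status", ""))
    reasons = []
    if proc != EXPECTED_AVTAR:
        reasons.append(f"caller is not the installed avtar binary: {proc or '<none>'}")
    if rec.get("Subject/Logon ID", "").lower() != "0x3e7":
        reasons.append("subject is not the SYSTEM logon session")
    if event_id in (4624, 4625) and logon_type != "3":
        reasons.append(f"unexpected logon type {logon_type}")
    if status.startswith("unknown"):
        reasons.append(f"status not in the table: {status}")
    return event_id, status, sub_status, "review" if reasons else "expected-avtar", reasons

def summarize(text):
    """Counter keyed by (event_id, status, sub_status, verdict), plus the
    records that need review together with their reasons."""
    results = [classify(r) for r in parse_records(text)]
    return Counter(r[:4] for r in results), [r for r in results if r[3] == "review"]

# Constructed sample in the layout of the records above (trimmed to the fields
# the checks use); the third record is made up to show a rogue caller.
SAMPLE = r"""
Event ID: 4624
Subject:
Logon ID: 0x3e7
Logon Type: 3
Process Information:
Process Name: C:\Program Files\avs\bin\avtar.exe
-----
Event ID: 4625
Subject:
Logon ID: 0x3e7
Logon Type: 3
Failure Information:
Status: 0xc000006e
Sub Status: 0xc0000072
Process Information:
Caller Process Name: C:\Program Files\avs\bin\avtar.exe
-----
Event ID: 4625
Subject:
Logon ID: 0x3e7
Logon Type: 3
Failure Information:
Status: 0xc000006a
Sub Status: 0x0
Process Information:
Caller Process Name: C:\Users\Public\avtar.exe
"""
```

Running `summarize(SAMPLE)` counts the first two records as expected avtar noise (the 4625 decodes to STATUS_ACCOUNT_RESTRICTION / STATUS_ACCOUNT_DISABLED, the disabled-profile case above) and returns the third for review because avtar.exe is running from a location other than the install directory; the counts per status are also a quick way to confirm that the number of avtar-caused events per run matches the "Reading N user profiles" line in the avtar log.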
Resolution
These Security log entries are generated by the Avamar client's own profile scan and can be safely ignored when they match the pattern above: the Subject is the SYSTEM logon session (Logon ID 0x3e7), the Logon Type is 3, and the caller process is avtar.exe under the Avamar client install directory shown in the entries. Logon events whose caller is a different binary, or an avtar.exe in another location, are not explained by this article and should be investigated as usual.
Profile gathering can be disabled on Windows Server clients. It should not be disabled on desktops or laptops if the DTLT web interface is being used.
Contact Avamar Support for help with disabling the gathering of profiles.
Affected Products
Avamar
Products
Avamar, Avamar Client, Avamar Client for Windows