I'm getting a large number of 4674 events on one of my 2 work computers (my laptop) with my non-admin account, and most of them reference the SeBackupPrivilige on files like firefox.exe. I am not in the Backup Operators group and a GPO report shows that
User Rights Assignment for Backing up files is set to Backup Operators. I have verified that my account does not have full ntfs rights to system or program folders (eg, C:\Program Files (x86)\Mozilla Firefox).
Running whoami /priv, I get:
PRIVILEGES INFORMATION
----------------------
Privilege Name Description
State
============================= ==================================== ========
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
Any idea how I might be getting the SeBackupPrivilege, or if there is some way for me to stop these events from logging just for my user id? I don't want to impact the normal logging function.
As I say, this is on one of two computers. Both computers are in the same domain and get most of the same policies except for a few things set especially for laptops. My desktop computer does not have this problem.
Thanks.
