
Getting Microsoft Security Client event ID 5000 with Endpoint Intercept X installed on it.

In the Event Viewer/Application/General tab, the message is "Log off network" every 20 minutes or so.

It doesn't appear to be affecting anything that we can tell.  

We are not receiving the error on a machine that does not have Intercept X installed on it. Only Windows Defender is on the machine that doesn't get the error.

Any insight would be appreciated.



  • Odd, nothing here. Does the full XML for the event reveal any more detail? Can you paste that? Maybe redact any computer/domain info, but sometimes there are more details.

    Right click on the event -> "Copy" -> "Copy Details as Text" will capture the full details.

    It's also interesting that 5000 is the Windows message "Log off network". 

    certutil -error 5000
    0x1388 (WIN32: 5000) -- 5000 (5000)
    Error message text: Log off network

    Typically the event IDs have no relation to Windows error codes. I guess "Microsoft Security Client" uses the error codes as the Event ID in places.
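
Added example, not part of either post: a PowerShell sketch that collects what the reply above asks for (the event's full XML, with the `<Computer>` element redacted) and measures the interval between occurrences. The provider name and event ID are taken from the thread; the 50-event window and the redaction pattern are assumptions.

```powershell
# Added example; provider name and event ID are the ones quoted in the thread.
$id = 5000
$filter = @{ LogName = 'Application'; ProviderName = 'Microsoft Security Client'; Id = $id }

# Newest 50 matching events, oldest first. @() keeps a single hit as an array.
$events = @(Get-WinEvent -FilterHashtable $filter -MaxEvents 50 -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated)
if ($events.Count -eq 0) { Write-Output 'No matching events found.'; return }

# Gap between consecutive events, to confirm the "every 20 minutes or so" cadence.
for ($i = 1; $i -lt $events.Count; $i++) {
    [pscustomobject]@{
        TimeCreated = $events[$i].TimeCreated
        GapMinutes  = [math]::Round(($events[$i].TimeCreated - $events[$i - 1].TimeCreated).TotalMinutes, 1)
    }
}

# Full XML of the latest event with the <Computer> element blanked before sharing.
# The message body can still contain host or domain names, so read it before posting.
$events[-1].ToXml() -replace '<Computer>[^<]*</Computer>', '<Computer>REDACTED</Computer>'

# Same lookup as in the reply above: message text for the numeric code.
certutil.exe -error $id
```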

  • Not really but see below.  

    Log Name: Application
    Source: Microsoft Security Client
    Date: 3/28/2023 1:28:03 PM
    Event ID: 5000
    Task Category: None
    Level: Error
    Keywords: Classic
    User: N/A
    Log off network
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <Provider Name="Microsoft Security Client" />
    <EventID Qualifiers="0">5000</EventID>
    <TimeCreated SystemTime="2023-03-28T18:28:03.2631240Z" />
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Security />