Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 2 replies
  • Subscribers 12 subscribers
  • Views 2658 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Getting Microsoft Security Client event ID 5000 with Endpoint Intercept X installed on it.

Jim Boettger

In the Event Viewer/Application/General Tab the message is Log off network every 20 minutes or so. 

It doesn't appear to be affecting anything that we can tell.  


We are not receiving the on a machine that does not have Intercept X installed on it.  Only Windows Defender on the machine that doesn't get the error.

Any insight would be appreciated.

Thanks,

Jim



This thread was automatically locked due to age.
  • 0

    Odd, nothing here. Does the full XML for the event reveal any more detail? Can you paste that, maybe redact any computer/domain info but sometimes there are more details.

    Right click on the event -> "Copy" -> "Copy Details as Text" will capture the full details.


    It's also interesting that 5000 is the Windows message "Log off network". 

    certutil -error 5000
    0x1388 (WIN32: 5000) -- 5000 (5000)
    Error message text: Log off network

    Typically the event ids have no relation to a Windows error codes. I guess "Microsoft Security Client" uses the Error codes as the Event ID in places.

  • 0 in reply to Sophos User930

    Not really but see below.  

    Log Name: Application
    Source: Microsoft Security Client
    Date: 3/28/2023 1:28:03 PM
    Event ID: 5000
    Task Category: None
    Level: Error
    Keywords: Classic
    User: N/A
    Computer: computer.xxxxxxx.com
    Description:
    Log off network
    Event Xml:
    <Event xmlns="">schemas.microsoft.com/.../event">
    <System>
    <Provider Name="Microsoft Security Client" />
    <EventID Qualifiers="0">5000</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2023-03-28T18:28:03.2631240Z" />
    <EventRecordID>881269</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>Computer.xxxxxxx.com</Computer>
    <Security />
    </System>
    <EventData>
    <Data>0x1</Data>
    <Data>ProtectionManagement</Data>
    </EventData>
    </Event>

    Thanks,

    Jim

Unfiltered HTML